ACL - allow access to single IP in another VLAN

Monday
Hardware Version:
Firmware Version: 6.0.0.24

Hi all,

 

I'm quite unfamiliar with ACL settings on Omada devices.

I have an ER605 gateway and some SG2008, SG2008P and SG2218 switches.

 

I have a dedicated VLAN 200 for IoT devices and I want to configure the following:

  • allow access from default LAN to IoT VLAN (for management)
  • allow access from IoT VLAN to mqtt server in default LAN
  • allow access from IoT VLAN to internet
  • deny access from IoT VLAN to any network (except mqtt server - see 2nd bullet point)

 

I've tried to read a lot of ACL guides, but somehow I'm unable to configure it properly: the green ones work without problem, but the red one I'm unable to configure...

 

Can someone please help me?

/BR ZoloNN ----------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG2008P(UN) V3.20 + SG2218 V1.20 + 2x SG2008 V4.20 + 3x EAP615-Wall(EU) V1.0
#1
Re:ACL - allow access to single IP in another VLAN
Monday

  @ZoloNN 

 

You need to use switch rules, and remember to ensure that it is bidirectional, as a switch deny rule in one direction will also block responses in the reverse direction.

#2
Re:ACL - allow access to single IP in another VLAN
22 hours ago

Hi @GRL,

 

Tried, still not successful...

The moment I activate the last rule (deny all), nothing works. The allow rules are somehow overridden even though they're higher on the list of rules.

I have two rules for IoT <-> DNS and MQTT on Main (one for each direction), and even those are overridden by the deny rule at the bottom of the list...

 

Anyway, I could not find any deeper explanation of the rule mechanism, especially for the ACL Binding parameter...

Additionally, why can the gateway ACL rules deal only with whole networks?

 

I think it is a common scenario on segmented networks to expose only some IPs from one network to another.

My goal for configuring the rules for the two networks (Main and IoT) is:

  1. allow any client from Main to reach IoT devices
  2. allow all IoT devices to reach only DNS and MQTT servers on Main LAN
  3. allow all IoT devices to access the internet
  4. deny all IoT devices to reach any IP on Main LAN except those in point 2

 

When this is successful, I plan to move the servers to a new dedicated VLAN and expose only the necessary ports to the Main and IoT VLANs, but I'm not able to correctly isolate the IoT network...

 

/BR ZoloNN ----------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG2008P(UN) V3.20 + SG2218 V1.20 + 2x SG2008 V4.20 + 3x EAP615-Wall(EU) V1.0
#3
Re:ACL - allow access to single IP in another VLAN
15 hours ago

  @ZoloNN 

 

Requirement 2 is the problem: this would require a switch rule, which isn't stateful, meaning it will block all traffic from IoT back to Main at all times.

#4
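To make concrete what a stateless, first-match switch ACL does to the rule list discussed in posts #2 to #4, here is an added example written for this page. It is a small Python model, not Omada firmware or any TP-Link code, and everything it uses is an assumption chosen for illustration: Main on 192.168.0.0/24, IoT on 192.168.200.0/24, an MQTT broker at 192.168.0.10:1883, a DNS resolver at 192.168.0.1:53, IoT devices managed over TCP 80/443/22, and a default permit for traffic no rule matches (so IoT to internet passes). It traces both directions of each flow, shows why a deny-all IoT -> Main rule at the bottom breaks replies to connections that Main opened, shows one stateless workaround (a reverse permit keyed on the IoT devices' service source ports, placed above the deny), and shows the caveat that such a rule also admits new connections an IoT device opens from that source port.

```python
"""Added illustration for this thread (not Omada firmware or TP-Link code):
a stateless, first-match ACL model applied to the Main <-> IoT scenario.
All addresses and ports below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

MAIN = ip_network("192.168.0.0/24")            # assumed "default LAN"
IOT = ip_network("192.168.200.0/24")           # assumed IoT VLAN 200
MQTT_SERVER = "192.168.0.10"                   # assumed MQTT broker on Main
DNS_SERVER = "192.168.0.1"                     # assumed DNS resolver on Main
IOT_SERVICE_PORTS = frozenset({80, 443, 22})   # assumed ports the IoT devices are managed on


def host(addr: str) -> IPv4Network:
    """Single-host match, the /32 form an ACL source/destination IP field takes."""
    return ip_network(addr + "/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None              # None matches any protocol
    sport: Optional[FrozenSet[int]] = None   # None matches any source port
    dport: Optional[FrozenSet[int]] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins, so order matters. Traffic matching no rule
    (e.g. IoT -> internet) falls through to an assumed default permit."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "permit"


# Requirements 1, 2 and 4 from the thread, written as the poster describes them.
naive: List[Rule] = [
    Rule("permit", IOT, host(DNS_SERVER), "udp", dport=frozenset({53})),
    Rule("permit", IOT, host(MQTT_SERVER), "tcp", dport=frozenset({1883})),
    Rule("permit", MAIN, IOT),
    Rule("deny", IOT, MAIN),
]

# Same list with a reverse permit above the deny: replies from the IoT devices'
# own services carry one of IOT_SERVICE_PORTS as *source* port, which is the
# only thing a stateless ACL has to recognise them by.
with_reverse: List[Rule] = naive[:3] + [
    Rule("permit", IOT, MAIN, "tcp", sport=IOT_SERVICE_PORTS),
    Rule("deny", IOT, MAIN),
]


def trace_connection(rules: List[Rule], client: str, server: str,
                     proto: str, sport: int, dport: int) -> Tuple[str, str]:
    """Verdicts for (client -> server request, server -> client reply).
    A stateless ACL sees the reply as an unrelated packet with the
    addresses and ports swapped; nothing ties it to the request."""
    request = Packet(client, server, proto, sport, dport)
    reply = Packet(server, client, proto, dport, sport)
    return evaluate(rules, request), evaluate(rules, reply)


if __name__ == "__main__":
    # Main client managing an IoT device over HTTP: the request passes, the
    # reply hits the deny-all, so the TCP handshake never completes.
    print("mgmt, naive:       ", trace_connection(naive, "192.168.0.50", "192.168.200.20", "tcp", 51000, 80))
    print("mgmt, with reverse:", trace_connection(with_reverse, "192.168.0.50", "192.168.200.20", "tcp", 51000, 80))
    # IoT -> MQTT works in both lists: the reply is Main -> IoT, which rule 3 permits.
    print("mqtt, naive:       ", trace_connection(naive, "192.168.200.20", MQTT_SERVER, "tcp", 40000, 1883))
    # IoT -> internet matches nothing and falls through to the default permit.
    print("internet, naive:   ", trace_connection(naive, "192.168.200.20", "203.0.113.7", "tcp", 40001, 443))
    # Caveat: the reverse permit also admits a *new* connection an IoT device
    # opens toward Main with source port 443, here toward RDP on a Main host.
    print("caveat:            ", evaluate(with_reverse, Packet("192.168.200.20", "192.168.0.50", "tcp", 443, 3389)))
```

The last case is the limit of the stateless approach: a packet-by-packet filter cannot tell a legitimate reply from a fresh connection that picks a privileged-looking source port, so a reverse permit keyed on source ports only narrows, never closes, the IoT -> Main path. Where a per-host exception must hold in both directions without that gap, the filtering has to be done by something that tracks connection state.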
Re:ACL - allow access to single IP in another VLAN
13 hours ago

Hi @GRL,

 

Yes, indeed, it seems so...

And gateway rules don't allow anything other than rules for whole networks in LAN->LAN mode; IMHO really granular rules aren't possible...

This is not what I was expecting from business-class devices...

Even if only DNS and MQTT were mentioned in my scenario, protecting critical AD servers in the same manner (separate VLAN with access only to essential ports from outside) isn't possible either.

 

/BR ZoloNN ----------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG2008P(UN) V3.20 + SG2218 V1.20 + 2x SG2008 V4.20 + 3x EAP615-Wall(EU) V1.0