Issue with IPGroup ACL
Hi All,
I have more issues with Omada ACLs between IP Groups.
I have one common VLAN for all public devices (192.168.0.1/24), which needs an internet connection on the wired and on the wireless network. The problem is that I have to isolate a certain group of IPs of this VLAN from the internet during a certain period of time.
These IPs are all provided by fixed DHCP, grouped into a subset of the whole big VLAN, i.e. 192.168.0.224/28, and containing wired and wireless IPs mixed. Let's call the group "Teens".
First I created a gateway ACL as follows:
direction: LAN -> WAN
policy: deny
Protocols: all
Time range: enabled (i.e. the referenced timeslot is every day between 16:00 and 22:00)
Source Rule Type: IP Group (i.e. Teens)
Destination Rule Type: IP Group (i.e. IPGroup_Any)
It is working in the defined time range, BUT I have noticed that when the rule gets enabled or disabled at the start and end of the schedule, ALL other connected devices of the big VLAN lose internet connectivity for a few seconds. This is a big problem for all other IPs/devices in the VLAN. I am still wondering how this could happen. This is issue no. 1.
Next, I tried to narrow down and separate the IP ranges within the big VLAN, therefore I created another group for the WAN router/gateway IP (192.168.0.1), called "Gateway", assuming that if I denied the connection between the group "Teens" and the group "Gateway", then no internet connection would work.
This was the ACL config:
direction: LAN -> WAN
policy: deny
Protocols: all
Time range: enabled (i.e. the referenced timeslot is every day between 16:00 and 22:00)
Source Rule Type: IP Group (i.e. Teens)
Destination Rule Type: IP Group (i.e. Gateway)
This is not working at all. Even if I remove the time range and set the deny rule to enabled, all these devices can access the internet through the gateway. This is issue no. 2.
This behaviour is exactly the same on the ER7212PC and ER605 routers.
Anyone faced the same issues?
If not, what am I doing wrong?
Thanks for any response in advance!
gZoma
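To make the matching semantics behind issue no. 2 concrete, here is a small simulator of how a stateless LAN -> WAN ACL evaluates forwarded packets. It is an added illustration, not Omada's code, and it assumes first-match evaluation with a default permit; what it does model is the fact that a packet routed from a LAN host to an internet host carries the remote host's address as its destination IP, so a rule whose destination group holds only the gateway's LAN address (192.168.0.1) never matches that traffic. The remote address 203.0.113.10 is a constructed documentation-range value.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# IP groups as described in the thread: the /28 "Teens" subset of the /24 VLAN,
# the gateway's own LAN address, and the catch-all group.
IP_GROUPS = {
    "Teens": [ip_network("192.168.0.224/28")],
    "Gateway": [ip_network("192.168.0.1/32")],
    "IPGroup_Any": [ip_network("0.0.0.0/0")],
}


@dataclass
class AclRule:
    """One LAN -> WAN gateway ACL entry with a daily time window (assumed semantics)."""
    src_group: str
    dst_group: str
    policy: str = "deny"
    start: time = time(16, 0)
    end: time = time(22, 0)

    def in_window(self, now: time) -> bool:
        return self.start <= now < self.end

    def matches(self, src: str, dst: str, now: time) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return (self.in_window(now)
                and any(s in net for net in IP_GROUPS[self.src_group])
                and any(d in net for net in IP_GROUPS[self.dst_group]))


def verdict(rules: list[AclRule], src: str, dst: str, now: time) -> str:
    """First matching rule wins; default permit is an assumption of this model."""
    for rule in rules:
        if rule.matches(src, dst, now):
            return rule.policy
    return "permit"


# The two rule variants from the post.
RULE_TEENS_ANY = AclRule("Teens", "IPGroup_Any")
RULE_TEENS_GATEWAY = AclRule("Teens", "Gateway")

if __name__ == "__main__":
    # A forwarded packet: Teens host -> internet host (constructed address), inside the window.
    print(verdict([RULE_TEENS_ANY], "192.168.0.230", "203.0.113.10", time(18, 0)))      # deny
    print(verdict([RULE_TEENS_ANY], "192.168.0.50", "203.0.113.10", time(18, 0)))       # permit
    # Same packet against the "Gateway" variant: dst is 203.0.113.10, not 192.168.0.1.
    print(verdict([RULE_TEENS_GATEWAY], "192.168.0.230", "203.0.113.10", time(18, 0)))  # permit
```

The model says nothing about issue no. 1 (the transient drop for the rest of the /24 when the rule toggles), since nothing in the thread explains what the gateway does internally at that moment.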
Sorry for the confusing explanation. The essence is that the issue is still there, meaning if I set up a time-schedule-based ACL for a subgroup (/28) of a complete /24 VLAN, whenever the ACL schedule controls the access (either disabling the connectivity to IPGroup_Any, or even re-enabling it), the clients of the /28 are controlled fine by the ACL, but every other client of the /24 disconnects from the internet for a short time. MS Teams sessions are broken, online connections are broken for a few seconds, and even some streaming is glitching as well. What I have noticed is that wireless devices are not disconnecting from the WLAN, but the existing sessions towards the internet get broken and need to be re-established. This re-establishment happens in a different way depending on the OS of the device (Android or Windows), or even the application (online games/VPN clients/apps) whose internet sessions are broken.
Another fresh finding is that the issue is not necessarily related to the time-based control of an ACL. If time-based control is disabled for the given ACL rule and I disable/enable the ACL manually from the Omada UI, the issue is there too.
Please try to reproduce it in your environment; I hope you will experience the same and can then advise how to mitigate it.
gZoma
As I shared earlier, I had only an ER605 V1 before; it had the 1.3.1 firmware, with exactly the same issue. Recently it was replaced with an ER7212PC V1 running 1.2.0 Build 20240716 Rel.80083.
For the replacement I preferred the ER7212PC to the ER605 V2 (a brand new model with more hardware capabilities like PoE ports and a built-in Omada controller) in the hope that it would have newer or at least more stable features. Since then I have experienced that the firmware of the ER7212PC (including the Omada version) is several generations behind that of the old device.
I hoped it was only delayed in the versioning, not in the features and bug remediations, but it doesn't really seem so.
Any near-future plans for ER7212PC V1 firmware in which this basic issue will be fixed? Or any other suggestion as to which configuration I can use to differentiate groups of devices in the same VLAN in an ACL rule? Of course without having the reported impact on the other devices of the VLAN.
Regards,
gZoma
I confirmed with the R&D department that the ER7212PC V1.2.0 does not yet include the remedy to this issue. Please wait for the next firmware release. This is an issue that we will address. This problem has already been resolved with the latest firmware on our ER605 V2.