Knowledge Base Guide - Creating Stateful ACL rules with IP-Groups and IP-Port-Groups [Gateway / Switch Hybrid]
This guide will show you how you can create stateful ACL rules with fine-grained IP-Group and IP-Port-Group control.
Required:
Omada Gateway and at least one Omada switch at the core of the network. This cannot be achieved with a gateway or switch alone
IMPORTANT NOTE
This only works if your Router VLAN interfaces are the Gateway for each VLAN. This will not work if you have switch interfaces being used as gateways.
This example:
We want to create a stateful ACL (i.e. a network or single IP can reach out to a device on another VLAN and receive the response, but that device cannot initiate a connection back itself) that allows a user on the IT network to access a Raspberry Pi on the office network, but we don't want that Pi to be able to access the IT network. We don't want the IT network to be able to reach any other devices on the office network, or the office network to be able to reach anything on the IT network.
IT Network
192.168.7.0 /24 "IT"
Office Network
192.168.10.0 /24 "Office LAN"
Raspberry Pi : 192.168.10.100
What we want to achieve with our stateful ACL:
User on IT network, 192.168.7.10 > Pi 192.168.10.100 - Allow
User on IT network, 192.168.7.10 > NAS 192.168.10.101 - Deny
Pi 192.168.10.100 > IT network - Deny
NAS 192.168.10.101 > IT network - Deny
Office network > IT Network - Deny
Gateway ACLs to create:
Order is important as "first match wins" operates for all types of ACL lists
1) ALLOW - ALL PROTOCOLS
Network "IT" > Network "Office LAN"
2) DENY - ALL PROTOCOLS
Network "Office LAN" > Network "IT"
IP_Group to make
"Pi Access"
192.168.7.0 /24 **CHANGE THIS TO AN INDIVIDUAL IP with a /32 IF NECESSARY AS THE SOURCE
192.168.10.100 /32 **TARGET
Switch ACLs to create:
Order is important as "first match wins" operates for all types of ACL lists
1) ALLOW - ALL PROTOCOLS
IPGroup "Pi Access" > "Pi Access"
**having the same IP group on both sides of the rule creates a bi-directional rule without needing a second reverse direction rule
2) DENY - ALL PROTOCOLS
Network "IT" > Network "Office"
** this effectively blocks both ways IT > Office and Office > IT as switch rules are not stateful
How this works
Gateway ACLs for LAN>LAN only allow the selection of an entire VLAN, not IP_Groups or IP_Port groups. Therefore, if a network is allowed to communicate to another, it can see the entire network. In this example, that is still the case, but behind that, the Switch rules take over and only allow what is specified in the IP Group. Since the switch rule set has a deny IT > Office rule, the entire rest of the VLAN is inaccessible to the user on the IT network.
This achieves a stateful Gateway ACL rule to more granular targets on other VLANs.
You can expand this to include other VLANs, IP_Port Groups, etc.
A more complex example
I have three Networks
Tech LAN, Tech WiFi, Event_Tech
I want Tech WiFi to communicate out to Tech_LAN
I want Tech WiFi to communicate out to Event_Tech
I want Event_Tech to be able to reach .200 to .220 on Tech_LAN
I don't want Event_Tech or Tech_LAN to be able to reach Tech_WiFi directly by itself
I don't want Tech_LAN to be able to reach Event_Tech directly by itself
Gateway Rules
1) ALLOW - ALL Tech_WiFi > Event_Tech, Tech_LAN
2) ALLOW - ALL Event_Tech > Tech LAN
3) DENY - ALL Event_Tech & Tech_LAN > Tech_WiFi
4) DENY - ALL Tech_LAN > Event_Tech
IP_Group
Event_Tech_Access
192.168.14.0 /24 (Event Tech Network Range)
192.168.6.200 /27 (Allowed IP range on Tech_LAN)
Switch Rules
1) ALLOW - ALL Event_Tech_Access > Event_Tech_Access
2) ALLOW - ALL Tech_LAN & Tech_WiFi > Tech_LAN & Tech_WiFi
3) DENY - ALL Event_Tech > Tech_LAN
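To check that a rule set really produces the outcomes listed in the first example (and that an IP-Group entry in the second example covers the hosts you think it does), here is an added Python model of the two-layer evaluation. It is example code written for this guide, not Omada's own logic; it assumes unmatched traffic is permitted, that the gateway ACL is stateful and the switch ACL stateless, and that the controller treats an entry like "192.168.6.200 /27" as the enclosing /27 block.

```python
from ipaddress import ip_address, ip_network

# Constructed from the guide's first example (names as in the guide).
NETWORKS = {"IT": ["192.168.7.0/24"], "Office LAN": ["192.168.10.0/24"]}
IP_GROUPS = {"Pi Access": ["192.168.7.0/24", "192.168.10.100/32"]}

def in_prefixes(ip, prefixes):
    return any(ip_address(ip) in ip_network(p) for p in prefixes)

# Each rule is (action, source prefixes, destination prefixes); first match wins.
GATEWAY_RULES = [
    ("ALLOW", NETWORKS["IT"], NETWORKS["Office LAN"]),        # gateway rule 1
    ("DENY", NETWORKS["Office LAN"], NETWORKS["IT"]),         # gateway rule 2
]
SWITCH_RULES = [
    ("ALLOW", IP_GROUPS["Pi Access"], IP_GROUPS["Pi Access"]),  # switch rule 1, same group both sides
    ("DENY", NETWORKS["IT"], NETWORKS["Office LAN"]),          # switch rule 2, stateless
]

def first_match(rules, src, dst, default="ALLOW"):
    """First-match-wins lookup; unmatched traffic is permitted (assumed Omada default)."""
    for action, sources, dests in rules:
        if in_prefixes(src, sources) and in_prefixes(dst, dests):
            return action
    return default

def can_initiate(src, dst):
    """Can src open a connection to dst and get the replies back?

    Gateway ACL is modelled as stateful: one ALLOW on the forward direction also
    admits the reply flow. Switch ACL is stateless: the forward packets and the
    reply packets are each checked against the rule list on their own.
    """
    if first_match(GATEWAY_RULES, src, dst) != "ALLOW":
        return False
    forward_ok = first_match(SWITCH_RULES, src, dst) == "ALLOW"
    reply_ok = first_match(SWITCH_RULES, dst, src) == "ALLOW"
    return forward_ok and reply_ok

def entry_range(cidr):
    """First and last address actually covered by an IP-Group entry such as '192.168.6.200 /27'."""
    net = ip_network(cidr.replace(" ", ""), strict=False)
    return str(net[0]), str(net[-1])
```

Running entry_range on the second example's "192.168.6.200 /27" returns 192.168.6.192 through 192.168.6.223, which is wider than the .200 to .220 the text asks for; use /32 entries or a tighter set of prefixes if only that span should be reachable.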