Network configuration for Omada (ER7206, SG2210P, EAP245, OC200)
Hello,
I need some advice regarding the basic configuration and what I need to do in order to set up a network with Omada hardware. This is for my home and office, since working from home is a requirement now, and please have patience with me because I have only worked with an almost plug-and-play AC87U flashed with asuswrt-merlin. I have already bought the EAPs and switch and have the router and controller coming next week. I may deploy the EAPs earlier just to see how they work with the AC87U. The ISP is FTTH Gigabit PPPoE 920/800.
Here is the full picture:
Did I get things right regarding the network logic? I have adopted this model from the advice seen here.
Can I configure the VLANs on the gateway level with the controller? I have 3 Cat5e cables coming from the router to my living room that will have the EAP, TV and Xbox, and buying another switch is out of the question for now, so those 3 clients will be connected directly to the router.
Short note on setting this up:
1. Configure controller > Office > Controller Access
2. Wired Networks > Internet WAN config
3. VLAN config (Wired Networks > Create New LAN > Select Interface > VLAN > Gateway > update DHCP server)
4. Wireless config - same name for the SSID as the VLAN (Wireless Networks > SSID > enable WPA > security key > Advanced Settings > VLAN)
5. Switch config (Switch > Settings > Wired Networks > LAN > Profile > Create Port Profile)
6. Firewall config
   - Disable inter-VLAN routing (New Rule > enable > deny Network to Network, all networks except the network selected)
   - Block access to the router interface from other subnets except native (Profiles > Group > New Group > Type IP-Port Group > all subnets except native > ports 80, 8080, 443, 22 > Network Security > Switch ACL > create new rule > deny Network to IP-Port Group)
Questions:
- My PC also has a wireless connection, so does that mean that I need to enforce the rule for the switch and the EAP? The first EAP is connected directly to the router; would the rule also apply to the gateway, considering notebook and phone clients?
- How do I make the rules in order to let IoT clients be seen and controlled by the private VLAN clients? Basically IoT clients cannot access the private VLAN, but the connections established from private should be allowed.
- What rule do I need in order to let my Smart TV see the movie library situated on my desktop on the private VLAN? What rules do I need for the SMB share and what ports do I need to keep open?
- Can I connect to clients such as Chromecasts? I have seen that they require the mDNS service in order to be located. I would prefer not to connect the Chromecast to my private VLAN if possible.
Any other good practice for firewall rules to be added? Attack filtering, URL or others? Any good practice regarding port forwarding (I need some ports for the Xbox and the Plex server)?
Please have patience with me, because I am new to this.
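The inter-VLAN policy sketched in steps 3 and 6 above (private may reach IoT, IoT may not initiate towards private, and the gateway's admin ports are reachable only from the native subnet), modelled as a small stateful filter. This is an added illustration, not code from the original post or from Omada itself; the subnets, host addresses and the order of the checks are constructed assumptions about how the intended rules combine.

```python
import ipaddress

# Constructed placeholder subnets for the three VLANs named in the post.
NETWORKS = {
    "native": ipaddress.ip_network("192.168.0.0/24"),
    "private": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}
GATEWAY_IP = ipaddress.ip_address("192.168.0.1")   # assumed gateway address
MGMT_PORTS = {80, 8080, 443, 22}                    # ports listed in step 6


def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETWORKS.items() if addr in net), None)


def decide(src, dst, dport, established=False):
    """Return (verdict, reason) for a packet under the post's intended policy."""
    s, d = vlan_of(src), vlan_of(dst)
    # Step 6b: gateway admin ports only from the native subnet, whatever the state.
    if ipaddress.ip_address(dst) == GATEWAY_IP and dport in MGMT_PORTS and s != "native":
        return "deny", "gateway admin port from non-native VLAN"
    # Replies to a connection that was already accepted are allowed (stateful).
    if established:
        return "allow", "reply to an established connection"
    if s == d:
        return "allow", "traffic stays inside one VLAN"
    # Private may open connections to IoT; every other cross-VLAN initiation is denied.
    if s == "private" and d == "iot":
        return "allow", "initiated from private towards IoT"
    return "deny", "inter-VLAN routing disabled (step 6a)"


class StatefulFilter:
    """Tracks accepted flows so return traffic can be matched in reverse."""

    def __init__(self):
        self.flows = set()  # (src, dst, dport) of accepted connections

    def packet(self, src, dst, dport, sport):
        # A packet whose reverse tuple is a known flow is a reply to it.
        if (dst, src, sport) in self.flows:
            return decide(src, dst, dport, established=True)
        verdict = decide(src, dst, dport)
        if verdict[0] == "allow":
            self.flows.add((src, dst, dport))
        return verdict
```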