Unable to block traffic between VLANs on ER7206
Model: ER7206 (TL-ER7206)
Hardware Version: V1.0
Firmware Version: 1.1.1
What is the correct procedure to segregate VLANs so that they're not able to talk to each other but still have internet access? I've tried creating Switch ACLs, Gateway ACLs and even EAP ACLs with the Deny Policy selected, but they seem to have no effect at all.
I have VLAN1, which is my home network, and I've created a VLAN10. I then change my laptop's ethernet adapter to VLAN ID 10 and I get the correct IP and DNS from DHCP (10.0.10.0/24). Internet works, but I can access everything on my VLAN1 (192.168.2.0/24) network and vice versa. I'd like to make it so that VLAN10 cannot talk to VLAN1 but VLAN1 can talk to VLAN10. How can I do this?
In the ACL I've tried selecting VLAN10 as the source and VLAN1 as destination with both Port and VLAN ACL binding but no matter what options I choose both networks can always ping each other.
I have the ER7206 connected to a Cisco SG350X-48 switch on a Trunked port and the laptop which also runs the Controller software is connected to another trunked port configured for tagged vlan 10. I've also created a LAN Profile on the ER7206 and tagged VLAN10 with LAN as the Native Network (also tried VLAN10 as the Native Network and have LAN tagged instead).
Any ideas how to block traffic between VLANs?
@yorkman you need an Omada switch to do this with switch ACLs. The VLAN traffic is crossing in the switch and never making it to the gateway.
I figured this one out the hard way...
Thank you for that. I think you're right. I do have a Cisco SG350X-48 switch, but I've never had to use ACLs yet. It does appear to have ACL allow/deny capability for VLANs, so I'll play with those settings as soon as I get a chance again.
@yorkman Same situation with the TL-ER605; that's very annoying.
@S-K Yes. I just got the ER605 yesterday to troubleshoot this problem, as well as why I was seeing an "SFP port is down" message on the ER7206. I think I was able to resolve the latter problem, but not the issue of being unable to block VLAN traffic.
If a switch is needed to do the job, why is TP-Link including the ACL feature on these routers when it won't work? I guess it's because its ACLs are only for:
1) Gateway ACL
2) Switch ACL
3) EAP ACL
It seems like it's missing a VLAN ACL feature there!
@yorkman, I ended up being in the same situation. I use ER7206 with VLANs, but the Omada Controller does not manage my switch. I was using the Software Controller to manage the router. When I defined the Switch ACLs, they didn't work. Because I only have the router, I thought I would set it up as a standalone device without the Omada Controller.
I defined ACLs that block inter-VLAN communication by configuring the router in standalone mode. I tested that, and it is indeed blocking the traffic that goes through the switch. My switch is connected to the router, and then clients connect to the switch. Defining the ACLs didn't go without issues. Initially, I tried blocking Network `A` to Network `!A`, but that broke DHCP, and clients were no longer getting IPs. I tried allowing DHCP, but that didn't work; I probably didn't configure something properly. I ended up defining IP Groups for the different VLANs by first defining IP address lists as below. Note: the router is outside the defined network ranges.
Below are screens found at Preferences > IP Group
ID | Name | IP Address Type | IP Address Range | IP Address/Mask | Description |
---|---|---|---|---|---|
2 | IP_ManagementPC | IP Address/Mask | *.*.*.10/32 | *.*.*.10/32 | Management Desktop |
3 | Infra_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Infra Client IPs |
4 | Guest_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Guest Client IPs |
5 | Work_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Work Client IPs |
6 | Security_Client_IPs | IP Address Range | *.*.*.2-*.*.*.255 | --- | Security Client IPs |
Then define the IP Group lists:
ID | Group Name | Address Name | Description |
---|---|---|---|
3 | Management_IP_Group | IP_ManagementPC | Management Desktop |
4 | G_Clients_Group | Guest_Client_IPs | Client IPs in Guest |
5 | I_Clients_Group | Infra_Client_IPs | Client IPs in Infra |
6 | W_Clients_Group | Work_Client_IPs | Client IPs in Work |
7 | S_Clients_Group | Security_Client_IPs | Client IPs in Security |
8 | Not_G_Clients_Group | Infra_Client_IPs,Work_Client_IPs,Security_Client_IPs | Client IPs outside Guest |
9 | Not_W_Clients_Group | Infra_Client_IPs,Guest_Client_IPs,Security_Client_IPs | Client IPs outside Work |
10 | Not_I_Clients_Group | Guest_Client_IPs,Work_Client_IPs,Security_Client_IPs | Client IPs outside Infra |
11 | Not_S_Clients_Group | Infra_Client_IPs,Guest_Client_IPs,Work_Client_IPs | Client IPs outside Security |
Then go to Firewall > Access Control:
ID | Name | Source | Destination | Source Network | Destination Network | Policy | Service Type | Direction | Effective Time |
---|---|---|---|---|---|---|---|---|---|
1 | Allow_Management_to_All | Management_IP_Group | IPGROUP_ANY | --- | --- | Allow | ALL | ALL | Any |
2 | Block_Infra_to_others | I_Clients_Group | Not_I_Clients_Group | --- | --- | Block | ALL | ALL | Any |
3 | Block_Guest_to_others | G_Clients_Group | Not_G_Clients_Group | --- | --- | Block | ALL | ALL | Any |
4 | Block_Security_to_others | S_Clients_Group | Not_S_Clients_Group | --- | --- | Block | ALL | ALL | Any |
5 | Block_Work_to_others | W_Clients_Group | Not_W_Clients_Group | --- | --- | Block | ALL | ALL | Any |
Congratulations, your inter-VLAN traffic is blocked, and you have a management console that sees all VLANs.
***Disclaimer***
I don't plan on monitoring this thread and providing further guidance. I am sharing my experience and what worked for me. Your situation probably has differences, and you will need to figure it out. I hope the above information is also helpful to you.
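As an added illustration (not code from marulya's post or from TP-Link), the Python below models the IP groups and the ordered Firewall > Access Control rules from the tables above with first-match semantics. The 10.0.x.0/24 subnets, the router at .1 and the management PC at 10.0.10.10 are constructed stand-ins for the masked *.*.*.x values; the probes show why the .2-.255 client ranges leave the router's address and DHCP broadcast traffic unmatched, and why the management allow rule has to come first.

```python
"""Model of the standalone ER7206 Firewall > Access Control rules from the post above.

First matching rule wins; a packet matching no rule is forwarded (assumed default).
All subnets below are constructed placeholders for the post's masked *.*.*.x ranges.
"""
from ipaddress import ip_address, ip_network

# Constructed per-VLAN subnets; the router is assumed to sit at .1 in each.
VLAN_SUBNETS = {"Infra": "10.0.10.0/24", "Guest": "10.0.20.0/24",
                "Work": "10.0.30.0/24", "Security": "10.0.40.0/24"}


def client_range(subnet):
    """The post's *.*.*.2-*.*.*.255 list: leaves .0 and the router's .1 unmatched."""
    net = ip_network(subnet)
    return (net.network_address + 2, net.broadcast_address)


# IP groups as in Preferences > IP Group: name -> list of inclusive (first, last) ranges.
IP_GROUPS = {"Management_IP_Group": [(ip_address("10.0.10.10"), ip_address("10.0.10.10"))]}
for name, subnet in VLAN_SUBNETS.items():
    IP_GROUPS[f"{name[0]}_Clients_Group"] = [client_range(subnet)]
    IP_GROUPS[f"Not_{name[0]}_Clients_Group"] = [
        client_range(s) for n, s in VLAN_SUBNETS.items() if n != name]


def in_group(addr, group):
    """IPGROUP_ANY matches everything; otherwise test each range of the group."""
    return group == "IPGROUP_ANY" or any(lo <= addr <= hi for lo, hi in IP_GROUPS[group])


# Ordered rules exactly as in the Firewall > Access Control table (allow rule first).
RULES = [("Allow_Management_to_All", "Management_IP_Group", "IPGROUP_ANY", "Allow")] + [
    (f"Block_{n}_to_others", f"{n[0]}_Clients_Group", f"Not_{n[0]}_Clients_Group", "Block")
    for n in VLAN_SUBNETS]


def evaluate(src, dst, rules=RULES):
    """Policy of the first rule matching (src, dst), or 'Allow' when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for _, src_group, dst_group, policy in rules:
        if in_group(s, src_group) and in_group(d, dst_group):
            return policy
    return "Allow"


if __name__ == "__main__":
    for src, dst in [("10.0.20.50", "10.0.10.20"), ("10.0.20.50", "8.8.8.8"),
                     ("10.0.10.10", "10.0.20.50"), ("0.0.0.0", "255.255.255.255")]:
        print(f"{src:>15} -> {dst:<15} {evaluate(src, dst)}")
```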
@marulya I was hoping to do this on my ER605 but alas, FYI, this doesn't work. Inter-VLAN is always on.
I'll be going with the D-Link DSR-500 instead. I need the dual link, but this cheap $50 ER605 is incredibly painful to use.