Advice needed on wifi URL filtering and relation to Omada switches
Dear @MrCollins ,
MrCollins wrote
I have an ER605 router, an OC200 Omada controller, and a couple of EAP115s on my SOHO network, and I'm using the OC200 to manage them. Alongside my main SSID, I'd like to have an SSID for kids to use with URL filtering (deny all plus list of whitelisted sites). I've followed the instructions here and here. This gives the two SSIDs ok, but it makes the filtered connection unusably slow and inconsistent. I'm currently using two Netgear unmanaged switches (PoE and non-PoE). Is what I'm trying to do here possible, or do I need to have Omada compatible switches?
This brings me to my second question: I have about 20 ethernet ports in the building, but I only need 6 of them to have PoE. I'd be grateful for suggestions on which Omada switch to buy. It's light domestic use, so 24 port PoE seems like overkill, and I would prefer the least power-consuming and least noisy option. Rather than buying a 24 port PoE switch, I was thinking of an 8 port PoE switch (e.g. TL-SG2210MP) in conjunction with a 16 port non-PoE switch (TL-SG2218). Does this sound like a good solution, and would it permit what I want to achieve (URL filtering etc.) as described above? If a single switch would be better (and there is a not-noisy one available), I'd be grateful for recommendations on which model.
To better assist you, would you be able to provide the firmware and hardware versions of all your devices?
1. What's the physical connection (current topology) of your devices? (You can draw a simple diagram of the network topology if you don't mind.)
2. To confirm, how did you find that your network slowed down or even dropped after setting up URL Filtering?
I mean how did you locate the issue?
3. TL-SG2210MP and TL-SG2218 are all compatible with SDN controller.
Best Regards!
Thank you for your response. In answer to your questions:
- I have put a diagram of the topology below.
- I noticed because it was very slow (e.g. 30 seconds) to connect to websites, sometimes couldn't connect at all (to whitelisted sites), and the Windows wifi logo was still showing as not having a connection (even though some sites could be reached -- and this wasn't because they were cached).
- Is TL-SG2210MP and TL-SG2218 a good solution, or better to get a 24 port switch, and if so, which one?
Thanks again.
Based on your description, it seems like a problem with the Windows PC itself; try another client to test.
As to whether or not to switch to an Omada Switch, this depends more on your budget and needs, but it doesn't pinpoint whether or not this issue is related to the switch.
TL-SG2210MP and TL-SG2218 are all good.
Best Regards!
Thank you for your reply. I tried with a couple of different clients but with identical results. And in each case, disconnecting from the filtered SSID and then connecting to the non-filtered SSID immediately resolved the problem (so there wasn't a general Windows or client-specific problem here). The TP-Link instructions here specify that a 'Deny All' rule should be added after the 'Permit' rules. If I disable the 'Deny All' rule, the problem goes away; however, this also means that the whitelisting no longer works (because everything is now permitted). Any other suggestions? Thank you.
@MrCollins I guess the problem is more related to the DNS server or something, not the switch. Try this: 1. Under URL filtering, delete all EAP rules and leave only the Gateway rules; 2. Connect a PC to the router directly and check if it influences the Internet speed/connection.
Yep, I also agree an Omada switch might be helpful, but it's hard to say it is related to your current issue.
Thank you for your suggestion, I tried it and had some success. I disabled all permit/deny rules for both Gateway and EAP. Everything working well on both LAN and wifi. I implemented a couple of simple permit rules (e.g. *.google.*, *.youtube.*), and a deny all rule on the gateway. Google seems to work okay, but youtube only partially -- the site comes up and the search works, but the videos won't play (just a circling graphic as if waiting to load). I disable the Gateway rules, all works normally again. Now I enable the same rules on EAP, connect via wifi, and get the same results -- site loads but videos won't play. I also get an inconsistent reading on the wifi status (sometimes 'secured', sometimes 'connected, secured', sometimes 'No internet, secured'). I disable EAP rules, and wifi goes back to normal. Now as per your suggestion, I plug laptop directly into router, with wifi disabled, and I enable the Gateway rules. This time it's much better, whitelisting works, and youtube videos play as normal (though it looks like screenshot images don't show for all videos) -- anyway, massive improvement.
I also tried to whitelist www.broadbandspeedchecker.co.uk, but although the site would load, the test wouldn't run. I assume because it invokes another site that I haven't whitelisted. If so, is this a common problem with whitelisting?
As the router method worked, does this mean it's a DNS problem, and if so, is that something that would be resolved with an Omada switch, or is it a problem with my setup?
Thanks for your help and suggestions.
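An added example, not part of any post in this thread and not TP-Link code: a small audit that checks which hostnames fall through to 'Deny All' under the permit rules quoted above, covering the half-loading sites and the Windows "No internet" status described in the preceding post. It assumes rules are matched as case-insensitive globs against the requested hostname, which the thread does not confirm; the hostname list is a constructed sample and `measurement.example.net` is a placeholder for whatever backend the speed-test page calls.

```python
from fnmatch import fnmatchcase

# Permit rules quoted in the thread; anything unmatched hits "Deny All".
PERMIT_RULES = ["*.google.*", "*.youtube.*", "www.broadbandspeedchecker.co.uk"]

# Constructed sample: hostnames a client requests while using those sites.
# The speed-test backend is a hypothetical placeholder.
REQUESTS = {
    "YouTube page": ["www.youtube.com"],
    "YouTube video stream": ["rr1---sn-example.googlevideo.com"],
    "YouTube thumbnails": ["i.ytimg.com"],
    "Windows connectivity probe": ["www.msftconnecttest.com"],
    "Speed test page": ["www.broadbandspeedchecker.co.uk"],
    "Speed test backend": ["measurement.example.net"],
}


def is_permitted(host, rules=PERMIT_RULES):
    """Assumed semantics: case-insensitive glob match on the full hostname."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, rule.lower()) for rule in rules)


def audit(requests, rules=PERMIT_RULES):
    """Return {purpose: [hosts that fall through to Deny All]}."""
    blocked = {}
    for purpose, hosts in requests.items():
        denied = [h for h in hosts if not is_permitted(h, rules)]
        if denied:
            blocked[purpose] = denied
    return blocked


def suggest_rules(blocked):
    """Propose one '*.<last two labels>' rule per blocked host.
    Wrong for suffixes such as co.uk, so review each suggestion
    before adding it to the permit list."""
    domains = {".".join(h.split(".")[-2:]) for hosts in blocked.values() for h in hosts}
    return sorted("*." + d for d in domains)


if __name__ == "__main__":
    result = audit(REQUESTS)
    for purpose, hosts in result.items():
        print(f"BLOCKED  {purpose}: {', '.join(hosts)}")
    print("Candidate permit rules:", suggest_rules(result))
```

To build the real hostname list for a site, record the requests in the browser's developer tools (Network tab) on an unfiltered connection and feed them to `audit`.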
@MrCollins My suggestion is: no need for the EAP ACL anymore.
The Gateway rules will also apply to the SSID if your SSID has been put into the kids network you created.
So,
1. Create a network (VLAN interface) for your kids. For example, Main network on VLAN 1 and Kids network on VLAN 10.
2. We need to set up the VLANs on your managed switch, so that VLAN-tagged data goes through the switch. (If you don't know how to do that, the point is: make sure the uplink and downlink ports of the switch are in both VLAN 1 and VLAN 10, and work as trunk/tagged ports.)
3. In the SSID settings, set VLAN ID 1 for the main network and VLAN ID 10 for the Kids network.
4. In the Gateway ACL, choose the Kids network for the rules.
Thanks for your reply. I made an error in my description above: in my original post, I mention that I have two unmanaged Netgear switches, but in my topology diagram, I incorrectly listed one of them as managed. If I understand correctly, the method you offer above is close to this one. I have been able to follow the instructions here (and those you supplied), except with regard to management of the switch. As a result, I'm getting the same problem as I had with EAP whitelisting: intermittent connection, whitelisted sites only half-loading, and so on. My inference is that it is not possible to achieve a filtered kids network without a managed switch, and that it would need to be an Omada compatible switch to work meaningfully with the OC200. So in answer to my question in my original post, it seems that although two separate VLANs can be set up just using the OC200 and ER605, they can't be successfully implemented without a managed switch. If I have misunderstood here, please correct me. I'll try getting a managed switch, though the major suppliers in the UK (Amazon, Ebuyer etc.) don't currently have stock of the Omada compatible models that I would need.