Omada EAPs block traffic that are allowed on the firewall ?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-05-24 07:51:33

Hello !

I have multiple VLANs, with one subnet /24 for each VLAN, and each vlan belongs to its own firewall zone. That's set up on the router (OpenWRT), and on Omada, each VLAN is associated with one SSID. 

Now, VLAN16 is the admin VLAN, and on the router, forwarding to all the other zones is accepted. But I realized that, if I put my laptop on SSID VLAN16 and my smartphone on VLAN11, my smartphone doesn't show up when I use an IP scanner. It is not the case if I use the wifi of the router directly for the same thing: I see my smartphone in the IP scanner.


This means that EAP is blocking something between two subnets more than what I set on the router. But under EAP access control, I have no rule involving two distinct subnets: my understanding is, this should be regulated by the router.


I would appreciate it if someone could please explain to me what's going on?

Re:Omada EAPs block traffic that are allowed on the firewall ?
2022-05-24 23:06:49

  @doremifajb 


Props for the musical reference.


I believe what's going on is that your APs are treating the traffic as tagged, and the non-TP-Link router WiFi is not. I do not know what kind of port scanning software is being used, but it would seem that the router is not un-tagging scans from your laptop and then re-tagging them out to the smartphone. I suspect if you ping the smartphone from the laptop it will respond, the difference being directed vs broadcast packets.


The WiFi of the router is running as a separate internal interface which is at the same level as the interface feeding the OpenWRT router's switch ports, meaning all packets are untagged as far as the router's WiFi is concerned, and the switch ports provide the necessary tagging as those packets are fed to and from the AP and end clients.


In order for it to work the same way from an SSID-connected device, you'd have to configure specific forwarding rules on the router for your port scanning software (is it using ARPs?) to force them out all interfaces. Not super familiar with OpenWRT bolted onto Omada, but it may also have some 'client isolation' defaults that protect VLAN'd subnets from talking with each other.

<< Paying it forward, one juicy problem at a time... >>
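The directed-vs-broadcast point above is the crux of the whole thread, so here is a small added model (not from the thread or from TP-Link/OpenWRT) of why an IP scanner that relies on ARP or broadcast pings sees nothing across VLANs even when the router's zone forwarding allows the traffic, while a unicast ping still works. The VLAN subnets and the forwarding table are constructed placeholders; the thread only gives the VLAN ids.

```python
import ipaddress

# Constructed subnet layout; the thread names VLAN16 (admin) and VLAN11
# (smartphone) but not their addresses, so these are placeholders.
VLANS = {
    16: ipaddress.ip_network("192.168.16.0/24"),  # admin VLAN / SSID
    11: ipaddress.ip_network("192.168.11.0/24"),  # smartphone VLAN / SSID
}

# Router zone forwarding as the OP describes it: the admin zone may forward
# to the other zones. Assumption: no rule in the reverse direction.
FORWARDING = {(16, 11)}

# Discovery methods that never leave the L2 broadcast domain versus routed
# unicast traffic that a firewall forwarding rule can permit.
L2_ONLY = {"arp", "broadcast-ping"}
ROUTED = {"unicast-ping", "tcp-connect"}


def vlan_of(ip: str) -> int:
    """Map an address to the VLAN whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any configured VLAN")


def discoverable(src: str, dst: str, method: str) -> bool:
    """True if a scan from src can see dst using the given method."""
    s, d = vlan_of(src), vlan_of(dst)
    if method in L2_ONLY:
        # ARP and broadcast pings stay inside the VLAN; a router does not
        # re-broadcast them into another subnet whatever the firewall allows.
        return s == d
    if method in ROUTED:
        # Unicast crosses the router and is subject to zone forwarding.
        return s == d or (s, d) in FORWARDING
    raise ValueError(f"unknown method {method}")


def scan_report(src: str, dst: str) -> dict:
    """Per-method visibility of dst from src, e.g. laptop -> smartphone."""
    return {m: discoverable(src, dst, m) for m in sorted(L2_ONLY | ROUTED)}


if __name__ == "__main__":
    for m, ok in scan_report("192.168.16.10", "192.168.11.20").items():
        print(f"{m:15s} {'seen' if ok else 'not seen'}")
```

The practical check this models: when a scanner shows nothing across VLANs, try a plain unicast ping (or a TCP connect) before concluding that the AP or the firewall is dropping the traffic.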
Re:Omada EAPs block traffic that are allowed on the firewall ?
2022-05-28 12:54:05

@d0ugmac1 Thank you very much for your explanation. You are right, the EAPs are connected to OpenWRT over a trunk port. It's still strange, I had thought that the router untags incoming tagged packets and sends outgoing ones with a tag. But it's true, as long as I'm on the wifi of the router, there is no tagging.


The IP scanner I use is Angry IP Scanner; it uses ping, but something else in addition to it, depending on the platform. I use a MacBook Pro 2012, and the result is different if I run it on Win 8.1.


In the end, I just used FTP, and found out that at least file transfer is allowed/blocked as I intended, so I decided that's enough.
