Inter-VLAN Communication on Specific Ports with Gateway but no Omada Switch

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-12-31 20:43:56
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.3

I just put in my ER7206 alongside my Netgear Managed switches and my 2x EAP245 APs.

With the latest firmware, I'm happy that I can now restrict access from the IOT VLAN to the LAN without restricting the inverse. This is good and I am pleased.

One gap that I have that I'm hoping people can sort out for me is... allowing access to specific hosts on the LAN from the IOT VLAN on specific ports. Here's the Use Case:

- IOT devices leveraging my 2 Pihole instances that sit on my LAN.

The research I've done points to creating an IP-Port group and then creating a Switch ACL to permit that traffic. This doesn't work, presumably because I don't have a TP-Link Omada switch.

When I go to create a Gateway ACL and set the direction to "LAN to LAN", the option for referencing an IP Group or IP-Port Group goes away and I can only go "Network" to "Network".

I have set the direction type to "LAN to WAN" for giggles and it does then allow the IP-Port Group on the right side but it doesn't appear to work.

Is this just not possible when you don't have an Omada switch? Any guidance would be appreciated.

Thank you!

#1
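The policy asked for in this post (allow the IoT VLAN to reach only the two Pi-hole hosts on the DNS port, block everything else from IoT to LAN, leave LAN to IoT open) is easy to get wrong purely through rule ordering. The following evaluator is an added illustration, not code from this thread, from TP-Link or from the Omada controller; it assumes first-match, top-to-bottom evaluation with an implicit permit at the end (an assumption about gateway ACL semantics, stated here and in the comments), and all subnets, host addresses, group names and rule names are constructed for the example:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL entry: source network -> destination group, optional service filter."""
    name: str
    action: str                                  # "permit" or "deny"
    src: IPv4Network                             # source "Network"
    dst: Tuple[IPv4Network, ...]                 # destination "Network" or IP group (/32s)
    protocols: FrozenSet[str] = frozenset()      # empty set means any protocol
    dst_ports: FrozenSet[int] = frozenset()      # empty set means any port (an IP-Port group otherwise)

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        if src not in self.src:
            return False
        if not any(dst in net for net in self.dst):
            return False
        if self.protocols and proto not in self.protocols:
            return False
        if self.dst_ports and dport not in self.dst_ports:
            return False
        return True


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
             proto: str, dport: int, default: str = "permit") -> Tuple[str, str]:
    """First-match evaluation (assumed semantics): the first matching rule decides,
    otherwise the default applies. Only connection initiation is modelled; return
    traffic is assumed to be handled by stateful tracking."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return default, "default"


# Constructed addressing for the example (not the poster's real network).
LAN = ip_network("192.168.1.0/24")
IOT = ip_network("192.168.20.0/24")
PIHOLE_GROUP = (ip_network("192.168.1.10/32"), ip_network("192.168.1.11/32"))

# Hypothetical rules: a narrow permit for DNS to the Pi-holes and a broad deny.
ALLOW_IOT_DNS = Rule("IoT -> Pi-hole DNS", "permit", IOT, PIHOLE_GROUP,
                     frozenset({"tcp", "udp"}), frozenset({53}))
DENY_IOT_TO_LAN = Rule("IoT -> LAN deny", "deny", IOT, (LAN,))

CORRECT_ORDER = [ALLOW_IOT_DNS, DENY_IOT_TO_LAN]   # specific permit before broad deny
WRONG_ORDER = [DENY_IOT_TO_LAN, ALLOW_IOT_DNS]     # broad deny shadows the permit


def check_policy(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate a few representative flows so the ordering effect is visible."""
    iot_host = ip_address("192.168.20.50")     # constructed IoT device
    lan_host = ip_address("192.168.1.100")     # constructed LAN workstation
    pihole = ip_address("192.168.1.10")        # constructed Pi-hole
    return {
        "iot_dns_to_pihole": evaluate(rules, iot_host, pihole, "udp", 53)[0],
        "iot_ssh_to_pihole": evaluate(rules, iot_host, pihole, "tcp", 22)[0],
        "iot_http_to_lan": evaluate(rules, iot_host, lan_host, "tcp", 80)[0],
        "lan_to_iot": evaluate(rules, lan_host, iot_host, "tcp", 8123)[0],
    }


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, check_policy(rules))
```

With the permit listed first, only DNS to the two Pi-hole addresses gets through from the IoT VLAN while SSH to the same hosts and everything else toward the LAN is dropped; swap the two rules and the deny shadows the permit, so the IoT devices lose DNS as well. Whatever the controller eventually allows for LAN-to-LAN direction, the check to run after configuring it is the same: one flow that should pass, one to the same host on another port that should fail, and one in the reverse direction that should still pass.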
Re:Inter-VLAN Communication on Specific Ports with Gateway but no Omada Switch
2023-01-02 05:40:35

  @jim2cpu 

You are right. If you only have an Omada Gateway, then you cannot do LAN-to-LAN access control with the IP group you created. There are only the default "Network" IP groups.

Hope there will be an update in the future, but for now you may still need to add an Omada switch to your network.

#2
Re:Inter-VLAN Communication on Specific Ports with Gateway but no Omada Switch
2023-01-02 14:52:20

  @jim2cpu 

If you want to use IP Groups, the Direction needs to be ALL. With IP Groups and a proper Service Type (possibly custom), you may be able to set up an ACL that will do the job, but I'm not sure. I haven’t done it myself since I do not use my ER7206 for inter-VLAN routing.

Kris K
#3
Re:Inter-VLAN Communication on Specific Ports with Gateway but no Omada Switch
2023-01-02 15:35:24

  @KJK 

KJK wrote

  @jim2cpu 

If you want to use IP Groups, the Direction needs to be ALL. With IP Groups and a proper Service Type (possibly custom), you may be able to set up an ACL that will do the job, but I'm not sure. I haven’t done it myself since I do not use my ER7206 for inter-VLAN routing.

Thank you for the replies. ALL isn't an option when setting the direction on a Gateway ACL, it seems.

I may need an Omada switch to apply this at the Switch ACL level but would be open to trying any other ideas.

Not a deal breaker but a minor inconvenience.

#4
Re:Inter-VLAN Communication on Specific Ports with Gateway but no Omada Switch
2023-01-02 21:29:21

  @jim2cpu 

“ALL isn't an option when setting the direction on a Gateway ACL”

That’s disappointing. I guess they have not implemented it in Omada Controller, yet.

“I may need an Omada switch to apply this at the Switch ACL level”

I’m having trouble picturing how an ACL at the switch level can do that when the inter-VLAN routing is done by the router. I would love to learn some details of it if it works.

“but would be open to trying any other ideas.”

Try the ‘standalone’ with the router if you can. I think it would be a valuable experience even if it does not work. You can always go back to Omada Controller. That should be easy with proper configuration backups.

Kris K
#5
Re:Inter-VLAN Communication on Specific Ports with Gateway but no Omada Switch
2023-01-03 01:48:29

KJK wrote

  @jim2cpu 

Try the ‘standalone’ with the router if you can. I think it would be a valuable experience even if it does not work. You can always go back to Omada Controller. That should be easy with proper configuration backups.

  @KJK 

I don't think I'm going to try it in standalone mode given the family impacts of any network change. With a very connected household with two teenagers gaming and TikToking 24/7/365, I need to pick my spots. :-)

I think I'll wait to see how the controller advances in the months ahead, not to mention additional firmware releases for the ER7206.

... and I'm still willing to try other configurations with what's available today to see if I can make this use case work.

Cheers.

#6