ACL on Omada with EAP245 and ER605

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-02-28 07:20:32 - last edited 2023-03-14 02:59:47
Tags: #ACL

Hello,

I'm using the software Omada Controller on a Raspberry Pi with EAP245's and an ER605 Router - all adopted in Omada.

I need to prevent Internet Access for a few devices from 6PM to 8AM. I have tried using ACL to do this but it prevents the entire network from accessing the Internet.

Can someone guide me on how to do this? I think the problem lies in the IP group - it asks for a subnet and I'm not sure what I need to enter here. I would just like to block a few IPs / MAC Addresses.

Thanks.

#1
1 Accepted Solution
Re:ACL on Omada with EAP245 and ER605-Solution
2023-02-28 18:16:57 - last edited 2023-03-01 05:42:01

@msb1

You have some choices, but let's say you have 3 teenagers you want to get some sleep. You can either corral them into a small block of IPs and then operate on that, or you can add them as individual hosts (either way, you want to have a DHCP reservation for the MAC addresses of those devices or this won't work permanently).

Adding 3 users to a Profile:

[screenshot: 3users]

Or if you statically assigned them IP addresses in the controller in a contiguous block, say 192.168.1.243, 192.168.1.244 and 192.168.1.245, you can treat this block as a small subnet like this:

[screenshot: smallblock]

What this does is apply a filter so that all IP addresses from 192.168.1.240 through 192.168.1.247 are managed at once.

Then you simply apply your newly created Profile->Group to your ACL rule.

Now teenagers being teenagers, the very first thing they will do is statically configure their devices to a different unmanaged IP in the same subnet and circumvent all your good work. So what you really want to do is operate on their MAC addresses (unique to the hardware and much harder to change).

Same basic idea but now you add the MACs to the Profile instead of the IPs. You can get the MAC corresponding to the client from the 'Clients' page on your controller.

[screenshot: macgroup]

<< Paying it forward, one juicy problem at a time... >>
Recommended Solution
#2
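The three ways of building the group that the accepted solution describes (three individual hosts, one /29 block, or the MAC addresses) behave differently once a device changes its own IP, and the 6PM to 8AM window wraps past midnight, which a naive time comparison gets wrong. The following is an added example, not the Omada rule engine or anything from the thread: the rule model, the group class, the function names and the MAC addresses are all assumptions and constructed sample data, with only the three reserved IPs and the 192.168.1.240/29 block taken from the reply above.

```python
import ipaddress
from datetime import time

# Added illustration of how a scheduled "deny Internet" ACL rule with an
# IP-group or MAC-group source matches clients. The rule model and names are
# assumptions for this example, not Omada's own engine or API; the MAC
# addresses below are constructed sample values.

CURFEW_START = time(18, 0)   # 6PM
CURFEW_END = time(8, 0)      # 8AM the next morning


def in_window(now, start=CURFEW_START, end=CURFEW_END):
    """True when clock time `now` lies in [start, end).
    A window whose end precedes its start (18:00 -> 08:00) wraps past
    midnight; a plain `start <= now < end` would never match at 23:00."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


class SourceGroup:
    """A Profile -> Group: a list of CIDR networks and/or MAC addresses."""

    def __init__(self, cidrs=(), macs=()):
        self.nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.macs = {m.lower() for m in macs}

    def matches(self, ip, mac):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets) or mac.lower() in self.macs


def internet_allowed(ip, mac, now, group):
    """Deny while the client is in the group during the curfew; otherwise the
    rule does not match and the implicit permit applies."""
    return not (group.matches(ip, mac) and in_window(now))


# The three curfew devices: DHCP-reserved IPs mapped to (constructed) MACs.
TEENS = {
    "192.168.1.243": "aa:bb:cc:00:00:01",
    "192.168.1.244": "aa:bb:cc:00:00:02",
    "192.168.1.245": "aa:bb:cc:00:00:03",
}

HOST_GROUP = SourceGroup(cidrs=[f"{ip}/32" for ip in TEENS])   # three /32 hosts
BLOCK_GROUP = SourceGroup(cidrs=["192.168.1.240/29"])           # .240-.247 as one block
MAC_GROUP = SourceGroup(macs=TEENS.values())                    # by hardware address


def evasion_demo():
    """A curfew device that statically moves itself to 192.168.1.50 at 23:00
    keeps its MAC, so only the MAC-based group still blocks it."""
    mac = TEENS["192.168.1.243"]
    at = time(23, 0)
    return {
        "host_group_blocks": not internet_allowed("192.168.1.50", mac, at, HOST_GROUP),
        "block_group_blocks": not internet_allowed("192.168.1.50", mac, at, BLOCK_GROUP),
        "mac_group_blocks": not internet_allowed("192.168.1.50", mac, at, MAC_GROUP),
    }


def collateral_demo():
    """Addresses the /29 shortcut blocks that the three-host group does not:
    the other five addresses in 192.168.1.240/29 get the curfew as well."""
    at = time(23, 0)
    return [str(a) for a in ipaddress.ip_network("192.168.1.240/29")
            if not internet_allowed(str(a), "00:00:00:00:00:00", at, BLOCK_GROUP)
            and internet_allowed(str(a), "00:00:00:00:00:00", at, HOST_GROUP)]


def boundary_demo(ip="192.168.1.243", group=HOST_GROUP):
    """Blocked (True) or allowed (False) at the edges of the 18:00-08:00 window."""
    mac = TEENS[ip]
    checks = (time(17, 59), time(18, 0), time(23, 59), time(0, 0),
              time(7, 59), time(8, 0), time(12, 0))
    return {f"{t.hour:02d}:{t.minute:02d}": not internet_allowed(ip, mac, t, group)
            for t in checks}


if __name__ == "__main__":
    print("evasion:   ", evasion_demo())
    print("collateral:", collateral_demo())
    print("boundaries:", boundary_demo())
```

The evasion result is the point of the reply: an IP group (hosts or block) stops matching as soon as the client picks an unreserved address, while the MAC group still does. The collateral list is the price of the /29 shortcut: five addresses nobody intended to curfew fall inside the block, so leave them out of the DHCP pool or use per-host entries.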
Re:ACL on Omada with EAP245 and ER605
2023-03-01 02:14:55

  @d0ugmac1 

Thank you so much. I will try that.

How do you determine what comes after the /?

Thanks

#3
Re:ACL on Omada with EAP245 and ER605
2023-03-01 03:48:03

@msb1 my pleasure :)

Google CIDR for details, but basically it represents the subnet mask of the subnet in question. An IPv4 subnet mask is made of 4 bytes, each with 8 bits, so 32 in total.

You may be familiar with a subnet mask of say 255.255.255.0? Well that's a /24, because the first 24 bits are ones, for example:

11111111.11111111.11111111.00000000

The /29 I used in my example is the same as a 255.255.255.240 because only the last 3 bits are zeroes.

A unique host IP is defined as a network of 255.255.255.255 or /32.

HTH

<< Paying it forward, one juicy problem at a time... >>
#4
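The prefix-length arithmetic from the reply above, carried through in code as an added example (stdlib Python, not anything from the Omada controller or the thread; the function names are this example's own). Writing the mask out bit by bit as the reply does, a /29 with only the last three bits zero is 255.255.255.248, and 255.255.255.240 is the /28 with four zero bits. The block also finds the smallest CIDR covering a set of reserved addresses, which is how 192.168.1.243-.245 become 192.168.1.240/29, and lists the extra addresses that block sweeps in.

```python
import ipaddress

# Added example of the CIDR arithmetic behind the Profile -> Group subnet
# field. Plain stdlib Python, not Omada code; the host addresses are the
# three from the thread.


def prefix_to_mask(prefix):
    """Dotted-decimal mask for an IPv4 prefix length: the first `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def mask_bits(prefix):
    """The mask written out bit by bit, e.g. 11111111.11111111.11111111.00000000 for /24."""
    packed = ipaddress.IPv4Address(prefix_to_mask(prefix)).packed
    return ".".join(f"{b:08b}" for b in packed)


def mask_to_prefix(mask):
    """Inverse of prefix_to_mask; rejects masks whose ones are not contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a valid subnet mask")
    return ones


def covering_block(hosts):
    """Smallest single CIDR block that contains every address in `hosts`."""
    addrs = sorted(ipaddress.IPv4Address(h) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    for prefix in range(32, -1, -1):        # longest prefix first = smallest block
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


def collateral(hosts, net):
    """Addresses the block also matches that were not in the intended host list."""
    wanted = {ipaddress.IPv4Address(h) for h in hosts}
    return [str(a) for a in net if a not in wanted]


if __name__ == "__main__":
    teens = ["192.168.1.243", "192.168.1.244", "192.168.1.245"]
    block = covering_block(teens)
    print(f"{block} = mask {prefix_to_mask(block.prefixlen)} = {mask_bits(block.prefixlen)}")
    print("also covers:", collateral(teens, block))
    for p in (24, 28, 29, 32):
        print(f"/{p} -> {prefix_to_mask(p)} ({mask_bits(p)})")
```

When entering a block rather than individual /32 hosts, check the `collateral` list against the DHCP pool: anything the controller may hand out from that range will be blocked on the same schedule.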
Re:ACL on Omada with EAP245 and ER605
2023-03-01 05:41:42 - last edited 2023-03-01 05:53:57

Perfect, cheers.

Option 1 seems to work. I have bound the MAC for the devices with IPs and used the IPs in the rule.

There seems to be no way to use MAC addresses for ACL for Gateways. This option for some reason only shows for Switches and I'm not using one.

#5
Re:ACL on Omada with EAP245 and ER605
2023-03-01 13:46:21

@msb1

Yes, the current Gateway ACLs are quite limited in my experience. I had to buy and add a switch just to isolate two VLANs from each other as the gateway was incapable of doing it in Controller mode.

<< Paying it forward, one juicy problem at a time... >>
#6