Omada ACL blocks both ways

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-05 20:22:36 - last edited 2023-03-14 02:55:16
Tags: #ACL

Hi.


I am trying to block some VLANs from certain parts of the network using ACL within Omada, but am having some issues. For example, if I want to restrict access from VLAN1 to VLAN2, but allow from VLAN2 to VLAN1, I can only get this working by adding a gateway network ACL. If I add a similar rule in the Switch ACL section, that rule will block both ways, even though it is only set up to work one way.


For a simple network rule like the example above, a gateway ACL seems to be a simple solution to the problem; however, this solution lacks more advanced options like IP Groups or targeting specific ports. For this you must use switch ACLs, and it should be possible. It's possible in other similar products, and Omada even includes a bidirectional option when creating ACLs, which makes no sense if unidirectional is not possible.


What am I missing?

#1
Re:Omada ACL blocks both ways
2023-03-05 22:46:08
It won't. I have the same issue. I want to be able to get from my user VLAN to my IoT VLAN but not the other way.
#2
Re:Omada ACL blocks both ways
2023-03-06 08:04:29

Hi @dbergloev


Currently only the router supports Stateful ACL.

This has been forwarded to the developer team for further evaluation.


Subscribe to the following post to get the newest firmware notification for your Omada router :)

Current ER605 / ER7206 / ER8411 Firmware Releases - [Constantly Updated]


Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
#3
Re:Omada ACL blocks both ways
2023-03-16 13:02:41 - last edited 2023-03-16 13:03:31

@Hank21 How is it possible that the ACL is not working properly on an industrial-rated system? Now we are not able to do the following: get from a user VLAN to an IoT VLAN and not the other way around. I am trying a workaround with IP groups for now and hope to test it properly this afternoon.
Is it right to say that the one-way permit or deny in the ACL is not working properly? I am working with Switch ACLs.

Is there an official workaround for this issue? 

#4
Re:Omada ACL blocks both ways
2023-03-16 14:05:36

Hi @Robert642 


A network connection is two-way communication. If you block one way, then the opposite direction won't work.


Stateful ACL means the router can verify this connection was "started" from this network, then allow the "reply traffic" even if there is a "blocked" rule.


TP-Link keeps improving the firmware and router functions. But currently the switch ACL is a strict ACL, with no "excess permit" for connections started from the specified VLAN.

Best Regards!
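As an added illustration of the point Hank21 makes above (and of the original question), the following Python model is not Omada's code and is not part of this thread: it feeds the three packets of a TCP handshake through a stateless "strict" ACL and through a stateful one. The VLAN names, port numbers, the single rule "deny VLAN1 -> VLAN2" and the implicit permit-by-default are all assumptions constructed for the example. It shows why a rule written for one direction still breaks the connection in both: the stateless ACL lets the SYN from VLAN2 through but drops the SYN-ACK coming back from VLAN1, whereas the stateful ACL remembers that the connection was started from VLAN2 and permits the reply, while still refusing a connection started from VLAN1.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed model, not Omada's implementation: how a stateless ("strict")
# ACL and a stateful ACL treat the two directions of one TCP connection.
# VLAN names, ports and the rule below are assumptions for illustration.


@dataclass(frozen=True)
class Packet:
    src_vlan: str
    dst_vlan: str
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    src_vlan: str
    dst_vlan: str
    action: str  # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return pkt.src_vlan == self.src_vlan and pkt.dst_vlan == self.dst_vlan


# Intended policy: hosts in VLAN1 may not open connections to VLAN2.
RULES = [Rule("VLAN1", "VLAN2", "deny")]


def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    """Strict ACL: each packet is judged only on its own header; first match wins.
    Permitting when no rule matches is an assumed default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "permit"


class StatefulACL:
    """Stateful ACL: remembers connections that were permitted when they started
    and lets their reply packets through even if a deny rule matches the reply."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conntrack: set = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src_vlan, pkt.src_port, pkt.dst_vlan, pkt.dst_port)
        reverse = (pkt.dst_vlan, pkt.dst_port, pkt.src_vlan, pkt.src_port)
        if reverse in self.conntrack:
            return "permit"  # reply traffic of a known connection
        action = stateless_decide(self.rules, pkt)
        if action == "permit" and pkt.syn and not pkt.ack:
            self.conntrack.add(forward)  # connection "started" from this side
        return action


def tcp_handshake(client_vlan: str, server_vlan: str) -> List[Packet]:
    """SYN, SYN-ACK, ACK for a client in client_vlan reaching a server in server_vlan."""
    return [
        Packet(client_vlan, server_vlan, 51515, 443, syn=True),
        Packet(server_vlan, client_vlan, 443, 51515, syn=True, ack=True),
        Packet(client_vlan, server_vlan, 51515, 443, ack=True),
    ]


def simulate_handshake(decide: Callable[[Packet], str], client_vlan: str,
                       server_vlan: str) -> Tuple[bool, List[str]]:
    """Feed the handshake through `decide` in order and stop at the first drop:
    a host never sends the next packet if the previous one never arrived."""
    verdicts: List[str] = []
    for pkt in tcp_handshake(client_vlan, server_vlan):
        verdict = decide(pkt)
        verdicts.append(verdict)
        if verdict == "deny":
            return False, verdicts
    return True, verdicts


def check(acl_kind: str, client_vlan: str, server_vlan: str) -> Tuple[bool, List[str]]:
    """Run one handshake through a fresh ACL of the given kind ('stateless' or 'stateful')."""
    if acl_kind == "stateful":
        decide = StatefulACL(RULES).decide
    else:
        decide = lambda pkt: stateless_decide(RULES, pkt)
    return simulate_handshake(decide, client_vlan, server_vlan)


if __name__ == "__main__":
    for kind in ("stateless", "stateful"):
        for client, server in (("VLAN2", "VLAN1"), ("VLAN1", "VLAN2")):
            established, verdicts = check(kind, client, server)
            print(f"{kind:9} {client}->{server}: established={established} {verdicts}")
```

Running it shows the stateless ACL establishing neither connection (the one opened from VLAN2 dies at the SYN-ACK), while the stateful ACL establishes the VLAN2-initiated connection and still refuses the VLAN1-initiated one. That is the difference Hank21 describes between the router and the switch, and it is why a switch rule that is configured one way appears to block both ways.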
#5
Re:Omada ACL blocks both ways
2023-03-16 14:55:38

@Hank21 Well, I hope this gets added in the near future, because IoT is the main cause for setting up VLANs, and you do want to access IoT devices.


Also, why are IP groups not an option on gateway ACL?

#6