Limiting client's external (internet) access
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Admittedly Omada newbie with limited advanced networking knowledge.
I've redone part of my home network.
I've got the ISPs modem/router (Bell HomeHub 2000) using its own SSID which nothing is connected to (I only connect to it to configure the ISP router when needed). It's plugged into the uplink of my switch.
It feeds an unmanaged POE+ switch (non tolink)
It has the OC200 Omada controller plugged into it, and also feeds three eap615s.
All the EAPs have a similar SSID which I use for all home networking which is different than the main ISP router.
I also have the eap615 ETH2 port feeding a hikvision NVR which has three Poe cameras on it. I have no cloud service for saving the cameras, but the HIKVISION App can access the cameras and NVR from anywhere, which is fine, but also a problem.
PROBLEM1:
Even when I'm not accessing the cameras remotely for days, there seems to be a LOT of internet activity using up my internet bandwidth on the cameras. I technically don't need internet access externally unless I'm travelling or there's some alert. I don't mind intrAnet traffic (checking at home for example), but is there a way to block external traffic to devices (unless I enable it remotely), while still allowing internal access? When I use the BLOCK feature on the Omada App or cloud it works, but it also fully blocks internal access. Thoughts?
PROBLEM2:
My Alexa echos are gobbling up a lot of bandwidth in the last couple months despite not really using them. It shows up in the Omada Cloud and they are using around 1-4GB in a day (a lot of upload oddly, but more download). These are simply audio devices on which we might play music on one of them at night. No video. So if I plug a router with Gargoyle (which allows quota limits) fed by an EAP615, am I able to see all devices plugged into that router still?
That's how I started, ER605 + 2208P, I later wished I'd started with the 2210P, because I quickly gobbled up the 4 POE capable ports on the 2008P with the OC200 and 3 APs, but then wanted to add a few cameras and that got messy. They have about the same power budget (~60W), but all 8 ports on the 2210P support POE devices and you can power cycle each port independently. For future proof...if you have the extra $30...I'd start with the 2210P. Of course my EAP615wall and EAP225-outdoors typically only consume about 3.5W each, the other EAP6xx devices may consume more.
Let's say you have the unmanaged plugged into port 4 of the 2210P and it uplinks via port 8 to the ER605 port 5. Your controller will report (and show in map view) ER605.port5---> 2210P.port8. However all devices plugged into any port on the unmanaged switch, will show as being connected to 2210P.port 4. Not a huge deal and because your ER605 will be managing DHCP and the like, each device will get reported on (by MAC and/or IP) independently in the controller. Also note that devices connected to the LAN ports of the APs will likely report as belonging to the same 2210P port that the AP is connected to, however, the firmware has had issues with assigning VLANs and reporting on these ports from the beginning. You should still see the device as a Client, but you may not see it in the Topology Map.
The difference in putting the unmanaged switch between the ER605 and the 2210P is that you can no longer disable it, or apply ACLs to devices attached to it with the same granularity as having the ER605-->2210P-->unmanaged topology which is what I'd recommend.
Below you'll see my 2210P driving 2 x EAP225-outdoor, 1xEAP615 Wall and 1 x OC200 and I'm only using about 1/4 of the available POE budget.
