Limiting client's external (internet) access

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-18 14:29:21
Tags: #Internet remote access
Model: EAP615-Wall  

Admittedly Omada newbie with limited advanced networking knowledge.

 

I've redone part of my home network.

 

I've got the ISP's modem/router (Bell HomeHub 2000) using its own SSID which nothing is connected to (I only connect to it to configure the ISP router when needed). It's plugged into the uplink of my switch.

 

It feeds an unmanaged PoE+ switch (non-TP-Link).

 

It has the OC200 Omada controller plugged into it, and also feeds three EAP615s.

 

All the EAPs have a similar SSID which I use for all home networking which is different than the main ISP router.

 

I also have the EAP615 ETH2 port feeding a Hikvision NVR which has three PoE cameras on it. I have no cloud service for saving the cameras, but the HIKVISION App can access the cameras and NVR from anywhere, which is fine, but also a problem.

 

PROBLEM1:

Even when I'm not accessing the cameras remotely for days, there seems to be a LOT of internet activity using up my internet bandwidth on the cameras.  I technically don't need internet access externally unless I'm travelling or there's some alert.  I don't mind intrAnet traffic (checking at home for example), but is there a way to block external traffic to devices (unless I enable it remotely), while still allowing internal access?   When I use the BLOCK feature on the Omada App or cloud it works, but it also fully blocks internal access.  Thoughts?

 

PROBLEM2:

My Alexa echos are gobbling up a lot of bandwidth in the last couple months despite not really using them.  It shows up in the Omada Cloud and they are using around 1-4GB in a day (a lot of upload oddly, but more download).  These are simply audio devices on which we might play music on one of them at night.  No video.  So if I plug a router with Gargoyle (which allows quota limits) fed by an EAP615, am I able to see all devices plugged into that router still?

#1
Re:Limiting client's external (internet) access
2023-03-19 00:30:38

  @Gjjb 

 

Hey

 

The limiting of internet access / speed is primarily the role of the Gateway in Omada, which unfortunately you do not have. It's highly unlikely your Bell HomeHub would support this. You would need something like an ER605 to control bandwidth to the clients.

 

The problem also occurs because the switch is not managed: you cannot create ACLs or VLANs. These would allow you to restrict the network speed and limit the traffic.

 

To do this correctly you would need to implement at least a gateway (ER605 for example); you can then set speed limits on the devices individually and this would be a start. Ideally, the solution for you is VLANs with bandwidth controls, but this would require a gateway and switch.

#2
Re:Limiting client's external (internet) access
2023-03-19 14:25:32

  @Gjjb 

 

I doubt very much that your cameras are causing your outbound traffic issues. It's almost certainly your Alexa devices... big brother IS listening 24/7 after all, and honestly these devices are not really suitable for a capped connection. I know the HH2000 is an older device and you are almost certainly on DSL with Bell... I also noticed they charge a LOT more for their 'unlimited' than the 100G/mon capped service. You could switch to an alternate provider, like Teksavvy (I own no shares, subscribe to no services and get no benefit whatsoever from mentioning them) or you can unplug the Alexas. For what it's worth, no ACL is going to be able to filter the difference between "Alexa, Play XXXX" and "Honey, I was thinking we should really get a YYYY this year" from hitting the internet.

<< Paying it forward, one juicy problem at a time... >>
#3
Re:Limiting client's external (internet) access
2023-03-31 14:06:06 - last edited 2023-03-31 14:49:31

Great advice...

 

Here's what I'm looking to perhaps do next then, but I'll first show my current network and my possible additions... (and also I have a wired device blind spot??)

 

CURRENT SETUP: 

ISP > Bell HH2000 Router (its own SSID) > non-Omada Switch (see model below) >> which then feeds:

 

a > EAP615-Wall

b > EAP615-Wall

c > EAP615-Wall (not yet installed, but soon enough)

d > EAP655-Wall (not yet installed, but soon enough)

e > OC200 Omada Controller

f > Hikvision NVR (which in turn feeds 3 PoE cameras)

 

Problem with the above (beyond what you already answered for me in this thread - thank you so much btw) is no ability to turn off ports or manage throughputs, though I CAN manage the EAP-connected devices, except the NVR.

 

Question 1: When I plug the NVR feed into the EAP615's wired port (it has 3), I never see anything under "Wired" when I select that EAP in the OC200 Omada App... it just shows blank... yet I can access those cameras / NVR remotely, so obviously data is moving through the EAP615. What does "Wired" mean under the EAP in the app then??? Or how do I 'see' wired devices?

 

Here's the Non-Omada Switch, as FYI:

YuanLey 11 Port Gigabit PoE Switch, 8 PoE+ Port 1000Mbps, 2 Gigabit Uplink, 1 SFP Port, 120W 802.3af/at, Metal, Qos, Unmanaged Plug and Play AI Smart Detection Ethernet Switch

 

FUTURE SETUP:???

Should I be looking at an ER605 Router (and just use the ISP's as a modem)?

AND/OR also add a SG2008P PoE+ switch?? (I might get a SG2210MP due to needing to feed power to the 4 EAPs).

(or the SG2008 (non-PoE+) which is much cheaper, and feed my current YuanLey PoE+ switch from that)?

 

Question 2: What does getting both Router & Switch do for me over just getting a switch? My interest is the Omada cloud's ability to manage things remotely. So perhaps the Router with existing Switch is fine?  Or just a new SG2008 Switch feeding my own POE+ Switch?

Among other abilities, I would like to be able to completely shut down the NVR feed (from the switch or EAP port) remotely to prevent inexplicable internet data usage (the cameras still record as they are connected to the NVR PoE feeds directly), and only turn that NVR feed on via the Omada Cloud App when I choose to check in if needed.

 

Thoughts?

#4
Re:Limiting client's external (internet) access
2023-03-31 19:23:32

  @Gjjb 

 

For the sake of $70 (newegg dot ca) for the ER605, you would get a richer Omada experience. Same for the SG2008P / SG2210P (not sure I'd fork out for the SG2210MP for your setup)... you'd get port-level stats and the ability to power cycle individual PoE ports via the controller/app. Put the HH2000 in bridge mode and away you go. You can keep using your unmanaged PoE switch, but all devices connected to it will report as being connected to the first managed upstream port (you'll get summarized data).

<< Paying it forward, one juicy problem at a time... >>
#5
Re:Limiting client's external (internet) access
2023-03-31 19:36:42

  @d0ugmac1  Thank you!  That helps a lot.

#6
Re:Limiting client's external (internet) access
2023-03-31 20:06:36 - last edited 2023-03-31 20:36:02

  @d0ugmac1 

 

Thank you....

Sorry, one more question (and assume I will grab both the ER605 and the SG2210P with the uplinks)...

 

When you stated

"You can keep using your unmanaged POE switch, but all devices connected to it will report as being connected to the first managed upstream port (you'll get summarized data)"

which I assume is connected to the SG2210P, though all devices are shown as connected to the 1st managed port (on the 2210P I assumed, and not the ER605), will I still be able to see each device IP / MAC etc. via the cloud? And is the same true if I plug the Unmanaged Switch into the ER605? (are the ports of the ER605 simply unpowered switch ports?)

 

Is there an advantage to plugging the Unmanaged Switch into the SG2210P as opposed to the ER605?

 

Here's a possible layout (I'd be grateful for suggestions for better):

 

ISP -> ISP Modem HH2000 -> ER605 -> SG2210P -> feed the following:

1-> EAP615 -> wifi devices, but possibly the use of the built-in ethernet ports for TV, etc.

2-> EAP615 -> wifi devices, same

3-> EAP615 -> wifi devices, same

4-> Hikvision NVR ?

5-> Unmanaged Switch (which has higher PoE capacity than the SG2008) -> feeding the following:

 

           1> EAP655 -> many wifi devices

           2> Ethernet to Laptop, or whatever....

           3> Home Entertainment

           4> etc...

(NOTE:  I have a separate question posted elsewhere regarding my inability to see WIRED devices connected to my EAP615).

#7
Re:Limiting client's external (internet) access
2023-03-31 20:42:56

  @Gjjb 

 

That's how I started, ER605 + 2008P; I later wished I'd started with the 2210P, because I quickly gobbled up the 4 PoE-capable ports on the 2008P with the OC200 and 3 APs, but then wanted to add a few cameras and that got messy. They have about the same power budget (~60W), but all 8 ports on the 2210P support PoE devices and you can power cycle each port independently. For future-proofing... if you have the extra $30... I'd start with the 2210P. Of course my EAP615-Wall and EAP225-Outdoors typically only consume about 3.5W each; the other EAP6xx devices may consume more.

 

Let's say you have the unmanaged plugged into port 4 of the 2210P and it uplinks via port 8 to the ER605 port 5. Your controller will report (and show in map view) ER605.port5 ---> 2210P.port8. However, all devices plugged into any port on the unmanaged switch will show as being connected to 2210P.port4. Not a huge deal, and because your ER605 will be managing DHCP and the like, each device will get reported on (by MAC and/or IP) independently in the controller. Also note that devices connected to the LAN ports of the APs will likely report as belonging to the same 2210P port that the AP is connected to; however, the firmware has had issues with assigning VLANs and reporting on these ports from the beginning. You should still see the device as a Client, but you may not see it in the Topology Map.

 

The difference in putting the unmanaged switch between the ER605 and the 2210P is that you can no longer disable it, or apply ACLs to devices attached to it, with the same granularity as having the ER605 --> 2210P --> unmanaged topology, which is what I'd recommend.

 

Below you'll see my 2210P driving 2 x EAP225-Outdoor, 1 x EAP615-Wall and 1 x OC200, and I'm only using about 1/4 of the available PoE budget.

[Screenshot of the SG2210P PoE port status from the controller; image not included in the extracted thread.]

<< Paying it forward, one juicy problem at a time... >>
#8