ACL not working
Well, I have some concern about making another post on this forum, because I'm totally discouraged by how Omada products are supported. In the past I have made several posts, and after a horrible experience I decided to quit the community to save my mental health. My most famous post is this mDns Service one, and we are still waiting, but there are others where TP-Link didn't do anything.
I give it another chance, but...
My setup is: TL-R605 (router) / TL-SG2428P (Switch) / 5 EAPs / OC200
After having moved to pfSense with a wonderful experience I decided for some unhappy reason to try to go back to the horrible TL-R605, but anyway the point of this post is not this.
Today I tried a simple Switch ACL:
Scope: Have the TVCC NVR only accessible from selected devices.
Here is the testing setup:
- I have the TVCC NVR connected to a switch port in its own VLAN named TVCC. The NVR also has a fixed IP address.
- I have 2 computers both connected to their own VLAN named PC. Both computers with a fixed IP address.
- Wanted only computer 1 (PC1) to have access, and no other device to have it.
What I have done in principle is:
Switch ACL in order:
1) IP-address_PC1 -> permit -> TVCC_IP-address
2) IPGroup_Any -> deny -> TVCC_IP-address
This blocks everything; when I disable rule 2) I have communication again, but of course nothing is blocked.
Then I tried all kinds of combinations, replacing individual IP addresses with VLANs, like:
1) IP-address_PC1 -> permit -> TVCC_Network
2) IPGroup_Any -> deny -> TVCC_IP-address
1) IP-address_PC1 -> permit -> TVCC_Network
2) IPGroup_Any -> deny -> TVCC_Network
1) PC-Network -> permit -> TVCC_Network <- even if in this case I am allowing not just PC1 but all PCs, but ok, just to try
2) IPGroup_Any -> deny -> TVCC_Network
Also tried all the combinations with MAC addresses; here below just one as an example, as I don't want to get too long:
1) Mac_PC1 -> permit -> Mac_TVCC
2) IPGroup_Any -> deny -> TVCC_IP-address
Nothing!
I was thinking of a bug in the predefined IPGroup_Any, so I created a group called IP-ALL defined as 0.0.0.1/1 and replaced IPGroup_Any with it; the result in this case is that nothing is blocked by rule 2) IP-ALL -> deny -> TVCC-IP-address (or TVCC_Network).
So what to say? What a nightmare AGAIN and AGAIN...
Overall, during this experience I noted UI bugs: after creating the rules and moving them up and down, they were not moving accordingly, and if you press edit on a rule it opens another one; the only fix is to reload the page.
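As an added illustration (not from the post or from TP-Link), here is a first-match, stateless ACL evaluator in Python run over the rule sets listed above, with constructed 192.168.x.x addresses standing in for the NVR and the two PCs. It shows the decision each rule set should yield per direction under plain first-match semantics, and that a group defined as 0.0.0.1/1 only covers 0.0.0.0-127.255.255.255, so it never matches addresses like these.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (assumed, not from the post) standing in for the lab.
TVCC_NET = ipaddress.ip_network("192.168.20.0/24")   # VLAN "TVCC"
NVR = ipaddress.ip_address("192.168.20.10")          # NVR, fixed address
PC1 = ipaddress.ip_address("192.168.10.11")          # PC1, VLAN "PC"
PC2 = ipaddress.ip_address("192.168.10.12")          # PC2, VLAN "PC"
ANY = ipaddress.ip_network("0.0.0.0/0")              # behaves like IPGroup_Any
# The post's hand-made "IP-ALL" group: 0.0.0.1/1 normalises to 0.0.0.0/1,
# which only spans 0.0.0.0-127.255.255.255, so 192.168.x.x is outside it.
IP_ALL = ipaddress.ip_network("0.0.0.1/1", strict=False)

@dataclass(frozen=True)
class Rule:
    src: object   # IPv4Address (single host) or IPv4Network (group/VLAN)
    action: str   # "permit" or "deny"
    dst: object

def matches(selector, addr):
    """A network selector matches by membership, a host selector by equality."""
    if isinstance(selector, ipaddress.IPv4Network):
        return addr in selector
    return addr == selector

def evaluate(rules, src, dst, default="permit"):
    """First-match, stateless evaluation of one packet direction.

    Returns (action, rule_number); rule_number is None when no rule matched
    and the default action was applied.
    """
    for number, rule in enumerate(rules, start=1):
        if matches(rule.src, src) and matches(rule.dst, dst):
            return rule.action, number
    return default, None

def check_intent(rules):
    """Decision per flow the post cares about, including the NVR's replies."""
    return {
        "pc1->nvr": evaluate(rules, PC1, NVR)[0],
        "pc2->nvr": evaluate(rules, PC2, NVR)[0],
        "nvr->pc1": evaluate(rules, NVR, PC1)[0],  # reverse direction, no rule covers it
    }

# The rule sets from the post, in the order they were entered.
RULESET_HOST = [Rule(PC1, "permit", NVR), Rule(ANY, "deny", NVR)]
RULESET_NET = [Rule(PC1, "permit", TVCC_NET), Rule(ANY, "deny", TVCC_NET)]
RULESET_IP_ALL = [Rule(PC1, "permit", NVR), Rule(IP_ALL, "deny", NVR)]
```

Because a switch ACL is stateless, each direction is judged on its own, so checking the NVR's reply direction separately is part of verifying any such rule set.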