Well, I have some concern to make again a post on this forum, because I'm totally discouraged of from how Omada products are supported. In past I have done several posts and after horrible experience I decided to quit the community to save my mental health. My most famous post is this mDns Service and we are still waiting, but there are others where TP-Link didn't do nothing.

 

I give it another chance, but...

 

My setup is: TL-R605 (router) / TL-SG2428P (Switch) / 5 EAPs / OC200

 

After having moved to pfSense with a wonderful experience I decided for some unhappy reason to try to go back to the horrible TL-R605, but anyway the point of this post is not this.

 

Today I tried a simple Switch ACL:

 

Scope: Have the TVCC NVR only accessible from selected devices.

 

Here is the testing setup:

- I have the TVCC NVR connected to a switch port in it's own VLAN named TVCC. The NVR has aswell a fixed IP address.

- I have 2 computers both connected to their own VLAN named PC. Both computers with a fixed IP address.

- Wanted to have only computer 1 (PC1) to have access and any other device have it.

 

What I have done in principle is:

 

Switch ACL in order:

1) IP-address_PC1 -> permit -> TVCC_IP-address

2) IPGroup_Any -> deny -> TVCC_IP-address

 

This blocks everything; when I disable rule 2) I have communication again but of course not blocking anything

 

then I tried all kind of combination replacing individual IP addresses with VLAN like:

 

1) IP-address_PC1 -> permit -> TVCC_Network

2) IPGroup_Any -> deny -> TVCC_IP-address

 

1) IP-address_PC1 -> permit -> TVCC_Network

2) IPGroup_Any -> deny -> TVCC_Network

 

1) PC-Network -> permit -> TVCC_Network          <- even if in this case I allowing not just the PC1 but all PC, but ok just for try

2) IPGroup_Any -> deny -> TVCC_Network

 

Also tried with all the combination of MAC addresses like, here below just 1 as example as i don't want to get long and long:

1) Mac_PC1 -> permit -> Mac_TVCC

2) IPGroup_Any -> deny -> TVCC_IP-address

 

Nothing!

 

I was thinking into a but of the predefined IPGroup_Any, so I created a group called IP-ALL defined as 0.0.0.1/1 and replaced IPGroup_Any with it, the result in this case is that nothing is blocked from rule 2) IP-ALL -> deny -> TVCC-IP-address (or TVCC_Network).

 

So what to say ? What a nightmare AGAIN and AGAIN....

 

Overall during this experience I noted UI bugs that after creating the rules and moving up and down they were not moving accordingly and if you press edit on a rule it open another and the only fix is to reload the page.