Knowledge Base: Secluded Wireless VLAN Configuration for Omada
Hello All.
I have added a new section/feature to the design I shared earlier. You can find the 1st revision (Gateway ACL-focused) and the 2nd revision (added Switch ACLs for granular access) here, and after that I added an Isolated VLAN (wired only; like Guest WiFi, clients can't ping each other). In this revision, I have added a new VLAN for Secluded WiFi.
Use Case (Refer to the Table/Diagram below):
The Secluded Wireless VLAN prevents wireless clients from seeing their peers/neighbors in the same VLAN while still giving them Internet access, and it allows granular access to those clients (in this example, Admin VLAN hosts can VNC to the WiFi clients). Users who implemented the Isolated VLAN design (refer to Switch ACLs #5-#7 below) found that using the same/similar ACLs and applying them to the EAP didn't work as they expected: the WiFi clients could still always see each other in the same VLAN. In this revision, the solution is simply to "poke" a hole in the Guest Network feature.
I have listed all the ACLs needed below, along with the layout. If you want to see the ACLs in action, I have uploaded a video; the testing and demo are in Part 7 of the video.
VLAN Info:
- VLAN 1-Admin (192.168.1.x) - this is the Native/Default VLAN 1. Access to all VLANs; granular access to the IoT VLAN with VNC and SSH, and to the Secluded WiFi VLAN with VNC
- VLAN 10-Home (192.168.10.x) - Access to all except the Admin VLAN; granular access to the IoT VLAN with VNC and SSH
- VLAN 20-Guest (192.168.20.x) - Access to the Internet only, no access to same-VLAN devices. Wireless ONLY
- VLAN 30-Cameras (192.168.30.x) - Access to same-VLAN devices only, no Internet
- VLAN 40-Isolated (192.168.40.x) - Access to the Internet only, no access to same-VLAN devices. Wired ONLY
- VLAN 50-Secluded (192.168.50.x) - Access to the Internet only, no access to same-VLAN devices. The Admin VLAN can reach Secluded clients. WiFi ONLY
- VLAN 90-IoT (192.168.90.x) - Access to same-VLAN devices and the Internet; granular access to the Home VLAN with DNS
Device List:
- ER-7206 v1 / v1.2.3
- OC-300 v5.7.6 / v1.14.7
- SG-2210MP v1 / v1.0.7
- EAP-235 v1 / v3.1.0
Note:
- DNS Server @ Home VLAN: 192.168.10.75
- Guest WiFi and Secluded WiFi: make sure the Guest Network checkbox is checked for both SSIDs
Gateway ACLs:
- Deny Home to Admin
Direction: LAN > LAN
Policy: Deny
Protocols: All
Source > Network > Home
Destination > Network > Admin
- Deny Camera to Internet
Direction: LAN > WAN
Policy: Deny
Protocols: All
Source > Network > Camera
Destination > IP Group > IPGroup_Any
- Deny Camera to All
Direction: LAN > LAN
Policy: Deny
Protocols: All
Source > Network > Camera
Destination > Network > Admin
Destination > Network > Home
Destination > Network > Guest
Destination > Network > IoT
Destination > Network > Isolated
Destination > Network > Secluded
Switch ACLs:
- Permit VNC to IoT
Policy: Permit
Protocols: All
Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
Destination > Network > Home
- Permit SSH to IoT
Policy: Permit
Protocols: All
Source > IP Port Group > (Subnet 192.168.90.1/24, Port: 22)
Destination > Network > Home
- Permit DNS Port to Home
Policy: Permit
Protocols: All
Source > Network > IoT
Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
- Deny IoT to All
Policy: Deny
Protocols: All
Source > Network > IoT
Destination > Network > Admin
Destination > Network > Home
Destination > Network > Guest
Destination > Network > Camera
Destination > Network > Isolated
Destination > Network > Secluded
- Permit Isolated To Net
Policy: Permit
Protocols: All
Source > Network > Isolated
Destination > IP Group > (Subnet 192.168.40.1/32)
- Permit Isolated To Net Reverse
Policy: Permit
Protocols: All
Source > IP Group > (Subnet 192.168.40.1/32)
Destination > Network > Isolated
- Deny Isolated To All and Itself
Policy: Deny
Protocols: All
Source > Network > Isolated
Destination > Network > Admin
Destination > Network > Home
Destination > Network > Guest
Destination > Network > Camera
Destination > Network > Isolated
Destination > Network > Secluded
EAP ACLs:
- Permit VNC to Secluded
Policy: Permit
Protocols: All
Source > IP Port Group > (Subnet 192.168.50.1/24, Ports: 5800, 5900)
Destination > Network > Admin LAN
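To check that a rule set like the Switch ACLs and the EAP ACL above actually produces the intended reachability before it goes onto the switch, here is an added Python model. It is not code from this post or from TP-Link/Omada; it is a first-match evaluator over the seven Switch ACLs and the one EAP ACL exactly as listed. Everything else is an assumption: the /24 subnets are taken from the VLAN table above, the host addresses are constructed, the switch is treated as permit-by-default and stateless (request and reply are judged as separate packets, which is why the post's "reverse" rules exist), "Admin LAN" in the EAP ACL is taken to mean the Admin subnet, and the Guest Network checkbox is modelled very simply as dropping a wireless client's packets to private addresses unless an EAP ACL permits them.

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets derived from the post's VLAN table (assumed /24 for each 192.168.x.x range).
NETWORKS = {
    "Admin": "192.168.1.0/24", "Home": "192.168.10.0/24", "Guest": "192.168.20.0/24",
    "Camera": "192.168.30.0/24", "Isolated": "192.168.40.0/24",
    "Secluded": "192.168.50.0/24", "IoT": "192.168.90.0/24",
}

def net(name):
    """Resolve a VLAN name from the post to its CIDR; a literal CIDR passes through."""
    return NETWORKS.get(name, name)

@dataclass
class Rule:
    name: str
    policy: str                                  # "permit" or "deny"
    src: str                                     # source CIDR
    dst: list                                    # destination CIDRs (one rule, many targets)
    src_ports: set = field(default_factory=set)  # empty = any port
    dst_ports: set = field(default_factory=set)

def matches(rule, src_ip, src_port, dst_ip, dst_port):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (s in ipaddress.ip_network(rule.src)
            and any(d in ipaddress.ip_network(c) for c in rule.dst)
            and (not rule.src_ports or src_port in rule.src_ports)
            and (not rule.dst_ports or dst_port in rule.dst_ports))

def evaluate(rules, src_ip, src_port, dst_ip, dst_port, default="permit"):
    """First matching rule wins; the switch is assumed to permit when nothing matches."""
    for rule in rules:
        if matches(rule, src_ip, src_port, dst_ip, dst_port):
            return rule.policy, rule.name
    return default, "implicit default"

# Destination list shared by the two "Deny ... to All" rules in the post.
DENY_TARGETS = [net(n) for n in ("Admin", "Home", "Guest", "Camera", "Isolated", "Secluded")]

# The post's Switch ACLs #1-#7, in the order listed (order matters: first match wins).
SWITCH_ACLS = [
    Rule("Permit VNC to IoT", "permit", net("IoT"), [net("Home")], src_ports={5800, 5900}),
    Rule("Permit SSH to IoT", "permit", net("IoT"), [net("Home")], src_ports={22}),
    Rule("Permit DNS Port to Home", "permit", net("IoT"), ["192.168.10.75/32"], dst_ports={53}),
    Rule("Deny IoT to All", "deny", net("IoT"), DENY_TARGETS),
    Rule("Permit Isolated To Net", "permit", net("Isolated"), ["192.168.40.1/32"]),
    Rule("Permit Isolated To Net Reverse", "permit", "192.168.40.1/32", [net("Isolated")]),
    Rule("Deny Isolated To All and Itself", "deny", net("Isolated"), DENY_TARGETS),
]

# The post's single EAP ACL for the Secluded SSID ("Admin LAN" taken as the Admin subnet).
EAP_ACLS = [
    Rule("Permit VNC to Secluded", "permit", net("Secluded"), [net("Admin")], src_ports={5800, 5900}),
]

def session_allowed(rules, client_ip, client_port, server_ip, server_port):
    """A stateless ACL sees request and reply as unrelated packets: both must pass."""
    fwd, _ = evaluate(rules, client_ip, client_port, server_ip, server_port)
    rev, _ = evaluate(rules, server_ip, server_port, client_ip, client_port)
    return fwd == "permit" and rev == "permit"

def eap_guest_policy(client_ip, client_port, dst_ip, dst_port):
    """Simplified model (assumption) of the Guest Network checkbox: packets a wireless
    client sends to private (RFC 1918) addresses are dropped unless an EAP ACL permits
    them; Internet-bound packets pass."""
    default = "deny" if ipaddress.ip_address(dst_ip).is_private else "permit"
    return evaluate(EAP_ACLS, client_ip, client_port, dst_ip, dst_port, default=default)

def admin_vnc_to_secluded(admin_ip="192.168.1.10", wifi_ip="192.168.50.20"):
    """Admin host VNCs into a Secluded WiFi client: the reply leaves the wireless
    client with source port 5900, and that is the packet the EAP ACL must let through."""
    verdict, _ = eap_guest_policy(wifi_ip, 5900, admin_ip, 51000)
    return verdict == "permit"

if __name__ == "__main__":
    cases = [
        ("Home -> IoT VNC", session_allowed(SWITCH_ACLS, "192.168.10.20", 51000, "192.168.90.5", 5900)),
        ("Home -> IoT HTTP", session_allowed(SWITCH_ACLS, "192.168.10.20", 51000, "192.168.90.5", 80)),
        ("IoT -> Home DNS server", session_allowed(SWITCH_ACLS, "192.168.90.5", 40000, "192.168.10.75", 53)),
        ("IoT -> other Home host :53", session_allowed(SWITCH_ACLS, "192.168.90.5", 40000, "192.168.10.20", 53)),
        ("Isolated -> Isolated", session_allowed(SWITCH_ACLS, "192.168.40.10", 40000, "192.168.40.11", 80)),
        ("Isolated -> its gateway", session_allowed(SWITCH_ACLS, "192.168.40.10", 40000, "192.168.40.1", 53)),
        ("Secluded -> Secluded", eap_guest_policy("192.168.50.20", 40000, "192.168.50.21", 80)[0] == "permit"),
        ("Admin VNC -> Secluded", admin_vnc_to_secluded()),
    ]
    for label, ok in cases:
        print(f"{label:30s} {'allowed' if ok else 'blocked'}")
```

Running the model shows why the ordering in the post matters: a Home host's VNC connection into IoT is allowed only because "Permit VNC to IoT" (matching the IoT side's source port 5800/5900) sits above "Deny IoT to All", and the same Home host's HTTP request to an IoT device is blocked because its reply hits the deny rule first. The model also makes the limitation of stateless reverse rules visible: `evaluate(SWITCH_ACLS, "192.168.90.5", 5900, "192.168.10.20", 80)` returns permit, i.e. any IoT-originated packet that happens to carry source port 5900 toward Home is let through, not just VNC replies. That is inherent to port-based reverse rules on a stateless switch; where the stateful gateway can enforce a flow instead, or where the permitted destination can be narrowed (as the post does for DNS with a /32 host), the exposure is smaller.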