Secluded Wireless VLAN Configuration for Omada

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Secluded Wireless VLAN Configuration for Omada

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Secluded Wireless VLAN Configuration for Omada
Secluded Wireless VLAN Configuration for Omada
2023-03-30 19:56:16 - last edited 2023-10-12 11:55:16

Hello All.

 

I have added a new section/feature for the design I shared, you can find the 1st (Gateway ACL-focused) and 2nd revision here (added Switch ACL for Granular Access) and then I have added an Isolated VLAN (Wired Only, like Guest WiFi, clients can't ping each other). In this revision, i have added a new VLAN for Secluded WiFi.

 

Use Case (Refer to the Table/Diagram below):

The Secluded Wireless VLAN is to prevent wireless clients to see each peers/neighbors in the same VLAN but still have Internet Access and Granular Access to clients (in this example, Admin VLAN hosts can VNC to WiFi clients). For users that have implemented the Isolated VLAN design (refer to the #5-#7 Switch ACLs below), they found out that using the same/similar ACLs and applying it to EAP didn't work as they expected it to be: the WiFi clients always sees each other in the same VLAN. In this revision, the solution is to simply "poke" a h0le to the Guest Feature functionality. 

 

I have listed all the ACLs needed below, along with the layout. If you want to see the ACL in Action, I have a video uploaded and you'll find the testing and demo at Part 7 of the video.

 

VLAN Info:

  • VLAN 1-Admin (192.168.1.x)- this is the Native/Default VLAN 1. Access to all VLAN, can get granular Access to IoT VLAN with VNC and SSH, Secluded WiFi with VNC
  • VLAN 10-Home (192.168.10.x) - Access to all except Admin VLAN, granular access to IoT VLAN with VNC and SSH
  • VLAN 20-Guest (192.168.20.x)- Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • VLAN 30-Cameras (192.168.30.x)- Access to same-VLAN devices only, no Internet
  • VLAN 40-Isolated (192.168.40.x)- Access to Internet only, no access to same-VLAN devices. Wired ONLY
  • VLAN 50-Secluded (192.168.50.x)- Access to Internet only, no access to same-VLAN devices. Admin VLAN can reach Secluded clients. WiFi ONLY
  • VLAN 90-IoT (192.168.90.x)- Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

Device List:

  • ER-7206 v1 / v1.2.3

  • OC-300 v5.7.6 / v1.14.7

  • SG-2210MP v1 / v1.0.7

  • EAP-235 v1 / v3.1.0

 

Note:

  • DNS Server @ Home VLAN: 192.168.10.75
  • Guests WiFi and Secluded WiFi, make sure the Guest Network check box for Wifi is checked

 

Gateway ACLs:

  1. Deny Home to Admin
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Home
    Destination > Network > Admin
     
  2. Deny Camera to Internet
    Direction: LAN > WAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP Group > IPGroup_Any
     
  3. Deny Camera to All
    Direction: LAN > LAN
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > IoT
    Destination > Network > Isolated
    Destination > Network > Secluded

 

Switch ACLs:

  1. Permit VNC to IoT
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Home
     
  2. Permit SSH to IoT
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Port: 22)
    Destination > Network > Home
     
  3. Permit DNS Port to Home
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
     
  4. Deny IoT to All
    Policy: Deny
    Protocols: All
    Source > Network > IoT
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > Camera
    Destination > Network > Isolated
    Destination > Network > Secluded
     
  5. Permit Isolated To Net
    Policy: Permit
    Protocols: All
    Source > Network > Isolated
    Destination > IP Group > (Subnet 192.168.40.1/32)
     
  6. Permit Isolated To Net Reverse
    Policy: Permit
    Protocols: All
    Source > IP Group > (Subnet 192.168.40.1/32)
    Destination > Network > Isolated
     
  7. Deny Isolated To All and Itself
    Policy: Deny
    Protocols: All
    Source > Network > Isolated
    Destination > Network > Admin
    Destination > Network > Home
    Destination > Network > Guest
    Destination > Network > Camera
    Destination > Network > Isolated
    Destination > Network > Secluded

 

EAP ACLs:

  1. Permit VNC to Secluded
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.50.1/24, Ports: 5800, 5900)
    Destination > Network > Admin LAN

 

  4      
  4      
#1
Options