@Tescophil There is definitely some weirdness with the ACL functions from my tests as well.  In your case, you might try only blocking TCP and UDP instead of all protocols.  I know some protocols don't use ports (IE: ICMP) and I wonder if that might be causing you issues.

With that said, I don't see a reason why you shouldn't have been able to ping on the same VLAN.  I haven't had a chance to test this too much, but it's almost like Omada is considering any routing (IE: VLAN to VLAN) a WAN action.  I have cases where when access certain web services on my local LAN (IE: a Caddy Server), it is reported to the service as the WAN Gateway IP address trying to access the service.  This makes no sense to me.  Not sure if you are seeing something similar, but definitely something weird going on.

  @Tescophil 

Hello,

Did you have switch acl menu? Try to create on switch instead.

* The protocol option should be tested with only UDP first, then TCP/UDP.

Cheer :)

Zool

Tried this on my guest network, just TCP and UDP protocols, exactly the same result, total network shutdown. As soon as I enabled the rule, my phone (which was connected to the guest network) said the current WiFi connection has no internet access.

Even after deleting the rule it didn't come back, had to reboot the router.

@zool_ I dont want to create a switch ACL because this rule is a LAN->WAN rule (i.e. gateway), I'm trying to block external DNS requests, not any internal traffic.

  @Tescophil I am betting it wasn't actually the same issue.  I bet you bloked all DNS only, which would make your phone think there was no internet.

I am fairly confident that for some unknown reason, the Omada system is considering VLAN routing as WAN.  I am pretty sure I am having some of the same issues on my system, and this would explain it.  

It would be nice if we could get an official statement on this.