Knowledge Base Isolated VLAN Configuration for Omada
Updated 04/11/22 - updated x.1 with x.0 for Networks: There was a time where .0 is not accepted, but now it is fixed.
Hello All.
I have created a new version of the previous design I shared I shared. In this version, a new VLAN has been added (Isolated).
Use Case:
This Isolated VLAN is to complement the limitation of the "Guest" feature for Wireless, specifically, the end-device isolation (i.e. all wireless clients connected to Guest WiFi can't see each other). The Guest feature only works for Wireless Clients only so this Isolated VLAN do a similar thing: prevent other Wired Clients in the same VLAN to see each other (and also not see other Clients in other VLANs). The Isolated VLAN end devices must still be able to access the Internet.
I have listed all the ACLs needed below, along with the layout. If you want to see the ACL in Action, I have a video uploaded and you'll find the testing and demo at Part 4 of the video.
VLAN Info:
- VLAN 1-Admin (192.168.1.x)- this is the Native/Default VLAN 1. Access to all VLAN, can get granular Access to IoT VLAN with VNC and SSH
- VLAN 10-Home (192.168.10.x) - Access to all except Admin VLAN, granular access to IoT VLAN with VNC and SSH
- VLAN 20-Guest (192.168.20.x)- Access to Internet only, no access to same-VLAN devices. Wireless ONLY
- VLAN 30-Cameras (192.168.30.x)- Access to same-VLAN devices only, no Internet
- VLAN 40-Isolated (192.168.40.x)- Access to Internet only, no access to same-VLAN devices. Wired ONLY
- VLAN 90-IoT (192.168.90.x)- Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS
Device List:
-
ER-7206 v1 / v1.2.3
-
OC-300 v5.7.6 / v1.14.7
-
SG-2210MP v1 / v1.0.7
-
EAP-235 v1 / v3.1.0
Note: DNS Server @ Home VLAN: 192.168.10.75
ACLs:
For Guests, make sure the Guest Network check box for Wifi is checked
Gateway ACLs:
- Deny Home to Admin
Direction: LAN > LAN
Policy: Deny
Protocols: All
Source > Network > Home
Destination > Network > Admin
- Deny Camera to Internet
Direction: LAN > WAN
Policy: Deny
Protocols: All
Source > Network > Camera
Destination > IP Group > IPGroup_Any
- Deny Camera to All
Direction: LAN > LAN
Policy: Deny
Protocols: All
Source > Network > Camera
Destination > Network > Admin
Destination > Network > Home
Destination > Network > Guest
Destination > Network > IoT
Destination > Network > Isolated
Switch ACLs:
- Permit VNC to IoT
Policy: Permit
Protocols: All
Source > IP Port Group > (Subnet 192.168.90.0/24, Ports: 5800, 5900)
Destination > Network > Home
- Permit SSH to IoT
Policy: Permit
Protocols: All
Source > IP Port Group > (Subnet 192.168.90.0/24, Port: 22)
Destination > Network > Home
- Permit DNS Port to Home
Policy: Permit
Protocols: All
Source > Network > IoT
Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
- Deny IoT to All
Policy: Deny
Protocols: All
Source > Network > IoT
Destination > Network > Admin
Destination > Network > Home
Destination > Network > Guest
Destination > Network > Camera
Destination > Network > Isolated
- Permit Isolated To Net
Policy: Permit
Protocols: All
Source > Network > Isolated
Destination > IP Group > (Subnet 192.168.40.1/32)
- Permit Isolated To Net Reverse
Policy: Permit
Protocols: All
Source > IP Group > (Subnet 192.168.40.1/32)
Destination > Network > Isolated
- Deny Isolated To All and Itself
Policy: Deny
Protocols: All
Source > Network > Isolated
Destination > Network > Admin
Destination > Network > Home
Destination > Network > Guest
Destination > Network > Camera
Destination > Network > Isolated
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I've finally made sense of the situation with regards to Q2.
The Switch ACL 3 (access to DNS) made sense to me from the get go.
It's literally about allowing the DNS requests to flow from IOT to HOME. Other traffic in that direction is blocked by rule 4
The previous 2 rules (especially 2) made less sense.
Now I believe they are actually about allowing SSH responses to flow from IOT back into HOME.
You don't need a "direct" rule to allow SSH requests the other way (HOME to IOT) because they are not blocked by anything.
But rule 2 at least appears to be a "reverse" rule.
In my opinion, it would help to specify where the SSH servers are (apparently on the IOT side) and you may also want to update the rule name...
I'm now pretty sure my previous ACL experiments ended up very poorly because I had missed the stateless nature of these Switch ACLs.
I have no clue how other vendors deal with this but this is not intuitive and maybe not emphasized enough in the docs (because I don't appear to be the only one that didn't get it based on other posts).
- Copy Link
- Report Inappropriate Content
@Death_Metal should this setup work for my use-case?
I would like to set up an IoT VLAN that is
- isolated (can't peer with others inside its vlan)
- can't talk to any other VLAN
- Home/Admin VLAN should be able to talk to IoT clients
I guess due to the last one, I need to use stateful Gateway ACLs? I can't make it to work together with the Switch ACLs that would deny to peer inside the VLAN
- Copy Link
- Report Inappropriate Content
If all your IoT clients are wireless, you only need to setup the IoT wireless network as a Guest network.
If some of them are wired, then you need to resort to switch ACLs (rules 5 & 6 , IMO with a .1 not a .0, for gateway access, and the first destination of rule 7).
Your 2nd use case is more easily achieved with a getaway ACL (LAN->LAN deny with IoT source and all other networks as destination).
Then you don't need to do anything for the 3rd use case (allowed by default and not blocked by the above rules).
It's closer to the config in this post: Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL - Business Community (tp-link.com)
You could implement your use cases 2 and 3 with switch ACLs (along the lines of this current post) but you'll need to be more specific about which traffic is allowed to flow BACK from IoT to Home/Admin. Here, the OP allowed VNC and SSH.
HTH
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hmm, I had not experimented enough with the "Guest Network" functionality apparently. I just remedied that situation.
It indeed blocks way more than just traffic within the wireless network...
So you can achieve use cases 2 & 3 with the gateway ACL mentioned in your last reply.
That leaves the traffic within IoT network.
My experimentations this morning have been completely fruitless.
* Enabling "Guest Network" blocks everything but DHCP/Internet, and I also failed to override that setting with Permit ACLs at any level.
* I've also failed to reproduce "Guest Network" functionality with AP and/or Switch ACLs...
The switch ACLs work properly when at least one of my test peers is wired.
If both test peers are wireless (same SSID, same antenna), I failed to block any traffic using my EAP245! It's as if AP ACLs plain do nothing (which could also explain my failure to override above).
I'm going to sleep it over and retry tomorrow (or sooner if I get a new idea).
Otherwise, I'll likely start a new thread because something seems amiss.
- Copy Link
- Report Inappropriate Content
My testing procedure was flawed yesterday. I'm now getting more consistent results...
Summary:
- "Guest Network" seems to be the only way to block traffic between peers on the same AP/Antenna (maybe just same AP).
No amount of ACLing allowed me to replicate that part. If the traffic stays within the confines of the AP, that seems to be the only way that I found... - As you (then me) found out, "Guest Network" blocks more than just traffic within the wireless network. By default, it only allows DHCP and Internet outbound traffic.
- The "Guest Network" blocking behavior can be overridden by AP ACLs but ONLY for traffic coming in and out of the AP.
For example, I was able to allow ping and ssh from clients in other VLANs and also wired clients within my test VLAN. - The "Guest Network" blocking behavior is stateless!
In other words, when you enable some granular traffic to a host in the guest WLAN, you also need to allow the replies to flow back to their sources... - My AP only supports 16 ACLs and you consume 2 per granular function enabled so choose carefully...
During my tests, I kept the Gateway ACL blocking all LAN->LAN traffic out of the isolated VLAN.
Test AP ACLs used:
For ping, allow ICMP from my entire private network (IP group) to the "guest" Network. Second rule with reverse source and destination.
For SSH, allow TCP from my entire private network (IP group) to SSH hosts in the "guest" Network (IP-Port group). Second rule with reverse source and destination.
I made at least couple mistakes yesterday. I got bit by the stateless nature of the "guest network" (didn't do enough to override).
I also had one test peer not behaving like the others because of a firewall rule not enabled...
If you have wired clients within your isolated network, you're likely to need switch ACLs (one to block traffic within the VLAN, pairs similar to the AP ACLs above to allow what you need).
HTH
- Copy Link
- Report Inappropriate Content
@EricPerl wow great, thanks a lot for your efforts. This seems to do the trick for me. Let's see when the AP ACL limit will block me.
- Copy Link
- Report Inappropriate Content
You've done a lot of work, but I would leave the Guest network alone and use it only for what it has been designed for. Try something different.
1. To block Wi-Fi intra-VLAN traffic, create a deny ACL rule (all protocols) for the given SSID as the source and the subnet of the VLAN associated with the SSID for the destination. However, this will also block access to the VLAN's default gateway. Therefore, it needs to be preceded by a rule that would enable access to that gateway. In order to do that, create a permit ACL rule (all protocols) for the given SSID as the source and the IP address of that gateway as the destination and move it to the top of the list.
2. The above will block intra-VLAN traffic of Wi-Fi devices connected to the given SSID. You should be able to employ the same idea to block intra-VLAN traffic of devices connected to the switchports that provide access to the associated VLAN. Those Switch ACL rules would need to be applied to switchports on ingress. I don't have any switch under Omada so I just hope that's possible.
3. Create Gatway ACL rules to control inter-VLAN traffic. That shouldn't be difficult considering their stateful nature.
Hope this will work for you.
- Copy Link
- Report Inappropriate Content
Hi Kris/ @KJK ,
I already had such rules because they were the fairly obvious way to replicate Guest Network functionality with AP ACLs.
But I was not 100% sure I retested them after I made my testing setup more reliable. So I just retested again.
Setup:
* TEST VLAN
* TEST SSID for the above VLAN
* 1 AP ACL for all protocols, source is SSID:Test, destination is IP Group:TEST VLAN subnet (also tried 10.0.0.0/8 for my entire internal network).
* 1 Windows machine over Wi-Fi
* 1 Linux machine, wired or Wi-Fi
I only have 1 TP-Link AP (EAP245) but if anything, it may expose something unexpected... Both machines on the same antenna/channel.
With the rule disabled, and both machines on Wi-Fi, ping works in both directions. All clear.
I enable the ACL. NOTHING happens. Ping still work. SSH too.
I switch the Linux box to wired only. Ping fails. SSH too. Both ways due to the stateless nature of AP ACLs.
I disable the ACL. Ping & SSH work again.
My conclusion is that AP ACLs plain don't work as long as the traffic does not leave the confines of the AP...
They seem to apply when traffic comes in or goes out of the AP.
[Edit: Fortunately, this doesn't apply to inter-VLAN traffic, which clearly get pushed through switch (and likely GW) because a switch ACL can take care of that. Interestingly, the AP ACL extended to my full internal network also catches that, which aligns with my previous conclusion].
Is your experience different?
- Copy Link
- Report Inappropriate Content
I set up a test case where two Wi-Fi devices were connected exactly the same way as in your negative test and, indeed, the traffic between those devices was not block. It looks as if such traffic takes another, more internal, path so it does not flow through the interface to which AP ACL rules are bound. Certainly, that's not a good thing. That does not happen if different frequencies or APs are involved (still the same VLAN and subnet). I believe that's fixable and TP-Link should do something about it. Cheers!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 7
Views: 9990
Replies: 27