VLAN Trouble - Devices can't talk to each other
Hello everyone!
I'm trying to isolate some PCs and servers on my network with a VLAN and I'm running into some unexpected behavior that I'm not able to solve.
Omada Controller version 5.14.32.4 is running in a docker container.
Hardware model, version, firmware, name:
ER605 V2.0 - 2.2.6 Router
TL-SG2008P V1.0 - 1.0.9 Office Switch
TL-SG2008 V3.0 - 3.0.9 Wall Switch
SG2008 V4.20 - 4.20.1 Hobby Room Switch
SG2008P V3.20 - 3.20.1 Living Room Switch
The connection map goes Router -> Office Switch -> Wall Switch -> Hobby Room Switch -> Living Room Switch
I also have three APs but they're not a factor.
My default LAN is 192.168.1.0/24.
I created VLAN10 192.168.10.0/24 for the devices I want to isolate in one direction. The objective is the same as an IoT network: I can reach devices on VLAN10 from LAN, devices on VLAN10 cannot connect to LAN, and the devices on VLAN10 can communicate with each other.
Here are the steps I went through to create VLAN10:
- New LAN interface
- Select LAN1 for the LAN Interface
- VLAN: 10
- Gateway/Subnet: 192.168.10.1/24
- DHCP Range: 192.168.10.100 - 192.168.10.254
- Everything else is default
After creating this VLAN, switch profile VLAN10 was auto-generated. The devices I want to isolate are on ports 4 and 5 of the Hobby Room Switch. After changing their IPs to the new range, 192.168.10.22 and 192.168.10.63, I set ports 4 and 5 to the VLAN10 profile. I tested the connection and I can connect to both boxes and they can connect to me on the default LAN.
To isolate VLAN10 I first attempted a Switch ACL to block Source Network:VLAN10 to Destination Network:Default. When enabled, I was no longer able to connect to either device.
I then disabled the switch ACL and tried a Gateway ACL to deny Source Network:VLAN10 to Destination Network:Default. This works and allows me to connect to both .10 addresses. I validated that neither .10 device can connect to the default LAN. All good here so far. Both .10 devices can also connect to the internet.
For some reason though my .10 devices cannot communicate directly with each other. 192.168.10.22 and 192.168.10.63 cannot ping each other even though they're on the same VLAN on the same switch.
To add to the weirdness: 10.22 is a server. If I launch a Docker container and assign it an address of 192.168.10.51 through MACVLAN, then it can connect to 10.63 no problem. Any container hosted on 10.22 in bridge mode cannot communicate with 10.63 either.
I don't know what else to try. To add to my confusion, pretty much any YouTube video or article I read instructs to use Switch ACL for isolation but that doesn't seem to be working for me for some reason.
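The following is an added example, not part of the original post and not Omada's own code. It models the two ACL placements described above as a packet filter and replays the post's three traffic cases (LAN to VLAN10, VLAN10 to LAN, VLAN10 to VLAN10) through each. The model assumes the switch ACL judges every frame on its own (stateless) while the gateway ACL remembers sessions it has already permitted (stateful); addresses, port numbers and the `Packet`/`Filter` names are constructed for the illustration. What it shows is that a single stateless "deny VLAN10 to Default" rule also drops the reply half of a LAN-initiated session, which is consistent with the switch ACL breaking LAN-to-VLAN10 access, and that neither rule ever matches VLAN10-to-VLAN10 traffic, so the intra-VLAN failure has to come from somewhere other than these ACLs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks taken from the post.
NETWORKS = {
    "Default": ip_network("192.168.1.0/24"),
    "VLAN10": ip_network("192.168.10.0/24"),
}

# The single deny rule from the post: Source Network VLAN10 -> Destination Network Default.
DENY_RULES = {("VLAN10", "Default")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def network_of(addr: str) -> str:
    """Map an address to the Omada network name it belongs to."""
    a = ip_address(addr)
    for name, net in NETWORKS.items():
        if a in net:
            return name
    return "Other"


def matches_deny(pkt: Packet) -> bool:
    return (network_of(pkt.src), network_of(pkt.dst)) in DENY_RULES


class StatelessFilter:
    """Assumed model of a switch ACL: each frame is evaluated on its own,
    with no memory of the session it belongs to."""

    def allows(self, pkt: Packet) -> bool:
        return not matches_deny(pkt)


class StatefulFilter:
    """Assumed model of a gateway ACL: once a packet has been permitted,
    the reverse direction of that session is permitted as well."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, str, int, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
            return True  # reply to a session we already let through
        if matches_deny(pkt):
            return False
        self.sessions.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return True


def session_works(filt, client: str, server: str, cport: int = 40000, sport: int = 22) -> bool:
    """A minimal request/reply exchange; it only 'works' if both directions pass."""
    request = Packet(client, server, cport, sport)
    reply = Packet(server, client, sport, cport)
    return filt.allows(request) and filt.allows(reply)


def evaluate_cases() -> dict[str, dict[str, bool]]:
    """Replay the post's three traffic cases through both ACL models.
    Hosts: 192.168.1.50 is a constructed LAN client; .10.22 and .10.63 are from the post."""
    cases = {
        "LAN -> VLAN10": ("192.168.1.50", "192.168.10.22"),
        "VLAN10 -> LAN": ("192.168.10.22", "192.168.1.50"),
        "VLAN10 -> VLAN10": ("192.168.10.22", "192.168.10.63"),
    }
    results: dict[str, dict[str, bool]] = {}
    for label, (client, server) in cases.items():
        results[label] = {
            "switch ACL (stateless)": session_works(StatelessFilter(), client, server),
            "gateway ACL (stateful)": session_works(StatefulFilter(), client, server),
        }
    return results


if __name__ == "__main__":
    for label, outcome in evaluate_cases().items():
        print(label)
        for model, ok in outcome.items():
            print(f"  {model}: {'works' if ok else 'blocked'}")
```

Under this model the gateway ACL gives exactly the one-way isolation the post asks for, and both ACL placements leave 192.168.10.22 and 192.168.10.63 free to talk; a stateless rule set would need an explicit allow for established return traffic (or a second rule in the other direction) to let LAN-initiated sessions complete.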