Setting up wifi portal on second omada interface/ip
Hi,
I would like to setup the wifi captive portal on the second omada interface (and on the guest vlan) leaving the first ip/interface (poe) for the administration.
How can i achieve this ?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
We need to know more about your topology. What router and do you have a switch or not? Are all managed by the OC200?
- Copy Link
- Report Inappropriate Content
I have 6 EAP225(EU) v3.0 (Firmware Version:5.0.8 Build 20220118 Rel. 54520) and 1 OC200 (Version 5.1.7 1.15.2 Build 20220323 Rel.60717 ) connected to a TL-SG2428P v4.0 (Firmware Version: 4.0.1 Build 20211105 Rel.57589). Connection to the internet is guaranteed by an open source router/firewall (don't have a TP-Link router).
- Copy Link
- Report Inappropriate Content
I am pretty sure you will need a managed tplink router to run the portal via the omada controller. ER605 is good enough for your situation.
- Copy Link
- Report Inappropriate Content
@d0ugmac1 I already have a firewall/router and can't justify the acquisition of another router. What i am looking for is to put omada's first interface (poe) on admin vlan and have the portal listening on the other interface, which i want to put on the guest vlan. This should be easily achievable, but there's no such config option on the cloud console. Tutorial, videos, documentation,don't even mention the second interface: what is it for ? How to configure/use it ?
- Copy Link
- Report Inappropriate Content
@Fathi_B.N. ok I think the issue is that you believe the 'omada' by which I now believe you mean the OC200 can do clever things, it is nothing more than a linux computer running the Omada software. Those two ports of the OC200 are nothing more than a dumb 100M ethernet switch, the left one allowing you to power it by POE.
If you want to continue with your existing router, you will have to reverse engineer what the oc200 does to make the portal work in the Omada SDN environment and then implement those routes and rules on your router.
- Copy Link
- Report Inappropriate Content
Thank you. So, from what i have understood the two ports weren't meant to have an admin interface on one and a public interface on the other port. I don't want the oc200 admin interface to be publicly accessible to gust visitors.
- Copy Link
- Report Inappropriate Content
Correct. The way the Omada solution separates traffic is by VLAN which leverages their router (function). I think the sole reason for the second port on the OC200 is if you just need to jack in locally, without needing to worry about tagging your computer's interface with the management VLAN. It was not designed as a 2-port gateway.
- Copy Link
- Report Inappropriate Content
Hello,
to the question if someone need omada-router:
if the hotspot is only used in the WLAN, it is sufficient for the OC controller. If LAN connections are also to be operated with hotspot, an Omada router is required.
Isolation of the controller access:
Since the controller and the hotspot manager are on the same IP, but the hotspot manager has to be reached by portal-users for authentication, access to the controller-Section of OC can only be blocked by using an ACL. As said bevore this can't be done with the use of Port 2 of Controller.
In the Omada-menu "Profiles" - "Groups" you have to ad the following "ip-port-group":
IP of your controller as subnet x.x.x.x/32
and port 443. (with /32 and port 443 only controller-section of omada gets blocked)
Than you create a switch ACL which blocks this IP group.( source: guest-(V)lan, destination: ip-group from obove)
So clients can reach the hotspot section of the OC, but not the controller section.
Remember to put the deny-rule before the hotspot's permit-rule, otherwise it won't take effect.
(If someone does not have omada-aware switch, they can try if the ACL works as EAP-ACL instead of Switch-ACL)
Hope that helps
- Copy Link
- Report Inappropriate Content
switch is TL-SG2428P v4.0 (4.0.1) and access points are all EAP225(EU) v3.0 (5.0.8). Everything is TP-Link except the firewall. OC-200, SG2428P and EAP225 all get their ips from firewall's dhcp server. Firewall has interfaces in all the different vlans.
Only two ssids have captive portal enabled, Guest ssid has a simple accept terms login with advertisement and VIP ssid authenticates against an external cloud radius server.
Other ssid are hidden, with no authentication, no captive portal but traffic is intercepted by firewall's simple captive portal.
I have setup a firewall exception rule to allow access from Guest and VIP ssids to oc-200 ip/32 in the lan vlan.
I wished i could setup the captive portal ip in the Guest vlan, which is accessible to all vlans and don't allow anyone to know my lan addressing nor access a signle ip of it , that's why i asked about the second ethernet interface.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1263
Replies: 9
Voters 0
No one has voted for it yet.