Omada ACL not working, blocks both sides

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Omada ACL not working, blocks both sides

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Omada ACL not working, blocks both sides
Omada ACL not working, blocks both sides
2024-02-22 15:05:30
Tags: #ACL
Model: TL-SG2218  
Hardware Version: V1
Firmware Version: 1.20.0

Example i have 2 Networks:
Home VLan 100
DMZ VLan 200

 

Now both networks can reach each other. (Ping / iPerf3)

I create a ACL:

Deny DMZ -> Home
now everything is blocked ?
Home does not reach DMZ and DMZ does not reach Home?

I create a new Rule:
Allow Home -> DMZ

This rule has no effect. Home -> DMZ no access.

The only way is to delete "Deny DMZ -> Home" that "Home -> DMZ" works???
I test it with "Network" and "IP-Group" ACL
Omada Version 5.12.9 and now 5.13.30.10

Only i want to block DMZ to Home but Home allow to DMZ.
PS: I reset the system twice and the rules don't work.
Devices:
OpnSense Gateway
Switch 1: SG2218 v1.20
Switch 2: SG2210P v5.20
Switch 3: SG2005P-PD v1.0
Controller: OC200 v2.0 Omada v5.13.30.10

Test on Switch1 with Port1 (Home (PC)) and Port2 (DMZ (Notebook Ethernet)) with iPerf3 and Ping


Next Test: i create a Network on OpnSense (SRV) with ip 172.30.1.1/24
I create a Proxy Server default Homepage with Raspberry PI (172.30.1.10)
It works, my PC (Home) can open the Page 172.30.1.10. I create a ACL:
IP-Group 172.30.1.0/24 -> Deny -> Home
Both sides can no longer reach each other.
Both sides are always blocked, not just one direction...
This used to work with the old version under Omada v5.12

Question 2:
Every traffic from 2 networks goes through the gateway

Is “inter-vlan routing” possible with the new L3 Omada switches?  Traffic/Routing only via the switch?
A lot of people ask and want inter-vlan-routing
  0      
  0      
#1
Options
9 Reply
Re:Omada ACL not working, blocks both sides
2024-02-23 02:10:01

Hi @EliteAustria 

Thanks for posting in our business forum.

EliteAustria wrote

 

Both sides can no longer reach each other.
Both sides are always blocked, not just one direction...
This used to work with the old version under Omada v5.12

Then try to downgrade your controller to V5.12. Be sure you have backup everything in any version.

 

EliteAustria wrote

 

Question 2:
Every traffic from 2 networks goes through the gateway

Is “inter-vlan routing” possible with the new L3 Omada switches?  Traffic/Routing only via the switch?
A lot of people ask and want inter-vlan-routing

Explain the concept from you on this "inter-vlan-routing".

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#2
Options
Re:Omada ACL not working, blocks both sides
2024-02-23 12:26:22

  @Clive_A 

 

Thanks, I'll try it this weekend and then write the result here.
 

Clive_A wrote

Explain the concept from you on this "inter-vlan-routing".

 

I want L3 routing on the switch from network A to network B without routing via the gateway.
There are now new L3 switches from TP-Link Omada:
Example "SG6428X"
Is this possible with Omada or is all internal network traffic only routed via the gateway?
  0  
  0  
#3
Options
Re:Omada ACL not working, blocks both sides
2024-02-26 06:34:43

Hi @EliteAustria 

Thanks for posting in our business forum.

EliteAustria wrote

  @Clive_A 

 

Thanks, I'll try it this weekend and then write the result here.
 

Clive_A wrote

Explain the concept from you on this "inter-vlan-routing".

 

I want L3 routing on the switch from network A to network B without routing via the gateway.
There are now new L3 switches from TP-Link Omada:
Example "SG6428X"
Is this possible with Omada or is all internal network traffic only routed via the gateway?

If you don't want it to go to the router, then don't set it up on the router. Do not use a VLAN interface on the router which will defaultly send the inter-VLAN to the router and route. Create the DHCP server on the switch instead. And use static routing.

FAQ 887 as an example. Don't need to go for the SG6428X.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#4
Options
Re:Omada ACL not working, blocks both sides
2024-02-28 00:34:44

  @Clive_A 

https://www.tp-link.com/us/support/faq/887/ 
is this also possible under Omada or only Standalone Mode?
In Omada this would be an incredible feature

 

  0  
  0  
#5
Options
Re:Omada ACL not working, blocks both sides
2024-02-28 06:18:53

Hi @EliteAustria 

Thanks for posting in our business forum.

EliteAustria wrote

  @Clive_A 

https://www.tp-link.com/us/support/faq/887/ 
is this also possible under Omada or only Standalone Mode?
In Omada this would be an incredible feature

 

Omada, then refer to this: https://www.tp-link.com/en/support/faq/3155/

You have to use the Omada router which supports multi-nets NAT.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#6
Options
Re:Omada ACL not working, blocks both sides
2024-03-01 17:12:31 - last edited 2024-03-01 17:19:48

  @Clive_A 

Thanks for the Link, it is working.

So here is my test that ACL doesn't work:
Test Setup:
Gateway ER605 v1
Switch SG2210P v5
OC200 v2

I reset all devices and created a fresh installation.
I create 2 networks (Interface):
HOME = 192.168.100.1/24 (VLAN100)
SERVER = 192.168.200.1/24 (VLAN200)
Switch Config: Port 1 = Home / Port 2 = Server

 

I Test with 2 PC on Port 1 + 2
Ping Test: Works
iPerf3 Test: Works

Now i create a ACL:
- Deny
- All Protocols
- Source: SERVER Net
- Destination: HOME Net
- Bind: Ports

So SERVER Client (Port 2) can no longer reach HOME (Port 1)
it is working

 

Now comes the bug:
HOME Client
can no longer reach SERVER
that is wrong

Ping Test: not working
iPerf3 Test: not working

 

"Bi-Directional" Option is NOT set, but every ACL block every time BOATH SIDES.
I create also a Permit Rule vor Source HOME to SERVER, I put it as the 1st rule, not working.. ALL communication is blocked
I Downgrade the OC200 firmware, reset hardware and test again, and is also not working.
How to solve this (everything bi-directional) bug?

HOME requires access to the network SERVER. Simple DMZ rule.
Do ACL rules work in the TP-Link lab or is it just me who has the bug?

PS: It doesn't work with Switch SG2218 v1 either
I think the ACL for all may have a bug

  0  
  0  
#7
Options
Re:Omada ACL not working, blocks both sides
2024-03-04 09:41:09

Hi @EliteAustria 

Thanks for posting in our business forum.

EliteAustria wrote

  @Clive_A 

Thanks for the Link, it is working.

So here is my test that ACL doesn't work:
Test Setup:
Gateway ER605 v1
Switch SG2210P v5
OC200 v2

I reset all devices and created a fresh installation.
I create 2 networks (Interface):
HOME = 192.168.100.1/24 (VLAN100)
SERVER = 192.168.200.1/24 (VLAN200)
Switch Config: Port 1 = Home / Port 2 = Server

 

I Test with 2 PC on Port 1 + 2
Ping Test: Works
iPerf3 Test: Works

Now i create a ACL:
- Deny
- All Protocols
- Source: SERVER Net
- Destination: HOME Net
- Bind: Ports

So SERVER Client (Port 2) can no longer reach HOME (Port 1)
it is working

 

Now comes the bug:
HOME Client
can no longer reach SERVER
that is wrong

Ping Test: not working
iPerf3 Test: not working

 

"Bi-Directional" Option is NOT set, but every ACL block every time BOATH SIDES.
I create also a Permit Rule vor Source HOME to SERVER, I put it as the 1st rule, not working.. ALL communication is blocked
I Downgrade the OC200 firmware, reset hardware and test again, and is also not working.
How to solve this (everything bi-directional) bug?

HOME requires access to the network SERVER. Simple DMZ rule.
Do ACL rules work in the TP-Link lab or is it just me who has the bug?

PS: It doesn't work with Switch SG2218 v1 either
I think the ACL for all may have a bug

Oh, that's normal in SW ACL. It is not stateful and of course, one block rule would block bidirectional.

Let me ask you this, in the GW ACL setup with your controller, do you have this option?

 

If you don't have this option, it is also expected that GW ACL does not work. As for ER605 V1 is not stateful ACL.

This "stateful" determines if you can achieve single-directional access.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#8
Options
Re:Omada ACL not working, blocks both sides
2024-03-04 19:55:43 - last edited 2024-03-04 23:04:54

  @Clive_A 

then switch ACL interface makes no sense?

1.
Permit and Deny - "Permit" does not exist. All is "Permit", you can only user "Deny"
2.
Source and Destination - sources doesn't work, why is a graphic arrow shown from source to destination? <- no effect
3.

Bi-directional Button - No effect, no function, all configs are "Bi-directional"

The entire Omada structure and settings are just fake... frown

very confusing when none of the settings are "true".

 

  1  
  1  
#9
Options
Re:Omada ACL not working, blocks both sides
2024-03-05 01:18:49

Hi @EliteAustria 

Thanks for posting in our business forum.

EliteAustria wrote

  @Clive_A 

then switch ACL interface makes no sense?

1.
Permit and Deny - "Permit" does not exist. All is "Permit", you can only user "Deny"
2.
Source and Destination - sources doesn't work, why is a graphic arrow shown from source to destination? <- no effect
3.

Bi-directional Button - No effect, no function, all configs are "Bi-directional"

The entire Omada structure and settings are just fake... frown

very confusing when none of the settings are "true".

 

I want to make it clear that I have no interest in discussing or arguing with you if you continue to be negative and ignorant. You are free to stop using the products at any time, as it is your choice.

If you are not willing to engage in a constructive discussion and instead choose to complain, I will no longer respond to your posts. I would rather focus my energy on maintaining a positive environment with other users. Negativity is unproductive for both of us and reading such comments is a waste of my time.

I have already explained that stateful ACL is necessary for achieving single-directional communication. If you are unfamiliar with this concept, I suggest doing some research online.

 

Communication requires two-way interaction; if one party stops responding, the connection will be lost.

It is important to remove terms such as "fake" or "bug." Such terminology can come across as ignorant without due diligence and may lead to misunderstandings among others on the official channel. Please choose your words carefully when expressing yourself in this forum. Feel free to use whatever language you prefer outside of official channels.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#10
Options