Omada ACL not working, blocks both sides
Example i have 2 Networks:
Home VLan 100
DMZ VLan 200
Now both networks can reach each other. (Ping / iPerf3)
I create a ACL:
Deny DMZ -> Home
now everything is blocked ?
Home does not reach DMZ and DMZ does not reach Home?
I create a new Rule:
Allow Home -> DMZ
This rule has no effect. Home -> DMZ no access.
The only way is to delete "Deny DMZ -> Home" that "Home -> DMZ" works???
I test it with "Network" and "IP-Group" ACL
Omada Version 5.12.9 and now 5.13.30.10
Only i want to block DMZ to Home but Home allow to DMZ.
PS: I reset the system twice and the rules don't work.
Devices:
OpnSense Gateway
Switch 1: SG2218 v1.20
Switch 2: SG2210P v5.20
Switch 3: SG2005P-PD v1.0
Controller: OC200 v2.0 Omada v5.13.30.10
Test on Switch1 with Port1 (Home (PC)) and Port2 (DMZ (Notebook Ethernet)) with iPerf3 and Ping
Next Test: i create a Network on OpnSense (SRV) with ip 172.30.1.1/24
I create a Proxy Server default Homepage with Raspberry PI (172.30.1.10)
It works, my PC (Home) can open the Page 172.30.1.10. I create a ACL:
IP-Group 172.30.1.0/24 -> Deny -> Home
Both sides can no longer reach each other.
Both sides are always blocked, not just one direction...
This used to work with the old version under Omada v5.12
Question 2:
Every traffic from 2 networks goes through the gateway
A lot of people ask and want inter-vlan-routing
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks for posting in our business forum.
EliteAustria wrote
Both sides can no longer reach each other.
Both sides are always blocked, not just one direction...
This used to work with the old version under Omada v5.12
Then try to downgrade your controller to V5.12. Be sure you have backup everything in any version.
EliteAustria wrote
Question 2:
Every traffic from 2 networks goes through the gatewayIs “inter-vlan routing” possible with the new L3 Omada switches? Traffic/Routing only via the switch?
A lot of people ask and want inter-vlan-routing
Explain the concept from you on this "inter-vlan-routing".
- Copy Link
- Report Inappropriate Content
Clive_A wrote
Explain the concept from you on this "inter-vlan-routing".
There are now new L3 switches from TP-Link Omada:
Example "SG6428X"
Is this possible with Omada or is all internal network traffic only routed via the gateway?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
EliteAustria wrote
Thanks, I'll try it this weekend and then write the result here.Clive_A wrote
Explain the concept from you on this "inter-vlan-routing".
I want L3 routing on the switch from network A to network B without routing via the gateway.
There are now new L3 switches from TP-Link Omada:
Example "SG6428X"
Is this possible with Omada or is all internal network traffic only routed via the gateway?
If you don't want it to go to the router, then don't set it up on the router. Do not use a VLAN interface on the router which will defaultly send the inter-VLAN to the router and route. Create the DHCP server on the switch instead. And use static routing.
FAQ 887 as an example. Don't need to go for the SG6428X.
- Copy Link
- Report Inappropriate Content
https://www.tp-link.com/us/support/faq/887/
is this also possible under Omada or only Standalone Mode?
In Omada this would be an incredible feature
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
EliteAustria wrote
https://www.tp-link.com/us/support/faq/887/
is this also possible under Omada or only Standalone Mode?
In Omada this would be an incredible feature
Omada, then refer to this: https://www.tp-link.com/en/support/faq/3155/
You have to use the Omada router which supports multi-nets NAT.
- Copy Link
- Report Inappropriate Content
Thanks for the Link, it is working.
So here is my test that ACL doesn't work:
Test Setup:
Gateway ER605 v1
Switch SG2210P v5
OC200 v2
I reset all devices and created a fresh installation.
I create 2 networks (Interface):
HOME = 192.168.100.1/24 (VLAN100)
SERVER = 192.168.200.1/24 (VLAN200)
Switch Config: Port 1 = Home / Port 2 = Server
I Test with 2 PC on Port 1 + 2
Ping Test: Works
iPerf3 Test: Works
Now i create a ACL:
- Deny
- All Protocols
- Source: SERVER Net
- Destination: HOME Net
- Bind: Ports
So SERVER Client (Port 2) can no longer reach HOME (Port 1)
it is working
Now comes the bug:
HOME Client can no longer reach SERVER
that is wrong
Ping Test: not working
iPerf3 Test: not working
"Bi-Directional" Option is NOT set, but every ACL block every time BOATH SIDES.
I create also a Permit Rule vor Source HOME to SERVER, I put it as the 1st rule, not working.. ALL communication is blocked
I Downgrade the OC200 firmware, reset hardware and test again, and is also not working.
How to solve this (everything bi-directional) bug?
HOME requires access to the network SERVER. Simple DMZ rule.
Do ACL rules work in the TP-Link lab or is it just me who has the bug?
PS: It doesn't work with Switch SG2218 v1 either
I think the ACL for all may have a bug
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
EliteAustria wrote
Thanks for the Link, it is working.
So here is my test that ACL doesn't work:
Test Setup:
Gateway ER605 v1
Switch SG2210P v5
OC200 v2
I reset all devices and created a fresh installation.
I create 2 networks (Interface):
HOME = 192.168.100.1/24 (VLAN100)
SERVER = 192.168.200.1/24 (VLAN200)
Switch Config: Port 1 = Home / Port 2 = Server
I Test with 2 PC on Port 1 + 2
Ping Test: Works
iPerf3 Test: Works
Now i create a ACL:
- Deny
- All Protocols
- Source: SERVER Net
- Destination: HOME Net
- Bind: Ports
So SERVER Client (Port 2) can no longer reach HOME (Port 1)
it is working
Now comes the bug:
HOME Client can no longer reach SERVER
that is wrongPing Test: not working
iPerf3 Test: not working
"Bi-Directional" Option is NOT set, but every ACL block every time BOATH SIDES.
I create also a Permit Rule vor Source HOME to SERVER, I put it as the 1st rule, not working.. ALL communication is blocked
I Downgrade the OC200 firmware, reset hardware and test again, and is also not working.
How to solve this (everything bi-directional) bug?
HOME requires access to the network SERVER. Simple DMZ rule.
Do ACL rules work in the TP-Link lab or is it just me who has the bug?
PS: It doesn't work with Switch SG2218 v1 either
I think the ACL for all may have a bug
Oh, that's normal in SW ACL. It is not stateful and of course, one block rule would block bidirectional.
Let me ask you this, in the GW ACL setup with your controller, do you have this option?
If you don't have this option, it is also expected that GW ACL does not work. As for ER605 V1 is not stateful ACL.
This "stateful" determines if you can achieve single-directional access.
- Copy Link
- Report Inappropriate Content
then switch ACL interface makes no sense?
1.
Permit and Deny - "Permit" does not exist. All is "Permit", you can only user "Deny"
2.
Source and Destination - sources doesn't work, why is a graphic arrow shown from source to destination? <- no effect
3.
Bi-directional Button - No effect, no function, all configs are "Bi-directional"
The entire Omada structure and settings are just fake...
very confusing when none of the settings are "true".
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
EliteAustria wrote
then switch ACL interface makes no sense?
1.
Permit and Deny - "Permit" does not exist. All is "Permit", you can only user "Deny"
2.
Source and Destination - sources doesn't work, why is a graphic arrow shown from source to destination? <- no effect
3.
Bi-directional Button - No effect, no function, all configs are "Bi-directional"
The entire Omada structure and settings are just fake...very confusing when none of the settings are "true".
I want to make it clear that I have no interest in discussing or arguing with you if you continue to be negative and ignorant. You are free to stop using the products at any time, as it is your choice.
If you are not willing to engage in a constructive discussion and instead choose to complain, I will no longer respond to your posts. I would rather focus my energy on maintaining a positive environment with other users. Negativity is unproductive for both of us and reading such comments is a waste of my time.
I have already explained that stateful ACL is necessary for achieving single-directional communication. If you are unfamiliar with this concept, I suggest doing some research online.
Communication requires two-way interaction; if one party stops responding, the connection will be lost.
It is important to remove terms such as "fake" or "bug." Such terminology can come across as ignorant without due diligence and may lead to misunderstandings among others on the official channel. Please choose your words carefully when expressing yourself in this forum. Feel free to use whatever language you prefer outside of official channels.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 967
Replies: 9
Voters 0
No one has voted for it yet.