OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.

OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.

OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-14 12:22:18 - last edited 2024-11-15 02:27:31
Hardware Version: V1
Firmware Version: 1.2.3 Build 20240822 Rel.52946

Hello!

I got problem, witch contloler Omada, i gues.
I'm using router ER707-M2 v1.0, two switches T1600G-52P and a few APs adopted to Omada Software Controler.

Omada version: 5.14.32.3

Into router is configured three VLAN:

 

- Default (vlan 1)
- Kamery - (vlan 20)
- And VLAN for wi-fi (vlan 130)

 

Inside LAN, every roules works fine, network "Default" can't see "Kamery" and wi-fi, network.

But when i configured OpenVPN server, i can accces to any of this VLANs. Even when i set only one of this three as visible.

 

How should i do this corectly?
Is that kind of bug in Omada?

 

I'm sorry for Polish language on screenshot.
It shows setting up a new OpenVPN server in Omada controller:

 

 

 

Greetings

  0      
  0      
#1
Options
10 Reply
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 02:26:18

Hi @Wyciu 

Thanks for posting in our business forum.

Wyciu wrote

Hello!

I got problem, witch contloler Omada, i gues.
I'm using router ER707-M2 v1.0, two switches T1600G-52P and a few APs adopted to Omada Software Controler.

Omada version: 5.14.32.3

Into router is configured three VLAN:

 

- Default (vlan 1)
- Kamery - (vlan 20)
- And VLAN for wi-fi (vlan 130)

 

Inside LAN, every roules works fine, network "Default" can't see "Kamery" and wi-fi, network.

But when i configured OpenVPN server, i can accces to any of this VLANs. Even when i set only one of this three as visible.

 

How should i do this corectly?
Is that kind of bug in Omada?

 

I'm sorry for Polish language on screenshot.
It shows setting up a new OpenVPN server in Omada controller:

 

 

 

Greetings

So, it is on Split Tunnel mode, and you've selected one of the LANs.

Do you have ACL configured for VLAN isolation prior to the VPN?

What IP do you configure for the OVPN clients?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#2
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 04:57:12

  @Clive_A Thank you for your attention.

 

 

I have configured VLANs like this:

 

 


And OpenVPN like this:

 

 

 

Where have i made a mistake?

 

I heven't created ALC roules for OpenVPN. How should I do this?

I configured only Gateway ACLs for VLANS inside local networks. And all it works fine.

  0  
  0  
#3
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 06:15:21

Hi @Wyciu 

Thanks for posting in our business forum.

Wyciu wrote

  @Clive_A Thank you for your attention.

 

 

I have configured VLANs like this:

 

 

 


And OpenVPN like this:

 

 

 

 

Where have i made a mistake?

 

I heven't created ALC roules for OpenVPN. How should I do this?

I configured only Gateway ACLs for VLANS inside local networks. And all it works fine.

There is no config issue as far as I can tell like my previous reply.

So, what would be the IP address you can access over the VPN tunnel to another VLAN interface?

Will you be able to ping the remote device and vice versa in the VLAN (interface)?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#4
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 07:40:59

  @Wyciu 

 

Hi,

 

If I recall correctly in my configuration I was doing ACLs to Deny connection between VPN network and some VLANs (to do so I had to add IP Group which covered VPN's IP Pool).

 

Also, I do remember that in VPN's configuration I have switched from Network Interfaces to IP ranges:

 

This worked better with Permitting/Denying traffic.

 

I'm not an expert, that was more like testing result on my side - some hit or miss reconfiguration - but if you need some support in your local language I can try to help.

 

Cheers

  0  
  0  
#5
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 07:41:01

  @Clive_A 

 

For example IP: 192.168.20.81, is address one of IP camera. I can, from OpenVPN tunel, "See" this camera. Another cameras in this VLAN, every clients in "Default" VLAN are visible.


Now I can't see wi-fi devices, because I turned on guest network option, so devices can't see each other.

I can ping to network 192.168.160.0/24, in both directions - to VLAN 1. (I can't test ping from VLAN 20 because there are only cameras).

 

I need to setup my OpenVPN tunel, to may connect only witch IPs in VLAN 1 for this moment.  I mean one direction only - From 192.168.160.0/24 => 192.168.100.0/22.

  0  
  0  
#6
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 07:45:08

Hi @Wyciu 

Thanks for posting in our business forum.

Wyciu wrote

  @Clive_A 

 

For example IP: 192.168.20.81, is address one of IP camera. I can, from OpenVPN tunel, "See" this camera. Another cameras in this VLAN, every clients in "Default" VLAN are visible.


Now I can't see wi-fi devices, because I turned on guest network option, so devices can't see each other.

I can ping to network 192.168.160.0/24, in both directions - to VLAN 1. (I can't test ping from VLAN 20 because there are only cameras).

 

I need to setup my OpenVPN tunel, to may connect only witch IPs in VLAN 1 for this moment.  I mean one direction only - From 192.168.160.0/24 => 192.168.100.0/22.

You selected the local network as default, so it allows the 192.168.160.0/24 to access the 192.168.100.0/22. That's expected.

 

You mean you have communications between 192.168.160.0/24 to 192.168.20.0/24?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#7
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 07:55:21

  @Clive_A 

 

Yes. This is this problem.
I'm using Ubuntu as OS for Omada Controler Software.

 

PS: RaRu solution doesn't works.

  0  
  0  
#8
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-15 08:05:00 - last edited 2024-11-15 08:05:13

Hi @Wyciu 

Thanks for posting in our business forum.

Wyciu wrote

  @Clive_A 

 

Yes. This is this problem.
I'm using Ubuntu as OS for Omada Controler Software.

 

PS: RaRu solution doesn't works.

Something that I tried in the past. Create a VLAN interface which uses the same subnet as you have for the OVPN.

And go to ACL and create the ACL based on your desire. Will that work? I cannot recall this kind of setup but I remember it somehow worked for others.

Give it a try?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#9
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-16 07:07:33

  @Clive_A 

 

It seems that even this tip doesn't work.
I at all possible to set up Omada like this example?

It will really help me in work.

  0  
  0  
#10
Options
Re:OpenVPN client can access to all my local network VLAN, whatever with one VLAN I setup as visible.
2024-11-18 03:30:01

Hi @Wyciu 

Thanks for posting in our business forum.

Wyciu wrote

  @Clive_A 

 

It seems that even this tip doesn't work.
I at all possible to set up Omada like this example?

It will really help me in work.

If that does not work, there is no way to do it.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#11
Options