Omada Switch ACLs for established state
Hi there,
just started my Omada SDN Setup. The main parts are:
* Controller OC200 v1.0 (Firmware 1.7.3 Build 20201119 Rel.63433, Controller Version 4.2.8)
* Gateway TL-R605 v1.0 (Firmware 1.0.0)
* Switch TL-SG2008P v1.0 (Firmware 1.0.0)
I wonder how to configure the following (pretty common I guess) setup:
* VLAN 1 as main VLAN
* VLAN 2 as IoT VLAN
1. I want to deny traffic from VLAN 2 to VLAN 1 (this worked pretty easy by adding a switch ACL rule for that)
2. I still want to allow (initiated) traffic from VLAN 1 to VLAN 2 so that I can for example access my IP camera
But for this to work I need something that is normally referred to as a firewall rule, that allows established connections from VLAN 2 to VLAN 1. How can this be done? I cannot find it in Omada. I also try to set it up by running all the devices in standalone mode, be even there I could not find a way to create an ACL rule that matches on established connection.
Any help would be appreciated.
Christian
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
tekneon wrote
@thekwasti I actually don't think that the TL-R605 is fit for handling a statefull firewall and keep an acceptable throughput.
I have my omada hardware for a year now and got tired of waiting for TP-Link to be tired of ignoring this request. I invested into a mini computer able to run PFSense and finally reached my goal of correctly separating my vlans and even more. Now that I have it working and that I have see the wire range of features PFSense offers, I strongly doubt that TPLink can offer even a small part of those features with the TL-R605. At least at this rate.
@tekneon It is quite possibly a hardware limitation. Although, it must already have a stateful firewall running on the wan ports.
I think it would be unreasonable expectation for a $60 device to support the full range of features that a software firewall running on a PC can offer. Also, when dealing with remote always-on installations a software firewall isn't always the best solution. Mini-PCs have this habit of failing when run 24/7. Especially when the climate conditions aren't ideal.
That being said, only supporting stateless ACLs between LAN segments seems like a pretty deal-breaking limitation.
- Copy Link
- Report Inappropriate Content
Is this already on the development roadmap? Would be really nice to hear something back from TP-Link at least to know whether it's worth the wait or should we switch... as can be seen from this and the mentioned thread this is quite the dealbreaker not just for home users, this makes it unusable for businesses even more so.
- Copy Link
- Report Inappropriate Content
Cant find the post now (unfortunately) but I had seen on Reddit that one of the users was in contact with TP Link support, apparently this is due in a firewall and VLAN changes very soon..
I cant remember if it was v5 or v6 controller but they indicated that support said "due soon". My gut feeling is v6 controller might bring this, perhaps that is just hope!
- Copy Link
- Report Inappropriate Content
@Philbert I found it or something similar, for others' future reference:
r/TPLink_Omada/comments/wwrg14/er605_is_incapable_of_doing_unidirectional_vlan/
We have consulted our senior engineer about this, and we would improve the SPI firewall function in the next firmware.
- Copy Link
- Report Inappropriate Content
Is it possible to get the established/related ACL by replacing ER605 with a device running OPNSense, while keeping all other Omada devices?
- Copy Link
- Report Inappropriate Content
WesWalker wrote
Is it possible to get the established/related ACL by replacing ER605 with a device running OPNSense, while keeping all other Omada devices?
Yes. You will need to transfer the config for dhcp and the network to the opnsense as well.
In this scenario, the omada controller will still show all your devices(because the switches and waps will see them) and manage your wireless config.
- Copy Link
- Report Inappropriate Content
I can confirm this is now working after recent update.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Router ER-7206 version 1.2.3 Build 20221104 Rel.41500
OC200 controller
Version:5.6.4
Build: 1.20.1 Build 20220921 Rel.35880
- Copy Link
- Report Inappropriate Content
@chrisro how have you managed to combine gateway and switch ACLs. I have blocked intervlan communication on the switch level and adding ACL for existing state for intervlan communication doesn't bring desired effect. My setting are as follows:
Gateway ACL:
LAN->LAN
permit
all protocols
Network->Network
IOT->Main
States Type: Auto
Switch ACL:
deny
all protocols
Network->Network
IOT->Main
ACL binding: All ports
Did I miss something?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 11
Views: 12544
Replies: 38