Omada: Allow internet but block LAN2LAN (untrusted network), and allow local DNS

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-01-26 10:49:45 - last edited 2024-01-26 12:13:53

How to allow internet in untrusted network, but prevent it from accessing other networks, and allow local DNS?
I have 3 rules (in order):

LAN-WAN Network:IoT IpGroup:Any Allow
LAN-LAN Network:IoT Network:A,B,C,D Deny
LAN-LAN Network:A,B,C,D Network:IoT Deny

 

What I need is to create a rule that allows all local LANs to access 172.16.0.54/32:53 TCP and UDP.
Is this possible?


Am I missing something?

When I create a new LAN-LAN rule, I cannot select IP-Port group - only networks.

#1
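The three rules from the post, as a Python model of first-match ACL evaluation. This is an added example, not code from the thread or from Omada: the subnets behind networks A, B, C, D and IoT, the placement of 172.16.0.54 in network D, and the default-allow behaviour when no rule matches are all assumptions. It shows why the posted rules deny local DNS from IoT and where a port-specific allow rule would have to sit in the order, which is exactly the kind of rule the LAN-LAN editor does not offer.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the thread names networks A-D and IoT but gives no subnets,
# so these are assumptions; 172.16.0.54 (the local DNS host) is placed in network D.
LANS = {
    "IoT": ip_network("10.0.50.0/24"),
    "A": ip_network("10.0.10.0/24"),
    "B": ip_network("10.0.20.0/24"),
    "C": ip_network("10.0.30.0/24"),
    "D": ip_network("172.16.0.0/24"),
}

def rule(kind, action, src, dst, protos=None, dport=None):
    """One ACL entry. kind is LAN-WAN or LAN-LAN; src/dst are network names or CIDRs;
    protos is a set like {"tcp", "udp"} or None for any; dport None means any port."""
    expand = lambda items: [LANS[i] if i in LANS else ip_network(i) for i in items]
    return dict(kind=kind, action=action, src=expand(src), dst=expand(dst),
                protos=protos, dport=dport)

def _is_local(ip):
    return any(ip in net for net in LANS.values())

def _matches(r, src, dst, proto, dport):
    # A LAN-WAN rule only sees traffic leaving for the internet; a LAN-LAN rule only
    # sees inter-VLAN traffic, so the rule type is checked before the addresses.
    if r["kind"] == "LAN-WAN" and _is_local(dst):
        return False
    if r["kind"] == "LAN-LAN" and not _is_local(dst):
        return False
    return (any(src in n for n in r["src"]) and any(dst in n for n in r["dst"])
            and (r["protos"] is None or proto in r["protos"])
            and (r["dport"] is None or r["dport"] == dport))

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; assumed default is allow when no rule matches."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if _matches(r, src, dst, proto, dport):
            return r["action"]
    return "allow"

# The three rules from the original post, in the order given.
ORIGINAL = [
    rule("LAN-WAN", "allow", ["IoT"], ["0.0.0.0/0"]),
    rule("LAN-LAN", "deny", ["IoT"], ["A", "B", "C", "D"]),
    rule("LAN-LAN", "deny", ["A", "B", "C", "D"], ["IoT"]),
]
# The missing rule: every LAN may reach the DNS host on 53/tcp and 53/udp. It must sit
# before the deny rules; appended after them it never wins, because the deny matches first.
DNS_ALLOW = rule("LAN-LAN", "allow", ["IoT", "A", "B", "C", "D"], ["172.16.0.54/32"],
                 protos={"tcp", "udp"}, dport=53)
FIXED = [DNS_ALLOW] + ORIGINAL
WRONG_ORDER = ORIGINAL + [DNS_ALLOW]
```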
Re:Omada: Allow internet but block LAN2LAN (untrusted network), and allow local DNS
2024-01-26 14:06:57

  @tplecko 

 

Only some Omada gateways have LAN-LAN rules that work, but the gateways do not support IP_Group for which you need an Omada switch.

<< Paying it forward, one juicy problem at a time... >>
#2
Re:Omada: Allow internet but block LAN2LAN (untrusted network), and allow local DNS
2024-01-26 14:48:36

@d0ugmac1 In short, this cannot be done on the gateway.

I have switched to TP-Link Omada because it's everything in one place. I'm really trying, but the routers are missing basic functionality.

 

Thanks for the answer. 

I will work around this by cloning the local DNS and exposing the clone in untrusted network. 

#3
Re:Omada: Allow internet but block LAN2LAN (untrusted network), and allow local DNS
2024-01-26 15:34:47

  @tplecko 

 

If you have a 7206 or 605v2 with the latest firmware, you can do LAN-LAN ACLs on the gateway. Not sure about any of the others though.

<< Paying it forward, one juicy problem at a time... >>
#4
Re:Omada: Allow internet but block LAN2LAN (untrusted network), and allow local DNS
2024-01-26 16:13:59

  @d0ugmac1 

You can make LAN-to-LAN ACLs on all the routers, but the problem is that you can close everything or open everything, not open or close individual ports. So TP-Link has not realized that it must be possible to open certain ports, e.g. DNS, guest portal, printer and things like that.

No, here everything is either open or everything is closed.
Switch ACLs are an emergency solution; ACLs between VLANs must be done on the router, not on the switch.

#5
Re:Omada: Allow internet but block LAN2LAN (untrusted network), and allow local DNS
2024-01-26 16:53:50

@MR.S Exactly.

That's basic firewall. 

#6