How to implement unidirectional VLAN access through ACL configuration on the Omada Gateway in Controller mode
Application scenario
The objective of this configuration is to restrict access from the IoT devices to the LAN network. This means that devices connected to the IoT network, such as smart devices or sensors, will not be able to communicate with or access devices within the LAN network, which typically consists of computers, servers, and other devices used by users.
On the other hand, the LAN network retains the ability to access and communicate with the IoT devices. This allows users within the LAN network to control and interact with the IoT devices, gather data, or perform monitoring tasks.
Applicable Devices
ER605 V2
TL-SG2210MP V4
EAP660 HD V3
Omada Software Controller V5.9
Configuration Scheme
To meet these requirements, we can configure unidirectional/Stateful ACL rules on the router to block IoT devices from accessing the LAN and allow the LAN to access the IoT devices. The configuration overview is as follows:
1) Create a VLAN interface
2) Create Stateful ACL rule
3) Create SSID with VLAN for IOT devices
4) Verification
Configuration Procedure
Before starting the configuration, we need to manage the Omada devices using the controller. If you encounter any issues with adoption, please refer to the following FAQs for troubleshooting:
- What should I do when the Omada Software Controller (V4) fails to discover the devices?
- What Should I Do if Omada Software Controller OC200 Cannot Adopt Omada EAP
Step 1. Go to Settings> Wired networks> LAN to click +Create New LAN to create VLAN interfaces for IOT devices.
Step 2. Go to Settings> Network Security> ACL> Gateway ACL to create a new rule
Direction: LAN-> LAN
Policy: Deny
Protocols: All
Source: IOT
Destination: LAN
States Type: Auto
Note: We recommend keeping the states type as Auto. If you select Manual, please refer to the following picture.
Match State New: Match the connections of the initial state. For example, a SYN packet arrives in a TCP connection, or the router only receives traffic in one direction.
Match State Established: Match the connections that have been established. In other words, the firewall has seen the bidirectional communication of this connection.
Match State Related: Match the associated sub-connections of a main connection, such as a connection to a FTP data channel.
Match State Invalid: Match the connections that do not behave as expected.
Step 3. Go to Settings> Wireless network> WLAN> to click Create new SSID and set VLAN ID as 20 for IOT devices.
Step 4. Verification
The cellphone is connecting the 'IOT' SSID with the IP address 192.168.20.99, while the computer has the IP address 192.168.0.100. The cellphone is unable to ping the computer, but the computer can ping the cellphone.