
How to set up Access Control of TP-Link Omada Router in Standalone and Controller

Knowledgebase
FAQ
2024-06-13

User's Application Scenario Ⅰ: Only Allow Access to the Internal Network in Standalone

A company manages different departments in different buildings. Each building has an SMB router in its equipment room, and each floor has a switch.

How can I do that?

For example, to restrict specific users in the R&D department on the 3rd floor of Building 2, you must ensure that those R&D staff can only access the internal network, while other members of the same department are not restricted.

Follow the steps below to configure ACL rules on the SMB router in Building 2, taking the ER8411 as an example:

1. Go to Preferences > IP Group > IP Address, and click +Add to create a new IP address entry.

Specify the IP address range of the specific R&D users as 192.168.0.32-192.168.0.63, then click OK.

Then specify the IP address range of the whole internal network.

2. On the IP Group page, create the IP groups for the corresponding IP addresses. By default, there is an "IPGROUP_ANY" entry covering all IPs, and it is not editable.

3. Go to Firewall > Access Control, and click +Add to configure the rules as below.

The router processes rules sequentially for each packet. In the Access Control List, the rule with a smaller ID has higher priority. Since the router evaluates rules starting from the highest priority, ensure that the Allow rule has a smaller ID number than the Block rule.

4. Verification

After configuration, the specified users in the R&D department cannot access external IPs at any time.

 

User's Application Scenario Ⅱ: Only Allow the HTTP Service and Block All Other Services in Standalone

This article explains how to restrict employees so that, at any time, they can only access websites on the Internet via HTTP.

How can I do that?

Follow the steps below to configure it, taking the ER8411 as an example:

1. Go to Firewall > Access Control and configure the following three entries.

1) Allow the HTTP service for all sources and destinations.

2) Allow the DNS service, because the DNS service works together with the HTTP service (the client must resolve the site name before it can connect).

3) By default, all services are allowed by the access rules. To block the other services, place a Block All Services rule at the end.

The router processes rules sequentially for each packet. In the Access Control List, the rule with a smaller ID has higher priority. Since the router evaluates rules starting from the highest priority, ensure that the Allow rules have smaller ID numbers than the Block rule.
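The first-match, default-allow evaluation described above (and repeated in Scenario Ⅳ), as an added example that is not TP-Link's code: a small Python model of the Access Control List over the IP groups and services of Scenarios Ⅰ and Ⅱ. The group names RD_Restricted and Internal_LAN, the internal range 192.168.0.0/24 and the service ports (TCP 80, UDP 53) are assumptions; the page does not state them. The misordered() helper shows what happens when the Block rule gets the smaller ID.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the ACL evaluation this page describes; not TP-Link code.
# IP groups hold ranges ("a-b") or CIDR blocks. IPGROUP_ANY covers every IP.
# Group names and the Internal_LAN range are assumptions, not taken from the page.
IP_GROUPS = {
    "IPGROUP_ANY": ["0.0.0.0/0"],
    "RD_Restricted": ["192.168.0.32-192.168.0.63"],  # Scenario I: specific R&D users
    "Internal_LAN": ["192.168.0.0/24"],              # Scenario I: whole internal network
}
# Services as (protocol, destination port); "All" matches any traffic. Ports assumed.
SERVICES = {"All": None, "HTTP": ("tcp", 80), "DNS": ("udp", 53)}
# id: smaller = higher priority; policy: "Allow"/"Block"; src/dst: IP group names.
Rule = namedtuple("Rule", "id policy service src dst")

def ip_in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    for entry in IP_GROUPS[group]:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry):
            return True
    return False

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Rules are checked in ID order; the first match decides, otherwise Allow."""
    for r in sorted(rules, key=lambda r: r.id):
        svc = SERVICES[r.service]
        if (svc is None or svc == (proto, dport)) \
                and ip_in_group(src_ip, r.src) and ip_in_group(dst_ip, r.dst):
            return r.policy
    return "Allow"  # the router's default when no rule matches

# Scenario I: restricted R&D users may reach the internal LAN only.
SCENARIO_1 = [Rule(1, "Allow", "All", "RD_Restricted", "Internal_LAN"),
              Rule(2, "Block", "All", "RD_Restricted", "IPGROUP_ANY")]
# Scenario II: HTTP and DNS for everyone, then a final Block All Services.
SCENARIO_2 = [Rule(1, "Allow", "HTTP", "IPGROUP_ANY", "IPGROUP_ANY"),
              Rule(2, "Allow", "DNS", "IPGROUP_ANY", "IPGROUP_ANY"),
              Rule(3, "Block", "All", "IPGROUP_ANY", "IPGROUP_ANY")]

def misordered(rules):
    """The same rules with their IDs reversed, so the Block rule is evaluated first."""
    ordered = sorted(rules, key=lambda r: r.id)
    new_ids = [r.id for r in reversed(ordered)]
    return [r._replace(id=i) for r, i in zip(ordered, new_ids)]
```

With the IDs reversed, the Block rule shadows every Allow rule below it, which is exactly the outcome the ordering note warns about.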

2. Verification

After configuration, employees cannot access the Internet via HTTPS.

 

User's Application Scenario Ⅲ: Unidirectional VLAN Access in Standalone

A company has two departments: R&D department and marketing department, and they are in different subnets. The R&D department has access to computers in all VLANs for data backup, while computers in the marketing department are restricted from accessing the R&D department VLAN to enhance data security.

 

How can I do that?

Follow the steps below to configure it, taking the ER8411 as an example:

1. Go to Network > LAN on the router, click +Add to create a new network, and fill in the configuration according to the network requirement. Set the IP address/subnet mask as 192.168.10.1/255.255.255.0, set the mode as Normal, assign VLAN 10 to the network, and enable the DHCP server.

After saving, the network settings on the router are as below.

2. Go to Network > VLAN to change the VLAN settings.

Normally, after creating a new network, all LAN ports of the router will remain UNTAG in the default network and will be automatically added to the TAG VLAN of the new network.

Based on the network topology, an unmanaged switch is used to extend more Ethernet ports. Change the Marketing LAN port (Port 4) to UNTAG VLAN 10 and set its PVID to VLAN 10, and change the R&D LAN port (Port 5) to UNTAG VLAN 30 and set its PVID to VLAN 30.

3. Go to Firewall > Access Control, and click +Add button to create rule as below. Note that the "LAN -> LAN" interface signifies an inter-network traffic ACL entry. This rule prevents the marketing department from accessing the R&D department.

Note: Stateful ACL requires router firmware that supports it.

Note: We recommend keeping the States type at its default setting. If you select it manually, please refer to the following picture.

New: Matches connections in their initial state, for example the first SYN packet of a TCP connection, or a connection for which the router has only seen traffic in one direction.

Established: Matches connections that have already been established, that is, the firewall has seen bidirectional communication on this connection.

Invalid: Matches connections that do not behave as expected.

Related: Matches sub-connections associated with a main connection, such as the data channel of an FTP connection.

4. Verification

After configuration, devices in VLAN 10 cannot ping devices in VLAN 30, while devices in VLAN 30 can ping devices in VLAN 10.

192.168.10.100 in VLAN10 cannot ping 192.168.30.100 in VLAN30 after setting the ACL.

192.168.30.100 in VLAN30 is still able to access 192.168.10.100 in VLAN10.

 

User's Application Scenario Ⅳ: Bi-Directional VLAN Access in Standalone

A company prohibits employees in the R&D department and the Marketing department from accessing each other's resources, but an administrator in the R&D department can access the Marketing department.

 

How can I do that?

Follow the steps below to configure it, taking the ER8411 as an example:

1. Create multiple networks on the router

1) Go to Network > LAN on the web interface of the router, click +Add to create a new network, and fill in the configuration according to the network requirement. Set the IP address/subnet mask as 192.168.10.1/255.255.255.0, set the mode as Normal, assign VLAN 10 to the network, and enable the DHCP server.

After saving, the network settings on the router are as below.

2) Go to Network > VLAN to confirm the settings on each port.

Normally, after creating a new network, all LAN ports of the router will remain UNTAG in the default network and will be automatically added to the TAG VLAN of the new network.

Since a managed switch connects to the router, keep the default setting for each port.

2. Create VLAN on the switch

1) Go to L2 Features > VLAN > 802.1Q VLAN > VLAN Config on the web interface of managed switch, create VLAN 10 and VLAN 30; add Untagged port 3-5 and Tagged uplink port 1 to VLAN 10; add Untagged port 6-8 and Tagged uplink port 1 to VLAN 30.

2) Go to L2 Features > VLAN > 802.1Q VLAN > Port Config on the switch, and set the PVID value as 10 for ports 3-5 and 30 for ports 6-8 respectively. After that, click the save control at the top right of the web page to save the configuration.

3. Configure ACL on the router

1) Go to Preferences > IP Group > IP address on the router. Click +Add to add a new IP address entry for the administrator in R&D department.

Specify the IP subnet as 192.168.30.100/32. IP subnet represents the range of IP addresses. In this example, 192.168.30.100 means the IP address and /32 means the number of bits in the mask. Click OK.

By default, there is an entry “IP_LAN” covering all IPs on the router, and it is not editable.

2) On the IP Group page, create an IP group for the corresponding IP address.

3) Go to Firewall > Access Control on the router, and click +Add button to create rule as below.

Direction ALL includes WAN in, LAN->WAN and LAN->LAN. Note that Direction ALL requires the router to be upgraded to the latest firmware.

Then create the Block rule between VLAN10 and VLAN30.

The router processes rules sequentially for each packet. In the Access Control List, the rule with a smaller ID has higher priority. Since the router evaluates rules starting from the highest priority, ensure that the Allow rule has a smaller ID number than the Block rule. All rules should be as below:

4. Verification

After the above configuration, VLAN10 and VLAN30 cannot access each other, while the admin with 192.168.30.100 is able to access VLAN10.

192.168.10.100 in VLAN10 cannot ping 192.168.30.100 in VLAN30.

The admin with 192.168.30.100 is able to access 192.168.10.100 in VLAN10.

User's Application Scenario Ⅴ: Only Allow Access to the Internet in Standalone

To enhance security, a company has implemented measures to prevent visitors in the guest room from accessing both the office and the server room.

 

How can I do that?

Follow the steps below to configure it, taking the ER8411 as an example:

1. Create multiple networks on the router

1) Go to Network > LAN on the web interface of the router, click +Add to create a new network, and fill in the configuration according to the network requirement. Set the IP address/subnet mask as 192.168.10.1/255.255.255.0, set the mode as Normal, assign VLAN 10 to the network, and enable the DHCP server.

After saving, the network settings on the router are as below.

2) Go to Network > VLAN to confirm the settings on each port.

Normally, after creating a new network, all LAN ports of the router will remain UNTAG in the default network and will be automatically added to the TAG VLAN of the new network.

Since an easy smart switch connects to the router, keep the default setting for each port.

2. Create VLAN on the switch

1) Go to the VLAN > 802.1Q VLAN to load the following page on the easy smart switch. Enable 802.1Q VLAN function. Add uplink port 1 as Tagged port and port 10-16 to VLAN 10, then click Apply.

Note: VLANs can be added or modified only after the 802.1Q VLAN feature is enabled.

2) Go to VLAN > 802.1Q VLAN PVID Setting to load the following page. By default, PVID of all the ports are 1. Specify the PVID of port 10-16 as 10 and click Apply.

3. Configure ACL on the router

1) Go to Firewall > Access Control on the router, and click +Add button to create rule as below. Note that the "LAN -> LAN" interface signifies an inter-network traffic ACL entry.

"!vlan10" means all network interfaces except VLAN10. When a network is created, the system automatically generates a second network name by adding an exclamation mark ("!") at the beginning. This exclamation mark signifies that the entry includes all interfaces except the one specified.

"Me" means the gateway IPs of all interfaces; here it means the default LAN gateway 192.168.0.1 and the VLAN10 gateway 192.168.10.1.
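The "!vlan10" and "Me" selectors above, as an added example that is not TP-Link's code: a small Python model of how a LAN -> LAN rule is matched against the source network, a negated destination network and the gateway set. The page shows the rule itself only as a screenshot, so the two-rule set below (block VLAN10 to !vlan10, block VLAN10 to Me) is an assumption reconstructed from the verification results.

```python
import ipaddress

# Constructed model of interface-based LAN -> LAN ACL matching; not TP-Link code.
# Networks from Scenario V: the default LAN (VLAN1) and the guest network VLAN10.
NETWORKS = {"vlan1": "192.168.0.1/24", "vlan10": "192.168.10.1/24"}
GATEWAYS = {ipaddress.ip_interface(n).ip for n in NETWORKS.values()}  # the "Me" set

def interface_of(ip):
    """Name of the LAN network an address belongs to, or None for a WAN address."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in NETWORKS.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None

def iface_matches(selector, iface):
    """'!vlan10' = every LAN network except vlan10; 'any' = every network."""
    if selector == "any":
        return True
    if selector.startswith("!"):
        return iface is not None and iface != selector[1:]
    return iface == selector

def dst_matches(selector, dst_ip):
    """A destination selector is an interface selector or the gateway set 'Me'."""
    if selector == "Me":
        return ipaddress.ip_address(dst_ip) in GATEWAYS
    return iface_matches(selector, interface_of(dst_ip))

# Assumed rule set for Scenario V (reconstructed, the page shows it as an image):
# block guest traffic to every other LAN network and to all gateway IPs.
# Each rule: (policy, direction, source selector, destination selector).
RULES = [("Block", "LAN->LAN", "vlan10", "!vlan10"),
         ("Block", "LAN->LAN", "vlan10", "Me")]

def evaluate(src_ip, dst_ip, rules=RULES):
    """First matching rule decides; no match means Allow (the router's default)."""
    src_if = interface_of(src_ip)
    # A destination inside any LAN network (gateways included) is LAN -> LAN traffic;
    # anything else leaves through the WAN and is not touched by LAN -> LAN rules.
    direction = "LAN->LAN" if interface_of(dst_ip) else "LAN->WAN"
    for policy, rule_dir, src_sel, dst_sel in rules:
        if rule_dir == direction and iface_matches(src_sel, src_if) \
                and dst_matches(dst_sel, dst_ip):
            return policy
    return "Allow"
```

The "Me" rule is what stops the guest network from reaching its own gateway 192.168.10.1, which "!vlan10" alone would not cover.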

4. Verification

After configuration, the devices in the guest room cannot access the devices in the office and the server room.

192.168.10.100 in VLAN10 cannot ping 192.168.0.100 in VLAN1, and cannot ping VLAN1's gateway.

192.168.10.100 in VLAN10 cannot ping VLAN10's gateway IP, but is still able to ping the public DNS 1.1.1.1.

 

To learn more details of each function and configuration, please go to the Download Center to download the manual of your product.
