How to implement unidirectional VLAN access through ACL configuration on the Omada Gateway in Controller mode

TL-ER7206 , TL-R605 , ER7206 , ER8411 , ER707-M2 , ER7406 , ER605
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
Application scenario
The objective of this configuration is to restrict access from the IoT devices to the LAN network. This means that devices connected to the IoT network, such as smart devices or sensors, will not be able to communicate with or access devices within the LAN network, which typically consists of computers, servers, and other devices used by users.
On the other hand, the LAN network retains the ability to access and communicate with the IoT devices. This allows users within the LAN network to control and interact with the IoT devices, gather data, or perform monitoring tasks.
Applicable Devices
ER605 V2
TL-SG2210MP V4
EAP660 HD V3
Omada Software Controller V5.9
Configuration Scheme
To meet these requirements, we configure a unidirectional (stateful) ACL rule on the router that blocks IoT devices from accessing the LAN while allowing the LAN to access the IoT devices. The rule is unidirectional because it is stateful: it denies connections initiated from the IoT VLAN, while replies to connections initiated from the LAN belong to an already-tracked flow and are not matched by the deny rule. The configuration overview is as follows:
1) Create a VLAN interface
2) Create Stateful ACL rule
3) Create an SSID with a VLAN for the IoT devices
4) Verification
Configuration Procedure
Before starting the configuration, we need to manage the Omada devices using the controller. If you encounter any issues with adoption, please refer to the following FAQs for troubleshooting:
- What should I do when the Omada Software Controller (V4) fails to discover the devices?
- What Should I Do if Omada Software Controller OC200 Cannot Adopt Omada EAP
Step 1. Go to Settings > Wired Networks > LAN and click + Create New LAN to create the VLAN interface for the IoT devices (VLAN 20 in this example, matching the VLAN ID assigned to the IoT SSID in Step 3).
Step 2. Go to Settings > Network Security > ACL > Gateway ACL and create a new rule with the following settings:
Direction: LAN -> LAN
Policy: Deny
Protocols: All
Source: IOT (the network created in Step 1)
Destination: LAN
States Type: Auto
Because the rule is stateful, it only matches connections that the IoT network initiates towards the LAN. Return traffic for connections that LAN devices initiate towards the IoT network is tracked as part of an existing connection and is not affected by this rule.
Note: We recommend keeping the states type as Auto. If you select Manual, select the states as shown in the following picture. The states have the following meanings:
Match State New: matches packets that open a connection, for example the first SYN packet of a TCP connection, or a flow for which the router has so far seen traffic in only one direction.
Match State Established: matches connections that have already been established, in other words the firewall has seen traffic in both directions of this connection.
Match State Related: matches sub-connections associated with an existing main connection, such as the data channel of an FTP session.
Match State Invalid: matches packets that do not behave as expected and cannot be associated with any known connection, for example a TCP packet with no connection behind it.
Step 3. Go to Settings > Wireless Networks > WLAN, click Create New SSID, and set the VLAN ID to 20 for the IoT devices, so that clients on this SSID are placed on the VLAN interface created in Step 1.
Step 4. Verification
The cellphone is connected to the 'IOT' SSID with the IP address 192.168.20.99, while the computer has the IP address 192.168.0.100. The cellphone cannot ping the computer, but the computer can ping the cellphone: the echo request from the LAN is not matched by the rule, and the echo reply from the IoT VLAN belongs to an established connection, so the deny rule does not match it either. Note that this rule only governs traffic that the gateway forwards between the two networks; it does not restrict communication between devices within the same VLAN.
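To make the mechanism behind Step 2 and the Step 4 result concrete, here is an added model (not Omada controller or firmware code) of a connection tracker that classifies packets into the New, Established, Related and Invalid states defined above and applies the FAQ's single rule, Deny / All / IOT -> LAN. It replays the ping test from Step 4 in both stateful and stateless form, and goes beyond the FAQ by adding a TCP connection attempt, a stray TCP ACK and an active-mode FTP data channel. Assumptions not stated in the FAQ: the IOT network is 192.168.20.0/24 and the LAN is 192.168.0.0/24; the Manual equivalent of Auto is taken to match New (Invalid is denied here too, as a defensive choice); the FTP expectation is registered by hand instead of by a protocol helper.

```python
"""Model of the stateful Gateway ACL from this FAQ (added illustration, not
Omada code). Assumptions: IOT = 192.168.20.0/24, LAN = 192.168.0.0/24, the
deny rule matches New (and, defensively, Invalid), and the FTP data-channel
expectation is registered by hand in place of a protocol helper."""
from dataclasses import dataclass
import ipaddress

IOT = ipaddress.ip_network("192.168.20.0/24")   # VLAN 20 from Step 3 (assumed /24)
LAN = ipaddress.ip_network("192.168.0.0/24")    # range seen in Step 4 (assumed /24)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # tcp: source port;      icmp: echo identifier
    dport: int = 0      # tcp: destination port; icmp: type (8 request, 0 reply)
    syn: bool = False   # tcp: bare SYN, i.e. a packet that may open a connection


class ConntrackGateway:
    """Minimal connection tracker plus the FAQ's IOT -> LAN deny rule."""

    def __init__(self, stateful=True):
        self.stateful = stateful
        self.flows = {}         # original-direction tuple -> reply seen yet?
        self.expected = set()   # (proto, src, dst, dport) flows a helper expects

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        if p.proto == "icmp":   # request (8) and reply (0) are one flow's two directions
            return ("icmp", p.dst, p.sport, p.src, {8: 0, 0: 8}[p.dport])
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        """Classify p as NEW, ESTABLISHED, RELATED or INVALID."""
        fwd, rev = self._fwd(p), self._rev(p)
        if rev in self.flows:                       # reply direction of a known flow
            return "ESTABLISHED"
        if fwd in self.flows:                       # original direction, seen before
            return "ESTABLISHED" if self.flows[fwd] else "NEW"
        if (p.proto, p.src, p.dst, p.dport) in self.expected:
            return "RELATED"                        # e.g. an FTP data channel
        if p.proto == "tcp" and not p.syn:          # mid-stream packet, no connection
            return "INVALID"
        if p.proto == "icmp" and p.dport == 0:      # echo-reply nobody asked for
            return "INVALID"
        return "NEW"

    def expect_related(self, proto, src, dst, dport):
        """What a protocol helper does after parsing, e.g., an FTP PORT command."""
        self.expected.add((proto, src, dst, dport))

    def permitted(self, p, st):
        """The Step 2 rule: Deny, all protocols, source IOT, destination LAN."""
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if not (src in IOT and dst in LAN):
            return True                             # no other rules: default allow
        if not self.stateful:
            return False                            # a stateless deny also kills replies
        return st not in ("NEW", "INVALID")         # stateful: block IOT-initiated only

    def forward(self, p):
        st = self.state(p)
        ok = self.permitted(p, st)
        if ok and st != "INVALID":
            self._track(p)
        return st, ok

    def _track(self, p):
        fwd, rev = self._fwd(p), self._rev(p)
        if rev in self.flows:
            self.flows[rev] = True                  # reply seen: established both ways
        elif fwd not in self.flows:
            self.flows[fwd] = False                 # first packet of a new/related flow
            self.expected.discard((p.proto, p.src, p.dst, p.dport))


def run_verification(stateful=True):
    """Replay Step 4 (phone 192.168.20.99, computer 192.168.0.100) plus TCP cases."""
    gw = ConntrackGateway(stateful)
    phone, pc = "192.168.20.99", "192.168.0.100"
    r = {}
    # Phone pings computer: the echo-request is a New IOT -> LAN flow, so it is denied.
    r["phone_ping_pc"] = gw.forward(Packet("icmp", phone, pc, 1, 8))[1]
    # Computer pings phone: request is LAN -> IOT (no rule matches); the echo-reply
    # travels IOT -> LAN but is Established, so the stateful deny lets it through.
    req = gw.forward(Packet("icmp", pc, phone, 2, 8))[1]
    rep = gw.forward(Packet("icmp", phone, pc, 2, 0))[1]
    r["pc_ping_phone"] = req and rep
    # Phone opens TCP to the computer: the SYN is New, so it is denied.
    r["phone_tcp_to_pc"] = gw.forward(Packet("tcp", phone, pc, 40000, 22, syn=True))[1]
    # Phone sends a bare ACK with no connection behind it (scan/spoof): Invalid, denied.
    r["phone_bare_ack"] = gw.forward(Packet("tcp", phone, pc, 40001, 22))[1]
    # Computer opens FTP control to the phone; the server's active-mode data channel
    # comes back IOT -> LAN as a new flow, but it is Related, so it is permitted.
    gw.forward(Packet("tcp", pc, phone, 50000, 21, syn=True))
    gw.forward(Packet("tcp", phone, pc, 21, 50000))      # SYN/ACK, reply direction
    gw.expect_related("tcp", phone, pc, 50001)           # client sent PORT ...,50001
    r["ftp_data_iot_to_lan"] = gw.forward(Packet("tcp", phone, pc, 20, 50001, syn=True))[1]
    return r


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", run_verification(mode))
```

Running the stateless variant shows why the States Type matters: the same Deny rule without connection tracking also drops the echo reply and the FTP data channel, so the computer could no longer reach the cellphone either, which is the symmetric block the FAQ is trying to avoid.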