How to set up access control of Omada Gateway via Omada Controller (2024)

Contents

Objective

Requirements

Introduction

Configuration

Scenario 1. Only allow access to the internal network

Scenario 2. Allow HTTP only and block all other services

Scenario 3. Unidirectional VLAN access

Scenario 4. Bi-Directional VLAN access and only allow access to the Internet

Conclusion

Objective

This article introduces how to configure the access control feature on Omada gateway via Omada Controller.

Requirements

  • Omada gateway series
  • Omada Software Controller / Hardware Controller / Cloud Based Controller

Introduction

ACL (access control list) allows a network administrator to create rules to restrict access to network resources. ACL rules filter traffic based on specified criteria such as source IP addresses, destination IP addresses, and port numbers, and determine whether to forward the matched packets.

Configuration

Some typical user scenarios are explained in detail here.

Scenario 1. Only allow access to the internal network

All departments share one network, and the goal is to restrict what users in the R&D department can do.

In this example, R&D users must have no access to the Internet, while users in the other departments are not restricted.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Profiles > Groups. By default, there is an entry covering all IPs, and it is not editable. Click +Create New Group to add a new group entry.

Step 2. Specify the name of the IP group as “R&D” and select IP Group as the type.

Specify the IP subnet as 192.168.0.32/27. The IP subnet is the range of addresses the group covers: 192.168.0.32 is the network address and /27 is the number of bits in the mask, so the group spans 192.168.0.32 through 192.168.0.63 (32 addresses). Click Apply.

Step 3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name as “Deny R&D” and check Enable for Status. Select Direction as LAN -> WAN, Policy as Deny, Protocol as All, “R&D” as the source IP group and “IPGROUP_ANY” as the destination IP group. Keep the Advanced Settings section at its defaults and click Create.

Step 4. Verification

After configuration, hosts in the R&D group (192.168.0.32/27) cannot reach any public IP address through the WAN at any time, while other hosts are unaffected. Note that the rule matches on source address only, so it is only as strong as the address assignment: an R&D host that obtains an address outside 192.168.0.32/27 is no longer matched.

Scenario 2. Allow HTTP only and block all other services

This scenario restricts employees to accessing websites on the Internet via HTTP only, at all times.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Profiles > Groups. By default, there is an entry covering all IPs, and it is not editable. Click +Create New Group to add a new group entry.

Step 2. Specify the name of the IP-Port group as “office”, select IP-Port Group as the type and choose IP-Port Range as the IP-Port type.

Click + Add Subnet and specify the subnet as 192.168.0.1/24. The IP subnet is the range of addresses you want: 192.168.0.1 is an address in the range and /24 is the number of bits in the mask, so the entry covers the whole 192.168.0.0/24 network.

Specify the ports as 53 (DNS) and 80 (HTTP). DNS must be permitted alongside HTTP because a browser has to resolve a site's name before it can fetch the page. Then click Apply.

Step 3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “permitHTTP” and check Enable for Status. Select Direction as LAN -> WAN, Policy as Permit, Protocol as All, “office” as the source IP-Port group and “IPGROUP_ANY” as the destination IP group. Keep the Advanced Settings section at its defaults and click Create.

Note: Only Omada gateways running certain firmware versions support setting an ACL rule's status to disabled. Make sure your gateway supports this before adopting it; otherwise the status setting is lost when the gateway is adopted.

Step 4. Create a second rule: specify the name as “blockother” and check Enable for Status. Select Direction as LAN -> WAN, Policy as Deny, Protocol as All, “LAN” as the source network and “IPGROUP_ANY” as the destination IP group. Click Create.

All rules are shown below. The permit rule must be the first rule: Gateway ACL rules are evaluated from top to bottom and the first match decides, so if “blockother” sat above “permitHTTP” it would also drop the DNS and HTTP traffic that “permitHTTP” is meant to allow.

Step 5. Verification

After configuration, employees cannot reach the Internet over HTTPS (or any service other than DNS and HTTP): an http:// URL still loads, while an https:// URL to the same site fails. Because port 53 is permitted to any destination, clients can still query any resolver on the Internet; if that matters, put DNS in a separate permit rule whose destination IP group contains only your own resolver.

Scenario 3. Unidirectional VLAN access

A company has two departments: R&D department and marketing department, and they are in different subnets. The R&D department has access to computers in all VLANs for data backup, while computers in the marketing department are restricted from accessing the R&D department VLAN to enhance data security.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Wired Networks > LAN Networks, and click +Create New LAN to create VLAN interfaces for the two departments.

The following figure illustrates the creation of VLAN 10 (subnet 192.168.10.1/24) as an example.

Create VLAN 30 (subnet 192.168.30.1/24) with the same steps. After saving, the network settings on the gateway are as shown below.

Step 2. In this topology an unmanaged switch is used to provide more Ethernet ports, so the gateway's ports must be set per department: the Marketing LAN port (Port 4) carries VLAN 10 untagged with PVID 10, and the R&D LAN port (Port 5) carries VLAN 30 untagged with PVID 30.

Open the gateway's own configuration page, go to Ports in the pop-up window, click Edit on WAN/LAN3, change the PVID to 10 and click Apply. Configure the R&D port with PVID 30 in the same way.

Note: changing a port's PVID requires firmware that supports it.

Step 3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “blockvlan10tovlan30” and check Enable for Status. Select Direction as LAN -> LAN, Policy as Deny, Protocol as All, “vlan10” as the source network and “vlan30” as the destination network. Keep the Advanced Settings section at its defaults and click Create.

Note: We recommend leaving Match State at its default setting. If you set it manually, refer to the following picture.

Match State New: matches the first packet of a connection, for example the SYN of a TCP connection, or a flow of which the gateway has so far seen only one direction.

Match State Established: matches connections that are already set up, meaning the firewall has seen traffic in both directions of the connection.

Match State Related: matches sub-connections associated with a main connection, such as the data channel of an FTP session.

Match State Invalid: matches connections that do not behave as expected, i.e. packets the connection tracker cannot associate with a valid connection.

Step 4. Verification

After configuration, devices in VLAN 10 cannot ping devices in VLAN 30, while devices in VLAN 30 can still ping devices in VLAN 10: the deny rule only matches traffic that VLAN 10 initiates, and the replies VLAN 10 returns to a connection VLAN 30 opened belong to that established connection rather than to a new one.

Scenario 4. Bi-Directional VLAN access and only allow access to the Internet

A company prohibits employees in the R&D and Marketing departments from accessing each other's resources, but an administrator in the R&D department can access the Marketing department.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Wired Networks > LAN Networks, and click +Create New LAN to create VLAN interfaces for the two departments.

The following figure illustrates the creation of VLAN 10 (subnet 192.168.10.1/24) as an example.

Create VLAN 30 (subnet 192.168.30.1/24) with the same steps. After saving, the network settings on the gateway are as shown below.

Step 2. Go to Settings > Wired Networks > LAN > Profiles; all profiles are listed as shown below.

When a network is created, the system automatically creates a profile with the same name and configures that network as the profile's native network. In this profile the network itself is the Untagged Network and no networks are configured as Tagged Networks. The profile can be viewed and deleted, but not edited.

The profile ALL automatically adds the new network as a tagged network.

Step 3. Click the switch under Devices, go to Ports in the pop-up window, click Edit on port 3 and apply the profile vlan10. Repeat for the other ports with their respective profiles. Once finished, connect the computers to the corresponding switch ports.

Step 4. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “bidirection” and check Enable for Status. Select Direction as LAN -> LAN, Policy as Deny, Protocol as All, “vlan10” as the source network and “vlan30” as the destination network. Enable Bi-Directional under Advanced Settings and click Create.

The controller then generates the reverse rule (vlan30 -> vlan10) automatically.

Step 5. Next, create another deny rule from vlan10 and vlan30 to the gateway management page.

Specify the name of the new rule as “blockGUI” and check Enable for Status. Select Direction as LAN -> LAN, Policy as Deny, Protocol as All, “vlan10” and “vlan30” as the source networks and “Gateway Management Page” as the destination type. Keep the Advanced Settings at their defaults and click Create.

Step 6. Verification

After the above configuration, VLAN 10 cannot access VLAN 30.

VLAN 30 cannot access VLAN 10.

Neither VLAN can reach the gateway's management page on its interface IP. Before applying such a rule, make sure the gateway remains reachable from a network you still control (for example the default LAN, or through the Omada Controller); otherwise you lock yourself out of its web interface.
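To make the rule-ordering point of Scenario 2, the connection-state behaviour of Scenario 3 and the mirrored rule of Scenario 4 concrete, here is a small Python model of how an ordered gateway ACL is evaluated. It is an added illustration, not Omada firmware or controller code, and it rests on assumptions the page does not state: a rule matches new connections only unless Match State is set otherwise, the ports of the “office” group are the destination ports the clients connect to, and traffic no rule matches is permitted. Rule names and subnets are the ones from the scenarios; the sample Internet addresses are taken from the reserved documentation ranges and the packets are constructed here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0    # ICMP: echo identifier on the request
    dport: int = 0    # ICMP: echo identifier on the reply


@dataclass(frozen=True)
class Rule:
    name: str
    policy: str                 # "permit" or "deny"
    src_nets: tuple             # CIDR strings: the IP group or network
    dst_nets: tuple
    dports: tuple = ()          # destination ports to match; empty = any
    # Assumption: a rule matches new connections only unless told otherwise.
    states: frozenset = frozenset({"new"})


ANY = ("0.0.0.0/0",)  # stands in for IPGROUP_ANY

# Scenario 2: "office" covers 192.168.0.0/24, ports 53 and 80
PERMIT_HTTP = Rule("permitHTTP", "permit", ("192.168.0.0/24",), ANY, dports=(53, 80))
BLOCK_OTHER = Rule("blockother", "deny", ("192.168.0.0/24",), ANY)
# Scenario 3: deny vlan10 -> vlan30
DENY_10_TO_30 = Rule("blockvlan10tovlan30", "deny", ("192.168.10.0/24",), ("192.168.30.0/24",))


def in_group(addr, nets):
    """True if addr falls inside any CIDR of the group (e.g. 192.168.0.32/27)."""
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in nets)


def matches(rule, pkt, state):
    return (in_group(pkt.src, rule.src_nets) and in_group(pkt.dst, rule.dst_nets)
            and (not rule.dports or pkt.dport in rule.dports) and state in rule.states)


class Firewall:
    """Ordered rules, first match wins, implicit permit, minimal flow tracking."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # 5-tuples of permitted new connections

    def state_of(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return "established" if fwd in self.flows or rev in self.flows else "new"

    def process(self, pkt):
        state = self.state_of(pkt)
        verdict = "permit"  # nothing matched: assumed default is permit
        for rule in self.rules:
            if matches(rule, pkt, state):
                verdict = rule.policy
                break
        if verdict == "permit" and state == "new":
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return verdict


def bidirectional(rule):
    """Scenario 4: Bi-Directional adds a mirrored rule with source and destination swapped."""
    mirror = Rule(rule.name + "_reverse", rule.policy, rule.dst_nets, rule.src_nets,
                  rule.dports, rule.states)
    return [rule, mirror]


def scenario2(permit_first=True):
    # 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for Internet hosts
    fw = Firewall([PERMIT_HTTP, BLOCK_OTHER] if permit_first else [BLOCK_OTHER, PERMIT_HTTP])
    client = "192.168.0.10"
    return {
        "dns": fw.process(Packet(client, "198.51.100.53", "udp", 40001, 53)),
        "http": fw.process(Packet(client, "203.0.113.80", "tcp", 40002, 80)),
        "https": fw.process(Packet(client, "203.0.113.80", "tcp", 40003, 443)),
    }


def scenario3():
    fw = Firewall([DENY_10_TO_30])
    marketing, rnd = "192.168.10.20", "192.168.30.20"
    return {
        "vlan10->vlan30 ping": fw.process(Packet(marketing, rnd, "icmp", sport=777)),
        "vlan30->vlan10 ping": fw.process(Packet(rnd, marketing, "icmp", sport=1234)),
        # echo reply to the tracked flow above: established, so the deny rule does not match
        "vlan10->vlan30 reply": fw.process(Packet(marketing, rnd, "icmp", dport=1234)),
    }


def scenario4():
    fw = Firewall(bidirectional(DENY_10_TO_30))
    marketing, rnd = "192.168.10.20", "192.168.30.20"
    return {
        "vlan10->vlan30": fw.process(Packet(marketing, rnd, "tcp", 40004, 445)),
        "vlan30->vlan10": fw.process(Packet(rnd, marketing, "tcp", 40005, 445)),
    }


if __name__ == "__main__":
    print(scenario2(), scenario2(permit_first=False), scenario3(), scenario4(), sep="\n")
```

Swapping the two Scenario 2 rules (scenario2(permit_first=False)) drops DNS and HTTP as well as HTTPS, which is the mistake the ordering note in Scenario 2 guards against. In scenario3, VLAN 30's ping and the reply it triggers pass while VLAN 10's own ping is dropped, and bidirectional() shows why Scenario 4 needs the mirrored rule to block both directions.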

Conclusion

You have now successfully configured access control on the Omada gateway.

For more details on each function and configuration, go to the Download Center and download the manual for your product.

Article information

Author: Nathanial Hackett
