How to set up access control of Omada Gateway via Omada Controller

Configuration Guide
Updated 07-09-2024 03:31:26 AM
This Article Applies to:

Contents

Objective

Requirements

Introduction

Configuration

Scenario 1. Only allow access to the internal network

Scenario 2. Allow HTTP only and block all other services

Scenario 3. Unidirectional VLAN access

Scenario 4. Bi-directional VLAN access and only allow access to the Internet

Conclusion

Objective

This article introduces how to configure the access control feature on Omada gateway via Omada Controller.

Requirements

  • Omada gateway series
  • Omada Software Controller / Hardware Controller / Cloud Based Controller

Introduction

ACL (access control list) allows a network administrator to create rules to restrict access to network resources. ACL rules filter traffic based on specified criteria such as source IP addresses, destination IP addresses, and port numbers, and determine whether to forward the matched packets.

Configuration

Some typical user scenarios are explained in detail here.

Scenario 1. Only allow access to the internal network

All departments are in the same network, and the administrator wants to limit what the R&D department users can do.

For example, the R&D users must have no access to the Internet, while the other departments have no such limitation.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Profiles > Groups. By default, there is an entry covering all IPs, and it is not editable. Click +Create New Group to add a new group entry.

Step 2. Specify the name of the IP group as “R&D”, and select IP Group as the type.

Specify the IP subnet as 192.168.0.32/27. The IP subnet represents the range of IP addresses you want to cover: here 192.168.0.32 is the network address and /27 is the number of bits in the subnet mask. Click Apply.

Step 3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name as “Deny R&D” and check Enable for Status. Select LAN -> WAN as the Direction, Deny as the rule policy, All as the Protocol, “R&D” as the source IP group and “IPGROUP_ANY” as the destination IP group. Keep the Advanced Settings section at its defaults and click Create.

Step 4. Verification

After configuration, the R&D department users cannot reach any public IP address, while hosts in the internal network remain reachable.

Scenario 2. Allow HTTP only and block all other services

This scenario demonstrates how to restrict employees so that they can only reach websites on the Internet via HTTP.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Profiles > Groups. By default, there is an entry covering all IPs, and it is not editable. Click +Create New Group to add a new group entry.

Step 2. Specify the name of the IP-Port group as “office”, select IP-Port Group as the type and choose IP-Port Range as IP-Port Type.

Click + Add Subnet and specify the IP subnet as 192.168.0.1/24. The IP subnet represents the range of IP addresses you want to cover: here 192.168.0.1 is the IP address and /24 is the number of bits in the subnet mask.

Specify the ports as 53 (DNS) and 80 (HTTP), because HTTP access depends on DNS for name resolution. Then click Apply.

Step 3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “permitHTTP” and check Enable for Status. Select LAN -> WAN as the Direction, Permit as the rule policy, All as the Protocol, “office” as the source IP-Port group and “IPGROUP_ANY” as the destination IP group. Keep the Advanced Settings section at its defaults and click Create.

Note: Only Omada gateways with certain firmware versions can set the status of an ACL rule as disabled. Please ensure that your gateway supports the feature before adoption. The status configuration will be lost if the adopted gateway is not compatible.

Step 4. Specify the name of the new rule as “blockother” and check Enable for Status. Select LAN -> WAN as the Direction, Deny as the rule policy, All as the Protocol, “LAN” as the source network and “IPGROUP_ANY” as the destination IP group. Click Create.

All rules are as shown below. Note that the permit rule must be placed above the deny rule, because rules are matched from top to bottom and the first match decides.

Step 5. Verification

After configuration, the employees can browse only via HTTP; access to the Internet via HTTPS is blocked.
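The rule sets of Scenarios 1 and 2 can be checked against sample traffic with the following Python model. It is an added example written for this guide, not TP-Link or Omada code: it assumes first-match evaluation from the top of the list, an implicit permit for traffic that matches no rule, and that a group's ports are compared against the destination (service) port the client is reaching. The Internet address 198.51.100.10 and the LAN hosts used are constructed.

```python
# Added example (not TP-Link/Omada code): a simplified first-match model of the
# Gateway ACL used in Scenarios 1 and 2. Assumptions made for the model:
#   * rules are evaluated top to bottom and the first match wins;
#   * traffic that matches no rule is permitted;
#   * a group's ports are compared with the destination (service) port.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

LAN_SUBNET = ip_network("192.168.0.0/24")  # constructed: the office LAN


def group_range(cidr: str) -> Tuple[str, str]:
    """First and last address covered by an IP subnet such as 192.168.0.32/27."""
    net = ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


@dataclass
class Group:
    """An IP group (ports=None) or an IP-Port group (ports given)."""
    subnets: List[str]
    ports: Optional[Set[int]] = None

    def contains(self, addr: str) -> bool:
        return any(ip_address(addr) in ip_network(s, strict=False) for s in self.subnets)


IPGROUP_ANY = Group(["0.0.0.0/0"])


@dataclass
class Rule:
    name: str
    direction: str   # "LAN->WAN" or "LAN->LAN"
    policy: str      # "Permit" or "Deny"
    source: Group
    destination: Group
    enabled: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int


def direction_of(pkt: Packet) -> str:
    src_lan = ip_address(pkt.src) in LAN_SUBNET
    dst_lan = ip_address(pkt.dst) in LAN_SUBNET
    if src_lan and dst_lan:
        return "LAN->LAN"
    return "LAN->WAN" if src_lan else "WAN->LAN"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.enabled or rule.direction != direction_of(pkt):
        return False
    if not (rule.source.contains(pkt.src) and rule.destination.contains(pkt.dst)):
        return False
    # Any port set on either group must include the service port being reached.
    return all(g.ports is None or pkt.dst_port in g.ports
               for g in (rule.source, rule.destination))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Policy and rule name of the first match; ("Permit", None) when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.policy, rule.name
    return "Permit", None


# Scenario 1: the R&D IP group (192.168.0.32/27) is denied all LAN->WAN traffic.
RND = Group(["192.168.0.32/27"])
SCENARIO_1 = [Rule("Deny R&D", "LAN->WAN", "Deny", RND, IPGROUP_ANY)]

# Scenario 2: permit DNS/HTTP for the office IP-Port group, then deny everything else.
OFFICE = Group(["192.168.0.1/24"], ports={53, 80})
LAN = Group([str(LAN_SUBNET)])
SCENARIO_2 = [
    Rule("permitHTTP", "LAN->WAN", "Permit", OFFICE, IPGROUP_ANY),
    Rule("blockother", "LAN->WAN", "Deny", LAN, IPGROUP_ANY),
]

if __name__ == "__main__":
    print("R&D group covers", group_range("192.168.0.32/27"))
    for pkt in (Packet("192.168.0.40", "8.8.8.8", 443),        # R&D host -> Internet
                Packet("192.168.0.70", "8.8.8.8", 443),        # other department -> Internet
                Packet("192.168.0.40", "192.168.0.10", 445)):  # R&D -> internal server
        print("S1", pkt, "->", evaluate(SCENARIO_1, pkt))
    for port in (80, 53, 443):
        print("S2 port", port, "->", evaluate(SCENARIO_2, Packet("192.168.0.50", "198.51.100.10", port)))
    # Rule order matters: with the deny rule first, even HTTP is blocked.
    print("S2 reversed, port 80 ->",
          evaluate(list(reversed(SCENARIO_2)), Packet("192.168.0.50", "198.51.100.10", 80)))
```

Reversing the two rules of Scenario 2 in the model shows why the permit rule has to come first: the deny rule matches the HTTP request before the permit rule is ever reached. The LAN -> LAN packet in the Scenario 1 run is untouched by the deny rule, which is what keeps internal access working.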

Scenario 3. Unidirectional VLAN access

A company has two departments: R&D department and marketing department, and they are in different subnets. The R&D department has access to computers in all VLANs for data backup, while computers in the marketing department are restricted from accessing the R&D department VLAN to enhance data security.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Wired Networks > LAN Networks, and click +Create New LAN to create VLAN interfaces for the two departments.

The following figure illustrates the creation of VLAN 10 (subnet 192.168.10.1/24) as an example.

Repeat the same steps to create VLAN 30 (subnet 192.168.30.1/24). After saving, the network settings on the gateway are as shown below.

Step 2. Based on the network topology, an unmanaged switch is used to provide more Ethernet ports, so on the gateway we need to set the Marketing LAN port (Port 4) to untagged VLAN 10 with PVID 10, and the R&D LAN port (Port 5) to untagged VLAN 30 with PVID 30.

Open the gateway's configuration page, go to Ports in the pop-up window, click Edit on WAN/LAN3, change the PVID to 10 and click Apply.

Note: changing a port's PVID requires a firmware version that supports it.

Step 3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “blockvlan10tovlan30” and check Enable for Status. Select LAN -> LAN as the Direction, Deny as the rule policy, All as the Protocol, “vlan10” as the source Network and “vlan30” as the destination Network. Keep the Advanced Settings section at its defaults and click Create.

Note: We recommend keeping the state type at its default setting. If you select it manually, refer to the following picture.

Match State New: matches connections in their initial state, for example a TCP connection whose SYN packet has just arrived, or a flow for which the gateway has only seen traffic in one direction.

Match State Established: matches connections that have already been established, that is, the firewall has seen traffic in both directions of the connection.

Match State Related: matches sub-connections associated with a main connection, such as an FTP data connection.

Match State Invalid: matches connections that do not behave as expected.

Step 4. Verification

After configuration, devices in VLAN 10 cannot ping devices in VLAN 30, while devices in VLAN 30 can ping devices in VLAN 10.

Scenario 4. Bi-directional VLAN access and only allow access to the Internet

A company prohibits employees in the R&D department and the Marketing department from accessing each other's resources, but an administrator in the R&D department can access the Marketing department.

Follow the steps below to configure it; the ER8411 is used for demonstration:

Step 1. Go to Settings > Wired Networks > LAN Networks, and click +Create New LAN to create VLAN interfaces for the two departments.

The following figure illustrates the creation of VLAN 10 (subnet 192.168.10.1/24) as an example.

Repeat the same steps to create VLAN 30 (subnet 192.168.30.1/24). After saving, the network settings on the gateway are as shown below.

Step 2. Go to Settings > Wired Networks > LAN > Profiles, where all profiles are listed as shown below.

When a network is created, the system automatically creates a profile with the same name and configures the network as the native network of that profile. In this profile, the network itself is configured as the Untagged Network, while no networks are configured as Tagged Networks. The profile can be viewed and deleted, but not edited.

The profile ALL automatically adds the new network as a tagged network.

Step 3. Click the switch under Devices, go to Ports in the pop-up window, click Edit on port 3 and apply the profile vlan10. Repeat the process for the other ports. Once finished, connect the computers to the corresponding switch ports.

Step 4. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “bidirection” and check Enable for Status. Select LAN -> LAN as the Direction, Deny as the rule policy, All as the Protocol, “vlan10” as the source Network and “vlan30” as the destination Network. Enable Bi-Directional under Advanced Settings and click Create.

The reverse rule is then generated automatically.

Step 5. Next, create another deny rule from vlan10 and vlan30 to the gateway management page.

Specify the name of the new rule as “blockGUI” and check Enable for Status. Select LAN -> LAN as the Direction, Deny as the rule policy, All as the Protocol, “vlan10” and “vlan30” as the source Networks and “Gateway management page” as the destination type. Keep the Advanced Settings at their defaults and click Create.

Step 6. Verification

After the above configuration:

  • VLAN 10 cannot access VLAN 30.
  • VLAN 30 cannot access VLAN 10.
  • Neither VLAN can access the gateway IP on its interface.
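The one-way result of Scenario 3 and the Bi-Directional option of Scenario 4 can be reproduced with the following stateful-firewall model. It is an added example, not TP-Link or Omada code, and it simplifies freely: flows are tracked by protocol and address pair, a deny rule is assumed to apply to packets in state New unless other states are selected (taken as the default state match), and an ICMP echo request and its reply are modelled as one tracked flow. The host addresses 192.168.10.5 and 192.168.30.5 are constructed.

```python
# Added example (not TP-Link/Omada code): a minimal stateful-firewall model of
# the LAN -> LAN deny rules in Scenarios 3 and 4. Assumptions of the model:
#   * the gateway tracks flows by (protocol, source, destination);
#   * a deny rule applies only to packets in state "New" unless other states
#     are selected (taken here as the default state match);
#   * reply packets of a tracked flow are "Established" and pass through.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

NETWORKS = {  # the two VLAN interfaces created in the scenario
    "vlan10": ip_network("192.168.10.0/24"),
    "vlan30": ip_network("192.168.30.0/24"),
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


def network_of(addr: str) -> Optional[str]:
    """Name of the LAN network that contains addr, or None."""
    for name, net in NETWORKS.items():
        if ip_address(addr) in net:
            return name
    return None


@dataclass
class DenyRule:
    src_net: str
    dst_net: str
    states: Set[str] = field(default_factory=lambda: {"New"})
    bidirectional: bool = False   # the Bi-Directional option of Scenario 4

    def covers(self, src_net: Optional[str], dst_net: Optional[str]) -> bool:
        pairs = [(self.src_net, self.dst_net)]
        if self.bidirectional:
            pairs.append((self.dst_net, self.src_net))  # the auto-generated reverse rule
        return (src_net, dst_net) in pairs


@dataclass
class Gateway:
    rules: List[DenyRule]
    conntrack: Set[Tuple[str, str, str]] = field(default_factory=set)

    def state_of(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.dst)
        rev = (pkt.proto, pkt.dst, pkt.src)
        return "Established" if fwd in self.conntrack or rev in self.conntrack else "New"

    def forward(self, pkt: Packet) -> str:
        """Verdict for one packet ("Permit"/"Deny"); permitted new flows are tracked."""
        state = self.state_of(pkt)
        for rule in self.rules:
            if rule.covers(network_of(pkt.src), network_of(pkt.dst)) and state in rule.states:
                return "Deny"
        if state == "New":
            self.conntrack.add((pkt.proto, pkt.src, pkt.dst))
        return "Permit"


def ping(gw: Gateway, src: str, dst: str) -> Tuple[str, str]:
    """Send an echo request and, if it got through, the echo reply.
    Returns (request verdict, reply verdict); the reply is "n/a" if never sent."""
    request = gw.forward(Packet(src, dst))
    reply = gw.forward(Packet(dst, src)) if request == "Permit" else "n/a"
    return request, reply


if __name__ == "__main__":
    # Scenario 3: deny vlan10 -> vlan30 with the default (New) state match.
    gw = Gateway([DenyRule("vlan10", "vlan30")])
    print("S3 vlan10 -> vlan30:", ping(gw, "192.168.10.5", "192.168.30.5"))  # blocked
    print("S3 vlan30 -> vlan10:", ping(gw, "192.168.30.5", "192.168.10.5"))  # works; reply is Established
    # Scenario 4: the same rule with Bi-Directional enabled blocks both ways.
    gw = Gateway([DenyRule("vlan10", "vlan30", bidirectional=True)])
    print("S4 vlan30 -> vlan10:", ping(gw, "192.168.30.5", "192.168.10.5"))
    # Selecting Established manually also drops the replies to Marketing's own pings.
    gw = Gateway([DenyRule("vlan10", "vlan30", states={"New", "Established"})])
    print("S3 with Established matched:", ping(gw, "192.168.30.5", "192.168.10.5"))
```

The third gateway in the block adds Established to the deny rule's states: Marketing's echo request still gets through, but the reply from VLAN 30 back to VLAN 10 is now matched and dropped, which is the practical reason behind the recommendation to leave the state match at its default.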

Conclusion

You have now successfully configured access control on the Omada gateway.

To learn more about each function and configuration, go to the Download Center to download the manual for your product.
