How to configure IPv6 Access Control on Omada Gateway

Knowledgebase
Configuration Guide
ACL
08-02-2024

Contents

Objective

Requirements

Introduction

Configuration

Block access to internal network from the internet

Allow access to internal network from the internet

Block access to the internet

Verification

Block access to internal network from the internet

Allow access to internal network from the internet

Block access to the internet

Conclusion

Objective

This article introduces how to configure the IPv6 Access Control feature on the Omada gateway via the Omada Controller.

Requirements

  • Omada Gateway series supported by Omada SDN Controller 5.13
  • Omada Software Controller / Hardware Controller / Cloud-Based Controller

Introduction

ACL (Access Control List) allows a network administrator to create rules to restrict access to network resources. ACL rules filter traffic based on specified criteria such as source IP addresses, destination IP addresses, and port numbers, and determine whether to forward the matched packets.

Configuration

Here we will introduce the configuration steps based on typical user scenarios.

Block access to internal network from the internet

Since IPv6 does not perform NAT, Omada gateways block external networks from accessing internal networks by default without requiring additional configuration by the user.

Follow the steps below to configure the feature. This section takes ER706W as an example.

Step 1. Configure WAN IPv6 connection

Go to Settings > Wired Networks > Internet, locate the WAN Ports Config section, and click the Edit icon in the Action column of the corresponding WAN port to load the WAN configuration page.

In the IPv6 section, Enable IPv6, configure the Connection Type and other parameters according to your network requirements, and then click Apply to save the settings.

Go to the Device List page, click your Omada gateway, and then you can click Details to view the WAN IPv6 connection status on the right panel.

Step 2. Configure LAN IPv6 connection

Go to Settings > Wired Networks > LAN, and click the Edit icon in the Action column to load the LAN configuration page.

Click Configure IPv6 to show more settings, configure IPv6 Interface Type and other parameters according to your network requirements, and then click Save to save the settings.

Connect the client to the LAN, and the client will obtain an IPv6 address.

Allow access to internal network from the internet

Since IPv6 does not perform NAT, Omada gateways block external networks from accessing internal networks by default. To allow access to internal network from the internet, configure IPv6 ACL to allow traffic from the external network to enter the internal network.

Follow the steps below to establish an IPv6 connection and configure Access Control. This section takes ER706W as an example.

Step 1. Configure WAN IPv6 connection

Go to Settings > Wired Networks > Internet, locate the WAN Ports Config section, and click the Edit icon in the Action column of the corresponding WAN port to load the WAN configuration page.

In the IPv6 section, Enable IPv6, configure the Connection Type and other parameters according to your network requirements, and then click Apply to save the settings.

Go to the Device List page, click your Omada gateway, and then you can click Details to view the WAN IPv6 connection status on the right panel.

Step 2. Configure LAN IPv6 connection

Go to Settings > Wired Networks > LAN, and click the Edit icon in the Action column to load the LAN configuration page.

Click Configure IPv6 to show more settings, configure IPv6 Interface Type and other parameters according to your network requirements, and then click Save to save the settings.

Connect the client to the LAN, and the client will obtain an IPv6 address.

Step 3. Configure IPv6 Group

Go to Settings > Profiles > Groups, and click +Create New Group.

Select Type as IPv6 Group, and configure the IPv6 Group my_server and the external IPv6 Group my_client.

Click Apply, and you will see the groups as shown below.

Step 4. Configure Access Control

Go to Settings > Network Security > ACL > Gateway ACL, and click Create New Rule.

In the Create New Rule section, configure the Description to allow_client_in, Status to Enable, Direction to [WAN2]IN, Policy to Permit, Protocols to ALL, Source to my_client IPv6 group, and Destination to my_server IPv6 group.

Note: Make sure your gateway firmware has been upgraded to the latest version to support this feature.

In the Advanced Settings section, Time Range is not enabled by default. Keep the default settings unless necessary.

Click Create, and you will see the rules as shown below.

Block access to the internet

By configuring Access Control, parents can restrict their children’s access to the internet.

Follow the steps below to configure this feature. This section takes ER706W as an example.

Step 1. Configure WAN IPv6 connection

Go to Settings > Wired Networks > Internet, locate the WAN Ports Config section, and click the Edit icon in the Action column of the corresponding WAN port to load the WAN configuration page.

In the IPv6 section, Enable IPv6, configure the Connection Type and other parameters according to your network requirements, and then click Apply to save the settings.

Go to the Device List page, click your Omada gateway, and then you can click Details to view the WAN IPv6 connection status on the right panel.

Step 2. Configure LAN IPv6 connection

Go to Settings > Wired Networks > LAN, and click the Edit icon in the Action column to load the LAN configuration page.

Click Configure IPv6 to show more settings, configure IPv6 Interface Type and other parameters according to your network requirements, and then click Save to save the settings.

Connect the client to the LAN, and the client will obtain an IPv6 address.

Step 3. Configure IPv6 Group

Go to Settings > Profiles > Groups, and click +Create New Group.

Select Type as IPv6 Group, and configure the IPv6 Group internet and the external IPv6 Group children_pc.

Click Apply, and you will see the groups as shown below.

Step 4. Configure Access Control

Go to Settings > Network Security > ACL > Gateway ACL, and click +Create New Rule.

In the Create New Rule section, configure the Description to block_internet_of_child, Status to Enable, Direction to LAN->WAN, Policy to Deny, Protocols to ALL, Source to children_pc IPv6 group, and Destination to internet IPv6 group.

Note: Make sure your gateway firmware has been upgraded to the latest version to support this feature.

In the Advanced Settings section, Time Range is not enabled by default. Keep the default settings unless necessary.

Click Create, and you will see the rules as shown below.

Verification

Block access to internal network from the internet

After establishing the IPv6 connection, the internal network can access the internet.

After establishing the IPv6 connection, the external network cannot access the internal network from the internet.

Allow access to internal network from the internet

After establishing the IPv6 connection, the internal network can access the internet.

After establishing the IPv6 connection, the external network cannot access the internal network from the internet without configuring Access Control. After configuring Access Control, the external network can access the internal network from the internet

Block access to the internet

Without configuring Access Control, children’s pc can access the internet. After configuring Access Control, children’s pc cannot access the internet

Conclusion

You have now successfully configured IPv6 Access Control on the Omada Gateway.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Come valuti questo documento?

Documenti correlati