How to Allow Specific Public IPs to Access an Internal Server on Omada Gateways

Knowledgebase
Configuration Guide
06-19-2026

Introduction

When hosting an internal server behind an Omada Gateway, such as a web server, exposing it to the Internet can pose security risks. This guide demonstrates how to allow only specific public IP addresses to access an internal server, while blocking all other public traffic.

Requirements

  • Omada Gateway

Network Topology

Demo topology for this article.

Note: For this guide, an ER605 gateway, an OC200 hardware controller, and a Linux-based internal web server listening on port 8080 were used. The same steps apply to the software controller and the cloud-based controller.

Configuration

Configuration for Standalone Mode

Step 1. Go to Transmission > NAT > Virtual Servers to map the internal server port to the WAN interface. In this example, there is an internal web server on 192.168.0.102:8080.

Virtual server configuration page.

Step 2. Go to Preferences > Service Type and create a custom service type defining the specific protocol and port used by the internal server. Select Source Port Range to be 0-65535 and set the Destination Port Range to the port used by the internal server, which is 8080 in this example.

Service type preferences page.

Step 3. Go to Preferences > IP Group > IP Address to define the target IP addresses. Create two IP addresses: one for the allowed client’s external IP (Allowed_Client) and one for the internal server’s local IP (Internal_Server).

Creating IP address for allowed external client

Creating IP address for internal web server.

Note: Ensure the IP address of the external client and internal server are either set statically or have a DHCP reservation so the IP address does not change.

Step 4. Go to Preferences > IP Group > IP Group to create two IP groups for each respective IP address that was created.

Creating IP group for allowed external client.

Creating IP group for internal web server.

Step 5. Go to Firewall > Access Control to create two firewall policies. First, create an Allow rule with an ID of 1 that maps the source “Allowed_Client” IP Group to the destination “Internal_Server” IP Group, uses the Service Type created in Step 2, and is applied on the respective “WAN IN” interface.

Allow ACL from external client to internal server.

Next, create a Block rule with an ID of 2 that maps the source “IPGROUP_ANY” IP Group to the destination “Internal_Server” IP Group, uses the same Service Type, and is applied on the respective “WAN IN” interface.

Note: In Controller Mode, “Service Type” has been replaced with “Protocols.”

Block ACL from all to internal server.

Note: ACL rules are processed sequentially, from the lowest ID number to the highest, and the first matching rule decides the outcome. This is why the Allow rule needs to come before the Block rule; if the Block rule were evaluated first, it would also match the allowed client.

Step 6. Verify that only the external client (66.249.64.2) can access the internal server (192.168.0.102:8080) by browsing to the WAN port IP address with the port of the internal server (66.249.64.3:8080).

Accessing internal server from external client.

When the external client is changed to a different IP address (66.249.64.4), it can no longer access the internal server, because the ACL rule only allows 66.249.64.2:

External client blocked from accessing internal server.

Configuration for Controller Mode

Step 1. Go to Network Config > Transmission > NAT > Port Forwarding to map the internal server port to the WAN interface. In this example, there is an internal web server on 192.168.0.102:8080.

Port forwarding settings.

Port forwarding configuration page.

Step 2. Go to Network Config > Groups to create an IP Group for the external client (66.249.64.2) and an IP-Port Group for the internal web server (192.168.0.102:8080).

IP groups setting.

Allowed client IP group.

Internal server IP port group.

Note: Ensure the IP address of the external client and internal server are either set statically or have a DHCP reservation so the IP address does not change.

Step 3. Go to Network Config > ACL > Gateway ACL to create two firewall policies.

ACL settings.

First, create a Permit rule mapping the source “Allowed_Client” IP Group to the destination “Internal_Server” IP-Port Group on the respective “WAN IN” interface for “All” Protocols.

Allow client to server ACL settings.

Next, create a Deny rule mapping source “IPGROUP_ANY” IP Group to destination “Internal_Server” IP-Port Group on the respective “WAN IN” interface. “All” Protocols is selected for complete isolation.

Block all other external clients to internal server.

Step 4. Verify that only the external client (66.249.64.2) can access the internal server (192.168.0.102:8080) by browsing to the WAN port IP address with the port of the internal server (66.249.64.3:8080).

Accessing internal server from external client.

When the external client is changed to a different IP address (66.249.64.4), it can no longer access the internal server, because the ACL rule only allows the external client 66.249.64.2:

External client blocked from accessing internal server.
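To make the first-match behaviour behind the verification steps (in both Standalone and Controller Mode) concrete, the following is an added Python model, not code from this guide or from the Omada product, that evaluates the two ACL rules against the addresses used above. It assumes the rules are matched against the post-forwarding destination (the internal server address, as the guide's rules are written), uses `ANY` to stand in for the built-in IPGROUP_ANY group, and reports "no match" rather than guessing the gateway's default when neither rule applies; the `dst_port` field models the difference between a plain IP Group and an IP-Port Group described in Q1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Values from the guide; ANY stands in for the gateway's built-in IPGROUP_ANY group.
ALLOWED_CLIENT = ipaddress.ip_network("66.249.64.2/32")
INTERNAL_SERVER = ipaddress.ip_network("192.168.0.102/32")
SERVER_PORT = 8080
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "allow" or "block"
    src: ipaddress.IPv4Network      # source IP group
    dst: ipaddress.IPv4Network      # destination IP group
    dst_port: Optional[int] = None  # None = plain IP Group (all ports); int = IP-Port Group

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First-match evaluation from the lowest rule ID upward, as the guide describes.
    Returns "no match" when nothing applies (assumption: no gateway default is modelled)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action
    return "no match"


def guide_rules() -> List[Rule]:
    # As in the guide: Allow (ID 1) before Block (ID 2), destination limited to port 8080.
    return [Rule(1, "allow", ALLOWED_CLIENT, INTERNAL_SERVER, SERVER_PORT),
            Rule(2, "block", ANY, INTERNAL_SERVER, SERVER_PORT)]


def misordered_rules() -> List[Rule]:
    # Same two rules with the IDs swapped: the Block rule is now evaluated first.
    return [Rule(2, "allow", ALLOWED_CLIENT, INTERNAL_SERVER, SERVER_PORT),
            Rule(1, "block", ANY, INTERNAL_SERVER, SERVER_PORT)]


def ip_group_only_rules() -> List[Rule]:
    # Q1 scenario: a plain IP Group for the server (no port) blocks every port on the host.
    return [Rule(1, "allow", ALLOWED_CLIENT, INTERNAL_SERVER, SERVER_PORT),
            Rule(2, "block", ANY, INTERNAL_SERVER)]


if __name__ == "__main__":
    for src in ("66.249.64.2", "66.249.64.4"):
        print(src, "->", evaluate(guide_rules(), src, "192.168.0.102", SERVER_PORT))
```

Swapping the rule IDs blocks even the allowed client, and using a plain IP Group for the server extends the Block rule to ports the Allow rule never permitted.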

Conclusion

We have successfully allowed a specific public IP address to access an internal server.

QA

Q1: What if I use IP-Group instead of IP-Port Group in Controller Mode?

A1: If a standard IP Group is used, the ACL rule will target all ports on that host instead of isolating the port used for the internal server.

Q2: What if the external client suddenly loses access to the internal server?

A2: Check whether the external client’s public IP address has changed or is assigned dynamically. The client’s current public IP address must match the one defined in the IP Group (Allowed_Client).
