How to set up Access Control of TP-Link Omada Router in Standalone and Controller

Knowledgebase
Configuration Guide
06-13-2024

User’s Application Scenario: Only allow access to the internal network in Standalone mode

A company operates multiple departments across several buildings. Each building has an SMB router in its server room and a switch on every floor.

How can I do that?

For example, certain users in the R&D department on Floor #3 of Building #2 must be restricted so that they can only reach the internal network. Other users in the R&D department are not limited.

Follow the steps below to configure the ACL rules on the SMB router in Building #2. The ER8411 is used for demonstration:

1. Go to Preferences > IP Group > IP Address on the router and click +Add to add a new IP address entry.

Specify the IP Address Range as 192.168.0.32-192.168.0.63 for the restricted R&D users and click OK.

Then add a second IP address entry that covers the whole internal network.

2. Go to Preferences > IP Group > IP Group and create an IP group for each address entry. By default there is an entry “IPGROUP_ANY” that covers all IPs and cannot be edited.

3. Go to Firewall > Access Control and click +Add to create the rules: an Allow rule from the R&D IP group to the internal-network IP group, followed by a Block rule from the R&D IP group to IPGROUP_ANY.

The router evaluates the Access Control List from top to bottom for every packet and applies the first rule that matches; a rule with a smaller ID has higher priority. Make sure the Allow rule has a smaller ID than the Block rule. If the Block rule comes first it matches all R&D traffic, including traffic to the internal network, and the Allow rule never takes effect.

4. Verification

After configuration, the restricted R&D users can no longer reach any public IP address, while all other users are unaffected. Verify with a ping to a public address from a host inside 192.168.0.32-192.168.0.63 (it should fail) and from a host outside that range (it should succeed).

User’s Application Scenario: Only allow access to the internal network in Controller mode

All departments share the same network, and the R&D department users must be limited.

How can I do that?

For example, the R&D users must have no access to the Internet, while other departments are not limited.

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Go to Settings > Profiles > Groups. By default, there is an entry covering all IPs that cannot be edited. Click +Create New Group to add a new group.

2. Specify the name of the IP group as “R&D” and select IP Group as the type.

Specify the IP subnet as 192.168.0.32/27. The /27 prefix length means the first 27 bits are the network mask, so this subnet covers the 32 addresses 192.168.0.32-192.168.0.63, the same range used in the Standalone example. Click Apply.

3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name as “Deny R&D”, set Status to Enable, Direction to LAN -> WAN, Policy to Deny and Protocol to All. Select “R&D” as the source IP group and “IPGROUP_ANY” as the destination IP group. Keep the Advanced Settings at their defaults and click Create.

4. Verification

After configuration, the R&D users can no longer reach any public IP address. Traffic between LAN hosts is unaffected, because the rule only applies to the LAN -> WAN direction.

User’s Application Scenario: Allow HTTP only and block all other services in Standalone mode

This scenario restricts employees to accessing websites on the Internet only over HTTP. Note that most websites today are served only over HTTPS, so this policy blocks most web browsing; to permit HTTPS as well, add an Allow rule for the HTTPS service (TCP port 443) in the same way as for HTTP.

How can I do that?

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Go to Firewall > Access Control on the router and create the following three entries:

1) Allow the HTTP service for all sources and destinations.

2) Allow the DNS service, because a browser must resolve the host name before it can open an HTTP connection.

3) Block All Services as the last entry. By default, traffic that matches no Access Control rule is allowed, so an explicit Block rule is needed to stop every other service.

The router evaluates the Access Control List from top to bottom for every packet and applies the first rule that matches; a rule with a smaller ID has higher priority. Make sure both Allow rules have smaller IDs than the Block rule. If the Block rule comes first it matches every packet, and the Allow rules never take effect.

2. Verification

After configuration, the employees can still open HTTP websites but cannot access the Internet via HTTPS or any other service. Verify from an employee host that an HTTP request and a DNS lookup succeed while an HTTPS request times out.

User’s Application Scenario: Allow HTTP only and block all other services in Controller mode

This scenario restricts employees to accessing websites on the Internet only over HTTP.

How can I do that?

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Go to Settings > Profiles > Groups. By default, there is an entry covering all IPs that cannot be edited. Click +Create New Group to add a new group.

2. Specify the name of the IP-Port group as “office”, select IP-Port Group as the type and choose IP-Port Range as the IP-Port Type.

Click + Add Subnet and specify the IP subnet as 192.168.0.1/24. The /24 prefix length means the first 24 bits are the mask, so this entry covers the whole 192.168.0.0/24 office network.

Specify ports 53 (DNS) and 80 (HTTP). DNS must be allowed because a browser resolves the host name before opening an HTTP connection. Then click Apply.

3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “permitHTTP”, set Status to Enable, Direction to LAN -> WAN, Policy to Permit and Protocol to All. Select “office” as the source IP-Port group and “IPGROUP_ANY” as the destination IP group. Keep the Advanced Settings at their defaults and click Create.

Note: Only Omada gateways running certain firmware versions allow an ACL rule's status to be set to Disabled. Make sure your gateway supports this before adopting it; on an incompatible gateway the status setting is lost.

4. Create a second rule named “blockother”, set Status to Enable, Direction to LAN -> WAN, Policy to Deny and Protocol to All. Select “LAN” as the source network and “IPGROUP_ANY” as the destination IP group. Click Create.

All rules are shown below. The permit rule must be listed first: Gateway ACL rules are matched in order and the first match wins, so a Deny-all rule placed above it would block HTTP and DNS as well.

5. Verification

After configuration, the employees can still open HTTP websites but cannot access the Internet via HTTPS or any other service. Verify from an office host that an HTTP request and a DNS lookup succeed while an HTTPS request times out. If HTTP also fails, check which side of the connection the IP-Port group's port list is matched against: a client connection uses a random source port, and only its destination port is 80 or 53.
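The first-match behaviour stated in the Standalone procedures above (smaller ID wins, so the Allow rules must precede the Block rule) and in the Controller variant (the permit rule must be listed first) can be checked against a small model before a rule list is applied to a production router. The following Python script is an added example written for this article; it is not TP-Link code and does not talk to a router. The Rule and Packet classes, the rule lists and the assumption that traffic matched by no rule is allowed (as the article states for the Standalone router) are the example's own. It reproduces the internal-network-only rules for the R&D range, shows that the range 192.168.0.32-192.168.0.63 used in Standalone mode is exactly the 192.168.0.32/27 subnet used in the Controller, and runs the HTTP/DNS allow list both in the correct order and with the Block rule placed first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not TP-Link code: a minimal first-match model of the Omada
# Access Control List. Rule and packet fields are this example's own names.

Matcher = Callable[[str], bool]


def ip_group(spec: str) -> Matcher:
    """Membership test for an IP group given as 'ANY', a CIDR such as
    '192.168.0.32/27', or a range such as '192.168.0.32-192.168.0.63'."""
    if spec.upper() == "ANY":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def range_to_cidrs(spec: str) -> List[str]:
    """Express a Standalone-style range as the CIDR prefixes a Controller group needs."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


@dataclass
class Rule:
    name: str
    policy: str                   # "allow" or "block"
    direction: str                # "LAN->WAN", "LAN->LAN", "WAN in" or "ALL"
    src: Matcher
    dst: Matcher
    proto: Optional[str] = None   # None = all protocols
    dport: Optional[int] = None   # None = all destination ports


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, str]:
    """Walk the list in order (smaller ID = higher priority) and return the
    verdict and name of the first matching rule. Traffic matched by no rule
    gets the router's default verdict, which the article states is 'allow'."""
    for rule in rules:
        if rule.direction != "ALL" and rule.direction != pkt.direction:
            continue
        if not (rule.src(pkt.src) and rule.dst(pkt.dst)):
            continue
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.policy, rule.name
    return default, "(no rule matched: default)"


# Scenario 1: the R&D range may only reach the internal network.
RD = ip_group("192.168.0.32-192.168.0.63")
INTERNAL = ip_group("192.168.0.0/24")        # assumed LAN subnet of the example
RD_INTERNAL_ONLY = [
    Rule("allow R&D -> internal", "allow", "ALL", RD, INTERNAL),
    Rule("block R&D -> any", "block", "ALL", RD, ip_group("ANY")),
]

# Scenario 2: HTTP only. DNS must be allowed too, and the Block rule goes last.
ANY = ip_group("ANY")
HTTP_ONLY = [
    Rule("allow HTTP", "allow", "LAN->WAN", ANY, ANY, proto="tcp", dport=80),
    Rule("allow DNS", "allow", "LAN->WAN", ANY, ANY, dport=53),
    Rule("block all", "block", "LAN->WAN", ANY, ANY),
]

if __name__ == "__main__":
    print(range_to_cidrs("192.168.0.32-192.168.0.63"))
    web = Packet("LAN->WAN", "192.168.0.50", "203.0.113.10", "tcp", 80)
    tls = Packet("LAN->WAN", "192.168.0.50", "203.0.113.10", "tcp", 443)
    print(evaluate(HTTP_ONLY, web), evaluate(HTTP_ONLY, tls))
    # With the Block rule first, the Allow rules are shadowed and HTTP is blocked too.
    print(evaluate(list(reversed(HTTP_ONLY)), web))
```

The reversed list at the end is the misconfiguration both procedures warn about: once "block all" has the smallest ID, the two Allow rules can never match, and the verification step would show HTTP failing along with everything else.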

User’s Application Scenario: Unidirectional VLAN access in Standalone mode

A company has two departments, R&D and Marketing, on different subnets. The R&D department may access computers in all VLANs for data backup, while computers in the Marketing department must not be able to reach the R&D VLAN, to protect its data.

How can I do that?

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Go to Network > LAN on the router, click +Add to create a new network and fill in the configuration according to the network requirements. Set the IP address/subnet mask to 192.168.10.1/255.255.255.0, the Mode to Normal, assign VLAN 10 to the network and enable the DHCP server. Create the R&D network (VLAN 30, 192.168.30.1/255.255.255.0) in the same way.

After saving, the networks are listed on the router as below.

2. Go to Network > VLAN to change the VLAN settings.

Normally, after a new network is created, all LAN ports of the router remain untagged members of the default network and are automatically added as tagged members of the new network's VLAN.

Based on the network topology, unmanaged switches are used to extend the ports. They do not handle VLAN tags, so the router port facing each switch must send untagged frames: change the Marketing LAN port (Port 4) to untagged in VLAN 10 with PVID 10, and the R&D LAN port (Port 5) to untagged in VLAN 30 with PVID 30.

3. Go to Firewall > Access Control and click +Add to create a Block rule with Direction LAN -> LAN, source network VLAN 10 (Marketing) and destination network VLAN 30 (R&D). The “LAN -> LAN” direction denotes an inter-network traffic ACL entry. This rule prevents the Marketing department from accessing the R&D department.

Note: Stateful ACL requires a router firmware version that supports it.

Note: We recommend keeping the Match State setting at its default. With the default, the rule blocks connections that VLAN 10 initiates toward VLAN 30, while replies to connections that VLAN 30 opened toward VLAN 10 belong to established connections and still pass, which is what makes the access one-way. If you select the states manually, refer to the descriptions below.

New: Matches connections in their initial state, for example a TCP connection for which only the SYN packet has arrived, or any connection for which the router has seen traffic in one direction only.

Established: Matches connections that have already been established, i.e. the firewall has seen traffic in both directions of the connection.

Invalid: Matches packets that do not belong to any tracked connection or do not behave as expected.

Related: Matches sub-connections associated with an existing main connection, such as the FTP data channel opened alongside an FTP control connection.

4. Verification

After configuration, devices in VLAN 10 cannot ping devices in VLAN 30, while devices in VLAN 30 can ping devices in VLAN 10.

192.168.10.100 in VLAN 10 cannot ping 192.168.30.100 in VLAN 30 after the ACL is set.

192.168.30.100 in VLAN 30 can still access 192.168.10.100 in VLAN 10.

User’s Application Scenario: Unidirectional VLAN access in Controller mode

A company has two departments, R&D and Marketing, on different subnets. The R&D department may access computers in all VLANs for data backup, while computers in the Marketing department must not be able to reach the R&D VLAN, to protect its data.

How can I do that?

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Go to Settings > Wired Networks > LAN Networks and click +Create New LAN to create the VLAN interfaces for the two departments (VLAN 10 for Marketing and VLAN 30 for R&D).

After saving, the networks are listed on the router as below.

2. Based on the network topology, unmanaged switches are used to extend the ports. They do not handle VLAN tags, so the router port facing each switch must send untagged frames: change the Marketing LAN port (Port 4) to untagged in VLAN 10 with PVID 10, and the R&D LAN port (Port 5) to untagged in VLAN 30 with PVID 30 on the router.

Click the Omada router on Devices, go to Ports in the pop-up window, click Edit on WAN/LAN3, change the PVID to 10 and click Apply. Repeat for the R&D port with PVID 30.

Note: Changing a port's PVID requires supported firmware.

3. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “blockvlan10tovlan30”, set Status to Enable, Direction to LAN -> LAN, Policy to Deny and Protocol to All. Select “vlan10” as the source Network and “vlan30” as the destination Network. Keep the Advanced Settings at their defaults and click Create.

Note: We recommend keeping the Match State setting at its default. With the default, the rule blocks connections that VLAN 10 initiates toward VLAN 30, while replies to connections that VLAN 30 opened toward VLAN 10 belong to established connections and still pass, which is what makes the access one-way. If you select the states manually, refer to the descriptions below.

Match State New: Matches connections in their initial state, for example a TCP connection for which only the SYN packet has arrived, or any connection for which the router has seen traffic in one direction only.

Match State Established: Matches connections that have already been established, i.e. the firewall has seen traffic in both directions of the connection.

Match State Related: Matches sub-connections associated with an existing main connection, such as the FTP data channel opened alongside an FTP control connection.

Match State Invalid: Matches packets that do not belong to any tracked connection or do not behave as expected.

4. Verification

After configuration, devices in VLAN 10 cannot ping devices in VLAN 30, while devices in VLAN 30 can ping devices in VLAN 10.
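The state matcher described in the two Unidirectional VLAN procedures above (Standalone and Controller) is what turns a single LAN -> LAN Block rule into one-way access: only connections initiated from VLAN 10 are New, while replies to connections opened from VLAN 30 are Established and pass. The following Python model is an added example written for this article, not TP-Link code. The connection table, the Flow class and the assumption that the rule by default matches only New connections are the example's own; it models the New and Established states only, not Related or Invalid, and the packet sequence it processes is constructed to mirror the verification pings.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example, not TP-Link code: a stateful model of one LAN -> LAN Block rule.
NETWORKS = {                                             # the two department networks
    "vlan10": ipaddress.ip_network("192.168.10.0/24"),   # Marketing
    "vlan30": ipaddress.ip_network("192.168.30.0/24"),   # R&D
}


def network_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "other"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class ConnTrack:
    """Connection table: originating flow -> whether a reply has been seen."""

    def __init__(self) -> None:
        self.table: Dict[Flow, bool] = {}

    def state(self, flow: Flow) -> str:
        """New: first packet, or only one direction seen so far.
        Established: the router has seen traffic in both directions."""
        if flow in self.table:
            return "Established" if self.table[flow] else "New"
        if flow.reverse() in self.table:
            self.table[flow.reverse()] = True        # reply arrived
            return "Established"
        self.table[flow] = False                     # track a new originating flow
        return "New"


@dataclass
class LanToLanRule:
    policy: str            # "deny" or "permit"
    src_net: str
    dst_net: str
    states: Set[str]       # connection states the rule applies to


def run(rules: List[LanToLanRule], flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Process packets in order through connection tracking and the rule list;
    unmatched traffic is permitted. Returns (flow, state, verdict) per packet."""
    ct = ConnTrack()
    out = []
    for flow in flows:
        state = ct.state(flow)
        verdict = "permit"
        for rule in rules:
            if (network_of(flow.src) == rule.src_net
                    and network_of(flow.dst) == rule.dst_net
                    and state in rule.states):
                verdict = rule.policy
                break
        out.append((flow, state, verdict))
    return out


# Constructed packet sequence: R&D pings Marketing (request + reply),
# then Marketing tries to reach R&D.
PINGS = [
    Flow("192.168.30.100", "192.168.10.100", "icmp", 0, 0),   # echo request from VLAN 30
    Flow("192.168.10.100", "192.168.30.100", "icmp", 0, 0),   # echo reply back to VLAN 30
    Flow("192.168.10.100", "192.168.30.200", "icmp", 0, 0),   # new attempt from VLAN 10
]

DEFAULT_RULE = [LanToLanRule("deny", "vlan10", "vlan30", {"New"})]
# Manually widening the state match also drops the replies, breaking VLAN 30's access.
TOO_BROAD_RULE = [LanToLanRule("deny", "vlan10", "vlan30", {"New", "Established"})]

if __name__ == "__main__":
    for flow, state, verdict in run(DEFAULT_RULE, PINGS):
        print(f"{flow.src} -> {flow.dst}: {state:12s} {verdict}")
```

With the default rule the second packet (the reply from VLAN 10) is classified as Established and passes, so VLAN 30's ping succeeds, while the third packet is a New connection from VLAN 10 and is denied. TOO_BROAD_RULE shows why the article recommends leaving the state setting at its default: adding Established to the match drops the reply as well, and VLAN 30 loses access too.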

User’s Application Scenario: Bi-Directional VLAN access in Standalone mode

A company prohibits employees of the R&D and Marketing departments from accessing each other's resources, but an administrator in the R&D department may access the Marketing department.

How can I do that?

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Create multiple networks on the router

1) Go to Network > LAN on the router's web interface, click +Add to create a new network and fill in the configuration according to the network requirements. Set the IP address/subnet mask to 192.168.10.1/255.255.255.0, the Mode to Normal, assign VLAN 10 to the network and enable the DHCP server. Create the R&D network (VLAN 30, 192.168.30.1/255.255.255.0) in the same way.

After saving, the networks are listed on the router as below.

2) Go to Network > VLAN to confirm the settings on each port.

Normally, after a new network is created, all LAN ports of the router remain untagged members of the default network and are automatically added as tagged members of the new network's VLAN.

Since a managed switch connects to the router, keep the default (tagged) setting for each port.

2. Create VLAN on the switch

1) Go to L2 Features > VLAN > 802.1Q VLAN > VLAN Config on the managed switch's web interface and create VLAN 10 and VLAN 30. Add ports 3-5 as untagged members and the uplink port 1 as a tagged member of VLAN 10; add ports 6-8 as untagged members and port 1 as a tagged member of VLAN 30.

2) Go to L2 Features > VLAN > 802.1Q VLAN > Port Config on the switch and set the PVID to 10 for ports 3-5 and to 30 for ports 6-8. Then click Save at the top right of the web page to save the configuration.

3. Configure ACL on the router

1) Go to Preferences > IP Group > IP Address on the router and click +Add to add a new IP address entry for the administrator in the R&D department.

Specify the IP subnet as 192.168.30.100/32. A /32 prefix length means all 32 bits are in the mask, so the entry matches only the single host 192.168.30.100. Click OK.

By default, there is an entry “IP_LAN” covering all IPs on the router; it cannot be edited.

2) Set IP Group for corresponding IP address on IP Group.

3) Go to Firewall > Access Control on the router and click +Add to create the rules. First create an Allow rule whose source is the administrator's IP group and whose destination is the VLAN 10 (Marketing) network.

Direction ALL covers WAN in, LAN -> WAN and LAN -> LAN. Note that Direction ALL requires the router to be upgraded to the latest firmware.

Then create the Block rules between VLAN 10 and VLAN 30 (LAN -> LAN, one for each direction).

The router evaluates the Access Control List from top to bottom for every packet and applies the first rule that matches; a rule with a smaller ID has higher priority. Make sure the administrator's Allow rule has a smaller ID than the Block rules, otherwise a Block rule matches the administrator's traffic first and the exception never takes effect. All rules should be as below:

4. Verification

After the above configuration, VLAN 10 and VLAN 30 cannot access each other, while the administrator at 192.168.30.100 can still access VLAN 10.

192.168.10.100 in VLAN10 cannot ping 192.168.30.100 in VLAN30

The admin with 192.168.30.100 is able to access 192.168.10.100 in VLAN10.

User’s Application Scenario: Bi-Directional VLAN access and only allow access to the Internet in Controller mode

A company prohibits employees of the R&D and Marketing departments from accessing each other's resources, but an administrator in the R&D department may access the Marketing department.

How can I do that?

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Go to Settings > Wired Networks > LAN Networks, and click +Create New LAN to create VLAN interfaces for the two departments.

After saving, the networks are listed on the router as below.

2. Go to Settings > Wired Networks > LAN > Profiles; all profiles are listed as below.

When a network is created, the system automatically creates a profile with the same name and sets that network as the profile's native network: the network itself is the Untagged Network and no Tagged Networks are configured. The profile can be viewed and deleted but not edited.

The profile ALL automatically adds the new network as a tagged network.

3. Click the switch on Devices, go to Ports in the pop-up window, click Edit on port 3 and apply the profile vlan10. Repeat for the other ports with the profile of the VLAN each department uses. Once finished, connect the computers to the corresponding switch ports.

4. Go to Settings > Network Security > ACL. Under the Gateway ACL tab, click +Create New Rule.

Specify the name of the new rule as “bidirection”, set Status to Enable, Direction to LAN -> LAN, Policy to Deny and Protocol to All. Select “vlan10” as the source Network and “vlan30” as the destination Network. Enable Bi-Directional under Advanced Settings and click Create.

The reverse rule (vlan30 -> vlan10) is then generated automatically.

5. Next, create another Block rule from vlan10 and vlan30 to the gateway management page.

Specify the name of the new rule as “blockGUI”, set Status to Enable, Direction to LAN -> LAN, Policy to Deny and Protocol to All. Select “vlan10” and “vlan30” as the source Networks and “Gateway management page” as the destination type. Keep the Advanced Settings at their defaults and click Create. Before creating this rule, make sure you keep a management path to the gateway from a network the rule does not cover (for example the network the Omada Controller is on); otherwise administrators in these two VLANs are locked out of the gateway's web interface as well.

6. Verification

After the above configuration, VLAN 10 cannot access VLAN 30, VLAN 30 cannot access VLAN 10, and hosts in either VLAN cannot reach the gateway IP of their own interface.

User’s Application Scenario: Only allow access to the Internet in Standalone mode

To enhance security, a company wants to prevent visitors in the guest room from accessing both the office and the server room, while still letting them reach the Internet.

How can I do that?

Follow the steps below to configure it. The ER8411 is used for demonstration:

1. Create multiple networks on the router

1) Go to Network > LAN on the router's web interface, click +Add to create a new network and fill in the configuration according to the network requirements. Set the IP address/subnet mask to 192.168.10.1/255.255.255.0, the Mode to Normal, assign VLAN 10 to the network and enable the DHCP server.

After saving, the networks are listed on the router as below.

2) Go to Network > VLAN to confirm the settings on each port.

Normally, after a new network is created, all LAN ports of the router remain untagged members of the default network and are automatically added as tagged members of the new network's VLAN.

Since an Easy Smart switch connects to the router, keep the default setting for each port.

2. Create VLAN on the switch

1) Go to VLAN > 802.1Q VLAN on the Easy Smart switch and enable the 802.1Q VLAN function. Create VLAN 10 with the uplink port 1 as a tagged member and ports 10-16 (the guest room ports) as untagged members, then click Apply.

Note: VLANs can only be added or modified after the 802.1Q VLAN feature has been enabled.

2) Go to VLAN > 802.1Q VLAN PVID Setting. By default, the PVID of every port is 1. Set the PVID of ports 10-16 to 10 and click Apply.

3. Configure ACL on the router

1) Go to Firewall > Access Control on the router and click +Add to create the Block rules below. The “LAN -> LAN” direction denotes an inter-network traffic ACL entry. Create one rule from vlan10 to “!vlan10” and one from vlan10 to “Me”.

“!vlan10” means every network interface except VLAN 10. When a network is created, the system automatically generates a complementary network name with an exclamation mark (“!”) in front; it matches all interfaces except the one named.

“Me” means the router's own IP address on every interface; here that is the default LAN gateway 192.168.0.1 and the VLAN 10 gateway 192.168.10.1. Because this rule also stops VLAN 10 hosts from reaching their own gateway address, any service the router itself provides on that address (for example DNS forwarding, if the guest clients use the gateway as their resolver) becomes unreachable; point the guest clients at a public resolver, or add a more specific Allow rule with a smaller ID above this Block rule.

4. Verification

After configuration, devices in the guest room cannot access devices in the office or the server room, but can still reach the Internet.

192.168.10.100 in VLAN 10 cannot ping 192.168.0.100 in VLAN 1, and cannot ping VLAN 1's gateway.

192.168.10.100 in VLAN 10 cannot ping VLAN 10's gateway IP, but can still ping the public DNS server 1.1.1.1.
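The two special destinations used in the guest-room procedure above, “!vlan10” and “Me”, are easiest to understand by expanding them into the concrete addresses they cover. The following Python snippet is an added example written for this article, not TP-Link code. The interface table mirrors the two networks in the procedure (default LAN 192.168.0.1/24 and VLAN 10 at 192.168.10.1/24), the expand and verdict functions are the example's own, and it assumes, as the article states for the Standalone router, that traffic matched by no rule is allowed. It reproduces the four verification pings at the end of the procedure.

```python
import ipaddress
from typing import List

# Added example, not TP-Link code: how the "!vlan10" and "Me" destinations expand
# for the guest-network Block rules. The interface table mirrors the article's setup.
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.0.1/24"),      # default network: office, server room
    "vlan10": ipaddress.ip_interface("192.168.10.1/24"),  # guest network
}


def expand(name: str) -> List[ipaddress.IPv4Network]:
    """Resolve an ACL network name to the prefixes it covers.
    'vlan10'  -> that interface's subnet
    '!vlan10' -> the subnet of every other interface (the auto-generated complement)
    'Me'      -> the router's own address on every interface"""
    if name == "Me":
        return [ipaddress.ip_network(f"{i.ip}/32") for i in INTERFACES.values()]
    if name.startswith("!"):
        return [i.network for n, i in INTERFACES.items() if n != name[1:]]
    return [INTERFACES[name].network]


def matches(name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand(name))


# The two LAN -> LAN Block rules from the procedure: (policy, source, destination).
GUEST_RULES = [("block", "vlan10", "!vlan10"), ("block", "vlan10", "Me")]


def verdict(src: str, dst: str, rules=GUEST_RULES) -> str:
    """First matching rule wins; traffic to no listed prefix (the Internet) is allowed.
    Direction is not modelled: an Internet address matches neither destination anyway."""
    for policy, s, d in rules:
        if matches(s, src) and matches(d, dst):
            return policy
    return "allow"


if __name__ == "__main__":
    guest = "192.168.10.100"
    for dst in ("192.168.0.100", "192.168.0.1", "192.168.10.1", "1.1.1.1"):
        print(f"{guest} -> {dst}: {verdict(guest, dst)}")
```

Adding a third interface to INTERFACES (for example a server VLAN) automatically widens both “!vlan10” and “Me”, which is the point of the auto-generated complement: the guest rule does not have to be edited when new internal networks are created.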

For more details on each function and configuration option, go to the Download Center and download the manual for your product.
