hey @falkens_maze, thanks for dropping by the channel. I am glad you learned something new, that's always one of my goals: impart those niche use cases ;)
Hopefully the right video to prevent me from going back to MikroTik and doing everything from scratch + spending another fortune on new L3 capable switches...
hey @victorshane4134, thanks for dropping by! I had a MikroTik hEX RB750Gr3 which I used side-by-side with my old EdgeRouter Lite ERLite-3 as a backup. I gave it to my friend because it's fast and trouble-free and I just used an old Cisco/Linksys Wireless Router as a backup instead. Hope yours is still rocking it! Good hunting!
hey @ianpogi5, thanks for visiting the channel and welcome, sir. You're right about that, purchases have to be approved by the house CEO first hehehe. Happy wife, happy life =)
Thank you for your videos. I'm learning a lot. When you set up the VLAN without an interface, how do you get wireless devices connected to the EAP to get an IP address, if you're using multiple WLANs/VLANs?
hey @luisosorio5340, thanks for dropping by the channel. For APs (and any device that requires multiple VLANs passing), you need to have a trunk port (Profile) that has those VLANs. If you only have one Layer 3 Switch, and you only have one "Gateway VLAN Interface", just use the default profile "All" to pass DHCP to all your wireless clients. I discussed that more and demonstrated adopting an EAP in the LC68 video here (3:33 time stamp): ua-cam.com/video/mkPL5Wkxcsc/v-deo.htmlsi=lB5A1sO37sNEZVau&t=213 Good hunting!
Just found your videos this week and I am really enjoying them, particularly these where you put a lot of routing in the switch. The main downside I see is that if you want to use a NGFW and have protection rules based on VLANs, you have to switch to rules based on the IP range of the VLANs. Am I correct in this, since the trunk port from the switch to the firewall becomes an access port? If so, I like this better as you don't have to set up all the different VLANs and interfaces in both the router and the switch.
hey @KevinRussellT, thanks for dropping by the channel and good to know you found the videos helpful. As for switching the rules to IP-range based, I want to make sure I don't lead you astray or get you confused :). In the example I have shown here, yes, you will have to do that because all of the VLANs, other than the Management, are never defined on the Gateway/Firewall (but you still can do VLAN-based firewalls). You can find more about ACLs in my LC70 and LC71 Episodes (so 3 Episodes after this, start with LC70, links below). But to make it clear, I have been showcasing mostly switch-centric ACLs on almost all of my LAN design episodes (NewGen LAN, NeXTGen LAN, and AdvanceGen LAN) in preparation for this episode. NewGenLAN is an easier version, NeXTGen is switch-centric design and very strict, and AdvanceGen is based on Layer 3 Switching (this episode). And yeah, as I have shared with @J0hnSm1th (a few posts below), I have been planning to share this architecture for about 2-3 years now, as a departure from what you can see almost everywhere on the net for so many years, ever since Home LAN became a thing. However, in the last ~10 years, Layer 3 switching has been going down in price, and for the last 4 or 5 years, it has become more affordable for home users (proof: my latest video UB40 is a $75 Layer 3 Switch!!!). Btw, since Layer 3 Switching is not very common, it lacks many features, i.e. InterVLAN mDNS is not supported, current SDN doesn't support DHCP reservation on Layer 3 Switching, and like you mentioned, ACLs will be mostly IP-range based. Just be aware that Omada may not cover all the needs that you usually have from Gateways. I hope that Year 2024 is the time that more and more users start going for Layer 3 Switching for Home/HomeLAB and hopefully make this a normal thing for Home/HomeLAB use, not just for Omada.
UB40 $75 L3 Switch - ua-cam.com/video/PyIKpqCbRMA/v-deo.htmlsi=xEeWPozJqq-wOQ34
LC70 Basic Switch ACL - ua-cam.com/video/yraDD9P-PZk/v-deo.htmlsi=cfMnPCJwbQY0Fq-n
LC71 Advance Switch ACL - ua-cam.com/video/rTsKcBhyyzc/v-deo.htmlsi=_u37bpL6AOmksN_Q
Good hunting!
@@deadmeats great stuff! I just got my Omada software controller, ER605 v2, EAP610, and sh2008p live in my home network. Seems to be running great but it is wide open. DPI is fantastic but I need to figure out how much space is needed for the logging as I have it on an old thin client with limited space.
Thanks for the video. I had a question about using Interface LANs and Layer 3 switches. Please correct me if I am wrong, as I am having some trouble understanding the best way to set this up. I think that even if you use an Interface LAN instead of a VLAN, the Layer 3 switch will still route traffic directly across the LANs, rather than forwarding up to the router. I think this happens in the default Omada setup without any ACLs. In your NextGen network setups you segregated your Interface LANs with Switch ACLs, and that did prevent traffic flow. Isn't that because you didn't have LAN->LAN Gateway ACLs set up, so by disabling the routing bypass with the Switch ACL, the packets get forwarded to the default gateway for routing and are then dropped? What I mean is, with Interface LANs and appropriate Switch ACL setups, the "router on a stick" problem can still be mitigated for everything that doesn't need a stateful firewall. Or maybe I got completely the wrong end of the (router on a) stick?
hey there @Mark-px3rq, thanks for dropping by the channel. It may seem like I have confused you with my videos so let me just try and clarify. "Network Routing" is performed at Layer 3 and usually performed by a device called a Router, and in Omada, they call it Internet Gateway. Routing is performed in "Layer 3" of the network stack and deals with things like IP addresses. "Network Switching" is performed at "Layer 2" and done by a device called a "Switch", and deals with things like "MAC addresses". These two are required to have a fully functioning network. However, ACL is not; it is a functionality that grants or denies access (hence the name Access Control List). This means Routing and Switching, while impacted by ACL, are completely different; they all work together and are intermixed, but while the two are basic building blocks of networking, ACL is not. With NeXTGen, the ACLs I used are Switch-based, i.e. they work in the Switch, but that doesn't mean "routing" happens in the switch. The ACLs are working in Layer 2 and not in Layer 3, but the ACL is NOT responsible for "routing" because ACL is not routing; it is about granting/denying access whether there is routing or not. The easiest way to test, create a traditional Omada LAN:
a) Make sure you have more than 1 VLAN defined in your Omada LAN, i.e. VLAN 1, VLAN 10, VLAN 20, and all are Gateway Interface (i.e. not Layer 3 Switching)
b) Make sure you are using Omada Gateway and Omada Switch
c) Make sure no VLAN Interface is enabled on the Switch except for VLAN 1 (default)
d) Make sure you have no ACL active.
e) Plug at least one host per VLAN on the Omada Switch, including the Admin PC/Host
Testing:
0. Make sure your admin PC/host is connected to the switch
1. On the admin host, open 2 (or more) consoles, do a continuous ping to each host on VLAN 10 and VLAN 20
2. Remove the cable between Switch and the Router. Without the Gateway uplink, ping will fail.
This means the Switch is NOT doing routing even if the Switch has all the VLANs defined on it. With Layer 3 Switching (this video's goal), this will work since the Switch is responsible for InterVLAN routing. Hope this helps!
Thanks a lot for these helpful tutorials, I highly appreciate the way you share the improvements of your environment. I have a question about configuring the router in your scenario if you had maybe an additional EAP which is connected directly there. It should also be connected via trunk to the router (not to the Layer 3 switch) and the same VLANs should be available there as in your example. How should the configuration of the router ER605 look like then? Who does the DHCP then, still the switch which uses Inter-VLAN routing? Which VLANs have to be defined at the ER605 then?
hey @timtaylor3741, thanks for dropping by. For VLANs I have defined in this video, I only have 1 VLAN defined on the Gateway (192.168.101.x) so this is the only VLAN that will be available to any device (access point, switch, PC) connecting directly to the Gateway. Devices connected to Gateway can "reach" the VLANs defined in Layer3, but the VLANs only exist on devices connected to the Layer 3 Switch. You can look at the Layer 3 as another "Gateway" outside of ER-605, and you control whether the VLANs defined in Layer3 can be reachable by Gateway using Static Routing. So having said that, assuming we have the VLANs laid out exactly in the video (VLAN 1 in Gateway, all the rest in Layer 3), the Access Point can only hand out VLAN 1 IP addresses and these will be handled directly by the gateway (DHCP server, intervlan routing, etc).
Very good video and worth the effort to try. However, how are we going to configure other VLANs from accessing the admin VLAN 101, and yet admin VLAN 101 can have access to all of the rest of the VLANs? In the past we did this setup on the router ACL.
hey @stan79yt, thanks for dropping by the channel. There is no change with ACL, since this is all purely Omada implementation. You can allow/deny access to VLAN 101 via Switch ACL and/or Gateway ACL, based on your use case. I cover a revised LAN design which covers ACL in later implementations of this, link below: ua-cam.com/video/yraDD9P-PZk/v-deo.html Good hunting!
It is really a great video. I could also use the same for my network. However, I still didn't understand what the port Profile L2All is created for and to which ports you are applying it. I would appreciate any help. 😀
hey there @mmo-tech, thanks for dropping by. The L2ALL profile is useful if you have multiple Layer 3 Switch environments. If you only have one Layer 3 switch, you do not have to worry about this implementation. But if you have multiple, let's say, two (2) Layer 3 Switches (A and B) in completely isolated implementations (i.e. different companies), you need to know which "All" you are working with. In L3Switch A, you have VLANs 10 and 20, and in L3Switch B, you have VLANs 11 and 21. If you use a normal "All" profile, that profile will have VLANs 1, 10, 11, 20, and 21 (literally, ALL of the VLANs in the Omada). You normally do not want this type of configuration, unless you absolutely understand what you are doing, because you will never want these two companies to have any mix-up whatsoever :). Good hunting!
hey @andrescubillos1432, welcome to the channel. The Static Route is for the Gateway/Router. So if you have a non-Omada Gateway/Router, you need to configure Static Route on that device and not on the Omada Switch. Good hunting!
Good video tutorial! Thank you very much. I have in-home game streaming from one VLAN to another; it could be a lot faster if the switch can handle the inter-VLAN routing. But then I have another question for you: Can you cover Layer 3 switching ACLs in a later video? Blocking inter-VLAN connections can be easy (deny private IP groups), but allowing traffic from one VLAN to another on specific protocols/ports can be tricky without stateful ACLs. Thank you in advance!
heya @MrTelraam, thanks for dropping by the channel and glad you found this useful. And yep, I plan to cover Layer 3 switching ACLs in future videos if only to address some nuances that may not be obvious, but you may not even have to wait for my video since I already have many "switch" based ACLs that cover denying inter-VLAN traffic (and automatically) with my "NeXTGen" LAN design (the XT stands for eXtra Torture) because ALL of the ACLs (both two-way and pseudo-one-way) are switch-based. When you get the chance, check out the playlist here: ua-cam.com/play/PLdbM7FkjX0_rMzsitj54Hfs2X5scnThfd.html
Heya MrTelraam, I posted a video you mentioned about Stateful ACLs and even made a write up on the official forum. I will post the link below:
Use Cases:
Use Case 1: Home VLAN can "ssh" to IoT VLAN but not the other way around.
Use Case 2: IoT VLAN can "vnc" to Home VLAN but not the other way around.
IoT is denied access to all other VLANs.
These 2 Use Cases will NOT be possible if Gateway ACL is used because in Use Case 1, the Source is Home VLAN and in Use Case 2, the Source is the IoT VLAN.
ACL Video (skip to 24:15): ua-cam.com/video/yraDD9P-PZk/v-deo.htmlsi=YDGfQ40U1kkA5dRf&t=1455
Write Up/Guide about using Switch ACL as alternative to Gateway ACL: community.tp-link.com/en/business/forum/topic/656428
@@deadmeats hi deadmeats! I really like that you take the time to even go to older comments to say you have a new video about the question asked. Great job!! I think you did a fantastic thing with the ACLs on switch level. Still it isn't a stateful ACL because you have both incoming defined. The standard Home to IoT is allowed and the second rule is that you allow source port vnc to destination any. It is a shame that all the routers don't have the option to define service type in LAN-LAN gateway ACL. In standalone mode the routers have this option. In this case you can define home to IoT ssh and IoT to home with gateway ACL. This is true stateful, because you have only one way defined. I don't know why we cannot define these service types within Omada tho. Maybe it is something for future releases for Omada. And in combination with switch ACLs you can define which IP to IP communication is possible before it goes to the gateway. So not every device in home is open to vnc and not all devices in IoT are exposed to ssh. I don't see a feature request in the forums. Maybe I need to make one for allowance on service type within Omada.
Heya @@MrTelraam, no prob. I usually try to get back to those who are asking in case they missed it because I usually take a long time to post videos, i.e. this Layer 3 video has been on my to-do list for about a year or so now. As for the ACLs, is there any specific use case you are looking for? I agree though, that Stateful ACLs are much easier to implement, but they lack the granularity. If TP Link can add that feature for more granularity, that'll be great.
Rewatched video again and it seems like the gateway needs to either be the DHCP server for the native vlan 101 subnet or the switch interface needs to define the gateway as 192.168.101.1. Please let me know if this is a correct assumption. Apologies if I missed it!
hey @KevinRussellT, in this video, my native VLAN is 1 using IP scheme 192.168.101.x (you refer to it as native VLAN 101 subnet). Not saying you are wrong, just want to make sure I clarify my answer. And you are absolutely correct, I still use the native VLAN because we can't ever remove it from Omada. VLAN 1 is also the default "Management VLAN", it can be changed, but for now, all of my videos use VLAN 1 as Management VLAN or as I often refer to them, Admin VLAN. In this episode, I assign an IP subnet of x.101 and as you mentioned, it is using a Gateway as a DHCP server. But only for "Admin VLAN devices" (which includes ALL Omada Network devices). Good hunting!
heya @user-sg7xn1yg4n, thanks for dropping by the channel. And sorry you have issues with pinging, there are so many various reasons why a Ping can fail, to name a few, bad cable, OS block, ACL, incorrect gateway, etc. This set up makes it more complicated. I suggest you try the traditional set up first (i.e. Gateway VLAN Interface rather than this) then when you can do InterVLAN with traditional set up, disable that Gateway VLAN Interface, duplicate all the info you have there (i.e. IP address scheme, etc) and follow the steps I laid out here. Good hunting!
My dearest UA-cam-er, I hope you are doing well! I have the following question concerning this videos topic and network setup. I saw the pros and cons of this network topology but does it really help the link between the omada (gateway) modem router and the switch to be less busy? I am asking because I want that since the link between the two devices is just one active link because the router does not support link aggregation. So if you have further pros and cons of this kind of network setup I would like to know them! Thank you in advance for your time and effort into helping me out!
hey there @J0hnSm1th, thanks for gracing my channel with your comment. I am an old-school LAN guy so I prefer this approach over what you can see very commonly on the Internet today; whether it be Omada, Unifi, pfSense/OPNsense, MikroTik, etc. All of the current solutions that you see are making use of the Firewall/WAN router as their LAN router for home use (and office use). But I always wanted to have a separation of responsibility between the WAN-facing router and the LAN router. I wanted to push this idea a long time ago, about 2-3 years ago now. However, in order to push this idea, I have to help my viewers, at least those who constantly watch my videos, to see the tribulations and challenges of using an Internet Gateway (i.e. ER605 and its much upgraded brothers) for LAN routing. I also have to give solutions for the most common use of the Gateway: ACLs, and so I spent the last two years sharing Switch ACLs, and revisions of NewGenLAN and NeXTGen LAN. I have tried to show that while Router-on-a-Stick is a great blessing, the current implementation using a Firewall/VPN/NAT Gateway just won't cut it for East-West traffic (i.e. LAN traffic). Sure, there are many newer devices that offer fast InterVLAN routing nowadays, but for East-West traffic, nothing beats a Switch. For Pros: the main Pro is that your LAN traffic is fast, really fast! You can have redundancy (LACP ftw! pricier models offer VRRP), more routable ports (switches have more ports), and your Switch usually has beefier hardware! For Cons: you will lose Gateway-specific functionalities such as Stateful ACLs (that is why I introduced granular ACLs for Switch), DHCP reservation (you will need to set static IPs), and mDNS (mDNS will still work, but must be within the same VLAN when using a Layer 3 Switch). What are the other Gateway-specific functionalities? VPN! You can still use your Gateway for VPN purposes but you can't expect your Layer 3 Switch to do this.
Your Layer 3 Switch can't do NAT, so again, you will still need your Gateway for Internet. And also, Layer 3 switch means you are adding a "layer of complexity". Sorry for the long answer. Good hunting!
hey @necatibilen4130, thanks for dropping by the channel. if you would like to set a limit, you don't need an L3 for it but what you need to do is Bandwidth Control and there are many ways to do it. I discuss several ways to do it here: ua-cam.com/video/JiJNuF-gMgc/v-deo.htmlsi=yDdNGQHONqqZECTR&t=383 Good hunting!
Hello my dear, really great video!! But is it possible that the routing (without you suspecting it) goes through the router? I wasn't able to trace it without the router. Maybe you can test it by unplugging the router! I couldn't establish static routing with just the switches alone. It's a T-Link bug, I think.
hey @Iceflash75, thanks for dropping by the channel and thanks for the kind words. As for your observation, maybe I have not explained it well, but the "Static Route" is the reason why the Layer 2-only VLANs (non-Interface) have access to the Internet. Meaning, they need to go to the Gateway/Router to be able to access the Internet. So what you are seeing is the "normal behavior" because the Static Route is meant to connect the Gateway and the Switch. If you remove the Static Route, then all VLANs defined in the Layer-3 switch will just communicate within the switch. It is ok to turn off the Static Route (or limit which VLAN can go the Internet) if you don't need to. I hope that makes it clear :) Happy Hunting!
@deadmeats Hi, thank you very much for your response! Of course, you are right!! I apologize, I didn't express myself well. What I mean is that I can't enter static routes without a connected T-Link router. This applies to VLANs as well. All routes I enter do not appear in the "Routing Table" (Omada or CLI). It doesn't matter whether I enter the route in Omada, directly on the switch in Omada, or in the standalone switch in the GUI or CLI. My setup is a Fritzbox as the router and an L2 L3 T-Link switch (SG2016P V1.20.0). If I enter the static route on the Fritzbox, everything works immediately. That's my observation... Of course, I could be wrong... I would appreciate it if you could tell me if I'm wrong... Best regards... 🙂
hey @@Iceflash75, the Omada option (Transmission > Routing > Static Routing) works on the Omada Gateway. If you don't have an Omada Gateway, I think (not sure) you can't use this option. What you did, entering the static route in the Fritzbox, is the right approach. If you would like to experiment on the switch, you can try this: add a static route from your Layer 3 switch to your "non-Omada" Gateway/Router (Fritzbox) (Devices > Switch > Config > Static Route). Note that I tried this about 3 yrs ago so it may have changed, so refer to the updated manual. Say if you have 192.168.0.1 for your Fritzbox, you need to add this as the next hop. Also, if you want all other traffic (i.e. Internet) to go to the Fritzbox, you may need to add 0.0.0.0/0 pointing to 192.168.0.1 in your configuration. I don't recommend this option btw ;) but it's good to know in case you have multiple Layer 3 switches connected together since the same idea, theoretically, should work. I am not familiar with Fritzbox nor how Omada will work/discover routes with a non-Omada Gateway so you will have to do some testing/digging. edit note: noticed you mentioned you already tried the Static Routing with Fritzbox so removed my comment about adding a Static Route in Fritzbox ;) Happy hunting!
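As an added illustration of the static-route exchange above (this is example code, not the video's configuration and not TP-Link/Omada code), here is a small longest-prefix-match routing model in Python. It assumes a constructed addressing plan: the non-Omada gateway is 192.168.0.1 on the uplink VLAN, the Layer 3 switch is 192.168.0.2 on that same VLAN and owns VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24), the gateway carries a static route for each of those subnets via 192.168.0.2, and the switch carries 0.0.0.0/0 via 192.168.0.1. The trace shows that InterVLAN traffic never leaves the switch, that Internet-bound traffic goes switch, gateway, WAN, and that with the gateway's static routes removed, packets returning to VLAN 10 are sent out the WAN instead of back to the switch, which is the failure the static route prevents.

```python
"""Longest-prefix-match routing model for a gateway + Layer 3 switch layout.
Added example with constructed addresses; not Omada/TP-Link code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = directly connected network
    iface: str
    metric: int = 1


def route(prefix: str, iface: str, via: Optional[str] = None, metric: int = 1) -> Route:
    return Route(ipaddress.ip_network(prefix), via, iface, metric)


# Constructed tables. The gateway (192.168.0.1) only knows the switch's VLAN
# subnets because of the two static routes pointing at the switch (192.168.0.2).
GATEWAY_TABLE: List[Route] = [
    route("192.168.0.0/24", "lan"),                       # connected: uplink VLAN 1
    route("192.168.10.0/24", "lan", via="192.168.0.2"),   # static: VLAN 10 lives on the L3 switch
    route("192.168.20.0/24", "lan", via="192.168.0.2"),   # static: VLAN 20 lives on the L3 switch
    route("0.0.0.0/0", "wan", via="203.0.113.1"),         # default: ISP next hop (constructed)
]
SWITCH_TABLE: List[Route] = [
    route("192.168.0.0/24", "vlan1"),                     # connected: uplink VLAN
    route("192.168.10.0/24", "vlan10"),                   # connected: Layer 3 VLAN interface
    route("192.168.20.0/24", "vlan20"),                   # connected: Layer 3 VLAN interface
    route("0.0.0.0/0", "vlan1", via="192.168.0.1"),       # default: everything else to the gateway
]
DEVICES: Dict[str, dict] = {
    "gateway": {"addrs": {"192.168.0.1"}, "table": GATEWAY_TABLE},
    "l3switch": {"addrs": {"192.168.0.2"}, "table": SWITCH_TABLE},
}

Hop = Tuple[str, str, Optional[str]]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; a lower metric breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def owner_of(addr: str) -> Optional[str]:
    """Which modelled device holds this address (None = outside the model)."""
    for name, dev in DEVICES.items():
        if addr in dev["addrs"]:
            return name
    return None


def trace(start: str, dst: str, tables: Optional[Dict[str, List[Route]]] = None,
          max_hops: int = 8) -> List[Hop]:
    """Follow a packet to dst device by device. Each hop is (device, matched
    prefix, egress interface); the final entry is 'delivered', 'external'
    (left the modelled network via that next hop) or 'no route'."""
    tables = tables or {n: d["table"] for n, d in DEVICES.items()}
    hops: List[Hop] = []
    device = start
    for _ in range(max_hops):
        r = lookup(tables[device], dst)
        if r is None:
            hops.append((device, "no route", None))
            return hops
        hops.append((device, str(r.prefix), r.iface))
        if r.next_hop is None:
            hops.append(("delivered", str(r.prefix), r.iface))
            return hops
        nxt = owner_of(r.next_hop)
        if nxt is None:
            hops.append(("external", r.next_hop, r.iface))
            return hops
        device = nxt
    hops.append(("loop", dst, None))
    return hops


def without_static_routes() -> Dict[str, List[Route]]:
    """Gateway table with the two static routes removed, to show the failure."""
    return {
        "gateway": [r for r in GATEWAY_TABLE if r.next_hop != "192.168.0.2"],
        "l3switch": SWITCH_TABLE,
    }


if __name__ == "__main__":
    print("VLAN 10 host -> VLAN 20 host:", trace("l3switch", "192.168.20.7"))
    print("VLAN 10 host -> Internet:    ", trace("l3switch", "198.51.100.9"))
    print("reply -> VLAN 10 host:       ", trace("gateway", "192.168.10.5"))
    print("same, no static routes:      ", trace("gateway", "192.168.10.5", without_static_routes()))
```

The last trace is the case to keep in mind when a VLAN "can't reach the Internet": outbound packets leave fine through the switch's default route, but without the gateway's static route the replies follow the gateway's own default route to the WAN and never come back.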
@@deadmeats Hello @deadmeats, thank you for your response and your time! I don't want to keep you any longer because you're doing a great job with your videos! I just have 2 more questions: One for myself: Why did I buy an L3 switch that can route VLANs if it's not doing that? :-) For you: I'm curious to know if, when you unplug the T-Link router, does the routing between the VLANs on the switch still work? Thanks for your time!! Best regards!
hey @@Iceflash75, you are most welcome and you are not keeping me from anything. However, I do have to run away and do some stuff so my reply time is erratic, so apologies for the delay. I had to finish my other video (which I just uploaded an hour or so ago) which has been taking up my time. Anyway, as for your question: I fully agree. My switches have been doing InterVLAN routing for a long time, but I never really posted any video because I would like to make sure the regular viewers see what the challenges are for Router on a Stick before I jump into it (you can see my videos about the NewGen LAN redesign last November and December). I think someone asked about switch routing in one of those videos, but I gave a safe answer instead (use the Gateway) because I was not sure I could reply in a timely manner and may have caused them significant delay. Btw, if you are serious about L3 switching, just take note of the "limitations" :) As for your second question, yes I did that and the routing for ALL Layer 2-only VLANs still works. Of course, all traffic destined to the Admin/Management VLAN died. You can also quickly test this by: a) removing/adding the static route for each Layer 2-only VLAN that you defined as Layer 3. I have demonstrated this in the video I just uploaded, which applies to the Camera VLAN. b) setting the uplink profile as a single VLAN as can be seen at 14:19, Port 1 of the Layer 3 switch. You will notice that I am not using a Trunk profile; instead, the Switch link that connects to the Gateway is configured as an access port: there is only one VLAN! You can also do a packet capture and check if the gateway Layer 2 header is being replaced by the router MAC address. Hope it helps, thanks for dropping by the channel again. Good hunting!
@@deadmeats thank you, unfortunately that does not change anything and IPv6 addresses are assigned to every device in the LANs/VLANs. Seems to be some kind of bug in Omada.
@@TheSmietnisko hey there, sorry to hear about that. I will leave a link where you can raise a ticket to TP Link. Also, when you get the chance, just make sure your devices are not doing SLAAC. TP Link Support: www.tp-link.com/us/support/contact-technical-support/ SLAAC Info: www.networkacademy.io/ccna/ipv6/stateless-address-autoconfiguration-slaac Good hunting!!!
Thanks, that works! But can I create rules now? I have created 2 VLAN networks "Home" and "Server". Everything works. How can I set it up so that HOME has access to SERVER but SERVER does NOT have access to HOME? If I create an ACL-Switch rule that blocks Server->Home, then Home no longer has access to Server? This rule blocks "Bi-directional" :(
Hey @DSeimann, yes you can make rules. I have addressed the challenge you mentioned about "bidirectional". I covered the ACL in a long-form video (link below) but I also have a short write up (not covering the whole video) that I made over at TP Link and reddit. I added here a short summary of what that ACL covers:
"Use Case 1: Home VLAN can "ssh" to IoT VLAN but not the other way around.
Use Case 2: IoT VLAN can "vnc" to Home VLAN but not the other way around.
IoT is denied access to all other VLANs.
These 2 Use Cases will NOT be possible if Gateway ACL is used because in Use Case 1, the Source is Home VLAN and in Use Case 2, the Source is the IoT VLAN."
Layer 3 Switch ACL video: ua-cam.com/video/yraDD9P-PZk/v-deo.html
Partial Write Up: community.tp-link.com/en/business/forum/topic/656428?page=1
heya @@DSeimann, I finally got the chance to check it out and I have replied there. Copy/pasting my reply there here as well: There are two ways to go about this. I agree with Clive that if you want a non-granular (IP Port Group-based) ACL, then you have to use Gateway ACL. If you go the Gateway ACL route, you can never have a Granular (IP Port Group-based) ACL, meaning your Source from one ACL Rule can NEVER be a Destination in another ACL Rule. You can request a feature to support IP Port Group for Gateway ACL if you need to. The second way is, just go full Switch ACL and follow my posted guide. In your ACL, to your question why it works that way, it is because it's supposed to work that way. If you want Server to have "granular" access to Home, I edited your posted ACLs, and inserted ACL Line 2 and edited ACL Line 3 (your old ACL 2) to demonstrate this. It will allow your Home to SSH to Server devices, BUT also allow Server devices to FTP to Home devices (assuming there's an FTP server/service running in Home VLAN 100). This can never be done with Gateway ACLs (maybe in the future it will).
Switch ACLs:
ACL 1 - Permit Home devices to SSH to Server devices
Permit Home SSH to Server
Policy: Permit
Protocols: All
Source > IP Port Group > (Subnet 192.168.100.0/24, Port: 22)
Destination > IP Group > (Subnet 192.168.200.0/24)
ACL 2 - Permit Server devices to FTP to Home devices
Permit Server FTP to Home
Policy: Permit
Protocols: All
Source > IP Group > (Subnet 192.168.100.0/24)
Destination > IP Port Group > (Subnet 192.168.200.0/24, Port: 21)
ACL 3 - Deny Home devices to access Server resources
Deny Home to Server
Policy: Deny
Protocols: All
Source > IP Group > (Subnet 192.168.100.0/24)
Destination > IP Group > (Subnet 192.168.200.0/24)
Remember this tip, which I covered in my past ACL videos: Default is Permit All, You allow what you Deny, and Whitelisting (Deny some/Permit some). Look at all "Sources" in those 3 ACLs and you will see what is "common".
ALL the Permits' Source is the Deny's Source aka Home (in my example IoT)! In your original ACL, you Denied "Server to Home" (VLAN 200) and then "Permitted Home to Server" (VLAN 100), but there is no need to Permit Home because (remember the tip) the default is Permit All, and the only Permit you need to do is IP Port Group (remember the tip Whitelisting). Because if you Permit everything anyway, there is no need for ACL (remember the tip: you allow what you Deny). Now another tip using the ACLs above: I used SSH and FTP, but you can use any protocols, known or custom ones. If you would like to "observe" the functionalities of the ACLs, change ACL #2 from Port 21/FTP to Port 22/ssh. For testing, always have ACL 3 ON. Now play around with ACL 1 and 2, turning them On/Off, Off/On, On/On, Off/Off or however you want. Each time you turn an ACL On or Off, do an SSH from Home to Server, then from Server to Home. Observe how they work. Work slowly, and be patient because ACLs can sometimes take time. So start with just ACL 3 On, then wait a bit: ssh (on either). Then turn On ACL x, then wait a bit: ssh (on either). Rinse/repeat. Hopefully this will get you more familiarized with how the ACLs are structured and how they work. I hope I don't get you confused even more. I know this is a confusing subject; I have been covering Omada ACLs for 3-4 years now and I think some of my viewers did get it, but for the most part, I still don't know how to properly explain it :) :) :). I came up with it because there was no Stateful ACL for the longest time and so many users complained they can't do stuff, but I keep showing how to do stuff and I keep failing haha :) Check this video and maybe it can also shed some light. Sorry for the late reply, and Good hunting!
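As an added example for the Home/Server question above (this is not Omada's ACL engine, not the video's rules and not code from the forum write-up), the following Python models the difference between a stateless switch-style filter and a stateful gateway-style filter. Addresses are constructed: Home is 192.168.100.0/24, Server is 192.168.200.0/24; rules are evaluated first-match with default permit, which is a generic model rather than a statement about Omada's ordering. It shows why a single deny Server->Home rule also breaks Home->Server SSH on a stateless filter (the SYN/ACK reply is itself a Server->Home packet), why a stateful filter does not have that problem, and how a port-specific permit placed ahead of the deny restores the reply path on a stateless filter, with the caveat that any Server->Home packet sourced from port 22 is then admitted, because a stateless filter cannot tell a reply from a new connection.

```python
"""Stateless (switch-style) vs stateful (gateway-style) filtering model.
Added example with constructed addresses and a generic first-match,
default-permit rule engine; not Omada's ACL implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

HOME = "192.168.100.0/24"    # constructed: Home VLAN
SERVER = "192.168.200.0/24"  # constructed: Server VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src_net: str
    dst_net: str
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def stateless_verdict(rules: List[Rule], p: Packet) -> str:
    """Switch-style: every packet is judged on its own. First match wins;
    no match means permit (default permit)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "permit"


class StatefulFilter:
    """Gateway-style: a new connection (SYN) is judged by the rules; once
    permitted, packets of that flow in either direction pass without
    consulting the rules again."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def verdict(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "permit"      # established flow, either direction
        if not p.syn:
            return "deny"        # mid-stream packet with no state: drop
        v = stateless_verdict(self.rules, p)
        if v == "permit":
            self.flows.add(fwd)  # remember the connection the client opened
        return v


def tcp_connect_succeeds(check: Callable[[Packet], str],
                         client: str, cport: int, server: str, sport: int) -> bool:
    """A connection only works if the SYN and the SYN/ACK reply both pass."""
    syn = Packet(client, cport, server, sport, syn=True)
    syn_ack = Packet(server, sport, client, cport, syn=False)
    return check(syn) == "permit" and check(syn_ack) == "permit"


# Rule sets under comparison.
DENY_SERVER_TO_HOME = Rule("deny", SERVER, HOME)
# Port-specific permit for SSH replies, placed ahead of the deny.
PERMIT_SSH_REPLIES = Rule("permit", SERVER, HOME, sport=22)

NAIVE_RULES = [DENY_SERVER_TO_HOME]
STATELESS_FIXED_RULES = [PERMIT_SSH_REPLIES, DENY_SERVER_TO_HOME]


def scenario(mode: str, rules: List[Rule]) -> Dict[str, bool]:
    """Does Home->Server SSH and Server->Home SSH succeed under the given
    filter mode ('stateless' or 'stateful') and rule list?"""
    if mode == "stateful":
        check: Callable[[Packet], str] = StatefulFilter(rules).verdict
    else:
        check = lambda p: stateless_verdict(rules, p)
    return {
        "home_to_server_ssh": tcp_connect_succeeds(check, "192.168.100.10", 50000, "192.168.200.10", 22),
        "server_to_home_ssh": tcp_connect_succeeds(check, "192.168.200.10", 50001, "192.168.100.10", 22),
    }


if __name__ == "__main__":
    for label, mode, rules in [("stateless, deny only", "stateless", NAIVE_RULES),
                               ("stateful, deny only", "stateful", NAIVE_RULES),
                               ("stateless, reply permit + deny", "stateless", STATELESS_FIXED_RULES)]:
        print(f"{label:32s} {scenario(mode, rules)}")
```

The third scenario is the stateless compromise: SSH from Home to Server works and SSH from Server to Home is refused, but the filter also lets through any Server->Home packet whose source port happens to be 22, which is the granularity-versus-statefulness trade-off the comments above are circling around.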
Good day sir! Nice setup to lessen the burden on the router, especially if it's only low-end too, but my question is, how about defining my ACLs? To customize which VLANs are allowed to communicate with each other? Should I still use the normal -> Switch ACL -> then custom ports? And then just select the DISTRIBUTION SWITCH PORTS? Since that's where the SVIs are defined? Thank you sir! :)
hello @user-rr4op5lj5l, you're right sir, less load on the router. As for ACL, you're right again. I have a video that I uploaded just earlier regarding ACL. If you need a guide, just check it, but you're correct about what you said! Thanks for visiting the channel sir! Good hunting!
Sir, how about if I have two distribution switches? One primary, one backup, then four access switches below them? Also sir, the "Port Profile" 101VLAN (which is also the admin one, the UPLINK of your L3 switch that is connected to the ROUTER), are all the VLANs you created checked as TAGGED there?
I am trying to figure out if I have an SG3428MP Omada L2+ switch + OC200 + AEP610. Could I make a similar setup if I use not Omada but a normal ASUS router? I feel the performance of the 4-core 1.8GHz router is better and I already have it. (I purchased an ER707-M2, but my disappointment was that there is no link aggregation and my ASUS has it. Now I have 2.5Gbs connected to my ISP modem, but I cannot get more than 1 GB to my switch. This is another reason I'd like to use the Asus RT-X86U router.)
hello @svetoslavvalchanov5080, welcome to the channel and thanks for dropping by. The Omada Gateway (which includes ER707-M2) is a Gateway Router and in the TP Link world, this means it can not support trunk ports. I am not familiar with your Asus router, but your SG3428MP is a Switch. It can not do the "WAN" function of your Asus Router. However, your switch can do Layer 3 Switching so you can definitely use your SG3428MP to adapt the settings I am showing here. You will need to configure your Asus router to have static routes pointing to your L3 Switch so that your L3 Switch clients can have Internet access. I have a video that will reflect your setup, but instead of using an Asus Router, I am using a non-Omada Router. You will need to adapt the settings of my non-Omada router to your Asus router, but the general steps are the same. You can find the video here: ua-cam.com/video/D7al4Yw21bI/v-deo.htmlsi=2aEqibZqGuvh4TFK You can find a write up about it here: community.tp-link.com/en/business/forum/topic/667126 Good hunting!
How about, sir, if the setup I want to achieve is like yours, but my L3 is two DISTRIBUTION SWITCHES? Primary & secondary DSW / 2-tier design. Questions: 1. Where do I define the SVI DHCP scope? Only on the primary or on both distribution switches? 2. With static routing, to make my primary DSW the one that is chosen as the path, do I just lower the METRIC? Sample Static Route Metric Config: Primary DSW = 1 Secondary DSW = 2
hey @davidesguerra7837, you can have 2 (or more) L3 switches. But as far as I know, Omada's L3 switches currently have no automatic fail-over or re-routing (maybe in the future there will be, or maybe there is and I just don't know about it). Even if you add the metric, when the primary route fails, all the dependent devices i.e. laptops, etc. still won't switch to the secondary route. 1. Define the DHCP scope on only one switch to avoid conflicts. The L3 switch has no DHCP reservation. 2. As I mentioned in my intro post, you can change your metric, but in my experience (limited testing only), I don't know how to fail over to the secondary link. You can design based on LAG/LACP or even STP/RSTP. But if your goal is to have a "hot" backup L3 switch, I haven't seen this work yet. But I'm not an expert on that, so just check with TP Link, maybe they have settings for it. I haven't tested this much. Okidoks!!!
Hello! I am new to the world of virtual networks. I have an omada setup. I made my vlans (Main, surveillance, IoT, Guest). I made ACL rules in the gateway because with the rules in the switch I could not get communication between vlans. Currently, only the Main Network can see everyone else. However, I have a Synology server on the main network that I don't know how to make visible to devices on the IoT network. For example TV, receiver... Help... Can you give advice on how to build my rules? Is there any chance I can contact you personally, e.g. email?
hey user-wk8yg1nl6e, thanks for dropping by the channel and welcome to Omada and networking. First, let me just say you need a managed switch to have VLANs when using Omada Gateways. I can't really provide any support/answer outside of UA-cam because I don't often use my personal email, unless I am actively applying for a job :). I don't use Facebook or any Social Media often (I do have Twitter, Instagram, etc. that I use maybe 10x at MOST in a YEAR). I visit Reddit and TP Link about 2x a week. If you need support, I highly suggest you reach out to the official TP Link Tech Team, as well as their forum. Next is reddit, not just reddit TP Link but reddit network subs. Or check out the more popular channels, they offer Network Consulting and Installation. As for your inquiry, Gateway ACLs are, in their current versions, an all-or-nothing stateful ACL. With Gateway ACL, you can allow VLANs to have two-way communication (i.e. Main to IoT) initiated/started only, and always, from VLAN A to VLAN B but never initiated/started from VLAN B to VLAN A. To allow communication using a specific protocol (i.e. your TV, receiver), you need to use switch ACL and allow only the protocols that you need to pass thru (you need to research what protocols your devices use). I have many ACL videos already, you can refer to my CS5 Video but if you want to go deep, check out my NeXTGen LAN EP38. My NewGenLAN EP34 and later iterations also cover ACLs but the CS5 and EP38 should be a good intro. I'll put both links below. CS5 About Switch ACL: ua-cam.com/video/-ftA6ZARukk/v-deo.html NeXTGen LAN: ua-cam.com/video/pNrdLjBXPYQ/v-deo.html Good hunting!
Hello! Thanks for the response! I understand your refusal of personal communications. It's just that there are no people around me who understand virtual networks and there is no one to ask. By the way, I have already watched quite a few of your videos, which are really very helpful! About my setup, it consists of an ER605 gateway, OC200 controller, and the switch is TL-SG2016P. Synology is connected to the switch through two link aggregation ports. It itself runs on the main VLAN, and it has a home assistant on it, like a virtual machine that runs on the IoT VLAN. Here too I lost the SMB server connection to the assistant and can't do backups. Do you think that in order to have access from specific devices from the different virtual networks to Synology I need a new switch and to set up ACLs in it? Greetings from Bulgaria! @@deadmeats
heya@@ЕмилДимитров-е3ю , not sure why you lost access to your NAS, it could be a lot of things and of course, it can be due to ACLs. As you mentioned, you have your Synology in the Main VLAN and you have several options. The simplest one is move your Synology to IoT VLAN (highly recommended). The other option is, add multiple VLANs to your LAG/LACP Synology link that spans both Main and IoT (not recommended btw, but it's an option). Another option is make a perimeter network. And of course, the other option is use Switch ACL but you need to identify what traffic is allowed "both ways". You need to identify the logical network ports of your VM. I suggest you check out CS5 video, you can find it here (8min time stamp) which shows how to allow such scenario: ua-cam.com/video/-ftA6ZARukk/v-deo.htmlsi=oEZvopQg6Fn4sOoy&t=480 Happy hunting!
Hello. For now, I solved the problem by breaking the aggregated connection between Synology and the switch. I connected one network card of the server to the main vlan and the other to IoT. All the rules I've created are gateway level, since at the switch, I can't get the main network to see the others. Just by telling the IoT not to access the Primary (albeit one-way), the Primary no longer has access to the IoT either. Even a reverse rule with root permission to IoT doesn't solve the problem... @@deadmeats
hey @emmanuelessien8174, thanks for dropping by the channel. If you need immediate assistance, I highly suggest you submit a ticket to TP Link, the link is listed below. If you have any questions, just post it in the comment and I'll get back to it when I can. Note that I don't usually visit my YT account, I usually check it 1x-2x a week at the most so I suggest you contact TP Link for support, or if you can wait, use TP Link forum or reddit forum; I use a different account when viewing UA-cam :).... www.tp-link.com/us/support/contact-technical-support/?type=smb#E-mail-Support www.reddit.com/r/TPLink_Omada/ www.reddit.com/r/HomeNetworking/ Happy Hunting!
heya @sethb.pooten8305, welcome to the channel and thanks for the feedback. For muffled audio, I already upgraded my mic from the basic one to a better one, I don't really plan to change this, at least not yet. As for the way I speak, I can't really change the way I speak much, but I did add close-captioning.
Brilliant. I've been running Omada for more than a year and I didn't know it was possible to set up the switches as if they were a layer 3 device.
hey @falkens_maze , thanks for dropping by the channel. I am glad you learned something new, that's always one of my goal: impart those niche use cases ;)
Hopefully the right video to prevent me from going back to MikroTik and doing everything from scratch + spending another fortune on new l3 capable switches...
hey @victorshane4134, thanks for dropping by! I had a Mikrotik hex rb750Gr3 which I used side-by-side with my old EdgeRoute Lite ERlite3 as a back up. I gave it to my friend because it's fast and trouble-free and I just used an old Cisco/Linksys Wireless Router as a back up instead. Hope yours is still rocking it!
Good hunting!
Thank you for this good tutorial!
heya @TheSadiqus , thanks for dropping by the channel and you are most welcome!
Good video man, keep going!
heya @JasonsLabVideos thank you for dropping by the channel and thanks for the comments! hope you found something useful in this video.
Great man!! Thanks!!!
heya @sams-ingenieria , thanks for dropping by the channel.
Thank you! Boss, I kind of want to be adventurous, but my wife will kill me for buying new equipment. :D
hey @ianpogi5 thanks for visiting the channel and welcome sir. You are right there, purchases need to be approved first by the house CEO hehehe. happy wife, happy life =)
Thank you for your videos. I'm learning a lot. When you set up the vlan without interface, how do you get wireless devices connected to the EAP to get an IP address, if you're using multiple wlans/vlans?
hey @luisosorio5340, thanks for dropping by the channel. For APs (and any devices that require multiple VLAN passing), you need to have a trunk port (Profile) that has those VLANs. If you only have one Layer 3 Switch, and you only have one "Gateway VLAN Interface", just use the default profile "All" to pass DHCP to all your wireless clients. I discussed that more and demonstrated adopting EAP in the LC68 video here (3:33 time stamp): ua-cam.com/video/mkPL5Wkxcsc/v-deo.htmlsi=lB5A1sO37sNEZVau&t=213
Good hunting!
Just found your videos this week and I am really enjoying them, particularly these where you put a lot of routing in the switch. The main downside I see is that if you want to use a NGFW and have protection rules based on VLANs you have to switch to rules based on the IP range of the VLANs. Am I correct in this since the trunk port from the switch to the firewall becomes an access port? If so, I like this better as you don't have to set up all the different vlans and interfaces in both the router and the switch.
hey @KevinRussellT, thanks for dropping by the channel and good to know you found the videos helpful. As for switching the rules based on IP range, I want to make sure I don't lead you astray or get you confused :). In the example I have shown here, yes, you will have to do that because all of the VLANs, other than the Management, are never defined on the Gateway/Firewall (but you still can do VLAN-based firewalls). You can find more about ACLs on my LC70 and LC71 Episode (so 3 Episodes after this, start with LC70, links below). But to make it clear, I have been showcasing a mostly switch-centric ACLs on almost all of my LAN design episodes (NewGen LAN, NeXTGen LAN, and AdvanceGen LAN) in preparation for this episode. NewGenLAN is an easier version, NeXTGen is switch-centric design and very strict, and AdvanceGen is based on Layer 3 Switching (this episode).
And yeah, as I have shared with @J0hnSm1th (a few posts below), I have been planning to share this architecture for about 2-3 years now, as a departure from what you can see almost everywhere on the net for so many years, ever since Home LAN became a thing. However, in the last ~10 years, Layer 3 switching has been going down in price, and for the last 4 or 5 years, it has become more affordable for home users (proof: my latest video UB40 is a $75 Layer 3 Switch!!!). Btw, since Layer 3 Switching is not very common, it lacks many features i.e. InterVLAN mDNS is not supported, current SDN doesn't support DHCP reservation on Layer 3 Switching, and like you mentioned, ACLs will be mostly IP-range based. Just be aware that Omada may not cover all the needs that you usually have from Gateways.
I hope that Year 2024 is the time that more and more users start going for Layer 3 Switching for Home/HomeLAB and hopefully, make this a normal thing for Home/HomeLAB use, not just for Omada.
UB40 $75 L3 Switch - ua-cam.com/video/PyIKpqCbRMA/v-deo.htmlsi=xEeWPozJqq-wOQ34
LC70 Basic Switch ACL - ua-cam.com/video/yraDD9P-PZk/v-deo.htmlsi=cfMnPCJwbQY0Fq-n
LC71 Advance Switch ACL - ua-cam.com/video/rTsKcBhyyzc/v-deo.htmlsi=_u37bpL6AOmksN_Q
Good hunting!
@@deadmeats great stuff! I just got my Omada software controller, er605 v2, eap610, and sh2008p live in my home network. Seems to be running great but it is wide open. DPI is fantastic but need to figure out how much space is needed for the logging as I have it on an old thin client with limited space.
@@KevinRussellT nice, good to know man.
Thanks for the video. I had a question about using Interface Lans and Layer 3 switches. Please correct me if I am wrong, as I am having some trouble understanding the best way to set this up.
I think that even if you use an interface Lan instead of a VLAN, the Layer 3 switch will still route traffic directly across the Lans, rather than forwarding up to the router. I think this happens in the default Omada setup without any ACLs.
In your NextGen network setups you segregated your interface Lans with Switch ACLs, and that did prevent traffic flow. Isn't that because you didn't have LAN->LAN Gateway ACLs set up, so by disabling the routing bypass with the Switch ACL, the packets get forwarded to the default gateway for routing and are then dropped?
What I mean is, with Interface Lans and appropriate Switch ACL setups, the "router on a stick" problem can still be mitigated for everything that doesn't need a stateful firewall.
Or maybe I got completely the wrong end of the (router on a) stick?
hey there @Mark-px3rq, thanks for dropping by the channel. It may seem like I have confused you in my videos so let me just try and clarify. "Network Routing" is performed at Layer 3 and usually performed by a device called a Router and in Omada, they call it Internet Gateway. Routing is performed in "Layer 3" of the network stack and deals with things like IP addresses. "Network Switching" is performed at "Layer 2" and done by a device called a "Switch", and deals with things like "MAC addresses". These two are required to have a fully functioning network. However, ACL is not, it is a functionality that grants or denies access (hence the Access Control List name). This means Routing and Switching, while impacted by ACL, are completely different; they all work together and are intermixed, but while the two are basic building blocks of networking, ACL is not.
With NeXTGen - ACL I used are Switch-based i.e. they work in the Switch but that doesn't mean "routing" happens in the switch. The ACLs are working in the Layer 2 and not in Layer 3, but the ACL is NOT responsible for "routing" because ACL is not routing, it is about granting/denying access whether there is routing or not.
The easiest way to test, create a traditional Omada LAN:
a) Make sure you have more than 1 VLANs defined in your Omada LAN i.e. VLAN 1, VLAN 10, VLAN 20 and all are Gateway Interface (i.e. not Layer 3 Switching)
b) Make sure you are using Omada Gateway and Omada Switch
c) Make sure no VLAN Interface is enabled on the Switch except for VLAN 1 (default)
d) Make sure you have no ACL active.
e) Plug at least one host per VLAN on the Omada Switch, including the Admin PC/Host
Testing:
0. Make sure your admin pc/host is connected to the switch
1. On the admin host, open 2 (or more) consoles, do consistent ping for each host on VLAN 10 and VLAN 20
2. Remove the cable between Switch and the Router. Without the Gateway uplink, ping will fail. This means the Switch is NOT doing routing even if the Switch has all the VLANs defined on it. With Layer 3 Switching (this video's goal), this will work since the Switch is responsible for InterVLAN routing.
Hope this helps!
Thanks a lot for these helpful tutorials, I highly appreciate the way you share the improvements of your environment. I have a question about configuring the router in your scenario if you had maybe an additional EAP which is connected directly there. It should also be connected via trunk to the router (not to the Layer 3 switch) and the same VLANs should be available there as in your example. How should the configuration of the router ER605 look like then? Who does the DHCP then, still the switch which uses Inter-VLAN routing? Which VLANs have to be defined at the ER605 then?
hey @timtaylor3741, thanks for dropping by. For VLANs I have defined in this video, I only have 1 VLAN defined on the Gateway (192.168.101.x) so this is the only VLAN that will be available to any device (access point, switch, PC) connecting directly to the Gateway. Devices connected to Gateway can "reach" the VLANs defined in Layer3, but the VLANs only exist on devices connected to the Layer 3 Switch. You can look at the Layer 3 as another "Gateway" outside of ER-605, and you control whether the VLANs defined in Layer3 can be reachable by Gateway using Static Routing.
So having said that, assuming we have the VLANs laid out exactly in the video (VLAN 1 in Gateway, all the rest in Layer 3), the Access Point can only hand out VLAN 1 IP addresses and these will be handled directly by the gateway (DHCP server, intervlan routing, etc).
Very good video and worth the effort to try.
However, how are we going to configure other vlans from accessing the admin vlan 101 and yet admin vlan 101 can have access to all of the rest of the vlans? In the past we did this setup on the router ACL.
hey @stan79yt, thanks for dropping by the channel. There is no change with ACL, since this is all purely Omada implementation. You can allow/deny access to VLAN 101 via Switch ACL and/or Gateway ACL, based on your use case. I cover a revised LAN design which covers ACL in later implementations of this, link below:
ua-cam.com/video/yraDD9P-PZk/v-deo.html
Good hunting!
It is really a great Video. I could also use the same for My network. However, I still didn't understand the use of the port Profile L2All is created for and for which ports are you applying them. I would appreciate any help. 😀
hey there @mmo-tech, thanks for dropping by. The L2ALL profile is useful if you have multiple Layer 3 Switch environments. If you only have one Layer 3 switch, you do not have to worry about this implementation. But if you have multiple, let's say, two (2) Layer 3 Switches (A and B) in a completely isolated implementation (i.e. different companies), you need to know which "All" you are working with. In L3Switch A, you have VLANs 10 and 20, and in L3Switch B, you have VLANs 11 and 21. If you use a normal "All" profile, that profile will have VLANs 1, 10, 11, 20, and 21 (literally, ALL of the VLANs in the Omada). You normally do not want this type of configuration, unless you absolutely understand what you are doing, because you will never want these two companies to have any mix-up whatsoever :).
Good hunting!
Thanks for this great tutorial! I have a question, at 21:54, are you configuring that static route inside the switch or the router?
hey @andrescubillos1432, welcome to the channel. The Static Route is for the Gateway/Router. So if you have a non-Omada Gateway/Router, you need to configure Static Route on that device and not on the Omada Switch.
Good hunting!
Good video tutorial! Thank you very much.
I have in-home game streaming from one VLAN to another, it could be a lot faster if the switch can handle the inter vlan routing. But then I have another question for you:
Can you cover layer 3 switching ACLs in a later video? Blocking inter VLAN connections can be easy (deny private IP groups), but allowing traffic from one VLAN to another on a specific protocol/ports can be tricky without stateful ACLs. Thank you in advance!
heya @MrTelraam , thanks for dropping by the channel and glad you found this useful. and yep, i plan to cover layer 3 switching ACLs in future videos if only to address some nuances that may not be obvious, but you may not even have to wait for my video since i already have many "switch" based ACLs that cover denying intervlan traffic (and automatically) with my "NeXTGen" lan design (the XT stands for eXtra Torture) because ALL of the ACLs (both two ways and pseudo-one-way) are switch-based. When you get the chance, check out the playlist here: ua-cam.com/play/PLdbM7FkjX0_rMzsitj54Hfs2X5scnThfd.html
Heya MrTelraam, I posted a video you mentioned about Stateful ACLs and even made a write up on the official forum. I will post the link below:
Use Cases:
Use Case 1: Home VLAN can "ssh" to IoT VLAN but not the other way around.
Use Case 2: IoT VLAN can "vnc" to Home VLAN but not the other way around. IoT is denied access to all other VLANs
These 2 Use Cases will NOT be possible if Gateway ACL is used because Use Case 1, the Source is Home VLAN and on Use Case 2, the Source is the IoT VLAN.
ACL Video (skip to 24:15): ua-cam.com/video/yraDD9P-PZk/v-deo.htmlsi=YDGfQ40U1kkA5dRf&t=1455
Write Up/Guide about using Switch ACL as alternative to Gateway ACL: community.tp-link.com/en/business/forum/topic/656428
@@deadmeats hi deadmeats! I really like that you take the time to even go to older comments to say you have a new video about the question asked. Great job!!
I think you did a fantastic thing with the ACLs on switch level. Still it isn't a stateful ACL because you have both incoming defined. The standard Home to IoT is allowed and the second rule that you allow source port vnc to destination any.
It is a shame that all the routers don't have the option to define service type in Lan-Lan gateway ACL. In standalone mode the routers have this option. In this case you can define home to IoT ssh and IoT to home with gateway ACL. This is truly stateful, because you have only one way defined.
I don't know why we cannot define these service types within Omada tho. Maybe it is something for future releases for Omada. And in combination with switch ACL's you can define which IP to IP communication is possible before it goes to the gateway. So not every device in home is open to vnc and not all devices in IoT are exposed to ssh.
I don't see a feature request in the forums. Maybe I need to make one for allowance on service type within Omada.
Heya @@MrTelraam, no prob. I usually try to get back to those who are asking in case they missed it because I usually take a long time to post videos i.e. this Layer 3 video has been on my to-do list for about a year or so now. As for the ACLs, is there any specific use-case you are looking for? I agree though, that Stateful ACLs are much easier to implement, but they lack the granularity. If TP Link can add that feature for more granularity, that'll be great.
Rewatched video again and it seems like the gateway needs to either be the DHCP server for the native vlan 101 subnet or the switch interface needs to define the gateway as 192.168.101.1. Please let me know if this is a correct assumption. Apologies if I missed it!
hey @KevinRussellT, in this video, my native VLAN is 1 using IP scheme 192.168.101.x (you refer to it as native VLAN 101 subnet). Not saying you are wrong, just want to make sure I clarify my answer. And you are absolutely correct, I still use the native VLAN because we can't ever remove it from Omada. VLAN 1 is also the default "Management VLAN", it can be changed, but for now, all of my videos use VLAN 1 as Management VLAN or as I often refer to them, Admin VLAN. In this episode, I assign an IP subnet of x.101 and as you mentioned, it is using a Gateway as a DHCP server. But only for "Admin VLAN devices" (which includes ALL Omada Network devices).
Good hunting!
Thanks for the video! It helped much, but somehow I can't ping the other vlans that I created
heya @user-sg7xn1yg4n, thanks for dropping by the channel. And sorry you have issues with pinging, there are so many various reasons why a Ping can fail, to name a few, bad cable, OS block, ACL, incorrect gateway, etc. This set up makes it more complicated. I suggest you try the traditional set up first (i.e. Gateway VLAN Interface rather than this) then when you can do InterVLAN with traditional set up, disable that Gateway VLAN Interface, duplicate all the info you have there (i.e. IP address scheme, etc) and follow the steps I laid out here.
Good hunting!
My dearest UA-cam-er, I hope you are doing well!
I have the following question concerning this video's topic and network setup. I saw the pros and cons of this network topology but does it really help the link between the omada (gateway) modem router and the switch to be less busy? I am asking because I want that, since the link between the two devices is just one active link because the router does not support link aggregation. So if you have further pros and cons of this kind of network setup I would like to know them! Thank you in advance for your time and effort into helping me out!
hey there @J0hnSm1th, thanks for gracing my channel with your comment. I am an old-school LAN guy so I prefer this approach over what you can see very commonly on the Internet today; whether it be Omada, Unifi, pfsense/opnsense, mikrotik, etc. All of the current solutions that you see are making use of the Firewall/WAN router as their LAN router for home use (and office use).
But I always wanted to have a separation of responsibility between the WAN facing router and the LAN router. I wanted to push this idea a long time ago, about 2-3 years ago now. However, in order to push this idea, I have to help my viewers, at least those who constantly watch my videos, to see the tribulations and challenges of using an Internet Gateway (i.e. ER605 and its much upgraded brothers) for LAN routing. I also have to give solutions for the most common use of the Gateway: ACLs, and so I spent the last two years sharing Switch ACLs, and revisions of NewGenLAN and NeXTGen LAN. I have tried to show that while Router-on-a-Stick is a great blessing, the current implementation using a Firewall/VPN/NAT Gateway just won't cut it for East-West traffic (i.e. LAN traffic). Sure, there are many newer devices that offer fast InterVLAN routing nowadays but for East-West traffic, nothing beats a Switch.
For Pros: the main Pro is that your LAN traffic is fast, really fast! You can have redundancy (LACP ftw! pricier models offer VRRP), more routable ports (switches have more ports), and your Switch usually has beefier hardware!
For Cons: you will lose Gateway-specific functionalities such as Stateful ACLs (that is why I introduced granular ACLs for Switch), DHCP reservation (you will need to set static IP), and mDNS (mDNS will still work, but must be within the same VLAN when using Layer 3 Switch).
What are the other Gateway-specific functionalities? VPN! You can still use your Gateway for VPN purpose but you can't expect your Layer 3 Switch to do this. Your Layer 3 Switch can't do NAT, so again, you will still need your Gateway for Internet. And also, Layer 3 switch means you are adding a "layer of complexity".
Sorry for the long answer.
Good hunting!
Thank you so very much for your kind and quite elaborate answer!!! This is exactly what I was looking for!!! Keep up the great work!!! 😉 ✌️
@@J0hnSm1th Thank you sir!!!
I cannot set a speed limit for more than one PC connected to the same port. Does L3 provide this? I would appreciate your answer. thanks
hey @necatibilen4130, thanks for dropping by the channel. If you would like to set a limit, you don't need an L3 for it; what you need to do is Bandwidth Control and there are many ways to do it. I discuss several ways to do it here: ua-cam.com/video/JiJNuF-gMgc/v-deo.htmlsi=yDdNGQHONqqZECTR&t=383
Good hunting!
Hello my dear, really great video!! But is it possible that the routing (without you suspecting it) goes through the router? I wasn't able to trace it without the router. Maybe you can test it by unplugging the router! I couldn't establish static routing with just the switches alone. It's a TP-Link bug, I think
hey @Iceflash75, thanks for dropping by the channel and thanks for the kind words. As for your observation, maybe I have not explained it well, but the "Static Route" is the reason why the Layer 2-only VLANs (non-Interface) have access to the Internet. Meaning, they need to go to the Gateway/Router to be able to access the Internet. So what you are seeing is the "normal behavior" because the Static Route is meant to connect the Gateway and the Switch. If you remove the Static Route, then all VLANs defined in the Layer-3 switch will just communicate within the switch. It is ok to turn off the Static Route (or limit which VLAN can go to the Internet) if you don't need to. I hope that makes it clear :)
Happy Hunting!
@deadmeats Hi, thank you very much for your response!
Of course, you are right!!
I apologize, I didn't express myself well.
What I mean is that I can't enter static routes without a connected TP-Link router. This applies to VLANs as well.
All routes I enter do not appear in the "Routing Table" (Omada or CLI).
It doesn't matter whether I enter the route in Omada, directly on the switch in Omada, or in the standalone switch in the GUI or CLI.
My setup is a Fritzbox as the router and an L2/L3 TP-Link switch (SG2016P V1.20.0).
If I enter the static route on the Fritzbox, everything works immediately.
That's my observation...
Of course, I could be wrong... I would appreciate it if you could tell me if I'm wrong...
Best regards... 🙂
hey @@Iceflash75, the Omada option (Transmission > Routing > Static Routing) works on the Omada Gateway. If you don't have an Omada Gateway, I think (not sure) you can't use this option. What you did, entering the static route in the Fritzbox, is the right approach. If you would like to experiment on the switch, you can try this:
add a static route from your Layer 3 switch to your "non-Omada" Gateway/Router (Fritzbox) (Devices > Switch > Config > Static Route). Note that I tried this about 3 yrs ago so it may have changed, so refer to the updated manual. Say if you have 192.168.0.1 for your Fritzbox, you need to add this as the next hop. Also, if you want all other traffic (i.e. internet) to go to the Fritzbox, you may need to add 0.0.0.0/0 pointing to 192.168.0.1 in your configuration. I don't recommend this option btw ;) but it's good to know in case you have multiple layer 3 switches connected together since the same idea, theoretically, should work. I am not familiar with Fritzbox nor how Omada will work/discover routes with a non-Omada Gateway so you will have to do some testing/digging.
edit note: noticed you mentioned you already tried the Static Routing with Fritz Box so removed my comment about adding Static Route in Fritz Box ;)
Happy hunting!
@@deadmeats Hello @deadmeats,
thank you for your response and your time! I don't want to keep you any longer because you're doing a great job with your videos!
I just have 2 more questions:
One for myself: Why did I buy an L3 switch that can route VLANs if it's not doing that? :-)
For you: I'm curious to know if, when you unplug the TP-Link router, the routing between the VLANs on the switch still works?
Thanks for your time!!
Best regards!
hey @@Iceflash75, you are most welcome and you are not keeping me from anything. However, I do have to run away and do some stuff so my reply time is erratic, so apologies for the delay. I had to finish my other video (which I just uploaded an hour or so ago) which has been taking up my time.
anyway, as for your question: I fully agree. My switches have been doing interVLAN routing for a long time, but I never really posted any video because I would like to make sure the regular viewers see what the challenges are for the Router on a Stick before I jump into it (you can see my videos about the NewGen LAN redesign last November and December). I think someone asked about switch routing in one of those videos, but I gave a safe answer instead (use the Gateway) because I was not sure I could reply in a timely manner and may have caused them significant delay. btw, if you are serious about L3 switching, just take note of the "limitations" :)
as for your second question, yes I did that and the routing for ALL Layer 2-only VLANs still works. Of course, all traffic destined to the Admin/Management VLAN died. You can also quickly test this by: a) removing/adding the static route for each Layer 2-only VLAN that you defined as Layer 3. I have demonstrated this in the video I just uploaded, which applies to the Camera VLAN. b) setting the uplink profile as a single VLAN as can be seen at 14:19, Port 1 of the Layer 3 switch. You will notice that I am not using a Trunk profile; instead, the Switch link that connects to the Gateway is configured as an access port: there is only one VLAN! You can also do a packet capture and check if the gateway layer 2 header is being replaced by the router MAC address.
Hope it helps, thanks for dropping by the channel again. Good hunting!
At 19:55 we can see that your PC does not obtain an IPv6 address. Can you please share a way to disable IPv6 on the Omada LAN?
hey @TheSmietnisko, thanks for dropping by the channel. You can disable IPv6 by leaving it unchecked. You can find that option at 6:54
Good hunting!
@@deadmeats thank you, unfortunately that does not change anything and IPv6 addresses are assigned to every device in the LANs/VLANs. Seems to be some kind of bug on Omada.
@@TheSmietnisko hey there, sorry to hear about that. I will leave a link where you can raise a ticket to TP Link. Also, when you get the chance, just make sure your devices are not doing SLAAC.
TP Link Support:
www.tp-link.com/us/support/contact-technical-support/
SLAAC Info:
www.networkacademy.io/ccna/ipv6/stateless-address-autoconfiguration-slaac
Good hunting!!!
Thanks, that works!
But can I create rules now? I have created 2 VLAN networks "Home" and "Server". Everything works. How can I set it up so that HOME has access to SERVER but SERVER does NOT have access to HOME? If I create an ACL-Switch rule that blocks Server->Home, then Home no longer has access to Server? This rule blocks "Bi-directional" :(
Hey @DSeimann, yes you can make rules. I have addressed the challenge you mentioned about "bidirectional". I covered the ACL in a long-form video (link below) but I also have a short write up (not covering the whole video) that I made over at TP Link and reddit. I added here a short summary of what that ACL covers:
"Use Case 1
Home VLAN can "ssh" to IoT VLAN but not the other way around.
Use Case 2:
IoT VLAN can "vnc" to Home VLAN but not the other way around
IoT is denied access to all other VLANs
These 2 Use Cases will NOT be possible if Gateway ACL is used because Use Case 1, the Source is Home VLAN and on Use Case 2, the Source is the IoT VLAN."
Layer 3 Switch ACL video: ua-cam.com/video/yraDD9P-PZk/v-deo.html
Partial Write Up: community.tp-link.com/en/business/forum/topic/656428?page=1
@@deadmeats Thanks for your answer. I sent you a detailed report in the Omada forum about my problem with ACL
heya @@DSeimann, I finally got the chance to check it out and I have replied there. Copy/pasting my reply there here as well:
There are two ways to go about this. I agree with Clive that if you want a non-granular (IP Port Group-based) ACL, then you have to use Gateway ACL. If you go the Gateway ACL route, you can never have Granular (IP Port-Group-based) ACL, meaning your Source from one ACL Rule can NEVER be a Destination with another ACL Rule. You can request a feature to support IP Port Group for Gateway ACL if you need to.
The second way is, just go full Switch ACL and follow my posted guide. In your ACL, in your question why it works that way, it is because it's supposed to work that way. If you want Server to have "granular" access to Home, I edited your posted ACLs, and inserted ACL Line 2 and edited ACL Line 3 (your old ACL 2) to demonstrate this. It will allow your Home to SSH to Server devices, BUT also allow Server devices to FTP to Home devices (assuming there's an FTP server/service running in Home VLAN 100). This can never be done with Gateway ACLs (maybe in the future it will).
Switch ACLs:
ACL1 - Permit Home devices to SSH to Server devices
Permit Home SSH to Server
Policy: Permit
Protocols: All
Source > IP Port Group > (Subnet 192.168.100.0/24, Port: 22)
Destination > IP Group > (Subnet 192.168.200.0/24)
ACL 2 - Permit Server devices to FTP to Home devices
Permit Server FTP to Home
Policy: Permit
Protocols: All
Source > IP Group > (Subnet 192.168.100.0/24)
Destination > IP Port Group > (Subnet 192.168.200.0/24, Port: 21)
ACL 3 - Deny Home devices to access Server resources
Deny Home to Server
Policy: Deny
Protocols: All
Source > IP Group > (Subnet 192.168.100.0/24)
Destination > IP Group > (Subnet 192.168.200.0/24)
Remember this tip, which I covered in my past ACL videos: Default is Permit All, You allow what you Deny, and Whitelisting (Deny some/Permit Some).
Look at all "Sources" in those 3 ACLs and you will see what is "common". ALL the Permits' Source is the Deny's Source aka Home (in my example IoT)! In your original ACL, you Denied "Server to Home" (VLAN 200) and then "Permitted Home to Server" (VLAN 100), but there is no need to Permit Home because (remember the tip) the default is Permit All and the only Permit you need to do is IP Port Group (remember the tip: Whitelisting). Because if you Permit everything anyway, there is no need for ACL (remember the tip: you allow what you Deny).
Now another tip using the ACLs above, I used SSH and FTP, but you can use any protocols, known or custom one. If you would like to "observe" the functionalities of the ACLs, change ACL #2 from Port 21/FTP to Port 22/ssh. For testing, always have ACL 3 as ON. Now play around with ACL 1 and 2, turning them On/Off, Off/On, On/On, Off/Off or however you want. Each time you turn On or Off an ACL, do an SSH From Home to Server, then from Server to Home. Observe how they work. Work slowly, and be patient because ACLs can sometimes take time. So start with just ACL 3 On, then wait a bit: ssh (on either). Then Turn On ACL x, then wait a bit: ssh (on either). Rinse/repeat. Hopefully this will get you more familiarized with how the ACLs are structured and how they work.
I hope I don't get you confused even more. I know this is a confusing subject, I have been covering Omada ACLs for 3-4 years now and I think some of my viewers did get it but for the most part, I still don't know how to properly explain it :) :) :). I came up with it because there was no Stateful ACL for the longest time and so many users complained they can't do stuff but I keep telling showing how to do stuff but I keep failing haha :)
Check this video and maybe it can also shed some light. Sorry for late reply, and Good hunting!
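As an added illustration of the write-up's two use cases and the testing tip above (this is not the author's configuration and does not touch the Omada controller): a small stateless, first-match, default-permit evaluator. It assumes an IP-Port Group used as Source matches the source port and used as Destination matches the destination port, and reuses the subnets from the thread as constructed values, 192.168.100.0/24 for Home and 192.168.200.0/24 for IoT. It shows why a single Deny kills sessions started from either side and why the Permits key on the denied VLAN's well-known port.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets for the write-up's Home and IoT VLANs (assumed values).
HOME = ip_network("192.168.100.0/24")
IOT = ip_network("192.168.200.0/24")

# Rule: (action, src_net, src_port, dst_net, dst_port).
# None for a port means "IP Group" (any port); a number means "IP Port Group".
# None for a network means any destination.
RULES = [
    # Use case 1: let IoT's SSH replies (source port 22) back into Home.
    ("permit", IOT, 22, HOME, None),
    # Use case 2: let IoT reach Home's VNC service (destination port 5900).
    ("permit", IOT, None, HOME, 5900),
    # IoT is denied access to all other VLANs (the rule that makes it one-way).
    ("deny", IOT, None, None, None),
]


def evaluate(rules, src, sport, dst, dport):
    """Stateless first-match evaluation; default permit when nothing matches."""
    src, dst = ip_address(src), ip_address(dst)
    for action, snet, sp, dnet, dp in rules:
        if snet is not None and src not in snet:
            continue
        if dnet is not None and dst not in dnet:
            continue
        if sp is not None and sport != sp:
            continue
        if dp is not None and dport != dp:
            continue
        return action
    return "permit"


def session_allowed(rules, client, server, service_port, ephemeral=50000):
    """A TCP session needs the client's SYN and the server's reply to both pass."""
    forward = evaluate(rules, client, ephemeral, server, service_port)
    reverse = evaluate(rules, server, service_port, client, ephemeral)
    return forward == "permit" and reverse == "permit"


HOME_PC, IOT_CAM = "192.168.100.10", "192.168.200.10"  # constructed hosts

if __name__ == "__main__":
    deny_only = RULES[2:]  # the "bidirectional" complaint: deny alone blocks replies
    print("deny only, Home -> IoT ssh:", session_allowed(deny_only, HOME_PC, IOT_CAM, 22))
    print("Home -> IoT ssh :", session_allowed(RULES, HOME_PC, IOT_CAM, 22))
    print("IoT -> Home ssh :", session_allowed(RULES, IOT_CAM, HOME_PC, 22))
    print("IoT -> Home vnc :", session_allowed(RULES, IOT_CAM, HOME_PC, 5900))
    print("Home -> IoT vnc :", session_allowed(RULES, HOME_PC, IOT_CAM, 5900))
    print("Home -> IoT http:", session_allowed(RULES, HOME_PC, IOT_CAM, 80))
```

Toggling entries in RULES mirrors the On/Off testing the reply describes: with only the Deny, even the Home-initiated SSH fails because the IoT side's reply is dropped.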
Good day sir! Nice setup to lessen the burden on the Router, especially if it's only low-end, but my question is
How about defining my ACLs? To customize which VLANs are allowed to communicate with each other?
Should I still use the normal -> Switch ACL -> then Custom ports? Then I just select the DISTRIBUTION SWITCH PORTS, since that's where the SVIs are defined? Thank you sir! :)
hello @user-rr4op5lj5l, you're right sir, less load on the router. As for ACL, you're right again. I have a video that I uploaded just earlier regarding ACL. If you need a guide, just check it, but you're correct in what you said! Thanks for visiting the channel sir!
Good hunting!
Sir, what if I have two distribution switches? One primary, one backup, then below them four access switches?
Also sir, the "Port Profile" 101VLAN (which is admin and also the UPLINK of your L3 switch connected to the ROUTER), are all the VLANs you created checked as TAGGED there?
I am trying to figure out if I have an SG3428MP Omada L2+ switch + OC200 + AEP610. Could I make a similar setup if I use not Omada but a normal ASUS router? I feel the performance of the 4-core 1.8GHz router is better and I already have it. (I purchased an ER707-M2, but my disappointment was that there is no link aggregation and my ASUS has it. Now I have 2.5Gbs connected to my ISP modem, but I cannot get more than 1 GB to my switch. This is another reason I like to use the Asus RT-X86U router.)
hello @svetoslavvalchanov5080, welcome to the channel and thanks for dropping by. The Omada Gateway (which includes ER707-M2) is a Gateway Router and in the TP Link world, this means it can not support trunk ports. I am not familiar with your Asus router, but your SG3428MP is a Switch. It can not do the "WAN" function of your Asus Router. However, your switch can do Layer 3 Switching, so you can definitely use your SG3428MP to adapt the settings I am showing here. You will need to configure your Asus router to have static routes pointing to your L3 Switch so that your L3 Switch clients can have internet access. I have a video that will reflect your set up, but instead of using an Asus Router, I am using a non-Omada Router. You will need to adapt the settings of my non-Omada router to your Asus router, but the general steps are the same. You can find the video here:
ua-cam.com/video/D7al4Yw21bI/v-deo.htmlsi=2aEqibZqGuvh4TFK
You can find a write up about it here:
community.tp-link.com/en/business/forum/topic/667126
Good hunting!
Sir, what if for my setup I want to achieve something like yours, but my L3 is two DISTRIBUTION SWITCHES?
primary & secondary DSW / 2-tier design.
Questions:
1. Where do I define the SVI DHCP scope? Only on the primary, or on both distribution switches?
2. When doing static routing, to choose my primary DSW as the path, do I just lower the METRIC?
Sample Static Route Metric Config:
Primary DSW = 1
Secondary DSW = 2
hey @davidesguerra7837, you can have 2 (or more) L3 switches. But as far as I know, Omada's L3 switches don't have automatic fail-over or re-routing right now (maybe in the future they will, or maybe they already do and I just don't know). Even if you add the metric, when the primary route fails, all the dependent devices, i.e. laptops, etc., still won't switch to the secondary route.
1. Define the DHCP scope on only one switch to avoid conflicts. The L3 switch has no DHCP reservation.
2. As I mentioned in my intro post, you can change your metric, but in my experience (limited testing only), I don't know how to fail over to the secondary link. You can design based on LAG/LACP or even STP/RSTP. But if your goal is to have a "hot" backup L3 switch, I haven't seen that work yet. But I'm not an expert in that, so just check with TP Link, maybe they have settings for it. I haven't tested this much.
Okidoks!!!
Hello!
I am new to the world of virtual networks. I have an omada setup. I made my vlans (Main, surveillance, IoT, Guest). I made ACL rules in the gateway because with the rules in the switch I could not get communication between vlans.
Currently, only the Main Network can see everyone else. However, I have a Synology server on the main network that I don't know how to make visible to devices on the IoT network. For example TV, receiver... Help...Give advice how to build my rules? Is there any chance I can contact you personally, e.g. email?
hey user-wk8yg1nl6e, thanks for dropping by the channel and welcome to Omada and networking. First, let me just say you need a managed switch to have VLANs when using Omada Gateways. I can't really provide any support/answer outside of UA-cam because I don't often use my personal email, unless I am actively applying for a job :). I don't use Facebook or any Social Media often (I do have Twitter, Instagram. etc. that I use, maybe 10x at MOST in a YEAR). I visit Reddit and TP Link about 2x a week. If you need support, I highly suggest you reach out to official TP Link Tech Team, as well as their forum. Next is reddit, not just reddit TP Link but reddit network subs. Or check out the more popular channels, they offer Network Consulting and Installation.
As for your inquiry, Gateway ACLs are, in its current versions, an all-or-nothing stateful ACL. With Gateway ACL, you can allow VLANs to have two-way communication (i.e. Main to IoT) initiated/started only, and always, from VLAN A to VLAN B but never initiated/started from VLAN B to VLAN A.
To allow communication using specific protocol (i.e your TV, receiver), you need to use switch ACL and allow only protocols that you need to pass thru (you need to research your devices what protocols they use). I have many ACL videos already, you can refer to my CS5 Video but if you want to go deep, check out my NeXTGen LAN EP38. My NewGenLAN EP34 and later iterations also cover ACLs but the CS5 and EP38 should be a good intro. I'll put both links below.
CS5 About Switch ACL: ua-cam.com/video/-ftA6ZARukk/v-deo.html
NeXTGen LAN: ua-cam.com/video/pNrdLjBXPYQ/v-deo.html
Good hunting!
Hello! Thanks for the response! I understand your refusal of personal communications. It's just that there are no people around me who understand about virtual networks and there is no one to ask. By the way, I have already watched quite a few of your videos, which are really very helpful! About my setup, it consists of ER605 gateway, OC200 controller, and the switch is TL-SG2016P. Synology has connected to the switch through two link aggregation ports. It itself runs on the main VLAN, and it has a home assistant on it, like a virtual machine that runs on the IoT VLAN. Here too I lost the SMB server connection to the assistant and can't do backups. Do you think that in order to have access from specific devices from the different virtual networks to Synology I need a new switch and set up ACLs in it? Greetings from Bulgaria!@@deadmeats
heya @@ЕмилДимитров-е3ю, not sure why you lost access to your NAS, it could be a lot of things and of course, it can be due to ACLs. As you mentioned, you have your Synology in the Main VLAN and you have several options. The simplest one is to move your Synology to the IoT VLAN (highly recommended). The other option is to add multiple VLANs to your LAG/LACP Synology link so that it spans both Main and IoT (not recommended btw, but it's an option). Another option is to make a perimeter network. And of course, the other option is to use Switch ACL, but you need to identify what traffic is allowed "both ways". You need to identify the logical network ports of your VM. I suggest you check out the CS5 video, you can find it here (8min time stamp), which shows how to allow such a scenario: ua-cam.com/video/-ftA6ZARukk/v-deo.htmlsi=oEZvopQg6Fn4sOoy&t=480
Happy hunting!
Hello. For now, I solved the problem by breaking the aggregated connection between Synology and the switch. I connected one network card of the server to the main vlan and the other to IoT. All the rules I've created are gateway level, since at the switch, I can't get the main network to see the others. Just by telling the IoT not to access the Primary (albeit one-way), the Primary no longer has access to the IoT either. Even a reverse rule with root permission to IoT doesn't solve the problem...
@@deadmeats
I would like to chat with you.. I need assistance with my ER605 and OC200.. please write to me. Thank you
hey @emmanuelessien8174, thanks for dropping by the channel. If you need immediate assistance, I highly suggest you submit a ticket to TP Link, the link is listed below. If you have any questions, just post it in the comment and I'll get back to it when I can. Note that I don't usually visit my YT account, I usually check it 1x-2x a week at the most so I suggest you contact TP Link for support, or if you can wait, use TP Link forum or reddit forum; I use a different account when viewing UA-cam :)....
www.tp-link.com/us/support/contact-technical-support/?type=smb#E-mail-Support
www.reddit.com/r/TPLink_Omada/
www.reddit.com/r/HomeNetworking/
Happy Hunting!
Really hard to understand for normal english speaking folks. Very muffled and coupled with the dialect difficult to follow.
heya @sethb.pooten8305, welcome to the channel and thanks for the feedback. For the muffled audio, I already upgraded my mic from the basic one to a better one; I don't really plan to change this, at least not yet. As for the way I speak, I can't really change the way I speak much, but I did add close-captioning.