LC74: Improve LAN Traffic, Add Fail-Over with Switch Static Route with TP Link Omada

  • Published 18 Oct 2024

COMMENTS • 10

  • @MrJeff-sz3td
    @MrJeff-sz3td 5 months ago +1

    Hi, thanks again for your instructive videos. I have isolated a VLAN. However, I do want port 53 on the isolated network to be available to neighbors from an IP (in that isolated VLAN). If I try that with a Permit rule that specifically needs to open IP+Port group, it doesn't work. With just an IP Group, it does open up the entire DNS server. I just want to specifically make port 53 of that port available to the devices IN the Isolated VLAN.
    Am I doing something wrong? I can block the other ports again with a Deny above the Permit, but that feels duplicate.

    • @deadmeats
      @deadmeats 5 months ago

      hey there @MrJeff-sz3td, you are most welcome and thank you for the kind words. I have made some new changes with my Isolated VLAN, one is a Layer 3 Switching version (much simpler, only 1 ACL line) and the OG original one (needs 3 ACL lines). I will assume you are doing the OG version (the 3 ACL version); just remember, the ACL I will provide below will not work if your Deny's Source is not the "Isolated VLAN". The ACLs below assume you have the exact same Source/Destination as described here: www.reddit.com/r/TPLink_Omada/comments/11tejj5/isolated_vlan_implementation_in_omada/
      You need two additional Permits for the DNS Server; make sure these two are above the main "Deny" ACL for Isolated VLAN.
      Assumptions:
      * Isolated VLAN - 192.168.40.0
      * DNS Server IP - 192.168.40.50
      Permit Isolated To DNS Server Port 53
      Policy: Permit
      Protocols: All
      Source > Network > Isolated
      Destination > IP Port Group > (Subnet 192.168.40.50/32, Port:53)
      Permit Isolated To DNS Server Port 53 Reverse
      Policy: Permit
      Protocols: All
      Source > IP Port Group > (Subnet 192.168.40.50/32, Port:53)
      Destination > Network > Isolated
      Good hunting! I am away from my lab at this time, so let me know if it doesn't work, so I can try it again when I get back.

    • @MrJeff-sz3td
      @MrJeff-sz3td 5 months ago +1

      @deadmeats Thank you so much for your response and qualities. You are really a huge addition, I have already learned a lot from you. Even things that TP-Link itself could not tell/explain.
      I have, of course, first worked on this for over 2 days of 6-7 hours here before asking for your help. But I keep getting out somehow and port 53 stays closed. I have a feeling myself that there is a "bug" and the IP + Port Group is not working properly. Or I'm just stupid haha.
      In this example:
      Isolated VLAN: 10.0.100.1/24
      DNS Server IP: 10.0.100.3
      ACL:
      Deny Isolated to ALL + Itself
      Source: Network > Isolated
      Destination: (all networks)
      Permit Isolated to NET
      Source: Network > Isolated
      Destination: IP Group > "10.0.100.1/32" (Gateway Isolated VLAN)
      Permit Isolated to NET reverse
      Source: IP Group > "10.0.100.1/32" (Gateway Isolated VLAN)
      Destination: Network > Isolated
      Permit DNS Port to ALL
      Source: (all networks) (also the Isolated VLAN selected here)
      Destination: IP-Port Group > "10.0.100.3/32" and Port "53" (piHole - DNS Port)
      Permit DNS Port to ALL reverse
      Source: IP-Port Group > "10.0.100.3/32" and Port "53" (piHole - DNS Port)
      Destination: (all networks) (also the Isolated VLAN selected here)
      If I then try to reach port 53 from IP 10.0.100.4, it is closed. If I try from Home VLAN, I can reach port 53 (or from any other VLAN). So only in the Isolated VLAN itself can I not reach it.
      -------------------------------
      FROM 10.0.100.4:
      nmap -p 53 -Pn 10.0.100.3
      Starting Nmap 7.94 ( nmap.org ) at 2024-04-25 04:45 CEST
      Nmap scan report for 10.0.100.3
      Host is up.
      PORT STATE SERVICE
      53/tcp filtered domain
      -------------------------------
      If I change "IP-Port Group" to "IP Group" with 10.0.100.3/32 with no port, it does reach in isolated. (ACL Rule = Permit DNS Port to ALL and Permit DNS Port to ALL reverse)
      -------------------------------
      FROM 10.0.100.4:
      nmap -p 53 -Pn 10.0.100.3
      Starting Nmap 7.94 ( nmap.org ) at 2024-04-25 04:48 CEST
      Nmap scan report for 10.0.100.3
      Host is up (0.00080s latency).
      PORT STATE SERVICE
      53/tcp open domain
      Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
      -------------------------------
      But of course then all other ports on 10.0.100.3 are also accessible. I don't want that.
      If you would also like to test it sometime, that would be very nice. Just don't feel obligated and take your time. Should it not work out, no problem either. I already appreciate your thoughts.
      Unfortunately, I cannot use your way of L3 because my switch does not support it. But I will take that into consideration when I upgrade!
      Devices: ER605 v2.0 (2.2.4) // SG2008P v3.20 (3.20.1) // SG2008P v3.20 (3.20.1) and APs but for now I guess not important.
      Thank you!

    • @MrJeff-sz3td
      @MrJeff-sz3td 5 months ago +1

      @deadmeats Thank you so much! I responded with an extended message, but I guess it was marked as "spam". The message disappears again after posting.
      But in summary: Unfortunately, it doesn't work. If you look in your UA-cam Dashboard at comments, you'll see my full explanation.
      Thanks!

    • @deadmeats
      @deadmeats 5 months ago

      @MrJeff-sz3td heya, no worries. I will have some time this weekend to test, but looking at your ACL, you missed a critical step with the Isolated VLAN. As I mentioned in my first reply, "make sure these two are above the main "Deny" ACL for Isolated VLAN." Your main Deny is the very first/top line. This means all your Permits will be ignored. ACLs work from top to bottom. Your "Deny Isolated to ALL + Itself" should be the very last line of the ACL related to that VLAN. If you follow the Isolated VLAN Switch ACLs in the guide I link in the first post, you will see that Switch ACLs 5, 6, and 7 already allow Internet. You only need to modify or add ACLs 5 and 6, and never touch ACL 7. ACL 7 is what makes Isolated VLAN an Isolated VLAN. ACLs 5, 6 (or anything before it) are your "exemptions" to that Isolated VLAN. I hope I didn't confuse you more, but here's the link again:
      www.reddit.com/r/TPLink_Omada/comments/11tejj5/isolated_vlan_implementation_in_omada/
      I also have the exact same topic in the TP Link Omada forum: community.tp-link.com/en/business/forum/topic/603136
      Here are some other tips I usually mention in my ACL videos and forum posts:
      * Gateway ACL operates on the "Gateway" level and Switch ACL operates on the "Switch" level and EAP works on the EAP level. They work independent of each other.
      * ACL works to the closest device first i.e. if you have Gateway Switch AP Client connection, if you have a "Deny" on AP, then no permit on Switch or Gateway will override that AP ACL. Similarly, if you have a Permit at Switch, but the traffic has to go thru the Gateway and Gateway has Deny, then it will not work. Visualize each device as a checkpoint and how you have them interconnected in your network.
      * The ACLs work from top to bottom.
      * "Permit ALL" is the default Policy.
      * For Granular ACLs, think of it as Whitelisting.
      Good hunting!!!
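The ordering problem discussed in this thread (a Deny at the top of a first-match list shadows every Permit under it, and "Permit ALL" is the implicit default) can be checked offline before touching the controller. The script below is an added example, not code from the video, from the thread participants, or from Omada itself. It models the five rules exactly as they were posted and evaluates the same flows the nmap runs exercised, once with the Deny as the top line and once with it as the last line. Everything about how a rule matches is an assumption: protocol is ignored, rules are stateless (which is why the "reverse" rules are needed for the return traffic), and "(all networks)" is expanded to the Isolated VLAN plus a constructed Home VLAN 10.0.10.0/24 with a constructed client 10.0.10.20. The Isolated VLAN, the piHole at 10.0.100.3, the gateway at 10.0.100.1 and the scanning host 10.0.100.4 are taken from the thread.

```python
"""Constructed first-match, top-to-bottom ACL model (added example, not Omada code).

Assumed semantics: a rule matches when the source and destination addresses fall
inside the rule's groups and, where a group carries a port, that port matches.
No protocol, no connection state. The implicit last rule is "Permit ALL".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

ISOLATED = "10.0.100.0/24"        # Isolated VLAN subnet from the thread
HOME = "10.0.10.0/24"             # constructed second VLAN ("Home VLAN")
ALL_NETWORKS = (ISOLATED, HOME)   # what "(all networks)" expands to in this model
GATEWAY = "10.0.100.1/32"         # Isolated VLAN gateway from the thread
DNS = "10.0.100.3/32"             # piHole from the thread


@dataclass(frozen=True)
class Group:
    """An IP Group (port=None) or an IP-Port Group (port set)."""
    nets: Tuple[str, ...]
    port: Optional[int] = None

    def contains(self, ip: str, port: int) -> bool:
        in_net = any(ip_address(ip) in ip_network(n) for n in self.nets)
        return in_net and (self.port is None or self.port == port)


@dataclass(frozen=True)
class Rule:
    name: str
    policy: str   # "permit" or "deny"
    src: Group
    dst: Group


def evaluate(acl: Sequence[Rule], src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (policy, rule name) of the first rule that matches, top to bottom."""
    for rule in acl:
        if rule.src.contains(src_ip, src_port) and rule.dst.contains(dst_ip, dst_port):
            return rule.policy, rule.name
    return "permit", "(implicit Permit ALL)"


# The five rules as named in the thread.
DENY_ISOLATED = Rule("Deny Isolated to ALL + Itself", "deny", Group((ISOLATED,)), Group(ALL_NETWORKS))
PERMIT_GW = Rule("Permit Isolated to NET", "permit", Group((ISOLATED,)), Group((GATEWAY,)))
PERMIT_GW_REV = Rule("Permit Isolated to NET reverse", "permit", Group((GATEWAY,)), Group((ISOLATED,)))
PERMIT_DNS = Rule("Permit DNS Port to ALL", "permit", Group(ALL_NETWORKS), Group((DNS,), 53))
PERMIT_DNS_REV = Rule("Permit DNS Port to ALL reverse", "permit", Group((DNS,), 53), Group(ALL_NETWORKS))

# Ordering as posted: the Deny is the top line, so it wins for every Isolated source.
ACL_DENY_FIRST = [DENY_ISOLATED, PERMIT_GW, PERMIT_GW_REV, PERMIT_DNS, PERMIT_DNS_REV]
# Ordering the reply asks for: exemptions first, the Deny as the last line for that VLAN.
ACL_DENY_LAST = [PERMIT_GW, PERMIT_GW_REV, PERMIT_DNS, PERMIT_DNS_REV, DENY_ISOLATED]

CLIENT = "10.0.100.4"       # host the nmap checks in the thread were run from
HOME_CLIENT = "10.0.10.20"  # constructed Home VLAN host
EPHEMERAL = 51234           # constructed client source port


def dns_query_from_isolated(acl: Sequence[Rule]) -> Tuple[str, str]:
    """Isolated client -> piHole port 53 (the flow nmap -p 53 exercised)."""
    return evaluate(acl, CLIENT, EPHEMERAL, "10.0.100.3", 53)


def dns_reply_to_isolated(acl: Sequence[Rule]) -> Tuple[str, str]:
    """piHole port 53 -> Isolated client; only the 'reverse' rule can permit this."""
    return evaluate(acl, "10.0.100.3", 53, CLIENT, EPHEMERAL)


def other_port_from_isolated(acl: Sequence[Rule], port: int = 80) -> Tuple[str, str]:
    """Isolated client -> any other piHole port; should stay denied."""
    return evaluate(acl, CLIENT, EPHEMERAL, "10.0.100.3", port)


def dns_query_from_home(acl: Sequence[Rule]) -> Tuple[str, str]:
    """Home VLAN client -> piHole port 53; the Deny never applies to this source."""
    return evaluate(acl, HOME_CLIENT, EPHEMERAL, "10.0.100.3", 53)


if __name__ == "__main__":
    for label, acl in (("Deny first", ACL_DENY_FIRST), ("Deny last", ACL_DENY_LAST)):
        print(f"--- {label} ---")
        print("isolated -> dns:53 ", dns_query_from_isolated(acl))
        print("dns:53 -> isolated ", dns_reply_to_isolated(acl))
        print("isolated -> dns:80 ", other_port_from_isolated(acl))
        print("home -> dns:53     ", dns_query_from_home(acl))
```

With the Deny on top, the Isolated client's query to port 53 hits "Deny Isolated to ALL + Itself" before any Permit is consulted, while the Home VLAN client is permitted by "Permit DNS Port to ALL": the same split the two nmap runs in the thread show. With the Deny moved to the bottom, port 53 is permitted in both directions and port 80 still falls through to the Deny, which is the whitelisting behaviour the reply describes.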

  • @Zerrudo_
    @Zerrudo_ 6 months ago +2

    dude your audio... it's like I'm eavesdropping through a poorly insulated wall

    • @deadmeats
      @deadmeats 6 months ago

      hey Zerrudo_, thanks for dropping by the channel and thanks for the feedback on audio. Is it too loud? Too soft? I already changed my mic and I sometimes adjust the volume based on volume level, i.e. I turn it down/up a notch. I also added manual subtitles to make sure I clarify what I am saying in the video. Hope that helps!