How to implement unidirectional VLAN access through ACL configuration on the Omada Gateway in Controller mode

TL-ER7206 , TL-R605 , ER7206 , ER8411 , ER707-M2 , ER7406 , ER605
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
Application scenario
The objective of this configuration is to restrict access from the IoT devices to the LAN network. This means that devices connected to the IoT network, such as smart devices or sensors, will not be able to communicate with or access devices within the LAN network, which typically consists of computers, servers, and other devices used by users.
On the other hand, the LAN network retains the ability to access and communicate with the IoT devices. This allows users within the LAN network to control and interact with the IoT devices, gather data, or perform monitoring tasks.
Applicable Devices
ER605 V2
TL-SG2210MP V4
EAP660 HD V3
Omada Software Controller V5.9
Configuration Scheme
To meet these requirements, configure a stateful (unidirectional) Gateway ACL rule on the router that denies new connections from the IoT VLAN to the LAN while allowing the LAN to reach the IoT devices. Because it is a Gateway ACL in the LAN->LAN direction, the rule only filters traffic the gateway routes between VLANs; it does not affect traffic within the IoT VLAN or from the IoT VLAN to the WAN. The configuration overview is as follows:
1) Create a VLAN interface
2) Create Stateful ACL rule
3) Create SSID with VLAN for IOT devices
4) Verification
Configuration Procedure
Before starting the configuration, the Omada devices must be adopted and managed by the controller. If you run into adoption problems, refer to the following FAQs for troubleshooting:
- What should I do when the Omada Software Controller (V4) fails to discover the devices?
- What Should I Do if Omada Software Controller OC200 Cannot Adopt Omada EAP
Step 1. Go to Settings > Wired Networks > LAN and click + Create New LAN to create a VLAN interface for the IoT devices. The VLAN ID must match the one assigned to the IoT SSID in Step 3 (20 in this example).
Step 2. Go to Settings > Network Security > ACL > Gateway ACL and create a new rule with the following settings:
Direction: LAN-> LAN
Policy: Deny
Protocols: All
Source: IOT
Destination: LAN
States Type: Auto
Note: We recommend keeping States Type as Auto. If you select Manual, you choose which connection states the rule matches; the states are defined as follows:
Match State New: Match connections in their initial state, for example the SYN packet that opens a TCP connection, or a connection for which the router has so far seen traffic in only one direction.
Match State Established: Match the connections that have been established. In other words, the firewall has seen the bidirectional communication of this connection.
Match State Related: Match the sub-connections associated with a main connection, such as the data channel of an FTP session.
Match State Invalid: Match the connections that do not behave as expected.
Step 3. Go to Settings > Wireless Networks > WLAN, click Create New SSID, and set the VLAN ID to 20 for the IoT SSID.
Step 4. Verification
The cellphone is connected to the 'IOT' SSID with the IP address 192.168.20.99, and the computer has the IP address 192.168.0.100. The cellphone cannot ping the computer, but the computer can ping the cellphone. The second result is what the stateful rule provides: the cellphone's echo reply belongs to a connection the computer initiated, so it is treated as Established and passes, whereas a stateless deny from IOT to LAN would also drop that reply and the computer's ping would fail.
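To make the state semantics concrete, here is an added illustration (not Omada firmware or controller code): a small Python model of a connection-tracking gateway that replays the Step 4 verification against the Step 2 rule, once stateful and once stateless. It assumes /24 subnets for 192.168.0.0 and 192.168.20.0, assumes that the Auto states type behaves like a Manual rule matching New and Invalid, and leaves Related out; every packet is constructed inline.

```python
"""Toy connection-tracking gateway ACL.  Added illustration, not Omada code.
State names follow the FAQ (New, Established, Invalid; Related is not modelled).
It shows why the IoT -> LAN deny has to be stateful: replies in LAN-initiated
flows must still pass."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional

# Subnets implied by the Step 4 addresses; the /24 masks are an assumption.
LAN = IPv4Network("192.168.0.0/24")
IOT = IPv4Network("192.168.20.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    sport: int = 0        # ICMP: echo identifier (same value in sport/dport)
    dport: int = 0
    flags: str = ""       # TCP flags, e.g. "S", "SA", "A"
    icmp_type: str = ""   # "echo-request" or "echo-reply"

@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    policy: str                  # "deny" or "permit"
    states: Optional[frozenset]  # None: stateless, matches regardless of state

class Gateway:
    """First matching rule wins; unmatched traffic is permitted, as between
    VLANs on an Omada gateway with no ACL configured."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack: Dict[tuple, list] = {}  # flow key -> [originator, state]

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        # Direction-independent key so a reply lands on its request's flow.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def classify(self, p: Packet) -> str:
        entry = self.conntrack.get(self.flow_key(p))
        if entry is None:
            # A reply with no tracked request, or TCP without SYN, cannot
            # open a flow: Invalid rather than New.
            if p.icmp_type == "echo-reply" or (p.proto == "tcp" and "S" not in p.flags):
                return "invalid"
            return "new"
        originator, state = entry
        if state == "established":
            return "established"
        # Seen in one direction only: a packet from the responder completes
        # the flow; a retransmit from the originator is still New.
        return "new" if p.src == originator else "established"

    def forward(self, p: Packet) -> str:
        state = self.classify(p)
        verdict = "permit"
        for r in self.rules:
            if (ip_address(p.src) in r.src and ip_address(p.dst) in r.dst
                    and (r.states is None or state in r.states)):
                verdict = r.policy
                break
        if verdict == "permit" and state != "invalid":  # only forwarded packets are tracked
            key = self.flow_key(p)
            if key not in self.conntrack:
                self.conntrack[key] = [p.src, "new"]
            elif state == "established":
                self.conntrack[key][1] = "established"
        return verdict

def iot_deny_rule(stateful: bool) -> Rule:
    """Step 2: Direction LAN->LAN, Deny, All protocols, Source IOT, Destination
    LAN.  The stateful form matches New (IoT opening a flow) and Invalid
    (stray packets); Established replies fall through to the default permit."""
    return Rule(IOT, LAN, "deny", frozenset({"new", "invalid"}) if stateful else None)

def run_verification(stateful: bool) -> Dict[str, str]:
    """Replays Step 4 (cellphone 192.168.20.99, computer 192.168.0.100) plus a
    TCP handshake in each direction; returns the verdict for each packet."""
    gw = Gateway([iot_deny_rule(stateful)])
    phone, pc = "192.168.20.99", "192.168.0.100"

    def echo(src, dst, kind, ident):
        return Packet(src, dst, "icmp", ident, ident, icmp_type=kind)

    return {
        "iot_ping_request": gw.forward(echo(phone, pc, "echo-request", 1)),
        "lan_ping_request": gw.forward(echo(pc, phone, "echo-request", 2)),
        "lan_ping_reply":   gw.forward(echo(phone, pc, "echo-reply", 2)),
        "lan_tcp_syn":      gw.forward(Packet(pc, phone, "tcp", 51000, 22, "S")),
        "lan_tcp_synack":   gw.forward(Packet(phone, pc, "tcp", 22, 51000, "SA")),
        "iot_tcp_syn":      gw.forward(Packet(phone, pc, "tcp", 40000, 445, "S")),
        "iot_stray_ack":    gw.forward(Packet(phone, pc, "tcp", 40001, 445, "A")),
    }
```

Call run_verification(True) and run_verification(False) and compare the two results: with the stateless variant the computer's ping request still leaves, but the cellphone's echo reply and the SYN/ACK of a LAN-initiated TCP connection are dropped, so the LAN loses exactly the access the scenario requires. The stray-ACK case is why the model's stateful rule also matches Invalid: a deny that matched only New would let an unsolicited non-SYN packet from the IoT side fall through to the default permit, so if you configure the states manually, tick New and Invalid together.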