THANK YOU for this detailed guide! Based on my experience with the Omada ecosystem, the firmware and software stability is not really as good compared to Unifi.
Everything on this video for setting up went great, but does anyone know why the main default wired lan network profile works fine for the wired Internet but when you set up a Wi-Fi Lan network it doesn't work?
Hi there, thank you for the video! I have a few questions about minute 15:04. I just bought an SG2428P with the cloud controller. I have configured different VLANs (10, 20, 30) on my FortiGate port1, which is connected directly to switch port1. But it seems the switch stays offline unless I connect it to FortiGate port2 (the default 192.168.1.99). What do I need to configure in order to make it work using FortiGate port1?
Haven't played with it too much. It's all default settings right now. However, it is missing some features like Country IP blocking, IPS/IDS, and the firewall section is clunky.
@@SPXLabs By the way, bro, your guide on the Omada ecosystem is great; I am also considering this for my clients' deployments. By the way, if the security side is not that stable, does it still work even if I don't buy their Omada router, as long as there is a controller? My plan is to buy a FortiGate firewall/router for more advanced security features.
@@davidesguerra7837 The router is the firewall/router/VPN/does everything. The controller... controls/sets up other devices in one place so you don't have to do it in standalone mode.
Is there any video on setting up multiple TP-Link EAP mesh access points together to work as one and use one central access point ACL to work across all access points throughout the home? Also so I don't have to assign extra VLANs and I can work off that one central access point VLAN. I hope this question makes sense.
I currently do not have a video showing off meshing. You will need the Omada controller software for that. You do not need to create vlans for multiple access points. Just need to do it once.
@@SPXLabs Cool, thank you for all this great feedback and the videos. I am new to the TP-Link Omada system so I'm still learning. So let me get this clear: I just set up the VLAN from the controller in the Wi-Fi and it will work for all access points, and all the access points will adopt the settings from the controller as well, correct?
The SSIDs are linked to a VLAN you create during the wireless network setup. Then each vlan is tagged with certain ACL rules. So if you setup a vlan on a specific ID, then yes all access points will use those settings.
Hey, can you make a video that will show how to set up an entire VLAN to only use a VPN like Nord, for example? I got this to work for pfSense but can't get it working in Omada. Thanks.
@@SPXLabs That would be sick if you can get it working. But I don't have high hopes since you can not select what wan an interface can use. But let me know.
OMG I need help!! So confused. I have a newly built home. I ran ethernet to every TV and computer location. The TVs will not work when they are plugged in. I can plug in the computer and run a fantastic speed test. Then I move the plug to the TV, and the TV says "NOPE", try again. They still will not connect. It says to please connect to the ethernet even though it's plugged in. I have the ER605 router and the Jetstream SG2428P for the switch. What is causing this??
@@SPXLabs Would be very useful if you did but I will leave the decision to you. Really need some assistance on the RSSI settings/Load balance settings and Advanced under the APs because sometimes my phone/laptop sticks to a specific band and does not drop off when i move to a different location.
Hi, we have 3 houses on the property, and I first installed 1 "EAP610 outdoor" connected via cable to the ISP router (House 1). Got great wifi speed OUTSIDE all 3 houses, but inside houses 2 and 3 the signal drops by 90+ %. Bought a second "EAP610 outdoor" (as advised by the dealer). I hope to put the second EAP610 on house 2 (wirelessly). Is this possible, and if so, how? Got no support via the TP-Link support chatbot. Any suggestions greatly appreciated.
@@SPXLabs What I meant is, why not change the port of the oc200 to Admin vlan which was the default one? You kept the port profile to All but why is that? Would it break something to change it to Admin?
Hmmm. Okay but, and humor me here, why not just buy regular Jetstream stuff that's not connected to a cloud controller? But back to your question, I can't promise anything. I would not hold your breath on it. I'd have to kind of learn how to do everything without the controller's help and it takes time. Also, there are other things I would rather work on or do. Sorry to be so blunt and standoff-ish. I don't do YouTube full time, so it's not easy for me to just make content whenever.
@@SPXLabs because the feature sets and hardware are not the same and sometimes you have to buy the omada stuff to get the features or ports you want even if you dont want to use the cloud controller. it's annoying. ubiquiti does that BS and it's annoying to see tp-link do it too.
Thank you for sharing, easy to build from zero. I have 2 networks: Parents and Kids, there are printers connected to Parents network. ACL defined so far KidsBlockAllVlans KidsBlockGateway ParentsAllowAccessKids. I would like users from Kids network have access to printers. How can I do it?
I'm not 100% sure off the top of my head, but a quick silly way would be to put the printer in its own VLAN and allow all VLANs access to it lol. I think there may be a way to have a rule to that specific IP, kind of how we block access to the VLAN gateway IP but in reverse. I think.
It may not be new today but when compared to the 2022 setup guide that option did not exist during setup. So after updating all the firmware to what was the latest at the time of filming, it was definitely new.
Hello, I am in trouble. I have a TP-Link ER 604 VPN router and I cannot use WhatsApp calls. Can you help me configure my router to unblock WhatsApp calls 📞 🙄 🙏
@@SPXLabs Thanks. I am living in the United Arab Emirates; here the government bans video and audio calls on social media networks. So how can I unblock social media calls 📞
Thanks for sharing! Are EAP ACLs required if you already set up the same at the switch level?
That is a good point. No it is not required.
Thank you for creating these guides. I find them very useful as I build my network. A few things I'm discovering as I continue refining my setup:
1. Permit rules must come before Deny rules. Rule processing stops once it evaluates true.
2. Switch ACLs are not stateful. If you want to allow traffic from 1 IP to another, you need to make sure to click bi-directional which will auto create the reverse rule.
3. As I suspected, blocking access to the gateway caused my IoT devices to stop working. Gateway access is required for DNS resolution and DHCP reservations. I suggest blocking specific ports (80 and 443) to avoid access to the gateway web interface.
We learn together! Thanks for sharing those 3 points
For point 1, are you sure? Usually in a firewall the rules are applied from top to bottom, and the first rule that matches the traffic overrides all the other rules below it. E.g.:
Rule 1: Block VLAN 10
Rule 2: Allow FTP
If the packet is VLAN 10 and FTP, following the previous order the packet is blocked, but if you invert the rules, the packet passes. It depends on what you want to obtain.
This is a simple example; usually the rules are more complex. I don't know if things are different in the ACL.
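To make the three points above concrete (first-match ordering, stateless switch ACLs needing the reverse rule, and denying only the gateway's web-interface ports rather than the whole gateway), here is an added toy evaluator in Python; it is not the video's code and not Omada's real engine. The addressing, rule names, the port-agnostic mirror rule and the "permit when nothing matches" default are assumptions modelled on the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str = "any"
    dports: tuple = ()   # empty tuple means any destination port

    def matches(self, pkt):
        """True when every field of the rule covers the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        return not self.dports or pkt.dport in self.dports


def evaluate(rules, pkt, default="permit"):
    """Top to bottom, first match wins and processing stops there.
    With no matching rule the assumed default is permit ('wide open')."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "implicit-default"


def bidirectional(rule):
    """Mimic the controller's bi-directional checkbox: a stateless ACL will
    not recognise the reply on its own, so the mirror rule is added too.
    Simplification (assumption): the mirror ignores ports."""
    mirror = Rule(rule.name + "-reverse", rule.action, rule.dst, rule.src, rule.proto)
    return [rule, mirror]


# Constructed sample addressing (assumption, not from the video).
IOT_NET = "192.168.30.0/24"
IOT_GW = "192.168.30.1/32"
TRUSTED_NET = "192.168.10.0/24"
NAS = "192.168.10.50/32"

# Constructed sample packets.
DNS_QUERY = Packet("192.168.30.20", "192.168.30.1", "udp", 53)
GW_WEB_UI = Packet("192.168.30.20", "192.168.30.1", "tcp", 443)
SMB_REQUEST = Packet("192.168.30.20", "192.168.10.50", "tcp", 445)
SMB_REPLY = Packet("192.168.10.50", "192.168.30.20", "tcp", 49152)  # back to the client's ephemeral port


def gateway_rules(block_whole_gateway):
    """Point 3: denying the whole gateway IP also denies DNS and DHCP;
    deny only the web-interface ports instead."""
    if block_whole_gateway:
        return [Rule("iot-deny-gateway", "deny", IOT_NET, IOT_GW)]
    return [Rule("iot-deny-gateway-web", "deny", IOT_NET, IOT_GW, "tcp", (80, 443))]


def ordering_rules(permit_first):
    """Point 1: a permit placed below a broader deny is never reached."""
    permit_dns = Rule("iot-permit-dns", "permit", IOT_NET, IOT_GW, "udp", (53,))
    deny_gw = Rule("iot-deny-gateway", "deny", IOT_NET, IOT_GW)
    return [permit_dns, deny_gw] if permit_first else [deny_gw, permit_dns]


def vlan_rules(use_bidirectional):
    """Point 2: a one-way permit from IoT to the NAS lets the request through,
    but the stateless 'deny all VLANs' pair then drops the NAS's reply."""
    permit = Rule("iot-permit-nas-smb", "permit", IOT_NET, NAS, "tcp", (445,))
    rules = bidirectional(permit) if use_bidirectional else [permit]
    rules.append(Rule("iot-deny-trusted", "deny", IOT_NET, TRUSTED_NET))
    rules.append(Rule("trusted-deny-iot", "deny", TRUSTED_NET, IOT_NET))
    return rules


if __name__ == "__main__":
    cases = [
        ("whole gateway blocked, DNS query", gateway_rules(True), DNS_QUERY),
        ("only 80/443 blocked, DNS query", gateway_rules(False), DNS_QUERY),
        ("only 80/443 blocked, web UI", gateway_rules(False), GW_WEB_UI),
        ("permit before deny, DNS query", ordering_rules(True), DNS_QUERY),
        ("deny before permit, DNS query", ordering_rules(False), DNS_QUERY),
        ("one-way permit, SMB request", vlan_rules(False), SMB_REQUEST),
        ("one-way permit, SMB reply", vlan_rules(False), SMB_REPLY),
        ("bi-directional, SMB reply", vlan_rules(True), SMB_REPLY),
    ]
    for label, rules, pkt in cases:
        action, matched = evaluate(rules, pkt)
        print(f"{label:34} -> {action:6} ({matched})")
```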
Thanks! I have 9 Omada devices in my setup and really love learning new things. This is exactly why I enjoy doing a homelab 😊
Nice that's a lot of Omada. Hope it helps you out tremendously
Thanks, great video. At least for me your video has the perfect level of detail. Explaining the important aspects, avoiding what does not have to be configured, and not getting slowed down with trivial things. Great. Subscribed.
Love this. I have fixed wireless, and can't get all the options that someone who isn't behind CGNAT gets. So the best way for me to do it is with some smart home networking. I've had some Omada gear for a while, but I haven't set it up. Just plugged it in and ran it off of the gear itself. Yesterday I installed the cdn container on UnRaid, and this video couldn't have come at a better time. Thank you.
Thanks for a great video. I watched to learn Omada VLAN stuff but found your various ACL examples very useful as well.
Fantastic video! With no experience, I was able to set up the TP-Link Omada controller, router, and smart switch on our small farm. I set it up exactly like you did but with different VLAN IDs. Everything worked like a champ. I also installed some IP cameras and NVR. I think I got ahead of myself. When plugged in the NVR and IP camera into the switch it was using the Admin Network IPs. How do I get them to use the IoT network IPs? Thanks again!
You change the ports on the switch to IoT instead of All
Thanks for this guide. One question though:
When I block access to the gateway for one VLAN, members of this VLAN cannot access the internet anymore - at least in my setup. And it makes sense to me because a switch will try to route internet IP addresses through the router and will be using the gateway address.
What am I missing here?
Thank you
Could you do a video specifically addressing Apple HomeKit setup with VLAN’s. Like having IOT device security. But also allowing family members to use HomePods and AppleTV with ease. Maybe even some segregated HomeKit cameras.
Thanks for the great video! I was looking to set this up at my house and your video gave very useful information!!
Thanks for the great video... I am hoping to implement my own Omada Network setup in the near future... Just waiting on the funds to purchase the Access points and switches... I am not going to use any of the TP-Link Routers... I plan on using my existing Untangle Firewall/Router setup instead... But I am going to be buying TP-Link access Points, Switches, and OC200 Controller...
Nice. There are definitely better firewall options than the built in one for Omada routers
I've explored some new stuff that got released in the new version of Omada. It looks like you can deny all the gateway management pages from the Gateway ACL. This goes into stateful ACL that was released in higher end routers and the option is now, it seems, available to all.
Thanks for the videos. This one and the old one filled in some gaps I had. I'm completely new at this so this question may be as elementary as they come. I see how the router, switch, and controller are wired in, but how is the laptop wired in for setup? Do I connect it to the other controller port or somewhere else? Thanks
You can connect it to the controller secondary port or into the switch
@@SPXLabs Wow! Thanks for the fast reply.
I try
That was great basic setup and explanation.
Keep up the great work :)
I’m hoping to avoid doing this again anytime soon lol. But thank you
I am moving over to Omada. I have 2 switches and an AP. I just bought the ER605 v2 and I'm currently using OpenWrt on my wireless router. Will migrating from OpenWrt be a pain? I am using VLANs as well, with firewall rules similar to your ACLs.
Great video, question have you ever setup OSPF or VRRP with Omada? That would be a great video session.
Nope. I don’t even know what that is
Thanks for such a detailed guide for Omada, you're making me want to have a lab now =P. Btw, maybe in the future, when you think enough time has passed, you might consider doing something similar with Ubiquiti. Not sure if your past tutorials were with the old UI or the new one, but your guides are really good for newbies like us.
No problem. hahaha oh no, no way! I personally would follow @mactelecomnetworks guide on that side of the house.
Released this early by accident.... Here are the chapters:
Intro 0:00
Sponsor 1:05
Plug Everything In 1:19
NMAP to discover devices 1:43
Controller Setup 2:54
Network Layout 5:37
Change Default Subnet 6:38
Set Static IPs 9:56
Update Devices 11:24
Pre-Network Creation 13:39
Create Subnets/VLANs 14:38
Create ACLs 18:29
Wireless Setup 25:42
Create Wireless Networks 27:12
Wireless Bandwidth Limit 30:20
Wireless ACL 31:15
Testing The Setup 33:44
Fix DNS 35:52
Pornography Test 37:26
Configure Ports 37:42
Final Remarks 41:00
Really good video and guideline. I have a quick question: how can I integrate VoIP or DECT devices? I think there is no such option on the controller.
Sorry I don't know :/
excellent work, perfect guide. thank you so much
Hey my friend, much appreciated for the live demo on how to set up things. Amazing. I will follow suit 100% with my Omada system. The only question I have: the "AT&T Gateway" for me is most likely the German provider Telekom with the "Speedport Smart Typ4A" ..... Now do I need this thing? I do run a small hotel and also need phone, of course. Much appreciated mate.
I can't answer your question because I do not know how ISPs work outside of the USA. Here in the USA, I must use the AT&T Gateway or I will not have internet at all. In the past, we used to be able to remove the ISP-provided router and use our own equipment, but that's not always true anymore. So your question should be directed at your ISP, who presumably will give you better answers than I could. Sorry.
Still thank you @@SPXLabs !
Do you think, using a Gateway (white turret like in your video), there might be setting issues as to why I only receive 80 Mbit through WiFi speed tests, but the "Gateway" itself receives 265 Mbit download (i.e. I can do a speed test on the hardware itself)?
So, what keywords, or where, would I have to look to find out why the initial Gateway has a download of 265 Mbit but only diverts one third of the download bandwidth to the Omada system?
WiFi bandwidth would be mostly independent of your internet connection. There are a lot of variables to consider; distance, interference, material penetration, competing frequencies and many other items. So yes it could and might but there are other factors to consider first.
Hi, thanks for the video. How do you setup IPv6?
Awesome video, very helpful! I've been looking at Omada for a while. Been going back and forth between it and a regular mesh 6e network like the TP-Link XE75 pro. I'm a more advanced user, but definitely not a network engineer. I have a lot of IoT devices etc. What are benefits of going the Omada route?
More control over the network.
Thanks for the video. I just purchased an ER7212PC and the EAP670 AP for home use. I am trying to relate the way you configured PUBLIC in this video. I am very new to the Omada interface and ecosystem though, however would it be correct to say that you can literally just make a GUEST network and avoid having to add the ACL you mentioned in the video since by default, Omada will only allow those public devices to connect to internet and nothing else? Also, you would not need to block the gateway from the public as you should not be able to find it if its on Guest Network. Therefore.... I am just trying to find reasons why Guest Network is not used in the example. Hope you understand where I am coming from. Thanks heaps for the video again!
You could just use Guest. If I just used Guest then it wouldn't make the video good for demonstrative purposes.
@@SPXLabs ah I see, thanks for that! Greatly appreciate your response 🙏🏼
Hey, can you go more into the details of the built-in RADIUS of Omada, or API integration, or using an external RADIUS server, basically authentication on WiFi? My goal is to sell internet via vouchers, but I don't want to print physical vouchers for internet access; I want clients, after payment, to receive their vouchers via SMS.
Hi, great video. Just a question: is there a reason you assign an IP address to the switch by DHCP reservation (IP Address mode - DHCP - use fixed IP address) instead of assigning a static IP address (IP Address mode - Static)?
Not a particular reason no.
Great Shirt! Interesting, thanks, looks like a lot of work for you to get this done
It was. I hope to never do it again.
One thought about some of your rules. When blocking access from one vlan to another, but allowing it in reversed, it will only work if your switch/router supports Stateful ACL. There will be no message from the controller about this and you can spend hours tracking down connection issues that should be working according to your rules. Omada should support this since version 5.8 and some of their hardware has gotten updated firmware with added Stateful ACL support. But you will need to check the support for each of your switches.
That's a good point and only something I've recently become aware of. I'll have to read more about that because stateful acls are new words to me.
@@SPXLabs My router just got an update to support it, but my current switch has not seen an update since 2021, so I'm not expecting any support there. Not sure the switch even has hardware support for it, as it probably requires some additional chip support, seeing as it's a higher level than what switches normally operate at. A great video may be what to look for when buying switches and routers depending on the requirement. There are a lot of different devices with various support out there, which I learned the hard way. For instance, simply the difference between a Smart Switch and an Easy Smart Switch from TP-Link. I just looked at the "smart" part and found myself having to buy a new one 6 months later when I started with Omada. Also these weird hardware versions like v1.0, v2.0, v2.6 and so on. For the ER605 router the v1.0 has much lesser hardware. But there seems to be no difference between v2.0 and v2.6 except where in the world they are sold. TP-Link has absolutely no information about this and it can make such a huge difference. Even sellers don't always display this part, or they display the wrong version.
Great video, maybe in the next one address setting up mDNS for smart home applications such as HomeKit and ChromeCast?
You might be waiting a while for that; I've actively avoided smart home things and the few smart home things I have are Z-Wave. I'm not saying no, it's just unlikely I'll get into that since I don't own any smart products.
Great video, thanks. I am using the software controller and don't seem to see the option of Bi-Directional; all rules defined at switch level by default are bi-directional. If you want a one-direction rule then you must define it at gateway level.
Very interesting. I wonder if the software changed from when the video was created or there isn't a standard yet. Either way you seemed to have grasped it.
@@SPXLabs This is actually driving me nuts, only gateway network-to-network works; now I cannot get my HomeAssistant (under the IoT network) to access my NAS (under the trusted network) no matter what I do. Should have just topped up a bit more for the Unifi ecosystem; I guess now my only choice is to replace the firewall with pfSense, although this will be overkill for my simple needs.
@@fferdianlim Have you attempted to reach out to TP-Link themselves? Your hardware should still be under warranty and their support is free.
Can you do a video on how to make the Xbox or ps5 ip bypass firewall as DMZ
About the Network security: What is default if there are no rules set by the admin? What is default? Is all traffic allowed? Or nothing? Thanks.
Wide open
@@SPXLabs Thanks
Quick question: is there a way to implement MAC filtering on switch ACL? I've been trying with no success.
You make some great video content, so I really appreciate that, but I have a question for you and anyone in the comments: why don't we put the controller on the router instead of putting it on the switch? What are the benefits of putting it on the switch and not on the router?
The switch has PoE and the router does not.
@@SPXLabs I see, but if I powered it from a power source then it doesn't matter, I can hook it up to the router, correct?
Yes. The controller requires PoE so you would need a PoE injector.
Looking forward to watching this when I can get some peace and quiet :)
Been watching @deadmeats videos and locked down my VLANs, and access to port 53 was only to the pihole on the main LAN (minimising call-home for IoT and keeping devices ad-free), but got a bit lost with the firewall rules when adding a 4th VLAN (you wouldn't believe I owned an MSP lol). Set up the Omada stuff for clients, love it, the support and availability too.
It's a long one and there are a ton of details. I originally had very very quiet music but then decided to remove it completely just in case.
Thanks for explaining the Omada setup. I used your video to set up my network. It works fine now but I have a problem. I think the issue was not covered in your video. I needed to reset one of my EAPs. After the reset, the SDN controller can't see the EAP anymore. I believe this is because the controller (and gateway and a switch) are working on VLAN 10. The Discovery Utility does not see the EAP (in fact it does not see any devices). My setup uses these IP addresses for the gateway, OC200 and a switch: 192.168.10.1/2/3. My PC gets IP address 192.168.10.30 (via DHCP). I also tried using "DHCP Option 138" without any success. Admittedly I am fairly new to SDN networking. How do you add an EAP (or other devices, for that matter) with your configuration?
You need to plug your EAP into the same VLAN as your OC200 during initial setup. Or reconfigure a port on your switch to be on the same VLAN as the OC200, or temporarily change the port to All.
@SPXLabs Thanks a lot. The EAP (via unmanaged switch) was connected to the right port, except... it was not connected at all. At some point, I messed up cable connections to the switch (small ELAN mounting box housing my TP-LINK hardware makes life difficult). Your reply made me check port status and it showed that the port had no connection. The rest was easy.
@liloatut nice. It’s always something simple that gets us lol. Nice work brother
Can you do a video helping me setup my TP-Link Omada equipment at my house?
Sure, that will be $10,000 USD.
4K60 NICE!
Did you test the 10GT speed in your router?
great video
What are those SFP RJ45 modules?
Are those from TP-Link / FS / MikroTik?
More than likely FS, but I've switched those out for TP-Link branded modules.
@@SPXLabs Thank you. I am looking for compatible module for 7212PC.
Great video! Will you also do EAP setups if they are located across the internet? Thanks!
Unfortunately not. I don't have anyone who would be able to support hosting remote stuff.
THANK YOU for this detailed guide! Based on my experience with the Omada ecosystem, the firmware and software stability is not really as good compared to Unifi.
No Problem. To be determined, I'll make note of things and compile them in one big video.
Everything in this video for setting up went great, but does anyone know why the main default wired LAN network profile works fine for the wired internet, but when you set up a Wi-Fi LAN network it doesn't work?
Great vid! Why not plug the controller right into the router?
Router doesn’t have PoE
@@SPXLabs Got it! Thanks! Just got the same TP-Link router and 2 switches, I guess I can do the software server without the controller.
That is correct!
What did you use for the DAC uplinks? I'm having trouble with SFP+ modules that just don't work.
10G SFP+ DAC: bit.ly/3TkzKjm and FS SFP+ to RJ45, however I am switching to SFP+ to RJ45 from TP-Link ones amzn.to/3LIt7oz
Hi there, thank you for the video!
I have a few questions about 15:04. I just bought an SG2428P with the cloud controller. I have configured different VLANs (10, 20, 30) on my FortiGate port1, which is connected directly to switch port1. But it seems the switch stays offline unless I connect the switch to FortiGate port2 (the default 192.168.1.99). What do I need to configure in order to make it work using FortiGate port1?
How about the security of the router, bro? What's your initial opinion?
Haven't played with it too much. It's all default settings right now. However, it is missing some features like Country IP blocking, IPS/IDS, and the firewall section is clunky.
@@SPXLabs Btw bro, your guide on the Omada ecosystem is great; I am also considering this for my clients' deployments. By the way, if the security side is not that stable, does it still work even if I don't buy their Omada router as long as there is a controller? My plan is to buy a FortiGate firewall/router for more advanced security features.
@@davidesguerra7837 The router is the firewall/router/VPN/does everything. The controller... controls/sets up other devices in one place so you don't have to do it in standalone mode.
@@SPXLabs I see, bro. I think so far it does the basic security (at least).
Hi, Could you do a demonstration setup of VLANs on TP-Link Omada and a Synology NAS?
This video shows setting up VLANs. I’m sorry but I don’t own or have access to Synology equipment so I cannot make a video setting one up.
Thanks for your reply. I followed your settings and then lost access to my DS920+. Nonetheless, I did learn a lot from your videos🍻
@coraedread1655 yeah sorry I wasn’t more helpful. Best guess as to why you lost access is there was not a route between vlans
Thanks, great!
Excellent Vid. Thanks a lot!!👌👍
37:28 best moment
What ipcam do you use ?
I have a mix of ubiquiti G3s and G4 Pros. amzn.to/3Q1WIMM
Sir, do you have a setup regarding game priority? Mobile Legends is always crashing and lagging. Please do a video tutorial.
Amazing tutorial :D ty
I saw you change the IP address on the OC200 controller. On my OC300 I don't have that controller tab and can't figure out how to change it to a static IP.
Maybe update the software? There shouldn’t be any difference
@SPXLabs Yeah, all up to date, can't figure it out, about to reset the controller.
I don’t think resetting it will help. Maybe the newest version changed locations
@@SPXLabs So I figured it out. I found it under the global view; it was missing from the default site view. Thanks for the help.
Nice work!
How would you configure a tp link wireless router as an access point on a tp link network switch with a tp link router/firewall/vpn device?
Don’t know. I don’t own any.
Is there any video on setting up multiple TP-Link EAP mesh access points together to work as one, and using one central access point ACL to work across all access points throughout the home? Also so I don't have to assign an extra VLAN and I can work off that one
central access point VLAN. I hope this question makes sense.
I currently do not have a video showing off meshing. You will need the Omada controller software for that.
You do not need to create vlans for multiple access points. Just need to do it once.
@@SPXLabs Cool, thank you for all this great feedback and videos. I am new to the TP-Link Omada system so still learning. So let me get this clear: I just set up the VLAN from the controller in the Wi-Fi and it will work for all access points, and all the access points will adopt the setting from the controller as well, correct?
The SSIDs are linked to a VLAN you create during the wireless network setup. Then each VLAN is tagged with certain ACL rules. So if you set up a VLAN on a specific ID, then yes, all access points will use those settings.
@@SPXLabs thank you for all of the great feedback, and info
Hey, can you make a video that will show how to set up an entire VLAN to only use a VPN like Nord, for example? I got this to work for pfSense but can't get it working in Omada. Thanks.
I've tried with OpenVPN in the past and it didn't work. However, with WireGuard I'd be willing to try again.
@@SPXLabs
That would be sick if you can get it working. But I don't have high hopes since you cannot select what WAN an interface can use. But let me know.
Well, right now WireGuard isn't working at all. I've been working with TP-Link support for a week and we haven't figured out how to fix it yet.
@@SPXLabs
Ya, I was talking with them last night for hours and got nowhere. I hope they add these features in the future.
Are the fans still silent under load?
Yes and no
OMG I need help!! So confused. I have a newly built home. I ran ethernet to every TV and computer location. The TVs will not work when they are plugged in. I can plug in the computer and run a fantastic speed test. Then I move the plug to the TV, and the TV says "NOPE", try again. They still will not connect. It says to please connect to the ethernet even though it's plugged in. I have the ER605 router and the Jetstream SG2428P for the switch. What is causing this??
Maybe a crossover cable vs straight through
Awesome video! Can you also do one for Radio settings and Advanced for EAPs in the Omada controller?
I will think about it. But I doubt I will commit.
@@SPXLabs Would be very useful if you did but I will leave the decision to you. Really need some assistance on the RSSI settings/Load balance settings and Advanced under the APs because sometimes my phone/laptop sticks to a specific band and does not drop off when i move to a different location.
Hi, we have 3 houses on the property, and I first installed 1 "EAP610 outdoor" connected via cable to the ISP router (House 1). Got great wifi speed OUTSIDE all 3 houses, but inside houses 2 and 3 the signal drops by 90+ %. Bought a second "EAP610 outdoor" (as advised by the dealer). I hope to put the second EAP610 on house 2 (wirelessly). Is this possible and if so, how? Got no support via the TP-Link support chatbot. Any suggestions greatly appreciated.
No it will not work as part of the mesh network if it is not plugged into a switch and configured to be on the same network/vlan.
@@SPXLabs Thanks for info. As a total noob, I thought building mesh networks was possible "wirelessly"
You can do that with a repeater but repeater networks are garbage
Your switch ACLs as shown won't work. Switch ACLs aren't stateful, so even if you allow Lab to IPcam, it can't talk back.
Thx for the comment. That could explain a problem I have. How do I do it?
From omada, can urls be blocked for the public network? Thank you!
I don’t think so. It would be better to block a website with dns. Like pihole.
Why not create a management vlan for the OC200?
It’s in the management vlan by default.
@@SPXLabs I get this, but the TP-Link doc to set up the management VLAN says that you have to change the port profile to the management VLAN profile.
Under "How to configure Management VLAN in Omada SDN Controller (4.4.4 or above)"
Well, I’d use this video for demonstration purposes and not a bible, so definitely do what you think is best or more correct.
@@SPXLabs What I meant is, why not change the port of the oc200 to Admin vlan which was the default one? You kept the port profile to All but why is that? Would it break something to change it to Admin?
Why do the EAPs have to be trunked essentially on ALL port?
Idk man. Feel free to change things around. I’m just doing what is easy and works.
EAPs are like switches and can have many SSIDs on many VLANs. As such, ports connected to an EAP wifi access point should be a trunk.
@@spoonikle But do they really need to be trunked to ALL? Why not create just the VLANs needed for SSIDs.
Excellent Vid. Thanks a lot!!
How about setup without omada, devices in standalone mode?
Idk, it's a lot of work and much less streamlined. I don't understand the point of buying Omada hardware and not using it.
@@SPXLabs same reason people hate unifi controller.
Hmmm. Okay but, and humor me here, why not just buy regular Jetstream stuff that's not connected to a cloud controller? But back to your question, I can't promise anything. I would not hold your breath on it. I'd have to kind of learn how to do everything without the controller's help and it takes time. Also, there are other things I would rather work on or do. Sorry to be so blunt and standoffish. I don't do TH-cam full time, so it's not easy for me to just make content whenever.
@@SPXLabs Because the feature sets and hardware are not the same, and sometimes you have to buy the Omada stuff to get the features or ports you want even if you don't want to use the cloud controller. It's annoying. Ubiquiti does that BS and it's annoying to see TP-Link do it too.
Yeah perfectly reasonable IMO. I agree that companies can be annoying AF like that
Hi sir, Omada update 5.11.10: how do I upgrade smoothly?
www.tp-link.com/us/omada-sdn/controller-upgrade/#content-1
I'm running my omada controller on my nas but do you think the hardware controller is better or it doesn't matter?
Doesn’t matter. Do whatever works for you in your environment.
@@SPXLabs Thanks, I'll keep it in the NAS then; that way I save money.
That’s a great idea!
Thank you for sharing, easy to build from zero. I have 2 networks, Parents and Kids, and there are printers connected to the Parents network. ACLs defined so far: KidsBlockAllVlans, KidsBlockGateway, ParentsAllowAccessKids. I would like users from the Kids network to have access to the printers. How can I do it?
I'm not 100% sure off the top of my head, but a quick silly way would be to put the printer in its own VLAN and allow all VLANs access to it lol. I think there may be a way to have a rule to that specific IP, kind of how we block access to the VLAN gateway IP but in reverse. I think.
@@SPXLabs Thank you. FYI: I set the printer on a separate VLAN with a specific IP, and I can print from other VLANs.
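Added example, not code from the video or from TP-Link's controller: a small Python model of first-match, stateless switch ACL evaluation that covers both the Lab/IPcam point raised above (a one-way permit leaves the reply with no matching rule) and the Kids/Parents printer question (a per-IP permit has to sit above the broad deny). The VLAN subnets, the printer address and the rule lists are constructed for the example.

```python
# Added example: constructed model of stateless, first-match switch ACLs.
import ipaddress
from typing import List, NamedTuple

class Rule(NamedTuple):
    name: str
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR

ANY = "0.0.0.0/0"
LAB, CAM = "192.168.40.0/24", "192.168.50.0/24"        # constructed VLAN subnets
KIDS, PRINTER = "192.168.30.0/24", "192.168.20.50/32"  # constructed; printer in Parents

def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Walk the list top-down; the first rule matching src and dst decides.
    Stateless: a reply packet is judged on its own, not on the request it
    answers. No match falls through to permit (the thread says the default
    with no rules is wide open)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "permit"

def bidirectional(rule: Rule) -> List[Rule]:
    """The reverse rule the controller's Bi-Directional checkbox generates."""
    return [rule, rule._replace(name=rule.name + "-rev", src=rule.dst, dst=rule.src)]

def cam_acl(bidir: bool) -> List[Rule]:
    """Lab may reach the camera VLAN; cameras may reach nothing else."""
    allow = Rule("LabToCam", "permit", LAB, CAM)
    rules = bidirectional(allow) if bidir else [allow]
    return rules + [Rule("CamBlockAll", "deny", CAM, ANY)]

def printer_acl(permit_first: bool) -> List[Rule]:
    """Kids VLAN is blocked from everything except one printer in Parents."""
    allow = bidirectional(Rule("KidsAllowPrinter", "permit", KIDS, PRINTER))
    block = [Rule("KidsBlockAllVlans", "deny", KIDS, ANY)]
    return allow + block if permit_first else block + allow

def session_ok(rules: List[Rule], client: str, server: str) -> bool:
    """A TCP or RTSP session needs both directions permitted."""
    return (evaluate(rules, client, server) == "permit"
            and evaluate(rules, server, client) == "permit")
```

With the one-way camera rule the request passes but the camera's reply hits CamBlockAll, so session_ok is False until the reverse rule is added; for the printer, the same permit succeeds or fails purely on whether it is listed above KidsBlockAllVlans.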
Device account is not new
It may not be new today but when compared to the 2022 setup guide that option did not exist during setup. So after updating all the firmware to what was the latest at the time of filming, it was definitely new.
Hell
I am in trouble. I have a TP-Link ER604 VPN router and I cannot use WhatsApp calls.
Can you help me configure my router to unblock WhatsApp calls 📞 🙄 🙏
By default the ER604 will not block anything. Double check your firewall rules, you may have blocked something by accident.
@@SPXLabs Thanks. I am living in the United Arab Emirates; here the government bans video and audio calls on social media networks.
So how can I unblock social media calls 📞
Sounds like you need to connect to a VPN in another country first, then make your video calls