Omada Switch ACLs for established state

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-02-16 11:13:50
Model: OC200  

Hi there,

just started my Omada SDN Setup. The main parts are:

* Controller OC200 v1.0 (Firmware 1.7.3 Build 20201119 Rel.63433, Controller Version 4.2.8)
* Gateway TL-R605 v1.0 (Firmware 1.0.0)
* Switch TL-SG2008P v1.0 (Firmware 1.0.0)

I wonder how to configure the following (pretty common I guess) setup:

* VLAN 1 as main VLAN
* VLAN 2 as IoT VLAN

1. I want to deny traffic from VLAN 2 to VLAN 1 (this worked pretty easy by adding a switch ACL rule for that)
2. I still want to allow (initiated) traffic from VLAN 1 to VLAN 2 so that I can for example access my IP camera

But for this to work I need something that is normally referred to as a firewall rule, which allows established connections from VLAN 2 to VLAN 1. How can this be done? I cannot find it in Omada. I also tried to set it up by running all the devices in standalone mode, but even there I could not find a way to create an ACL rule that matches on established connections.

Any help would be appreciated.

Christian

Re:Omada Switch ACLs for established state
2021-02-16 16:44:24

@thekwasti 

If your cameras are on a specific port range, you could create an IP Port group to ALLOW those ports, then apply it via a switch ACL. Set this as a higher priority than the block-VLAN rule and that should work.

For example, I have an IoT VLAN that is totally blocked from my main VLAN; however, I also have cameras on that IoT VLAN, so I can access those specific IPs used for the cameras via ports 4455 and 4456.

That help?

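To make the distinction in this thread concrete (the original post wants an "established" match; the reply above works around it with a port group ranked above the deny rule), here is a small Python model, added for illustration and not Omada code, that runs the same packets through a first-match stateless ACL and a connection-tracking firewall. The addresses, the camera IP and the sample flows are constructed; ports 4455 and 4456 are the ones from the reply.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed addressing for the example: VLAN 1 is 192.168.1.0/24, VLAN 2 is 192.168.2.0/24.
def vlan_of(ip: str) -> int:
    return 1 if ip.startswith("192.168.1.") else 2
CAMERAS = {"192.168.2.10"}   # constructed camera address on the IoT VLAN
CAMERA_PORTS = {4455, 4456}  # the port group from the reply above

def stateless_acl(pkt: Packet) -> str:
    """Switch ACL as the reply describes it, first-match, no memory of earlier packets:
    rule 1 (higher priority): permit camera -> VLAN 1 when the source port is in the group;
    rule 2: deny VLAN 2 -> VLAN 1; everything else (VLAN 1 -> VLAN 2 included) is permitted."""
    if vlan_of(pkt.src_ip) == 2 and vlan_of(pkt.dst_ip) == 1:
        if pkt.src_ip in CAMERAS and pkt.src_port in CAMERA_PORTS:
            return "permit"
        return "deny"
    return "permit"

class StatefulFirewall:
    """The 'established' rule the original post asks for: remember flows that
    VLAN 1 opened and permit only their return packets from VLAN 2."""
    def __init__(self) -> None:
        self.conns: set[tuple] = set()
    def evaluate(self, pkt: Packet) -> str:
        if vlan_of(pkt.src_ip) == 1 and vlan_of(pkt.dst_ip) == 2:
            self.conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "permit"
        if vlan_of(pkt.src_ip) == 2 and vlan_of(pkt.dst_ip) == 1:
            reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "permit" if reverse in self.conns else "deny"
        return "permit"

def compare(flows: list) -> list:
    """Run one packet sequence through both models; returns (acl, firewall) verdicts per packet."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.evaluate(p)) for p in flows]
SAMPLE_FLOWS = [  # constructed traffic, in order
    Packet("192.168.1.20", 50000, "192.168.2.10", 4455),  # PC on VLAN 1 opens the camera stream
    Packet("192.168.2.10", 4455, "192.168.1.20", 50000),  # camera's reply to that connection
    Packet("192.168.2.10", 4455, "192.168.1.20", 22),     # camera-initiated, reusing the allowed port
    Packet("192.168.2.50", 40000, "192.168.1.20", 445),   # another IoT device starting a new flow
]
```

The third sample packet is where the two models diverge: the switch ACL cannot tell a reply leaving port 4455 from a new connection the camera opens from that port, so the port-group workaround leaves that path open, which is the residual risk the original poster raises in the next reply.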
Re:Omada Switch ACLs for established state
2021-02-16 17:43:18

@Philbert Thanks for the reply. That would work of course, but I don't think it is a good solution. Esp. IP cameras never have to be allowed to initiate connections themselves (except for NTP for time sync).


I even tried to run both, the switch as well as the gateway in standalone mode, and even there it is not possible. I just really wonder, how a router in the business tier does not allow a simple firewall rule based on the established state.

Probably I will just step away from the whole Omada ecosystem and get something like an EdgeSwitch (I already have an EdgeRouter running). The centralized management is super nice, but if fundamentals are just not available, then it does not really help. :(

Re:Omada Switch ACLs for established state
2021-05-08 22:08:34
I have to second this. I can set up any 2 random physical home routers and get this functionality by default. Omada needs to provide this functionality across VLANs; it's a severe oversight.
Re:Omada Switch ACLs for established state
2021-06-26 10:52:49

Thank god I saw this forum post. That doesn't sound good.

Are there any news regarding this topic? This is a total knock out for our plans to migrate to Omada. Even Unifi offers this functionality.

Without that, an additional firewall is required and I don't see a reason for using an Omada gateway.

Re:Omada Switch ACLs for established state
2021-07-16 22:43:08
@ksx I'm jealous you found this post. I was running the EAP225s and a PoE 1500G switch with an ER-X router, and it was working as expected. I found the EdgeOS to be more complicated than I wanted to deal with (and I didn't want the expense of a full Ubiquiti network to get their central management), but I have found the limitations of the Omada system to be extremely frustrating.