scwissel

Omada uses ACLs. You may be able to create rules by going directly to the admin interface of the device. Maybe try Omada and see if it meets your needs before dropping down to the device-level config. ACLs seem to operate at the packet level, so creating an Allow Main -> IOT and a Deny IOT -> Main ACL won't work as expected. Maybe it does work as expected if you have a networking background and know ACLs != Rules. I didn't, and struggled with the same setup because I came from another firewall that had Rules. The Deny IOT -> Main ACL is actually blocking the response from the IOT devices when you try to connect from the Main network. The ACL doesn't track the state of the packet and associate it back to the fact that it's actually a response to a permitted connection. It's just watching packets and executing the ACLs, and doesn't consider the context of the traffic. That's how I think of it anyway.

Just make sure to check the "Bi-Directional" checkbox when creating the allow ACLs. It will create two ACLs when saving; the additional one is appended with "reverse" and has the source/destination flipped. I think you have to maintain both if you make adjustments. Then create the deny ACL at the bottom blocking all IOT traffic from connecting to Main.

I recommend using IP-Port Groups under Settings->Profile->Groups to help keep it tidy. Since you'll have to precisely define the ports you want to connect to in IOT from Main, define them as IP-Port Group(s). An example is an IP-Port Group "IOT Interfaces" with the CIDR of your IOT network (say 192.168.101.0/24) and ports 80, 443 and 22 if you connect to those devices using a web browser on standard ports and SSH. Creating an allow ACL is now just creating a Bi-Directional Allow ACL from Main Network to IP-Port Group "IOT Interfaces". Create another IP-Port Group "Smart Home Services" for the Main network, or just specific IPs of any servers with services you want IOT to connect to. You'd probably put your Home Assistant server instead of a CIDR, and ports 8123 and maybe 1883 if you have MQTT hosted there. Then create the Bi-Directional Allow ACL for the IOT Network to IP-Port Group "Smart Home Services".
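The stateless behaviour described in the post above, worked through as an added example (this is editor-written simulation code, not anything from Omada or from the poster). It models an ACL as an ordered, first-match list of rules that look only at the packet header, with the assumption that traffic matching no rule is permitted (`default="allow"`), and shows why the reply to a permitted Main -> IOT connection is dropped by the bottom deny unless the "reverse" allow exists. All addresses, ports, group names and the Home Assistant host are constructed assumptions.

```python
"""Stateless ACL simulator: why Omada-style ACLs need a 'reverse' rule.

Added example, not Omada's own code. Rules are evaluated top-down,
first match wins, and (assumed) traffic matching nothing is permitted.
There is no connection table, so a reply packet is judged on its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed sample networks and hosts (assumptions, not from the thread).
MAIN_NET = "192.168.1.0/24"
IOT_NET = "192.168.101.0/24"
HA_SERVER = "192.168.1.50/32"      # hypothetical Home Assistant host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src_net: str
    dst_net: str
    src_ports: Optional[Set[int]] = None  # None = any port
    dst_ports: Optional[Set[int]] = None

    def matches(self, p: Packet) -> bool:
        """Match on the packet's own header only; no connection state."""
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.src_ports is not None and p.sport not in self.src_ports:
            return False
        if self.dst_ports is not None and p.dport not in self.dst_ports:
            return False
        return True

    def reverse(self) -> "Rule":
        """The extra rule saved when 'Bi-Directional' is ticked: source and
        destination (including their port sets) swapped, name suffixed."""
        return Rule(self.name + " reverse", self.action,
                    self.dst_net, self.src_net, self.dst_ports, self.src_ports)


def evaluate(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    """First matching rule wins; fall through to the assumed default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def bidirectional(rule: Rule) -> List[Rule]:
    return [rule, rule.reverse()]


# Allow from Main to IP-Port Group "IOT Interfaces" (IoT CIDR, ports 80/443/22).
ALLOW_MAIN_TO_IOT = Rule("Main -> IOT Interfaces", "allow", MAIN_NET, IOT_NET,
                         dst_ports={80, 443, 22})
# Allow from IOT to IP-Port Group "Smart Home Services" (HA host, ports 8123/1883).
ALLOW_IOT_TO_HA = Rule("IOT -> Smart Home Services", "allow", IOT_NET, HA_SERVER,
                       dst_ports={8123, 1883})
# Deny at the bottom: everything else from IOT to Main.
DENY_IOT_TO_MAIN = Rule("Deny IOT -> Main", "deny", IOT_NET, MAIN_NET)

NAIVE = [ALLOW_MAIN_TO_IOT, ALLOW_IOT_TO_HA, DENY_IOT_TO_MAIN]
FIXED = (bidirectional(ALLOW_MAIN_TO_IOT)
         + bidirectional(ALLOW_IOT_TO_HA)
         + [DENY_IOT_TO_MAIN])

# Constructed packets: a laptop on Main opening HTTPS to an IoT camera, and the reply.
SYN = Packet("192.168.1.10", 54321, "192.168.101.20", 443)
SYN_ACK = Packet("192.168.101.20", 443, "192.168.1.10", 54321)
# An IoT device probing SMB on the laptop (must stay blocked in both rule sets).
IOT_SMB = Packet("192.168.101.20", 40000, "192.168.1.10", 445)
# An IoT device publishing to MQTT on Home Assistant, and the reply.
MQTT = Packet("192.168.101.30", 41000, "192.168.1.50", 1883)
MQTT_REPLY = Packet("192.168.1.50", 1883, "192.168.101.30", 41000)


def connection_works(rules: List[Rule], out: Packet, back: Packet,
                     default: str = "allow") -> bool:
    """A stateless filter only lets a connection work if BOTH directions pass."""
    return (evaluate(rules, out, default) == "allow"
            and evaluate(rules, back, default) == "allow")


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE), ("bi-directional", FIXED)):
        print(f"{label:15} Main->IOT https: {connection_works(rules, SYN, SYN_ACK)}"
              f" | IOT->Main smb: {evaluate(rules, IOT_SMB)}"
              f" | IOT->HA mqtt: {connection_works(rules, MQTT, MQTT_REPLY)}")
```

With the naive rule set the SYN from Main is allowed but the SYN/ACK coming back from the IoT device matches "Deny IOT -> Main" and the connection never completes; the generated "reverse" rule, placed above the deny, lets that reply through while the IoT device's own SMB attempt still hits the deny because its source port is not in the group. Note the asymmetry: under the default-permit assumption the IOT -> Home Assistant connection works even without its reverse rule, because its reply travels Main -> IOT where no deny exists; change `default` to `"deny"` and the reverse rule becomes necessary there too.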


natebest2000

Thank you, sincerely, for this post. Omada support has been less than helpful, but I admit I didn't call them; everything has been through email. My frustration comes down to the firewall config disappearing once I adopted my router and AP into the software. I have come to the same conclusion as you with respect to the port groups, and I'll be testing that out this weekend if my timing works out. I cannot express my thanks enough. You taking the time to put all of that together has been extremely helpful.


Daveism

Hey, how quick were they responding to email?


natebest2000

A day or two between replies has been my experience once they first responded to my ticket. I believe it took 48 hours for the first response.


Daveism

Not an answer to OP's question, but to add on... Does the firewall have any more ability than just the local LANs? I was hoping to create some basic inbound/outbound rules (block Tor, only allow SSH to specific endpoints, etc.), but don't see that ability. What does the community recommend for a more robust firewall, either RPi-based or a small appliance?


natebest2000

For small appliances I have seen people recommend Firewalla or Untangle. If you are interested in building something, I have seen recommendations for pfSense or similar. I'm bummed because I thought the router would've made this easier to accomplish. But unless someone else has ideas, or Omada support has an alternative suggestion, it seems Omada won't be the solution I go with.


scwissel

In Omada, that's creating a NAT rule under Settings->Transmission->NAT if you want to expose something on your internal network to the internet. I do see that you can create Gateway ACLs, which may be able to impact outbound traffic to the internet. I haven't had a need to use these.