CPE210 drops connection when using mgmt vlan

2018-02-04 22:41:41
Model : CPE210

Hardware Version : V2

Firmware Version : CPE210_2.0-up-ver2-1-6-P1[20170908-rel45234]

I have two CPE210, hardware version 2, one acting as AP and one as client. I have assigned them static IPs, 192.168.5.10 (AP) and 192.168.5.16 (client).

When I don't assign mgmt vlan I can connect to the two devices using a manually set static IP on my computer (192.168.5.3) and connecting the network cable from my computer to the LAN input on the PoE injector. The two devices keep having a good and stable connection.

I then remove the static IP from my computer, setting it in DHCP mode, and receive an IP address from the DHCP server (with range = 192.168.100-199). As soon as I do that I can no longer connect to (nor ping) either of the CPE210s, even though they are on the same subnet as my computer. They keep having a stable connection, as verified by plugging another computer into the client, which receives an IP address within the DHCP range and is able to surf the internet.

I go back to static IP on my computer and connect to the AP to set management vlan to 5, which is the vlan my computer is on using an EdgeRouter X as the brain to provide the DHCP server (actually a bunch of DHCP servers with corresponding vlans). The important part is that the bits and bytes going in to the AP are a trunk of several vlans.

I can successfully set the mgmt vlan to 5, and am then able to connect to the AP using DHCP on my computer. Everything would be a happy party then, if it wasn't for the reason that the AP at that point starts losing its connection to the client every 4-5 seconds. If I log in to the AP I can see that the number of connected devices flashes between 0 and 1 for about 4-5 seconds in each state. If I log in to the client I can see that the timer keeping track of the connection to the AP never reaches more than 4-6 seconds and is then reset to 0.

Maybe this is firmware related or there is something else I'm missing. I noticed in another thread ( http://forum.tp-link.com/showthread.php?104188-CPE210-510-new-firmware-2.1.11-released-today-(includes-KRACK-fix) ) that there is a new firmware for HW version 3, but that it also works on CPE210 V2. Maybe someone can confirm this again in this thread, or maybe see beyond the troubleshooting already performed by me :)
11 Replies
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 03:38:51
There was a recent beta fixing mgmt VLAN problems, see http://forum.tp-link.com/showthread.php?101865-New-Beta-Firmware-with-Management-VLAN-Featre-Improved

It most certainly is contained in latest firmware 2.1.11 of 2018-01-26.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 03:51:40

R1D2 wrote

There was a recent beta fixing mgmt VLAN problems, see http://forum.tp-link.com/showthread.php?101865-New-Beta-Firmware-with-Management-VLAN-Featre-Improved

It most certainly is contained in latest firmware 2.1.11 of 2018-01-26.

Good idea. Unfortunately my HW (CPE210 v2) is not listed. How sensitive is the HW version in relation to the specifications of the firmware?
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 05:06:53

R1D2 wrote

There was a recent beta fixing mgmt VLAN problems, see http://forum.tp-link.com/showthread.php?101865-New-Beta-Firmware-with-Management-VLAN-Featre-Improved

It most certainly is contained in latest firmware 2.1.11 of 2018-01-26.

I upgraded to latest firmware as specified by you. I haven’t had time to set mgmt VLAN and try, but I still couldn’t connect to the devices when my computer got its IP via DHCP server and the signal to the AP is a trunk.
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 09:34:21

peltors wrote

I upgraded to latest firmware as specified by you. I haven’t had time to set mgmt VLAN and try, but I still couldn’t connect to the devices when my computer got its IP via DHCP server and the signal to the AP is a trunk.


It's a bad idea to use DHCP for stationary devices. I use static IPs for routers, switches and APs and using the mgmt VLAN with static IPs works fine.

Yes, you have to use a trunk port for connecting the CPE to your switch/router, so you also need to assign a VLAN ID(s) to the CPE's SSID(s) later on if your switch/router doesn't use a native VLAN. For initial setup you need to connect to the AP by a wired connection. The easiest way to achieve this is to connect your laptop/PC to an access port with VLAN membership and PVID of the mgmt VLAN.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 18:11:16

R1D2 wrote

It's a bad idea to use DHCP for stationary devices. I use static IPs for routers, switches and APs and using the mgmt VLAN with static IPs works fine.

Yes, you have to use a trunk port for connecting the CPE to your switch/router, so you also need to assign a VLAN ID(s) to the CPE's SSID(s) later on if your switch/router doesn't use a native VLAN. For initial setup you need to connect to the AP by a wired connection. The easiest way to achieve this is to connect your laptop/PC to an access port with VLAN membership and PVID of the mgmt VLAN.


Yes, I always use static IPs for stationary devices. I did exactly what you describe using trunk and access ports respectively. I didn't assign VLAN IDs to the CPEs' SSIDs b/c I collect the trunk in a VLAN-aware switch and split it there.

I got this to work yesterday. I set the mgmt VLAN on the CPE210s and they didn't drop connection. I'm still a bit confused that this part didn't work fully until the last firmware. Seems like a central part of the functionality.
Management VLAN made easy
2018-02-05 20:19:19

peltors wrote

I'm still a bit confused that this part didn't work fully until the last firmware. Seems like a central part of the functionality.


No, it did work before since the feature was introduced (I do this all the time), but it had been enhanced again in December.

Since I had to set up a MGMT VLAN just today for a customer and to show an example for others with the same demand, I document all necessary steps here:

The network uses a LAN with VID 1 and a MGMT VLAN with VID 100. The laptop, CPE and router are interconnected using a TL-SG105E. Router is a TL-WDR4300 using OpenWRT as its firmware.

First, set up the switch. Until everything is in place, leave your laptop connected on port 1 and assign it an unused static IP, say 192.168.0.10:





- Ports 1 and 2 are plain untagged LAN ports, members of VLAN 1 only.
- Port 1 is used for setting things up and uses the subnet 192.168.0.0 during setup to reach all devices.
- Ports 3 and 4 are trunk ports with tagged VLAN 1 and 100.
- Port 5 is an untagged MGMT port for the laptop (later to be connected) in VLAN 100.

PVIDs are as follows:





Untagged ingress traffic on trunk ports will be assigned PVID 1 (LAN), the Default VLAN. Untagged ingress traffic on port 5 will be forwarded to the MGMT VLAN 100. Apply and save the switch settings.

Now connect the CPE to port 2 of the switch and set it up as follows. In menu "Wireless", enable Multi-SSID (even if you plan to use only one SSID). Enable VLAN tagging for the SSID, assign it to the LAN subnet (VID 1):






In menu "Network" set a static IP for MGMT. If you want to use NTP time servers on the Internet for the CPE, add a default gateway and DNS servers. If you choose to use an NTP server running on your router and do not want to allow Internet access for the CPE itself, just leave the default gateway and DNS server entries empty:





Now enable the Management VLAN of the CPE. You will lose connectivity at this point. Connect the CPE to port 4 of the switch to regain connectivity to its web UI through port 5. You could connect the laptop to port 5 now to save settings on the CPE, but you could also finish the setup first, then save settings on the CPE later.

Set up the router. Add a new interface for the MGMT subnet, assign a trunk port for LAN/MGMT traffic, install a firewall zone for MGMT and - if needed due to the firewall's default policy - add a route from MGMT to WAN if Internet access is required (depends on the decision about which NTP server to use etc.). Of course, those steps may differ on your router, but on OpenWRT it's done this way and I show it only to make the principle clear:

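[CODE]
# MGMT interface on the VLAN 100 sub-interface of eth0
config interface 'mgmt'
	option proto 'static'
	option ifname 'eth0.100'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

# VLAN 100 on the built-in switch: 't' marks a tagged member port
config switch_vlan
	option device 'eth0'
	option vlan '100'
	option ports '5t 0t'
[/CODE]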
The first config section installs an interface for the MGMT VLAN with VID 100 and IP 192.168.100.1. The second config section creates a trunk port on the WDR4300's port labeled "4" (the 5t). 0t is an internal trunk to the CPU needed to forward traffic to the firmware.

Remember to add the WDR4300's trunk port 4 (the 5t) to an existing LAN with VLAN 1, too:

[CODE]
# VLAN 1 (LAN): untagged on ports 2-4, tagged on the trunk (5t) and the CPU (0t)
config switch_vlan
	option device 'eth0'
	option vlan '1'
	option ports '2 3 4 5t 0t'
[/CODE]

Next, set up a MGMT zone in the firewall. I use default policy REJECT for forwarding and an explicit forwarding rule to allow traffic from MGMT to the WAN, but not to the LAN:

[CODE]
# Global policy: forwarding between zones is rejected unless explicitly allowed
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option custom_chains '1'
	option drop_invalid '1'

# Firewall zone for the MGMT network
config zone
	option name 'mgmt'
	option network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only forwarding out of MGMT: to WAN (none to LAN)
config forwarding
	option src 'mgmt'
	option dest 'wan'
	option family 'any'
[/CODE]
Now connect the router to port 3 of the switch. Connect the laptop to port 5 of the switch (untagged member of MGMT VLAN) and change its static IP from the 192.168.0.0 subnet into an unused IP of the 192.168.100.0 subnet:






That's all. Test the setup using the ping command.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
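The router side of the setup above can be checked offline before it is applied. The following is an added example, not part of the original post or of OpenWrt: a small Python audit that parses UCI text and reports where it departs from the post's policy (CPU port tagged in VLAN 100, an interface bound to that VLAN, default forward policy REJECT, MGMT forwarded only to WAN). The function names, the `SAMPLE` text (trimmed from the post's sections) and the acceptance of DROP alongside REJECT are assumptions of this example.

```python
import shlex

# Added example. Constructed sample: the router sections from the post,
# trimmed to the options the audit reads (network + firewall concatenated).
SAMPLE = """
config interface 'mgmt'
	option ifname 'eth0.100'
config switch_vlan
	option vlan '1'
	option ports '2 3 4 5t 0t'
config switch_vlan
	option vlan '100'
	option ports '5t 0t'
config defaults
	option forward 'REJECT'
config forwarding
	option src 'mgmt'
	option dest 'wan'
"""

def parse_uci(text):
    """Parse 'config <type> [name]' / 'option <key> <value>' lines into dicts."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({".type": tok[1], ".name": tok[2] if len(tok) > 2 else ""})
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][tok[1]] = tok[2]
    return sections

def audit(text, vid="100", zone="mgmt", cpu_port="0", allowed_dest=("wan",)):
    """Return findings where the config departs from the policy in the post."""
    secs, out = parse_uci(text), []
    def by_type(t): return [s for s in secs if s[".type"] == t]
    ports = next((s.get("ports", "").split() for s in by_type("switch_vlan")
                  if s.get("vlan") == vid), None)
    if ports is None:
        out.append(f"no switch_vlan section for VLAN {vid}")
    elif cpu_port + "t" not in ports:
        out.append(f"CPU port {cpu_port} is not a tagged member of VLAN {vid}")
    if not any(s.get("ifname", "").endswith("." + vid) for s in by_type("interface")):
        out.append(f"no interface is bound to VLAN {vid}")
    if not any(s.get("forward", "").upper() in ("REJECT", "DROP") for s in by_type("defaults")):
        out.append("default forward policy is not REJECT/DROP")
    for f in by_type("forwarding"):
        if f.get("src") == zone and f.get("dest") not in allowed_dest:
            out.append(f"forwarding {zone} -> {f.get('dest')} is allowed")
    return out
```

`audit(SAMPLE)` returns an empty list for the configuration as posted; each returned string names one deviation from that policy.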
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 20:33:05
Thank you very much for a complete description.

I pretty much did everything you describe, except using multi SSID. I figured the trunk would pass between AP and client as a "package" without the need to split it. And it works for me, I take the signal from the client device and run it through a VLAN-aware switch, then pass the trunk (removing one of the VLANs) to a VLAN-aware access point where I assign different VLANs to different SSIDs.

Is it possible that the connection is more stable splitting the VLANs in different SSIDs in the CPE210 as well?
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 20:50:45

peltors wrote

Is it possible that the connection is more stable splitting the VLANs in different SSIDs in the CPE210 as well?


No, b/c more SSIDs mean more switching of the virtual wireless interfaces. If you don't need to separate WiFi networks, just leave it at one SSID.

To make connections more stable between two CPEs, use 802.11n mode and 20 MHz channel width (WiFi speed then maxes out at 150 Mbps, but better than an unstable 300 Mbps). Also make sure both CPEs are exactly aligned to each other and have a free line of sight. Enable short GI, WMM and set the distance to Auto.

Note that using the 2.4 GHz band for directional links can be problematic in densely populated areas. With CPE510 I could reach up to 90 Mbps data speed (~ 140 Mbps WiFi speed) compared to only effective 3 Mbps data speed with CPE210 on the same link over 600m.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
Re:CPE210 drops connection when using mgmt vlan
2018-02-05 20:59:43

R1D2 wrote

No, b/c more SSIDs mean more switching of the virtual wireless interfaces. If you don't need to separate WiFi networks, just leave it at one SSID.

To make connections more stable between two CPEs, use 802.11n mode and 20 MHz channel width (WiFi speed then maxes out at 150 Mbps, but better than an unstable 300 Mbps). Also make sure both CPEs are exactly aligned to each other and have a free line of sight. Enable short GI, WMM and set the distance to Auto.

Note that using the 2.4 GHz band for directional links can be problematic in densely populated areas. With CPE510 I could reach up to 90 Mbps data speed (~ 140 Mbps WiFi speed) compared to only effective 3 Mbps data speed with CPE210 on the same link over 600m.


Really nice discussion, thank you for taking the time. I will implement the settings you specify. In the scenario I described the CPEs are 8 ft apart. Maybe that is a problem itself :)

The CPEs will be placed in a rural area where there are not so many 2.4GHz networks.
Re:CPE210 drops connection when using mgmt vlan
2018-02-06 00:30:02
Oops, 8 ft are ~3m, right? Then you should reduce TX power, but the antenna gain may still be too high for such a micro distance.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻