VLAN Problems EAP225-Outdoor
Hi there,
I have Problems with the Vlan tag from the EAP225-Outdoor.
I run a EAP110-Outdoor with 3 multi SSIDs an 3 VLAN tags and a Zyxel GS1200-5 mgmt switch. Now i want use the EAP225 instead the EAP110, but all wlan ssid with vlan tag enable don't get to the network, only the default one.
EAP config by web interface (i use the same config for EAP110 and EAP225)
This config work fine with the EAP110
Static IP 192.168.188.254
Subnet 255.255.255.0
Gateway 192.168.188.254 (also tried 192.168.188.1)
All SSID broadcast enable
Security WPA-PSK
Time settings are up to date
SSID A Vlan 1
SSID B Vlan 10
SSID C Vlan 20
Zyxel config
Static IP 192.168.188.3
Subnet 255.255.255.0
Gateway 192.168.188.1
Port 1 EAP225 / Port 5 Router
Port 1-5 PVID 1
Vlan 1 Port 1-5 untagged (default)
Vlan 10 Port 1 tagged + Port 5 untagged
Vlan 20 Port 1 tagged + Port 5 untagged
Router
Static IP 192.168.188.1
Subnet 255.255.255.0
DHCP on
Have someone an idea or some troubleshootings ?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@Jay86 can you fix it? I have the same problem
Jay86 wrote
Hi there,
I have Problems with the Vlan tag from the EAP225-Outdoor.
I run a EAP110-Outdoor with 3 multi SSIDs an 3 VLAN tags and a Zyxel GS1200-5 mgmt switch. Now i want use the EAP225 instead the EAP110, but all wlan ssid with vlan tag enable don't get to the network, only the default one.
EAP config by web interface (i use the same config for EAP110 and EAP225)
This config work fine with the EAP110
Static IP 192.168.188.254
Subnet 255.255.255.0
Gateway 192.168.188.254 (also tried 192.168.188.1)
All SSID broadcast enable
Security WPA-PSK
Time settings are up to date
SSID A Vlan 1
SSID B Vlan 10
SSID C Vlan 20
Zyxel config
Static IP 192.168.188.3
Subnet 255.255.255.0
Gateway 192.168.188.1
Port 1 EAP225 / Port 5 Router
Port 1-5 PVID 1
Vlan 1 Port 1-5 untagged (default)
Vlan 10 Port 1 tagged + Port 5 untagged
Vlan 20 Port 1 tagged + Port 5 untagged
Router
Static IP 192.168.188.1
Subnet 255.255.255.0
DHCP on
Have someone an idea or some troubleshootings ?
- Copy Link
- Report Inappropriate Content
@Jay86, firmware version 1.6 for EAP225-Outdoor did fix a bug with VLAN leaks.
The correct way to use VLAN-mapped SSIDs is to terminate the VLAN in the router, not in the switch (except on L3-capable switches).
This means you have to create three subnets in your router, one for each SSID. Port 1 (the one the EAP is connected to) of your switch must be a tagged member in all three VLANs (1, 10, 20). If you don't use a Management VLAN for the EAP itself, it needs to be tagged, too.
From your description we can see that you use an asymmetric VLAN setup to share the same subnet among the three VLANs (e.g. traffic from clients in SSID C to the router uses tagged frames in VLAN 20, but traffic from the router to clients in SSID C uses untagged frames in VLAN 1). Asymmetric VLANs can't work with VLAN-mapped SSIDs. The router (or the L3 switch) must send traffic tagged with VLAN 20 in order to reach SSID C.
This is a correct setup for a VLAN-mapped Multi-SSID network (P3 is tagged member of all VLANs, P4 is untagged member of VLAN 200 only):
- Copy Link
- Report Inappropriate Content
Thanks for your reply,
The EAP225-Outdoor is up to date with:
1.7.0 Build 20200113 Rel. 35383(4555)
EDIT:
Ok sorry,
I don´t now why but it works for a short time. Now the problem is still there
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
My FritzBox don’t support subnetting. It still works on the EAP110-Outdoor with this configuration. (Expect 5Ghz)
I just use UPC*** 5GHz with VLan Tag at this moment i need the other WLan
EDIT: and i can connect to the web interface on the EAP225 any time without problems with Vlan Tag
Port 01 = EAP225 or EAP110 / Port 05 = Gateway/DHCP Server
- Copy Link
- Report Inappropriate Content
@Jay86, good if it works for you.
Indeed, Fritzbox knows subnetting internally, but they hide it under »Guest Network« and »Network Settings« in the web UI. It allows for two subnets which have subnet IP 192.168.178.0 and subnet IP 192.168.179.0 by default (or a user defined network IP X.X.Y.0 and X.X.Z.0, where Z = Y+1). Thus, you can create two subnets at least. With a business-class switch you can assign them two different VLANs.
It's a pitty that FB can't do VLANs itself (AVM told me two years ago in a letter that VLANs are a »too sophisticated technique«). So I decided to use an UBNT EdgeRouter which runs an open (accessible) Linux system and to use the Fritzbox only as a cable modem, as a phone router and to heat my machine room in winter.
Guest network can be mapped to port 4, WLAN can be disabled:
Two subnet IPs can be chosen, where second subnet IP is always the value of first subnet's last network octet +1:
- Copy Link
- Report Inappropriate Content
The Network work fine befor, i dont buy a new switch to assign the IPs to the VLAN and i need 3 VLAN IDs not just 2. It is just a little private network for 3 parties living in a household and i want use the VLAN for privecy. Thank you for trying to help but that is not a solutions for me. If there is no other possibility, its better for me to use the EAP110 again an sell the EAP225. Sad about 5GHz WLan.
- Copy Link
- Report Inappropriate Content
@Jay86, yes, the EAP110-Outdoor still has this VLAN bug. But that means you don't have privacy (no true VLAN isolation, package leaks). Just do a network scan to see what I mean. What's more, TP-Link might probably fix this bug in a future EAP110-Outdoor firmware, too.
It's not possible to use asymmetric VLANs unless you rely on a bug like this or unless you can assign a single SSID to more than one VLAN (and I know of no AP which lets you do that).
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3072
Replies: 8
Voters 0
No one has voted for it yet.