Issue with R605 router connected to Easy Smart Switches
Issue with R605 router connected to Easy Smart Switches
There are 3 ISPs connecting to 3 WAN ports of a multi-wan router (previously it was R470T+ v4, now R605).
The 2 remaining ports of this router act as LAN ports and are connected to 2 easy smart switches (SG1024DE v4) that are configured with MTU VLAN.
The switches provide wired connection to flats of the building, 1 LAN port per flat. I need the LAN ports to be isolated from each other but getting internet from the R605.
We needed easy smart switches configured with MTU VLAN to be prepared for any router-on-a-stick situation because in the flats people can connect their devices either directly wired or using their own wifi router which may accidentally be configured as DHCP server which would act as rogue server in an unmanaged local network.
(The uplink port on the switches is port1, but that's irrelevant.)
When I replaced the R470T+ with the new R605, first I realized that its setup page deals with VLAN configuration differently from R470T+, so I just let it on default setup without creating different VLANs for the R605's LAN ports. I think all ports are on the default VLAN1 now. But I thought it doesn't really matter because the switches must isolate their LAN ports anyway. If I created different VLANs for the router's LAN ports, the only benefit would be isolating traffic between the two switches, right?
What happened was suddenly a router (TP-Link WR740N, connected to one switch port) started to act as rogue DHCP server, trying to give IP for other devices connected to other switch ports.
Note that there are several routers in router mode (DHCP on) connected to the switches and none of them caused this issue, none of them appeared as rogue server.
It didn't matter if I connected that rogue router to a different switch port or to the other switch, it kept acting as rogue server.
I find it odd.
One detail that might matter: the rogue router has the same IP range (192.168.10.x) as one of the ISP's router connected to the first WAN port, that is a (remotely controlled by the ISP) Ubiquity device that I don't have access to modify anything in it.
Is it possible that there is a flow, a bug on R605 that causes this mysterious issue?
The R605's LAN is set to a different IP range (192.168.6.x).
Do I have to setup the LAN ports on R605 with VLANs different from the default VLAN1 to avoid this issue? And if so, what would be that setup (in standalone mode)?
There are only instructions for router connected to L3 switches, creating different IP pools etc... that is not our case.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Although I haven't got any more help by the dear developers, I managed to do it by my own. And demonstrated it in a new thread.
Here is the solution.
- Copy Link
- Report Inappropriate Content
Dear @Arion,
Arion wrote
When I replaced the R470T+ with the new R605, first I realized that its setup page deals with VLAN configuration differently from R470T+, so I just let it on default setup without creating different VLANs for the R605's LAN ports. I think all ports are on the default VLAN1 now. But I thought it doesn't really matter because the switches must isolate their LAN ports anyway. If I created different VLANs for the router's LAN ports, the only benefit would be isolating traffic between the two switches, right?
Compared with R470T+(or other non-Omada gateways), the current R605 (and ER7206) doesn't support Layer2 VLAN, devices can only obtain IP addresses from R605 on the default VLAN1 when it's working in Standalone mode.
So, just leave the default setup without creating different VLANs for the LAN ports on the R605, otherwise, devices not in VLAN1 may be unable to obtain IP addresses and access the Internet.
If you want to create different VLANs and assign different IP subnets for the LAN ports on the R605, please use Omada Controller to manage and configure the R605, with which you can create VLAN interfaces and configure the IP subnets accordingly.
Update:
New firmware will be released on R605 by the end of May 2021. After upgrading the R605, you will be able to create different VLANs and assign different IP subnets for the LAN ports on the R605 in Standalone mode (without using Omada Controller).
Please pay attention to the TP-Link official website for the new firmware update:
https://www.tp-link.com/en/support/download/er605/#Firmware
One detail that might matter: the rogue router has the same IP range (192.168.10.x) as one of the ISP's router connected to the first WAN port, that is a (remotely controlled by the ISP) Ubiquity device that I don't have access to modify anything in it.
Is it possible that there is a flow, a bug on R605 that causes this mysterious issue?
The R605's LAN is set to a different IP range (192.168.6.x).
From the behavior, it seems that the WR740N is connected to the front SG1024DE switch via LAN port instead of via WAN port.
Could you please check the physical connection between them?
It should be okay if the front switch is connected to the WAN port of the WR740N router.
- Copy Link
- Report Inappropriate Content
Thanks for your reply.
Actually, I wouldn't mind not having different VLANs on the R605 if the LAN ports on the switches remain isolated from each other. I don't want any communication between the LANs on the switches, only providing internet from the main router, R605.
I'm just worried if that WR740N can hijack the whole network even if I configured the switches to isolate the LAN ports, the whole point of having these easy smart switches (replacing old unmanaged switches recently) was to avoid this issue. I thought it would make the network foolproof and if someone doesn't configure their router in a flat correctly, at worst case they won't have internet but won't interfere with others.
I'm wondering, to avoid this in the future:
Does the MTU VLAN setup on the switches means their uplink port is tagged or untagged?
Should I configure the LAN ports (connecting to the switches) on the R605 tagged or untagged?
If everything is on the default VLAN1 on the R605, does it mean that traffic from any VLAN on the switches gets connected in the R605 as if they weren't on different VLANs there initially?
Would it make any sense doing a work-around, choosing a rare IP range for the DHCP server on the R605, like 192.168.111.x and somehow blocking any communication in other IP pools?
- Copy Link
- Report Inappropriate Content
I just read in another thread here that this R605 really has a serious issue with intervlan traffic always on. And I also read now that ACL won't rule out anything on the LAN of the router, only on the WAN ports. Really???
This is insane! What was the purpose of this router? (Other than being exclusively used in Omada ecosystem.) If its LAN ports will act as an unmanaged switch that connects every end devices regardless what you configured on "managed" switches.
Unfortunately I can't send the product back and ask a refund as the days had passed before I could have this important information about the limitation/deficiency of this router.
Now I guess I'll have to replace it back with the old R470T+ and wait some months or years for a firmware update of the R605.
People need to be informed about this limitation on the product's page!
And it should be helpful to know if the company is planning to solve this issue.
It's also not clear and needs to be answered if I can configure the router with Omada software that is not always on? And whether the necessary rules will cooperate with easy smart switches.
Because if you don't have Omada enabled switches and EAPs, it's really wasteful to buy an OC200 or operate a connected computer 24/7.
- Copy Link
- Report Inappropriate Content
Fae wrote
Update:New firmware will be released on R605 by the end of May 2021. After upgrading the R605, you will be able to create different VLANs and assign different IP subnets for the LAN ports on the R605 in Standalone mode (without using Omada Controller).
Please pay attention to the TP-Link official website for the new firmware update:
Thank you, that's a promising news!
Looking forward to it.
- Copy Link
- Report Inappropriate Content
I came to the router's location to perform the update and now the new firmware isn't there on the site anymore.
It was released on 28 May. What happened? Was it too buggy?
If you have some info, please tell us!
Thanks
- Copy Link
- Report Inappropriate Content
So, I just found in another thread here a beta firmware update shared by @Fae
It seems to be a fix after the initially released and quickly removed firmware update:
https://community.tp-link.com/en/business/forum/topic/266026
This beta firmware can be downloaded directly from this link:
https://static.tp-link.com/beta/2021/202106/20210601/ER605(UN)_V1_1.1.0_20210531.zip
I'll check it out tomorrow whether it solves the vlan issues and will reflect then.
- Copy Link
- Report Inappropriate Content
This beta firmware (1.1.0 Build 20210531 Rel.59047) solved the inter-vlan problem, mostly.
Setting up vlans with different IP subnet is quite easy. (However, it's not in Transmission -> NAT section but in Network -> LAN.)
And I could remove vlan1 for all of the LAN ports. If it matters...
However, there is a mystery:
I was able to reach the gateway address (of the R605 for any of the IP subnets for other vlans) via any LAN port.
Also I was able to reach the address of the switch that is on the other LAN port (with different vlan and subnet).
That is weird. It seems the router still can't isolate communication between the LAN ports, between vlans.
On the other hand, I couldn't reach the EAP's web address from the other LAN ports of the R605.
So, the switches I could, the EAP I couldn't.
No other inter-vlan connection could be found.
My devices connected to the switches don't reach anything on other LAN ports of the switches, fortunately, which is great news and it's definitely an improvement.
The Status section is poor and useless, IMO, comparing to the R470T+.
It shows in System Status the almost real-time graph of the CPU cores that can satisfy some engineers but for most people it's useless, not informative.
I would prefer a graph showing the traffic of each ports, especially the WAN ports. The Traffic Statistics/Interface Statistics does show a momentary status with about 10 seconds delay but it doesn't really show real bandwidth usage and when I run speedtest, it shows much lower rate on this statistics page. Mostly I can see couple of KB/s. First I thought it was a bug and those numbers are packets instead of KB/s.
Then another surprise is when you look at the total RX/TX Bytes, it shows that the load balance function is not following what I intended when I input the bandwidth for each ISP. It ssems the router sends traffic more to the 2nd wan port instead of the 1st. Even if the 1st is set to 10000 up and 80000 down, the 2nd with 1000 up and 1000 down. I had to do it so radical (the reality is the 2nd has half the download speed and 150% the upload of the 1st ISP) and even so it doesn't seem to send the right proportion of traffic.
Why the load balance doesn't work now correctly?
And why the router shows in the Interface Statistics the lines for WAN/LAN2 and WAN/LAN3 that is not existing in this config as I have 2 WAN and 3 LAN ports?
The Network List in LAN section shows the list out of order, as you can see. And I can't change it. Actually it shows the order in which I configured them. To look more organized, I should reconfigure some of them.
Another observation: the IP Statistics shows IP addresses that are different from the subnets I configured and it shows them with either only ingress or only egress traffic. It seems some router-on-a-stick on the switches and their connected devices with manually added IP. But how can I see them on this page?
Is there something to do with IGMP proxy on?
The major problem so far, beside of the intervlan issue is that my 2nd ISP is a 4G modem that sometimes doesn't operate well but it doesn't loose signal, just fails to connect to the internet somehow. So when Load Balance was configured with the 2 WAN connections, it caused issue for devices trying to reach the web because R605 detected incorrectly as if WAN2 was online when it was practically not.
I tried to change the Online Detection function to ping to 8.8.8.8 but no difference.
Then I decided to setup the 2nd WAN only for Link Backup. For some reason, for a while it kept sending me to the 2nd WAN, when Load Balance wasn't already even configured that way.
(I did not reboot the router after each modification. Should I have done it?)
- Copy Link
- Report Inappropriate Content
Dear @Arion,
Arion wrote
However, there is a mystery:
I was able to reach the gateway address (of the R605 for any of the IP subnets for other vlans) via any LAN port.
Also I was able to reach the address of the switch that is on the other LAN port (with different vlan and subnet).
That is weird. It seems the router still can't isolate communication between the LAN ports, between vlans.
On the other hand, I couldn't reach the EAP's web address from the other LAN ports of the R605.
So, the switches I could, the EAP I couldn't.
No other inter-vlan connection could be found.
The devices in different VLANs will be able to communicate with each other since the gateway ER605 supports the VLAN interface now.
If you want to isolate communication between the VLAN networks, please configure LAN-to-LAN ACL on the gateway to achieve it.
Here is a FAQ for your reference: https://www.tp-link.com/support/faq/3061/
For the problem that you cannot reach the EAP's web UI from other LAN, please enable Layer-3 Accessibility as shown below.
- Copy Link
- Report Inappropriate Content
Thank you for that tip about enabling the layer-3 accessibility in EAP.
I still don't really understand the intervlan concept. If I configure each LAN port of the R605 with different VLAN, PVID and IP subnet, how could intervlan be on as if there were no isolation? I can understand that with an ACL rule I can define what to block but I thought it's unnecessary when I used different vlans. Should I setup the LAN ports tagged on the R605 and also tagged on the easy smart switches? I don't know if MTU-VLAN does the uplink port as tagged or trunk port?
Reaching the web UI for both switch is not a problem (it even makes it more convenient for me to check the network) but it's weird that I wasn't able to reach anything else from the other subnets, not even from the same subnet thanks to the easy smart switch in MTU-VLAN mode.
So, about this question I'm not complaining, just curious how is it possible or what did I miss when setting it up.
However I would need someone to clarify other questions mentioned above.
- in IP Statistics why do IP addresses appear in subnets that I didn't define in my configuration? Those are IP addresses of routers (and some of their connected devices) that are plugged into the switches' LAN port. Again, thanks to MTU-VLAN function on the switches these router-on-a-stick routers don't freeze the local network anymore.
But why can I see them in the R605's page? And why just a few and not all of the connected devices?
I had been getting paranoic with these rogue routers, that's why I have chosen IP ranges like 192.168.51.x to avoid any collision.
- other issue is with a not always reliable 4G modem (MR6400 with the great beta firmware), the culprit is probably the mobile ISP but the R605 doesn't help to detect the failing 4G connection.
So therefore the local network became unreliable, some members complained (correctly) that internet was not working for them sometimes. I went to investigate and found out that the 4G connection was weak but not disconnected and the R605 wasn't detecting it as offline and sent traffic to that wan port.
With this fragility I can't keep the 4G modem in the load balance concept. If the R605 was capable to correctly detect the failing connection, it would be a stable configuration.
Is there any good tip for that? (I tried adding google's dns ip to ping but it didn't improve anything.)
- Copy Link
- Report Inappropriate Content
Dear @Arion,
Arion wrote
I still don't really understand the intervlan concept. If I configure each LAN port of the R605 with different VLAN, PVID and IP subnet, how could intervlan be on as if there were no isolation? I can understand that with an ACL rule I can define what to block but I thought it's unnecessary when I used different vlans.
Here is my understanding of the inter-vlan routing, hope it helps:
- Without the inter-vlan routing, devices in different VLANs will be isolated in layer2 communication. This is the situation when you simply configure with different VLANs on the ER605 router.
- With the inter-vlan routing, each VLAN will have its interface in layer3 communication, in other words, there is an entry for each VLAN interface subnet in the routing table so that traffic can be routed among different VLANs. This is the situation when you configure with both different VLANs and IP subnets.
If it's hard to understand, I think you may search it on the Internet for more information, there should be one helpful for you.
Should I setup the LAN ports tagged on the R605 and also tagged on the easy smart switches? I don't know if MTU-VLAN does the uplink port as tagged or trunk port?
Generally speaking, a trunk/tagged port is used to interconnect VLAN-aware devices such as Switches, Routers. In this case, the port should be configured with 802.1Q VLAN, which is a Tag-based VLAN. If the LAN port of the R605 router is tagged, then the uplink port of the connected switch should be tagged as well to allow the tagged traffic to come in and out.
MTU-VLAN is essentially a port-based VLAN, it doesn't tag the uplink port and traffic will always be untagged in this scenario.
There is a network expert who explained the MTU VLAN before, you may check this thread for more details.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3670
Replies: 15
Voters 0
No one has voted for it yet.