EAP670 multiple SSID issue
I have two VLANs configured on my EAP670:
VLAN1 (SSID1): 192.168.1.x/24
VLAN3 (SSID3): 192.168.3.x/24
Both SSIDs are 5 GHz. The router is configured to allow traffic to pass from VLAN1 to VLAN3 but not in the other direction.
I have two clients connected; both are Linux PCs (Ubuntu 20.04.4) and both have Intel AX200 Wi-Fi adapters. When they are each connected to the same SSID/VLAN, connectivity works as expected. When they are connected to the differing SSIDs, connectivity is broken between the two for anything beyond a simple network ping, i.e., the client on VLAN1 can ping the client on VLAN3, but if I attempt to open a connection which requires high throughput (such as remote desktop), the connection fails. I also see kernel debug messages from the Intel Wi-Fi driver on the client connected to VLAN3.
This problem did not happen with the WAP the EAP670 just replaced.
What could be the cause?
Hi there,
Thank you for coming to our community for help!
This thread is about the issue with TCP connections (such as Remote Desktop) between VLANs on the same EAP650/EAP670/EAP653 v1. If you suffer from the same issue as described below (thank you @Endpoint7024 for the detailed information), please follow this post for a solution. Thanks for your cooperation and patience. See you on the community soon!
Endpoint7024 wrote
I have two VLANs configured on my EAP670:
VLAN1 (SSID1): 192.168.1.x/24
VLAN3 (SSID3): 192.168.3.x/24
Both SSIDs are 5 GHz. The router is configured to allow traffic to pass from VLAN1 to VLAN3 but not in the other direction.
I have two clients connected; both are Linux PCs (Ubuntu 20.04.4) and both have Intel AX200 Wi-Fi adapters. When they are each connected to the same SSID/VLAN, connectivity works as expected. When they are connected to the differing SSIDs, connectivity is broken between the two for anything beyond a simple network ping, i.e., the client on VLAN1 can ping the client on VLAN3, but if I attempt to open a connection which requires high throughput (such as remote desktop), the connection fails. I also see kernel debug messages from the Intel Wi-Fi driver on the client connected to VLAN3.
@Endpoint7024 It's weird. But this may be the same issue as here with EAP650.
https://community.tp-link.com/en/business/forum/topic/559240
@jrypacek Thanks for sharing. I would say that I'm seeing the exact same problem as shown in the other thread.
I hope someone at TP-Link can prioritize a firmware fix for this.
Hey
One thing jumps out at me in what you said..
The router is configured to allow traffic to pass from VLAN1 to VLAN3 but not in the other direction.
As traffic flow requires two-way chatter (SYN, SYN-ACK, ACK packets), blocking one VLAN from accessing the other will virtually kill both communications; you may get ping as it's UDP, but in my experience that's even questionable. Have you specific port exceptions for the traffic you require? Did you try removing the restrictions to test this?
I had the same idea, but when you look at the link I posted you will see that some EAP models have a very weird and significant bug. I also found two issues on the EAP610. I hope they will be able to fix it soon, as I'm getting disappointed.
@nutzich I'm not using any Omada-specific HW. The EAP670 is connected to a Netgear GS108PEv3 managed switch. The switch port it's connected to is configured for 802.1Q VLAN tagging as I described in my first post, but I really don't think that has anything to do with this. As I said, I can reconnect the older WAP I was using and the problem goes away.
Based on information in the other thread it appears the EAP660's firmware is newer and fixes the problem. I hope the EAP670 can be updated soon or else I will need to find another solution.
Hi,
I just wanted to know the type of router because, for example, the TL-R605 router behaves the way @Philbert said. The TL-R605 router cannot handle unidirectional ACLs the way people would wish, because it does not know a state such as established or related.
So i would agree with you, that it might be related to the firmware of the AP.
The only thing that could possibly be tested to isolate the problem a bit more would be to use different SSIDs but, for the test, only one VLAN.
The EAP225 had a similar problem (unfortunately I can no longer describe it exactly) a few years ago even without using vlan. This was then fixed with a firmware update.
The router is a Raspberry Pi 4B running OpenWRT. It is configured as follows:
"lan" is VLAN1 (192.168.1.x)
"iot" is VLAN3 (192.168.3.x)
"lan" devices are permitted to initiate connections to "iot" devices. "iot" devices are not permitted to initiate connections to "lan" devices. It's like a one way street.
The RPi's Ethernet port is configured (via OpenWRT) for 802.1Q VLAN tagging. Works great with the Netgear managed switch.
There is an additional VLAN, "NoInternet", which is not routed to the EAP670.
I've had this exact setup working for over a year without issues.
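The two earlier replies argue that a one-way rule must break TCP because the SYN-ACK travels in the "forbidden" direction, and the OpenWRT description above is of a zone firewall where that is not the case. The following is an added illustration, not code from this thread, from OpenWRT or from TP-Link: a small Python model of a stateless unidirectional ACL beside a stateful zone policy with a conntrack-style table, run over a constructed TCP three-way handshake between a host on "lan" (192.168.1.10) and a host on "iot" (192.168.3.10). The addresses, ports and packets are made up for the example. It does not model the EAP670 itself, which the thread treats as a separate AP-side problem.

```python
from dataclasses import dataclass

LAN_HOST = "192.168.1.10"  # constructed: a client on VLAN1 ("lan")
IOT_HOST = "192.168.3.10"  # constructed: a client on VLAN3 ("iot")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def zone_of(ip: str) -> str:
    """Map an address to a firewall zone, mirroring the poster's two VLANs."""
    if ip.startswith("192.168.1."):
        return "lan"
    if ip.startswith("192.168.3."):
        return "iot"
    return "other"


# Forwarding policy as the poster describes it: lan may initiate connections
# to iot; iot may not initiate connections to lan.
FORWARD = {("lan", "iot"): True, ("iot", "lan"): False}


def policy_allows(pkt: Packet) -> bool:
    return FORWARD.get((zone_of(pkt.src), zone_of(pkt.dst)), False)


class StatelessACL:
    """Judges every packet on its own source/destination zones only
    (the behaviour attributed to a router with no established/related state)."""

    def forward(self, pkt: Packet) -> bool:
        return policy_allows(pkt)


class StatefulFirewall:
    """Zone policy plus a conntrack-style table: any packet belonging to a
    flow that was accepted earlier passes in either direction
    (ESTABLISHED/RELATED), so only the first SYN is subject to the policy."""

    def __init__(self) -> None:
        self.conntrack = set()

    def forward(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return True
        new_connection = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if new_connection and policy_allows(pkt):
            self.conntrack.add(flow)
            return True
        return False


def tcp_handshake(fw, client: str, server: str, dport: int = 3389, sport: int = 40000):
    """Push SYN, SYN-ACK, ACK through fw in order.

    Returns (completed, trace), where trace lists (flags, allowed) for each
    packet up to and including the first one the firewall drops."""
    packets = [
        Packet(client, server, sport, dport, frozenset({"SYN"})),
        Packet(server, client, dport, sport, frozenset({"SYN", "ACK"})),
        Packet(client, server, sport, dport, frozenset({"ACK"})),
    ]
    trace = []
    for pkt in packets:
        allowed = fw.forward(pkt)
        trace.append(("+".join(sorted(pkt.flags)), allowed))
        if not allowed:
            return False, trace
    return True, trace


if __name__ == "__main__":
    cases = (("stateless ACL", StatelessACL), ("stateful zone firewall", StatefulFirewall))
    for name, fw_cls in cases:
        for client, server in ((LAN_HOST, IOT_HOST), (IOT_HOST, LAN_HOST)):
            done, trace = tcp_handshake(fw_cls(), client, server)
            verdict = "completed" if done else "failed"
            print(f"{name}: {zone_of(client)} -> {zone_of(server)}: {verdict} {trace}")
```

With the stateless ACL the lan-initiated handshake dies at the SYN-ACK, exactly as the earlier reply predicts; with the stateful policy the lan-initiated handshake completes and only an iot-initiated SYN is refused, which is the one-way street the OpenWRT post describes. That is why relaxing the firewall rules did not change the wireless symptom here.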
As an experiment I just temporarily changed the firewall rules to allow "iot" VLAN traffic to flow to the main "lan" zone:
I verified this is now working using devices which are hard wired to the switch. As expected, it doesn't make any difference with respect to the EAP670. It's still basically impossible for devices on the two VLANs to talk to each other if they're each connected to the EAP670.