No traffic between LANs
No traffic between LANs
I'm stuck with configuring a network and even youtube and the manuals don't bring me any further.
Setup:
1x ER7206
1x OC300
1x TL-SX3016F
13x TL-SG2210MP
1x EAP115 (just temporary)
This setup is to be used for the following: Camera's, Access Control, several building related systems like alarms, building management systems, lights etc.
I have set up te following wired networks:
- "Lan" 192.168.0.x (for the network devices)
- "Access control" 192.168.51.x (for access controls)
- "Camera" 192.168.52.x (for camera)
- "building" 192.168.53.x (for several things)
- "Lights" 192.168.54.x (for the lights)
Some devices/servers have to talk to each other and the Building manager needs to access all networks form his computer, preferably without switching.
I was under the impression i would have to use Switch ACL to block access to some parts of the network but "out of the box" everything is blocked. I tried to use SWITCH ACL to permit connection between the several networks but that doesn't work either. I can't even ping outside of the subnet. How do I get this working?
(first time using omada normally i would have used unifiy but due to availability and cost TP-link was chosen)
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I assume you have a working WAN port and that you have your top level switch connected to port 5 (rightmost ethernet port) of the 7206.
I assume you have created the 5 LAN subnets as defined below...did you assign them VLANs or leave them all at VLAN1?
Have you created switch port profiles yet?
If you connect your laptop to the top level switch, what IP address is assigned (ie which LAN subnet is assigned by DHCP)?
Honestly, I'd be tempted to 'Forget' your 7206 and re-adopt it as this just sounds like it's a bit confused and see where you are at (especially if you adopted it before defining all your networks in the OC300)
- Copy Link
- Report Inappropriate Content
@d0ugmac1 yes. Wan is working the SFP wan. The fiber switch is connected to port 5 on the 7206. All subnets have a vlan ID (1, 51, 52 etc).
All ports are on the port profile "all". Mainly because we are still installing loads of equipment. And we don't know exactly which device will end up on which port yet.
Only the "LAN" has dhcp the rest doesn't need dhcp or we don't want dhcp on it. An ip adress is assigned out of the specified 192.168.0.x range I set. If I connect to 192.168.0.x everything in that subnet is working. If I set a manual op adres in for example 192.168.52.* I can ping that subnet and the server in it.
I made switch ACL rules permitting everything in every direction but I still can't ping from 192.168.0.* to 192.168.52.* or vise versa. Everything has been rebooted, forced provisioned etc.
- Copy Link
- Report Inappropriate Content
Ok, I think it's as simple as the port profile ALL only accepts untagged traffic on 192.168.0.X/24. YOu can see this if you go to Controller->Wired Networks->LAN->Profile then click the 'eye' for the ALL line. Essentially every switch port you have right now is only working on 192.168.0.0/24.
To verify:
You will see that the Native network is LAN (in my case that's the 192.168.0.0/24 subnet) for the ALL profile
You will now want to make sure that the other 4 subnets you defined, ie the .50's, are listed in the Untagged Networks line in the All profile if you want devices on those subnets to interact with each other (multi-netted)
Down the road you can create profiles like Camera, which would use the Camera subnet as it's native network instead of LAN...then devices connected to that port and belonging to the correct .50's subnet don't have to have tags and will switched back to router with the appropriate 'Camera' tag where they can then interact with other subnets, if so permitted.
Clear as mud?
- Copy Link
- Report Inappropriate Content
@d0ugmac1 The other subnets are in the tagged field. I cannot change it, seems you should be able to change it but when I move them from the tagged to the untagged field it doesn't retain the changes.
- edit -
Apparently the ALL port profile cannot be changed. I created a new profile called "All untagged" and put every network in the untagged field. I assigned every port this profile (which is quite cumbersome because you have to do it by device... but I still cannot ping for example 192.168.52.200 (a server) from 192.168.0.88 (my laptop). If I change my laptops IP to 192.168.52.200 no problem.
- Copy Link
- Report Inappropriate Content
Ok, let's have a look at what your 7206 thinks it's routing table is, so can you go here in the Insight section (light bulb) of the controller
and post the Results of both the Gateway and Switch tables? You should XX out your public IP for safety before posting.
- Copy Link
- Report Inappropriate Content
And the switch table
- Copy Link
- Report Inappropriate Content
OK, your Gateway setup looks identical to mine (I have 4 extra subnets for different SSIDs configured, much the same as your .50's) and the Gateway table matches.
Your switch table on the other hand is very confusing! I have a couple of sites, one with only a single local subnet and the above (5 local subnets). In both of my cases my Switch table looks like this:
Basically Switch to 0.0.0.0 is via the Router, and Switch to any other management VLAN IP goes via the switch (ie stays local). Presumably you have a lot more switches in your setup, and your expanded table is mapping any 192.168.0.0/24 IP's to the local IP of that switch. What's weird is that NONE of your switches have the 0.0.0.0 DESTINATION defined...which of those switches is actually physically attached to a Router LAN port?
For what it's worth, here's the corresponding table excerpt from the Gateway of the system for which I show the Switch table above, you'll see the 5 defined subnets.
- Copy Link
- Report Inappropriate Content
So for fun and giggles...I happened to have a spare switch kicking around and I just plugged it in below the main switch I'd shown above, and lo two new Switch routing entries were added:
So you definitely have something funky in your WAN/LAN setup on your controller.
- Copy Link
- Report Inappropriate Content
And if it helps, please check your subnet settings. I have shown the LAN setup I have, but it's the same thing for the other 4 subnets. You must make sure that your subnets get tagged to the router port feed downstream switches. For instance if you have a .51 devices plugged into switch B which plugs into switch A which plugs into LAN2 on the router, then your .51 subnet needs to have LAN2 ticked. If you don't tick 'auto gateway' make sure you know what your doing!
My management VLAN:
- Copy Link
- Report Inappropriate Content
I have every setting exactly the same... doesn't work... I'm getting really really frustrated with Omada.
I can hear you think "you have an ACL active" that is correct. It is this one (bidirectional so two) :
When I delete this ACL it doesn't work either.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1126
Replies: 12
Voters 0
No one has voted for it yet.