Specific VLAN Blocking Intra- and Inter-VLAN pings (but otherwise everything seems to function)
For some reason I am unable to ping my specific IoT VLAN either from outside this VLAN or even from within it. ***NONE OF MY WLANs ARE CONFIGURED AS GUEST NETWORKS***

Below is my complete network setup (using a lot of guides from amazing contributors like u/deathsmetal on reddit) as it was when I discovered this idiosyncrasy. I have gone so far as to completely disable all ACLs and disable my mDNS service entirely in order to troubleshoot, but nothing seems to work. What I also find odd is that all of my IoT devices appear to be able to talk to each other through the Google Home app that I am using, so, beyond the inability to ping, everything else appears on the surface to be working.
With my ACLs all enabled, my situation is:

- Ping from secure to:
  - secure: success
  - iot: __fail__ <<< why is this being blocked?
  - guest: success
  - camera: success
- Ping from iot to:
  - iot: __fail__ <<< why can't I ping from within the VLAN?
  - secure: fail
  - guest:
  - camera: success
- Ping from guest to:
  - guest: success <<< I expect this because this is not actually currently set up as a guest network
  - secure: fail
  - iot: __fail__ <<< why is this being blocked when none of my ACLs currently block iot from guest?
  - camera: fail
Here's my attempt at a table mapping this out below. It's the 'to iot' column, specifically, that has me confused. I cannot ping to iot from ANY of my VLANs, even the iot VLAN itself. I am expecting that the only should be in the from guest to iot cell, but the rest of the cells in that column should be based on my current ACLs.
|             | to secure | to guest | to iot | to camera |
|-------------|-----------|----------|--------|-----------|
| from secure | success   | success  | fail   | success   |
| from guest  | fail      | success  | fail   | fail      |
| from iot    | fail      |          | fail   | success   |
| from camera |           |          |        |           |
In the end, all that I can determine is that there must be something specific to this VLAN/WLAN setup that is preventing pings from within or without the network, but for the life of me I cannot figure it out. I appreciate in advance any help that can be offered.
-------------------------------------------------------
Architecture:

- ER605 v2 | FW: 2.2.3 Build 20231201 Rel.32918
- TL-SG2210MP v4.2 | FW: 4.20.0 Build 20230818 Rel.72032
- OC200 v2 | SDN: 5.12.9 | FW: 2.11.3 Build 20230906 Rel.36272
- 2x: EAP670 v1.0 | FW: 1.0.12 Build 20230922 Rel. 53972
- 2x: EAP655-Wall v1.0 | FW: 1.2.4 Build 20231208 Rel. 73353
- TL-SG1024DE v6 | FW: 1.0.0 Build 20220825 Rel.69073

Configuration:

- VLANs (each has an associated WLAN)
  - 100 - secure
    - IGMP snooping enabled
    - WLAN Multicast Filtering enabled (mDNS)
  - 110 - guest (not actually set up as a guest network right now)
    - IGMP snooping enabled
    - WLAN Multicast Filtering enabled (mDNS)
  - 120 - iot
    - IGMP snooping enabled
    - WLAN Multicast Filtering enabled (mDNS)
  - 140 - camera
- ACLs
  - Gateway ACLs (in order)
    - Allow | All Protocols | Source: secure | Dest: guest, iot, camera
    - Deny | All Protocols | Source: iot | Dest: secure, guest
    - Deny | All Protocols | Source: guest | Dest: secure, camera
    - Allow | All Protocols | Source: iot | Dest: camera
    - Allow | All Protocols | Source: camera | Dest: iot
  - Switch and EAP ACLs: none
- Profiles
  - Bonjour
    - Added _googlecast._tcp.local
- Services
  - mDNS
    - Gateway | All Services | Service network: iot | Client network: secure, guest, iot
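To separate what the ACL list should produce from what the pings actually show, here is an added Python model (not from the original post and not TP-Link code) that evaluates the gateway ACLs above first-match for each VLAN pair and lists every pair where the observed ping result disagrees. It assumes an implicit permit when no rule matches and that same-VLAN traffic never reaches the gateway's inter-VLAN ACLs; the observed results are transcribed from the post, with no camera row because the post gives none.

```python
# Added example: model the post's gateway ACL list (first match wins) and compare
# what it predicts for each VLAN pair with the ping results the post reports.

# Gateway ACLs in the order the post lists them: (action, source, destinations).
GATEWAY_ACLS = [
    ("allow", "secure", {"guest", "iot", "camera"}),
    ("deny",  "iot",    {"secure", "guest"}),
    ("deny",  "guest",  {"secure", "camera"}),
    ("allow", "iot",    {"camera"}),
    ("allow", "camera", {"iot"}),
]

# Ping results as reported in the post ("allow" = success, "deny" = fail);
# None where the post gives no result. The camera row is not in the post.
OBSERVED = {
    ("secure", "secure"): "allow", ("secure", "guest"): "allow",
    ("secure", "iot"): "deny",     ("secure", "camera"): "allow",
    ("iot", "iot"): "deny",        ("iot", "secure"): "deny",
    ("iot", "guest"): None,        ("iot", "camera"): "allow",
    ("guest", "guest"): "allow",   ("guest", "secure"): "deny",
    ("guest", "iot"): "deny",      ("guest", "camera"): "deny",
}

def expected(src, dst, acls=GATEWAY_ACLS, default="allow"):
    """Predict the gateway ACL verdict for src -> dst traffic."""
    # Assumption: traffic that stays inside one VLAN is switched locally and
    # never reaches the gateway, so inter-VLAN ACLs cannot block it.
    if src == dst:
        return "allow"
    for action, source, dests in acls:
        if source == src and dst in dests:
            return action  # first matching rule wins
    return default  # assumption: implicit permit when no rule matches

def mismatches(observed=OBSERVED):
    """Return (src, dst, expected, observed) for every pair the ACLs do not explain."""
    out = []
    for (src, dst), seen in sorted(observed.items()):
        if seen is None:
            continue  # no result reported for this pair
        want = expected(src, dst)
        if want != seen:
            out.append((src, dst, want, seen))
    return out

if __name__ == "__main__":
    for src, dst, want, seen in mismatches():
        print(f"{src:>6} -> {dst:<6} ACLs predict {want}, observed {seen}")
```

Every unexplained pair has iot as the destination, which points at something on the iot VLAN or WLAN itself rather than at the gateway ACL ordering.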