Specific VLAN Blocking Intra- and Inter-VLAN pings (but otherwise everything seems to function)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-01-07 16:36:49 - last edited 2024-01-10 06:10:38
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.3 Build 20231201 Rel.32918

For some reason I am unable to ping my specific IOT VLAN either from outside this VLAN or even from within it. ***NONE OF MY WLANs ARE CONFIGURED AS GUEST NETWORKS***


Below is my complete network setup (using a lot of guides from amazing contributors like u/deathsmetal on reddit) when I discovered this idiosyncrasy. I have gone so far as to completely disable all ACLs and disable my mDNS service entirely in order to troubleshoot, but nothing seems to work. What I also find odd is that it appears that all of my iot devices are able to talk to each other through the Google Home app that I am using so, beyond the inability to ping, everything else appears on the surface to be working.


With my ACLs all enabled, my situation is:

  • Ping from secure to:

    • secure success

    • iot __fail__ <<< why is this being blocked?

    • guest success

    • camera success

  • Ping from iot to:

    • iot __fail__ <<< why can't I ping from within the VLAN?

    • secure fail

    • guest

    • camera success

  • Ping from guest to:

    • guest success <<< I expect this because this is not actually currently set up as a guest network

    • secure fail

    • iot __fail__ <<< why is this being blocked when none of my ACLs currently block iot from guest

    • camera fail


Here's my attempt at a table mapping this out below. It's the 'to iot' column, specifically, that has me confused. I cannot ping to iot from ANY of my VLANs, even the iot VLAN itself. I am expecting that the only angry should be in the from guest to iot cell, but the rest of the cells in that column should be yes based on my current ACLs.


              to secure   to guest   to iot   to camera
from secure   yes         yes        angry    yes
from guest    angry       yes        angry    angry
from iot      angry       angry      angry    yes
from camera   angry       angry      angry    yes


In the end - all that I can determine is there must be something specific to this VLAN/WLAN setup that is preventing pings from within or without the network, but for the life of me I cannot figure it out. Appreciate in advance any help that can be offered.


-------------------------------------------------------


Architecture:

  • ER605 v2 | FW: 2.2.3 Build 20231201 Rel.32918

    • TL-SG2210MP v4.2 | FW: 4.20.0 Build 20230818 Rel.72032

      • OC200 v2 | SDN: 5.12.9 | FW: 2.11.3 Build 20230906 Rel.36272

      • 2x: EAP670 v1.0 | FW: 1.0.12 Build 20230922 Rel. 53972

      • 2x: EAP655-Wall v1.0 | FW: 1.2.4 Build 20231208 Rel. 73353

    • TL-SG1024DE v6 | FW: 1.0.0 Build 20220825 Rel.69073


Configuration:

  • VLANs (each has an associated WLAN)

    • 100 - secure

      • IGMP snooping enabled

      • WLAN Multicast Filtering enabled (mDNS)

    • 110 - guest (not actually set up as a guest network right now)

      • IGMP snooping enabled

      • WLAN Multicast Filtering enabled (mDNS)

    • 120 - iot

      • IGMP snooping enabled

      • WLAN Multicast Filtering enabled (mDNS)

    • 140 - camera

  • ACLs

    • Gateway ACLs (in order)

      • Allow | All Protocols | Source: secure | Dest: guest, iot, camera

      • Deny | All Protocols | Source: iot | Dest: secure, guest

      • Deny | All Protocols | Source: guest | Dest: secure, camera

      • Allow | All Protocols | Source: iot | Dest: camera

      • Allow | All Protocols | Source: camera | Dest: iot

    • Switch and EAP ACLs: none

  • Profiles

    • Bonjour

      • Added _googlecast._tcp.local

  • Services

    • mDNS

      • Gateway | All Services | Service network: iot | Client network: secure, guest, iot

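The gateway ACL list above, evaluated first-match and diffed against the poster's ping table (an added example, not code from the original post or from TP-Link). It assumes top-down evaluation where the first matching rule wins, an implicit permit for traffic that matches no rule, and that intra-VLAN traffic is switched at layer 2 and never reaches the gateway ACL.

```python
# Added example (not from the original post): first-match evaluation of the
# gateway ACLs listed above, predicting which from/to VLAN pairs the gateway
# permits and comparing that with the ping results the poster observed.
# Assumptions: rules match top-down, first match wins, and traffic matching
# no rule is permitted (the default the poster relies on when expecting
# guest -> iot to succeed). Intra-VLAN traffic is switched at layer 2 and
# never reaches the gateway ACL, so it is always reported as permitted.

VLANS = ["secure", "guest", "iot", "camera"]

# (action, source network, destination networks), in the configured order
GATEWAY_ACLS = [
    ("allow", "secure", {"guest", "iot", "camera"}),
    ("deny",  "iot",    {"secure", "guest"}),
    ("deny",  "guest",  {"secure", "camera"}),
    ("allow", "iot",    {"camera"}),
    ("allow", "camera", {"iot"}),
]

def gateway_permits(src, dst, acls=GATEWAY_ACLS, default="allow"):
    """True if the first matching rule (or the default) permits src -> dst."""
    if src == dst:
        return True  # same VLAN: the gateway ACL is never consulted
    for action, rule_src, rule_dsts in acls:
        if rule_src == src and dst in rule_dsts:
            return action == "allow"
    return default == "allow"

def expected_matrix(vlans=VLANS):
    return {s: {d: gateway_permits(s, d) for d in vlans} for s in vlans}

# Constructed from the poster's table: True = "yes", False = "angry"
OBSERVED = {
    "secure": {"secure": True,  "guest": True,  "iot": False, "camera": True},
    "guest":  {"secure": False, "guest": True,  "iot": False, "camera": False},
    "iot":    {"secure": False, "guest": False, "iot": False, "camera": True},
    "camera": {"secure": False, "guest": False, "iot": False, "camera": True},
}

def unexplained(observed=OBSERVED):
    """Pairs the ACLs permit but whose ping failed: look beyond the ACLs."""
    exp = expected_matrix()
    return sorted((s, d) for s in observed for d in observed[s]
                  if exp[s][d] and not observed[s][d])

if __name__ == "__main__":
    for pair in unexplained():
        print("permitted by the ACLs but ping failed:", pair)
```

Every failing cell in the "to iot" column comes back as unexplained by the ACLs, which matches the poster's observation; the check also lists the camera row, which the ACLs as written do not block either, so the cause has to be outside the ACL configuration.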
2 Accepted Solutions
Re:Specific VLAN Blocking Intra- and Inter-VLAN pings (but otherwise everything seems to function)-Solution
2024-01-08 02:08:36 - last edited 2024-01-10 06:10:14

Hi @tpnonymous88 

Thanks for posting in our business forum.

One simple question, have you taken this idea that your IoT may not support ICMP into consideration?

If everything works except for the IoT, isn't it that your IoT devices are the reason why?

Best Regards!
Re:Specific VLAN Blocking Intra- and Inter-VLAN pings (but otherwise everything seems to function)-Solution
2024-01-08 15:15:15 - last edited 2024-01-10 06:10:14

  @Clive_A 

Ugh - solved this and as expected it was me incorrectly setting something up specific to that iot VLAN. It was a subtle typo in the Gateway/Subnet definition.

I meant to define this as: 192.168.120.1/24

but it was defined incorrectly as: 198.168.120.1/24

the error being the first octet defined as 198 instead of 192.

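A configuration check that would have caught the typo described above (an added example, not from the original post or from TP-Link's software). It assumes an addressing plan of VLAN N on 192.168.N.0/24 and that every LAN gateway is a private-use address; the VLAN definitions in the block are constructed to reproduce the mistake.

```python
# Added example (not from the original post): a sanity check for the VLAN
# gateway/subnet definitions that flags the typo found in the thread.
# Assumptions: the addressing plan puts VLAN N on 192.168.N.0/24, and every
# LAN gateway must be a private-use address. The definitions below are
# constructed to reproduce the mistake (VLAN 120 typed as 198.168.120.1/24).
import ipaddress

VLAN_DEFS = {  # VLAN id -> gateway/prefix as entered in the controller
    100: "192.168.100.1/24",
    110: "192.168.110.1/24",
    120: "198.168.120.1/24",   # the typo: first octet 198 instead of 192
    140: "192.168.140.1/24",
}

def check_vlan(vlan_id, gateway_cidr):
    """Return a list of problems with one VLAN's gateway/subnet definition."""
    problems = []
    iface = ipaddress.ip_interface(gateway_cidr)
    if not iface.ip.is_private:
        problems.append(f"gateway {iface.ip} is not private-use address space")
    expected = ipaddress.ip_network(f"192.168.{vlan_id}.0/24")
    if iface.network != expected:
        problems.append(f"subnet {iface.network} does not match plan {expected}")
    return problems

def check_plan(vlan_defs=VLAN_DEFS):
    """Check every VLAN and that no two subnets overlap; returns {vlan: problems}."""
    report = {v: check_vlan(v, cidr) for v, cidr in vlan_defs.items()}
    nets = {v: ipaddress.ip_interface(c).network for v, c in vlan_defs.items()}
    for a in nets:
        for b in nets:
            if a < b and nets[a].overlaps(nets[b]):
                report[a].append(f"overlaps VLAN {b} ({nets[b]})")
    return {v: p for v, p in report.items() if p}

if __name__ == "__main__":
    for vlan, problems in check_plan().items():
        for p in problems:
            print(f"VLAN {vlan}: {p}")
```

Only VLAN 120 is reported, on both counts: 198.168.120.0/24 is not private-use space and it does not match the plan for VLAN 120.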