Undefined problem with a TP-Link based network solution

2025-07-20 11:01:35 - last edited 2025-07-23 02:00:32
Model: ER605 (TL-R605)   EAP115-Wall   SG2210P  
Hardware Version: V2
Firmware Version: 2.3.0 Build 20250428 Rel.18967

Greetings to all the experts in this community. I am a newbie so don't be too harsh.

In the following paragraphs I will try to explain the setup, what has been done already and the final situation.

Network Topology

ISP > ER605 > SG2210P > EAP115-Wall (4 pcs.) + some wired hosts here and there

The application is quite simple as one can see. Internet goes into ER605. Then some VLANs are configured and some access control policy is implemented per VLAN. A trunk port (5 for example) is used to connect to SG2210P. From here corresponding ports are designated to VLANs and that's pretty much it. Four EAP115-Wall are connected to 4 ports at the switch for which a PoE profile is configured and implemented accordingly.

ER605 configuration

Model: ER605
Hardware Version: 2.0
Firmware Version: 2.3.0
Build: 20250428
Release: 18967
Serial Number: 22341Q7001870

Network > WAN

WAN Mode: WAN1 (Note: I only have one ISP. The rest of the ports are LAN.)

WAN1 > Connection Configuration > Connection Type: Dynamic IP (Note: It's not under my control. No VLAN is required.)

Network > LAN > LAN tab

Settings > IGMP Proxy Disabled (Note: I don't have IPTV service yet. It will probably be activated in the unknown future.)

Network List

| ID | Name | VLAN | Isolation Status | IP Address | Subnet Mask | Mode | DHCP Server | DHCP Relay | Description | Purpose |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | LAN | 1 | De-isolated | 192.168.1.1 | 255.255.255.248 | Normal | Disable | Disable | Local Area Network | Provide a connection between switch and router. |
| 2 | MGMT | 2 | De-isolated | 172.16.2.1 | 255.255.255.248 | Normal | Disable | Disable | Management Network | Provide access to hosts and network devices for management and maintenance purpose. |
| 3 | HAN | 10 | De-isolated | 172.16.10.1 | 255.255.255.240 | Normal | Enable | Disable | Home Area Network | Provide wire access to hosts (if and where needed). |
| 4 | SRVN | 20 | De-isolated | 172.16.20.1 | 255.255.255.248 | Normal | Disable | Disable | Server Network | Hosts a NAS. |
| 5 | TSTN | 30 | De-isolated | 172.16.30.1 | 255.255.255.240 | Normal | Enable | Disable | Test Network | Experiment and try stupid stuff. |
| 6 | SCN | 40 | De-isolated | 172.16.40.1 | 255.255.255.248 | Normal | Disable | Disable | Security Network | Hosts surveillance devices and NVR. |
| 7 | WLAN | 50 | De-isolated | 172.16.50.1 | 255.255.255.248 | Normal | Disable | Disable | Wireless Local Area Network | Hosts access points. |
| 8 | HAPN | 60 | De-isolated | 172.16.60.1 | 255.255.255.224 | Normal | Enable | Disable | Home Appliances Network | Hosts "intelligent" home appliances. |
| 9 | MDN | 70 | De-isolated | 172.16.70.1 | 255.255.255.224 | Normal | Enable | Disable | Mobile Devices Network | Obvious. |
| 10 | GWN | 80 | De-isolated | 172.16.80.1 | 255.255.255.240 | Normal | Enable | Disable | Guest Wireless Network | Obvious |
| 11 | WSCN | 90 | De-isolated | 172.16.90.1 | 255.255.255.240 | Normal | Enable | Disable | Wireless Security Network | Hosts wireless surveillance devices. |
| 12 | WTSTN | 100 | De-isolated | 172.16.100.1 | 255.255.255.240 | Normal | Enable | Disable | Wireless Test Network | Experiment and try stupid stuff. |

Network > LAN > DHCP Client List tab

There's nothing configured here.

Network > LAN > Address Reservation tab

There's nothing configured here.

Network > LAN > LAN DNS tab

There's nothing configured here.

Network > Virtual WAN

WAN Interface List: There's nothing configured here.

Network > IPTV

Settings: IPTV Disabled

Network > MAC

Default MAC addresses of WAN1 and LAN interfaces. Not changed. Not cloned.

Network > Switch > Mirror tab

Settings: Port Mirror Disabled.

Network > Switch > Port Config tab

| Port | Status | Flow Control | Negotiation Mode |
|---|---|---|---|
| 1 | Enable | Disable | Auto |
| 2 | Disable | Disable | Auto |
| 3 | Disable | Disable | Auto |
| 4 | Disable | Disable | Auto |
| 5 | Enable | Disable | Auto |

Network > Switch > Port Status tab

| Port | Status | Speed [Mbps] | Duplex Mode | Flow Control |
|---|---|---|---|---|
| 1 | Link Up | 1000M | Full-duplex | Disabled |
| 2 | Link Down | --- | --- | --- |
| 3 | Link Down | --- | --- | --- |
| 4 | Link Down | --- | --- | --- |
| 5 | Link Up | 1000M | Full-duplex | Disabled |

Network > VLAN

Network > VLAN tab

| ID | VLAN ID | Name | Ports | Description |
|---|---|---|---|---|
| 1 | 1 | VLAN1 | 5(UNTAG) | LAN |
| 2 | 2 | VLAN2 | 5(TAG) | MGMT |
| 3 | 10 | VLAN10 | 5(TAG) | HAN |
| 4 | 20 | VLAN20 | 5(TAG) | SRVN |
| 5 | 30 | VLAN30 | 5(TAG) | TSTN |
| 6 | 40 | VLAN40 | 5(TAG) | SCN |
| 7 | 50 | VLAN50 | 5(TAG) | WLAN |
| 8 | 60 | VLAN60 | 5(TAG) | HAPN |
| 9 | 70 | VLAN70 | 5(TAG) | MDN |
| 10 | 80 | VLAN80 | 5(TAG) | GWN |
| 11 | 90 | VLAN90 | 5(TAG) | WSCN |
| 12 | 100 | VLAN100 | 5(TAG) | WTSTN |
| 13 | 4094 | VLAN4094 | 1(UNTAG) | WAN |

Network > VLAN > Ports tab

| Port | PVID | VLAN |
|---|---|---|
| 1 | 4094 | 4094(UNTAG) |
| 5 | 1 | 1(UNTAG) 2(TAG) 10(TAG) 20(TAG) 30(TAG) 40(TAG) 50(TAG) 60(TAG) 70(TAG) 80(TAG) 90(TAG) 100(TAG) |

USB > USB Modem

There's nothing configured here.

USB > Storage

There's nothing configured here.

Preferences > IP Group

Preferences > IP Group tab

| ID | Group Name | Address Name | Description |
|---|---|---|---|
| 1 | IPGROUP_ANY | --- | IPGROUP_ANY |
| 2 | IPGROUP_LAN | IP_LAN | IPGROUP_LAN |
| 3 | IPGROUP_MGMT | IP_MGMT | IPGROUP_MGMT |
| 4 | IPGROUP_HAN | IP_HAN | IPGROUP_HAN |
| 5 | IPGROUP_SRVN | IP_SRVN | IPGROUP_SRVN |
| 6 | IPGROUP_TSTN | IP_TSTN | IPGROUP_TSTN |
| 7 | IPGROUP_SCN | IP_SCN | IPGROUP_SCN |
| 8 | IPGROUP_WLAN | IP_WLAN | IPGROUP_WLAN |
| 9 | IPGROUP_MDN | IP_MDN | IPGROUP_MDN |
| 10 | IPGROUP_GWN | IP_GWN | IPGROUP_GWN |
| 11 | IPGROUP_WSCN | IP_WSCN | IPGROUP_WSCN |
| 12 | IPGROUP_WTSTN | IP_WTSTN | IPGROUP_WTSTN |

Preferences > IP Address tab

| ID | Name | IP Address Type | IP Address Range | IP Address/Mask | Description |
|---|---|---|---|---|---|
| 1 | IP_LAN | IP Address/Mask | 192.168.1.0/29, 172.16.2.0/29, 172.16.10.0/28, 172.16.20.0/29, 172.16.30.0/28, 172.16.40.0.0/29, 172.16.50.0/29, 172.16.60.0/27, 172.16.70.0/27, 172.16.80.0/28, 172.16.90.0/28, 172.16.100.0/29 | 192.168.1.0/29, 172.16.2.0/29, 172.16.10.0/28, 172.16.20.0/29, 172.16.30.0/28, 172.16.40.0.0/29, 172.16.50.0/29, 172.16.60.0/27, 172.16.70.0/27, 172.16.80.0/28, 172.16.90.0/28, 172.16.100.0/29 | IP_LAN |
|  | IP_MGMT | IP Address/Mask | 172.16.2.0/29 | 172.16.2.0/29 | IP_MGMT |
| 3 | IP_HAN | IP Address/Mask | 172.16.10.0/28 | 172.16.10.0/28 | IP_HAN |
| 4 | IP_SRVN | IP Address/Mask | 172.16.20.0/29 | 172.16.20.0/29 | IP_SRVN |
| 5 | IP_TSTN | IP Address/Mask | 172.16.30.0/28 | 172.16.30.0/28 | IP_TSTN |
| 6 | IP_SCN | IP Address/Mask | 172.16.40.0/29 | 172.16.40.0/29 | IP_SCN |
| 7 | IP_WLAN | IP Address/Mask | 172.16.50.0/29 | 172.16.50.0/29 | IP_WLAN |
| 8 | IP_HAPN | IP Address/Mask | 172.16.60.0/27 | 172.16.60.0/27 | IP_HAPN |
| 9 | IP_MDN | IP Address/Mask | 172.16.70.0/27 | 172.16.70.0/27 | IP_MDN |
| 10 | IP_GWN | IP Address/Mask | 172.16.80.0/28 | 172.16.80.0/28 | IP_GWN |
| 11 | IP_WSCN | IP Address/Mask | 172.16.90.0/28 | 172.16.90.0/28 | IP_WSCN |
| 12 | IP_WTSTN | IP Address/Mask | 172.16.100.0/28 | 172.16.100.0/28 | IP_WTSTN |

Preferences > Time Range > Time Range List

There's nothing configured here.

Preferences > VPN IP Pool > VPN IP Pool List

There's nothing configured here.

Preferences > Service Type > Service Type List

Default service types as defined from factory. Nothing additional. Nothing special.

Preferences > Location Group

There's nothing configured here.

Preferences > Domain Group

There's nothing configured here.

Transmission > NAT

Transmission > NAT > One-to-One NAT tab

There's nothing configured here.

Transmission > NAT > Virtual Servers tab

There's nothing configured here.

Transmission > NAT > Port Triggering

There's nothing configured here.

Transmission > NAT > NAT-DMZ

There's nothing configured here.

Transmission > NAT > ALG

There's nothing configured here.

Transmission > Disable NAT

There's nothing configured here.

Transmission > Bandwidth Control

There's nothing configured here.

Transmission > Quality of Services

There's nothing configured here.

Transmission > Session Limit

There's nothing configured here.

Transmission > Load Balancing

There's nothing configured here.

Transmission > Routing

Transmission > Routing > Static Route tab

There's nothing configured here.

Transmission > Routing > Policy Routing tab

There's nothing configured here.

Transmission > Routing > Routing Table tab

| ID | Destination IP | Subnet Mask | Next Hop | Interface | Metric |
|---|---|---|---|---|---|
| 1 | 0.0.0.0 | 0.0.0.0 | 192.168.100.1 | WAN1 | 0 |
| 2 | 172.16.2.0 | 255.255.255.248 | 0.0.0.0 | MGMT | 0 |
| 3 | 172.16.10.0 | 255.255.255.240 | 0.0.0.0 | HAN | 0 |
| 4 | 172.16.20.0 | 255.255.255.248 | 0.0.0.0 | SRVN | 0 |
| 5 | 172.16.30.0 | 255.255.255.240 | 0.0.0.0 | TSTN | 0 |
| 6 | 172.16.40.0 | 255.255.255.248 | 0.0.0.0 | SCN | 0 |
| 7 | 172.16.50.0 | 255.255.255.248 | 0.0.0.0 | WLAN | 0 |
| 8 | 172.16.60.0 | 255.255.255.224 | 0.0.0.0 | HAPN | 0 |
| 9 | 172.16.70.0 | 255.255.255.224 | 0.0.0.0 | MDN | 0 |
| 10 | 172.16.80.0 | 255.255.255.240 | 0.0.0.0 | GWN | 0 |
| 11 | 172.16.90.0 | 255.255.255.240 | 0.0.0.0 | WSCN | 0 |
| 12 | 172.16.100.0 | 255.255.255.240 | 0.0.0.0 | WTSTN | 0 |
| 13 | 192.168.1.1 | 255.255.255.248 | 0.0.0.0 | LAN | 0 |
| 14 | 192.168.100.1 | 255.255.255.0 | 0.0.0.0 | WAN1 | 0 |
| 15 | 192.168.100.1 | 255.255.255.255 | 0.0.0.0 | WAN1 | 0 |

Transmission > Routing > RIP

There's nothing configured here.

Transmission > Routing > OSPF

There's nothing configured here.

Firewall > Anti ARP Spoofing

There's nothing configured here.

Firewall > Attack Defense

There's nothing configured here.

Firewall > MAC Filtering

There's nothing configured here.

Firewall > Access Control

There's nothing configured here. Additional information will be presented.

Firewall > Application Control

There's nothing configured here.

Behavior Control > Web Filtering

There's nothing configured here.

Behavior Control > Web Security

There's nothing configured here.

VPN

There's nothing configured here.

Authentication

There's nothing configured here.

Services

There's nothing configured here.

System Tools

There's nothing configured here.

Now, there are no rules in the firewall section because I wasn't able to make any kind of rule combination work. And before someone points to one of the available articles with examples - yes, I read it and I tried it. It doesn't work.

At this stage I will spare the switch configuration, because the post became quite long and also because I did a test without the switch. I used the router's LAN ports for a switch and I tried to allow traffic between any two VLANs. Unfortunately, without success. If someone is interested I can upload the access control policy document upon request.

After a couple of months of extensive testing of various scenarios I come to the conclusion that maybe there's something wrong with inter-VLAN routing on my device? Or, I am missing something obvious?

Any feedback would be highly appreciated.

#1
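
A consistency check over the tables in the post above, as an added example that is not part of the original post or of TP-Link's tooling: it verifies that each address object available for ACL matching parses and equals a VLAN interface subnet, and checks a manually addressed test host against its VLAN interface (DHCP Server is listed as Disable for MGMT). The function names and the sample host addresses are assumptions made for illustration; the interface and address-object values are a subset copied from the posted tables.

```python
import ipaddress

# VLAN interfaces copied from the post's Network List (subset): name -> (IP, mask).
INTERFACES = {
    "LAN": ("192.168.1.1", "255.255.255.248"),
    "MGMT": ("172.16.2.1", "255.255.255.248"),
    "HAN": ("172.16.10.1", "255.255.255.240"),
    "SCN": ("172.16.40.1", "255.255.255.248"),
    "WTSTN": ("172.16.100.1", "255.255.255.240"),
}

# Address objects copied as posted under Preferences > IP Address (subset).
ADDRESS_OBJECTS = {
    "IP_MGMT": ["172.16.2.0/29"],
    "IP_HAN": ["172.16.10.0/28"],
    "IP_SCN": ["172.16.40.0/29"],
    "IP_WTSTN": ["172.16.100.0/28"],
    "IP_LAN": ["192.168.1.0/29", "172.16.2.0/29", "172.16.10.0/28",
               "172.16.40.0.0/29", "172.16.100.0/29"],
}


def interface_networks(interfaces):
    """Map interface name -> IPv4Network derived from its IP and mask."""
    return {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, (ip, mask) in interfaces.items()}


def audit_address_objects(interfaces, objects):
    """Return (object, entry, problem) for entries that match no interface."""
    nets = interface_networks(interfaces)
    findings = []
    for obj, entries in objects.items():
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                findings.append((obj, entry, "malformed"))
                continue
            if net in nets.values():
                continue  # exact match with a configured VLAN subnet
            clash = [n for n, ifnet in nets.items() if net.overlaps(ifnet)]
            if clash:
                findings.append(
                    (obj, entry, f"prefix differs from {clash[0]} ({nets[clash[0]]})"))
            else:
                findings.append((obj, entry, "no matching interface"))
    return findings


def check_static_host(interfaces, vlan, ip, mask, gateway):
    """Check a manually addressed host against its VLAN interface."""
    gw_ip, if_mask = interfaces[vlan]
    net = ipaddress.ip_interface(f"{gw_ip}/{if_mask}").network
    issues = []
    if mask != if_mask:
        issues.append("mask differs from interface")
    addr = ipaddress.ip_address(ip)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        issues.append("address not usable in this subnet")
    if gateway != gw_ip:
        issues.append("default gateway is not the VLAN interface")
    return issues


if __name__ == "__main__":
    for finding in audit_address_objects(INTERFACES, ADDRESS_OBJECTS):
        print(finding)
    # Constructed test host on MGMT with no default gateway configured.
    print(check_static_host(INTERFACES, "MGMT", "172.16.2.2",
                            "255.255.255.248", None))
```

A host without a default gateway can still reach addresses in its own subnet, so the second check is worth running on any test host that is addressed by hand.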
Re:Undefined problem with a TP-Link based network solution
2025-07-21 02:17:32

  @mocuZ 

This is too long. I see many of the parameters you posted are not related. 

The question in the final parts says that you cannot make a connection to a switch to allow the VLAN traffic to flow through. Is that a correct understanding of your issue here?

How to Set Up VLAN Interface on the Omada Router

#2
Re:Undefined problem with a TP-Link based network solution
2025-07-21 02:50:18

@Clive_A

Sorry, I am getting used to the formatting tool of this community. I'll try to avoid such posts in the future.

The real problem I encounter is that I am not able to allow traffic between VLANs based on access control rules. Here's what I mean. Let's say MGMT has to be able to send and receive ICMP messages from HAN. Then, a corresponding rule is defined. However, once activated and present in the table nothing happens. A host in MGMT is only capable of reaching its gateway and not a host in another VLAN. And the same goes for the host in HAN - it can only reach its gateway. If one tries System Tools > Diagnostic > Ping, then it turns out that the router itself is only able to reach a host via a dedicated interface and not through any of the available in the drop down menu. If one tries System Tools > Diagnostic > Traceroute then all requests time out no matter which interface is chosen. If I do the same test on a host I get a reply for the first hop which ends at the corresponding gateway, and from there all are timed out.

The real question is why? Then the next one is: What's wrong? What am I doing wrong in terms of configuration? Is this a limitation of the router? Are there any other settings I need to configure?

I forgot to mention that there's no OC. All this topology is implemented in Standalone mode.

Currently, the SG2210P is out of the picture in order to isolate the problem and work only with router until I am able to make traffic flow to each and every VLAN as defined by the access control list. Thus, I am using two hosts connected to the router in order to perform such tests.

Take your time and get back to me whenever you can. Any feedback would be highly appreciated.

#3
Re:Undefined problem with a TP-Link based network solution-Solution
2025-07-21 03:17:34 - last edited 2025-07-23 02:00:32

  @mocuZ 

There is a function under the tab when you config the switch. That's called the management VLAN which is not a regular VLAN. That really blocks all other VLAN connections.

I assume the MGMT VLAN you talk about in this context is referring to the "name" of the VLAN interface. Right?

In the config, I only read that you have configured the VLAN interfaces. And if you read the guide, that by default allows the inter-VLAN traffic. So, if you cannot get a device being pinged, that means the problem is with the device firewall.

What If My Windows Computer Is Not Accessible or Pingable Over the VPN/VLAN Interfac

Regardless of the controller or not, the VLAN interface would work straight with the ping if the firewall is okay on that device being pinged in this context.

Recommended Solution
#4
Re:Undefined problem with a TP-Link based network solution
2025-07-23 03:43:07 - last edited 2025-07-24 02:49:58

@Clive_A

I am afraid I can't confirm this. "There is a function under the tab when you config the switch. That's called the management VLAN which is not a regular VLAN." I can only see the following tabs under Network > Switch > Mirror/Port Config/Port Status. There is no management VLAN setting in the Port Config tab.

"I assume the MGMT VLAN you talk about in this context is referring to the "name" of the VLAN interface. Right?" Yes, it's just easier to distinguish the different interfaces rather than looking at an IP address 172.16.2.0/255.255.255.248.

"Regardless of the controller or not, the VLAN interface would work straight with the ping if the firewall is okay on that device being pinged in this context." Core Network Diagnostics - ICMP Echo Request (ICMPv4-In) was already explored and enabled on both hosts which are used for testing this network topology. ER605 can successfully send ICMP messages from the System Tools > Diagnostics > Ping at the respective interface and it can receive replies.

Below is a table highlighting some of the results from my experiments.

| # | Name | Policy | Service | Direction | Source | Destination | Time | Outcome | Notes |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Rule_1 | Allow | ICMP | LAN > LAN | MGMT | HAN | Any | Unsuccessful | Request timed out. |
| 2 | Rule_2 | Allow | ICMP | LAN > LAN | HAN | MGMT | Any | Unsuccessful | Request timed out. |
| 3 | Rule_3 | Allow | ALL | LAN > LAN | MGMT | HAN | Any | Unsuccessful | Request timed out. |
| 4 | Rule_4 | Allow | ALL | LAN > LAN | HAN | MGMT | Any | Unsuccessful | Request timed out. |

Rules 1 and 2 were implemented and tested sequentially one after the other. Router reboot was done after each test.

Rules 3 and 4 were implemented and tested after deleting rules 1 and 2. Router reboot was done after each test.

The above rules were the only ones existing in the Access Control List at the time of testing.

Take your time and get back to me whenever you can. Any feedback would be highly appreciated.

#5
Re:Undefined problem with a TP-Link based network solution
2025-07-23 05:55:27

  @mocuZ 

If you have not configured the switch VLAN, refer to the guide: How to Configure VLAN on TP-Link Switch

Simplify this instead of posting all the stuff. You fix two VLAN interface connections, then you can fix the rest of them.

I prefer screenshots instead of tabs/charts like this.

Or you need a walkthrough like this. There are fan-made YouTube videos about standalone web GUI VLAN interface setup.

Or the previous link I showed about the VLAN config, it is similar but the key point is the VLAN tag on the switch and the router.

#6