EAP225 random blocked access to certain domains

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2017-08-03 16:45:25

As per object, I have an EAP225 that's creating a lot of troubles.

It's connected as a simple Access Point (PoE) through a PoE Switch. After a lot of troubles with the Controller Software (honestly, that's a horrible piece of software) I managed to configure the EAP225 to work as an Access Point.

When connected to the Wireless Network from the EAP225 some domains are inaccessible, like when you block them via firewall, except there is no firewall on the network and the same domains are accessible when connecting directly via Switch.

Does anyone have any idea about this problem?
#1
Re:EAP225 random blocked access to certain domains
2017-08-04 14:38:57
Hi NeoMod,

This is strange. The EAP has only the AP mode; it's a pure L2 device. It has no firewall or domain filter features, and I cannot figure out what feature the EAP/EAP Controller has that would block certain domains. And what are these domains?

When you did the test, did you try with the same laptop? Is it possible that this problem is caused by the wireless device?

If your problem still exists and you have evidence to prove it is the EAP that caused the problem, it's recommended to contact TP-LINK support via support@tp-link.com for help.

Best Wishes,
Tom Wu
#2
Re:EAP225 random blocked access to certain domains
2017-08-05 06:07:12

NeoMod wrote


It's connected as a simple Access Point (PoE) through a PoE Switch. After a lot of troubles with the Controller Software (honestly, that's a horrible piece of software) I managed to configure the EAP225 to work as an Access Point.


The EAP Controller isn't needed to set up an EAP. Actually, it doesn't even make much sense to use the EAP Controller for setting up a single EAP. You could use the EAP in stand-alone mode and configure it through the web UI if you don't need the extra functionality of the EAP Controller such as its Captive Portal or batch firmware upgrades.


When connected to the Wireless Network from the EAP225 some domains are inaccessible, like when you block them via firewall, except there is no firewall on the network and the same domains are accessible when connecting directly via Switch.


All EAPs are operating as data-link level devices, so they just give you the same connectivity wirelessly as is available by wire if directly connected to the switch. I never experienced such problems with the EAP225. Which domains are you using for tests?
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#3
Re:EAP225 random blocked access to certain domains
2017-08-08 22:33:56

tomm wrote

Hi NeoMod,

This is strange. The EAP has only the AP mode; it's a pure L2 device. It has no firewall or domain filter features, and I cannot figure out what feature the EAP/EAP Controller has that would block certain domains. And what are these domains?

When you did the test, did you try with the same laptop? Is it possible that this problem is caused by the wireless device?

If your problem still exists and you have evidence to prove it is the EAP that caused the problem, it's recommended to contact TP-LINK support via support@tp-link.com for help.

Best Wishes,
Tom Wu


Thank you Tom for your answer.
Indeed, the behaviour left me quite astounded: since it’s a pure L2 it shouldn’t behave like that but indeed the situation was the following:

- Google search was working, but accessing any result resulted in a failure
- Facebook was fully working
- Telegram, WhatsApp and Instagram were completely blocked
- Some on-line newspapers were accessible while others not (repubblica.it, ilmattino.it, ilmessaggero.it, feedly.com, etc.)
- Forum and TPLink Website were completely blocked
- Gmail was accessible, purely for mail connection
- AppStore and PlayStore were completely blocked.

The test has been done on 10 different devices, including Windows 10, Windows Mobile, Android Nougat and iOS 11.
And I also can confirm that the problem was only due to the EAP: neither the switch nor the modem or another wifi ap connected for test purposes to the same network caused the same issue.
Indeed, connecting any device, wireless or cabled, to the same modem (directly or via switch) resulted in a clean access to the internet.
The problem, now solved after 48h of really hard troubleshooting, is resident in the EAP firmware.


The EAP Controller isn't needed to set up an EAP. Actually, it doesn't even make much sense to use the EAP Controller for setting up a single EAP. You could use the EAP in stand-alone mode and configure it through the web UI if you don't need the extra functionality of the EAP Controller such as its Captive Portal or batch firmware upgrades.


That should be the ideal working setup, but truth be told, the whole implementation in real-work is quite awful.

- The EAP so-called stand-alone WEB SERVER did not offer the same personalization level offered through the controller software (as an example, try to configure a personal image and logo for the guest network portal from the stand-alone web server. It’s not possible).
- The so-called “extra” functionalities are the reason why someone will be willing to invest so much money in a simple AP: it doesn’t make any sense to force simple installations (like a single AP, indeed) to use the controller software.


All EAPs are operating as data-link level devices, so they just give you the same connectivity wirelessly as is available by wire if directly connected to the switch. I never experienced such problems with the EAP225. Which domains are you using for tests?


Again, that’s what I expect from pure L2 devices without firewall, but there is a nasty, and quite frankly badly implemented, piece of firmware in the EAP225 where this standard behaviour is completely overwritten by what seems to be a logic control that is not working as it should.
As for domains example, please take a look at the first part of my post.
#4
Re:EAP225 random blocked access to certain domains
2017-08-09 04:35:58

NeoMod wrote


The EAP so called stand-alone WEB SERVER did not offer the same personalization level offered through the controller software. (as an example, try to configure a personal image and logo for the guest network portal from the stand-alone web server. It’s not possible).


That's right, the EAPC offers extended functionality for Hotspots such as portal page customization.

I just have set up a brand-new EAP225 with our EAPC and enabled the Hotspot portal (auth scheme: no authentication, i.e. single-click login). After login, I can access Google search results, repubblica.it, ilmattino.it, ilmessaggero.it, feedly.com, TP-Link website/forum, gmail, etc. without any problems. No blocking whatsoever happens. Controller is v 2.4.4.

If you want, I can offer you to temporarily adopt your EAP225 to our EAPC, so you could compare the behavior of your clients with our EAPC if you think that the EAPC is the cause for blocking requests (I can't reproduce this at all).

Another way to find out what happens is to set up your EAP in stand-alone mode with no portal function and just a WPA2 key. Are the sites mentioned above still blocked? If so, it's something in your network. If not, turn on the built-in portal. Still blocked?

Except for management data and the authorization handshake of unauthenticated users, the EAPC does not receive any traffic. It therefore cannot filter domain names or even IPs, since all traffic will only flow from client systems through the EAP through your switch directly to the router. So, if the EAP/EAPC can capture users' requests and let users log into the Hotspot, doors are wide open to the Internet w/o any interaction of the EAPC at this point.

What I can imagine are "security provisions" of your admin for the local network, e.g. client authentication using static leases, which could block traffic if not connected to a switch by wire or something. Did you check this already?

Anyway, if you want me to adopt your EAP225 for a test on our Controller, send me a private mail through the forum's mail system.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#5
Re:EAP225 random blocked access to certain domains
2017-08-21 11:03:43

NeoMod wrote


The problem, now solved after 48h of really hard troubleshooting, is resident in the EAP firmware.


I am wondering how you solved the issue? And what the issue is?
#6