Is it possible to create a manageable VLAN on EAP660 Access point without creating an SSID?
I have a new EAP660 HD access point and I set 4 SSID each using separate 4 VLANs.
For now I don't have a controller (it's ordered and will be here in a couple of days).
Is it possible to have a 5th VLAN only for manage the access point without creating an SSID for that?
What I'm trying is to allow access to UI page only to manageable VLAN to have a better security?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
If you don't have an SSID for management VLAN, how do you connect to the access point and manage it? Or you want to set one of the existing 4 VLANs as management VLAN? That will be possible. Each SSID can only be in one VLAN.
- Copy Link
- Report Inappropriate Content
Actually I try to have a new VLAN (lets say number 10) to be a management vlan for my AP and as I use pfsense as my router I setup a static ip (part of the VLAN 10) to my AP.
That is working, my AP is getting the static VLAN 10 ip address and that ip is showing in omada dashboard for my AP.
Now when I try to set in omada the VLAN 10 as MANAGEMENT VLAN for my AP (select my AP >> Config >> Services >> click on Management VLAN >> enable check box and select the VLAN 10 from a list and click apply, the AP is disconnected and only way to get it back into omada is to reset the AP to factory default.
The AP (EAP660) is connected to TL-SG2008P, on a port that provides a few VLANS (10, 20, 30, 40, 50). All other VLANS (20, 30, 40, 50) are used for separate SSIDs to provide WiFi on different subnets and that is working as intended. Omada shows my AP with the VLAN 10 ip address and allow me to change settings, etc. At the same time I could not open the AP web page using the AP ip address, the page timeout (maybe that is expected, not sure, but it's a different behaviour for TL-SG2008P switch, see below).
My understanding is that management vlan is intended as a way to manage the device in omada to separate the data vlans from management vlan or maybe I'm wrong and missing something here.
At the same time I have setup my TL-SG2008P switch in the same way as I try with EAP660 and I set the management vlan to VLAN 10 and is working fine. When I try to access the TL-SG2008P directly through it's VLAN 10 ip address I'm getting the tp-link page with an error that it's managed by omada.
- Copy Link
- Report Inappropriate Content
Is your router the omada gateway like ER605 or ER7206? If no, you should refer to "topology 2” in this article to set up mgmt VLAN:
https://www.tp-link.com/en/support/faq/2814/
BTW, is your controller OC200 or software controller? After you set the switch to mgmt VLAN10, did the switch still show connected on the controller?
- Copy Link
- Report Inappropriate Content
Hi @Somnus,
Thanks for your response.
I use pfsense as my main router so is not omada.
I was following the suggested guide, but the guide is not describing a situation with multiple vlans per AP that is a bit more complicated looks like.
So I have setup a profile (named router) that includes 7 VLANs as tagged (including management vlan) and then selected it for port #7 on TL-SG2008P switch that is connected to my pfsense router (used as an input Trunk). Then I setup another profile (named AP1) that includes 5 VLANs (including management vlan) and then selected it for port #1 on the switch that is connected to my EAP660 (used as Trunk for AP). So on profile "router" the Native Network: is a dummy_one (non existent), and for profile "AP1" is the management vlan.
All other 4 vlans on AP1 is working as expected (getting different subnet ips), and also the eap660 itself is receiving a static ip from the 5th vlan (management vlan) and pfsense assign a static ip to eap660. Everything looks OK, the EAP660 and the TL-SG2008P are show in the omada, but as soon as I set the Management vlan to enable for the AP, and select the management vlan from the list, the AP disconnects and is not accessible anymore (not from omada or directly by ip in a browser even I could ping the AP) and the wifi is still working fine. For now the only way I have found to get it back into omada is to reset the AP and then adopt as a new AP.
I have an OC200 hardwire controller connected to TL-SG2008P switch (on management vlan untagged port so it receives an ip from management vlan).
- Copy Link
- Report Inappropriate Content
Dear @Ionut21,
Ionut21 wrote
I use pfsense as my main router so is not omada.
I was following the suggested guide, but the guide is not describing a situation with multiple vlans per AP that is a bit more complicated looks like.
So I have setup a profile (named router) that includes 7 VLANs as tagged (including management vlan) and then selected it for port #7 on TL-SG2008P switch that is connected to my pfsense router (used as an input Trunk). Then I setup another profile (named AP1) that includes 5 VLANs (including management vlan) and then selected it for port #1 on the switch that is connected to my EAP660 (used as Trunk for AP). So on profile "router" the Native Network: is a dummy_one (non existent), and for profile "AP1" is the management vlan.
All other 4 vlans on AP1 is working as expected (getting different subnet ips), and also the eap660 itself is receiving a static ip from the 5th vlan (management vlan) and pfsense assign a static ip to eap660. Everything looks OK, the EAP660 and the TL-SG2008P are show in the omada, but as soon as I set the Management vlan to enable for the AP, and select the management vlan from the list, the AP disconnects and is not accessible anymore (not from omada or directly by ip in a browser even I could ping the AP) and the wifi is still working fine. For now the only way I have found to get it back into omada is to reset the AP and then adopt as a new AP.
I have an OC200 hardwire controller connected to TL-SG2008P switch (on management vlan untagged port so it receives an ip from management vlan).
For your case, there is no need to create a SSID only for the management VLAN setup.
And please use the default profile "All" (Native Network is LAN) for the port #1 on the switch that is connected to the EAP660.
If you use a profile whose Native Network is the management VLAN, the management VLAN is untagged, it's possible that the AP will be disconnected from the controller.
- Copy Link
- Report Inappropriate Content
Thanks for your suggestion.
Have a question for you. By checking the Target Networks "All" means all the VLANs available on the switch will be tagged and pass to port 1 (in my case connected to EAP660) right? That is not what I intended as I have some VLANS only for wired subnets.
I have on AP1 profile, the Native Network set to "management VLAN" (that is untagged) and 4 other tagged VLANs (not using LAN) for ~ 2-3 weeks (have not enabled the Management VLAN in the EAP660 config) and did not noticed my EAP660 disconnection in Omada or any WiFi or network issues.
Today I have tried to modify the AP1 profile, by setting Native Network to "Dummy VLAN" (that is untagged) and 5 other tagged VLANs (including management vlan) and not using LAN. As soon I made this change my EAP660 status in Omada switched from "CONNECTED" to "HEARTBEAT MISSED". Setting back the profile setup and my EAP get CONNECTED status back. This small test shows that management subnet should be untagged when the Management VLAN is not enable in the EAP660 config > Services VLAN setup. A bit scare to set "enable" to find that I need to reset my EAP660 that will cause internet interruption as my wife was very when I was setting my new Omada setup as internet was not working for longer time than expected. Will try when nobody home to keep family happy.
@Fae, do you think that it may work by setting the Native Network to "dummy VLAN" and my management VLAN tagged, and then set the Management VLAN "enabled" pointed to my management vlan on the EAP660 config?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3216
Replies: 6
Voters 0
No one has voted for it yet.