Issues with tcp connections between VLANs on the same AP
I'm having issues streaming some networked (WiFi) cameras across VLANs, but only when the client device is on the same AP as the camera. When my client device is connected to a different AP everything streams perfectly. But when they share an AP the stream dies before it can even start. I have 3 total APs, all EAP650. Two are directly connected to my switch, one is using wireless mesh. If the cameras are in the same VLAN as the client device it works perfectly. if the cameras are on a different VLAN AND a different AP it works perfectly. If the cameras are on a different VLAN but the SAME AP, it does not work.
I cannot figure out why this would be.
Update: This is caused because TCP connections will drop unexepectedly when connecting to the same AP from where they initiated, on a different ssid/vlan
I isolated it to the EAP 650 access points I was using. I replaced them with some netgear access points set up with the same SSIDs and VLANs and it works 100% correctly.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Dear @treas, @jrypacek, @d0ugmac1, @s0x, @Endpoint7024, @Spryde, @shberge,
Thank you all for your great patience while we work through this issue!
Regarding the issue with TCP connections (such as Remote Desktop) between VLANs on the same EAP650/EAP670/EAP653 v1, the R&D team has made a Beta firmware to fix it, which has also added the PPSK support, please follow this solution post for downloading.
Thank you for your attention! Look forward to hearing from you on our community soon!
- Copy Link
- Report Inappropriate Content
Did you set up any rules/ACLs etc. controlling traffic between the different VLANs? If you did, were they set on the APs or the Switch?
- Copy Link
- Report Inappropriate Content
@d0ugmac1 No, there are no rules or ACLs in place at all.
It seems like strictly a bandwidth/processing issue. Let me describe the scenario
AP 1: Camera 1, Camera 2, phone
AP 2: Nothing
Result: Cannot stream from camera 1 or camera 2
=============================================
AP 1: Camera 1, Camera 2
AP 2: phone
Result: Can stream from both cameras
=============================================
AP 1: Camera 2
AP 2: Camera 1, phone
Result: Can stream from Camera 2, not Camera 1
=============================================
AP 1: phone, camera 2
AP 2: Camera 1
Result: Can stream from Camera 1, not camera 2
Its always the same result, I can only stream from the cameras that are NOT attached to the same AP
- Copy Link
- Report Inappropriate Content
Did you click the Guest Network in any of your SSID definitions?
What IP subnets are you using for each of your VLAN/SSIDs?
- Copy Link
- Report Inappropriate Content
@d0ugmac1 guest is only checked on my guest ssid
im using a third party router. The default subnet is 1692.168.92.1/24
the iot subnet is 192.168.77.1/24
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
those were important details!
is the guest SSID/VLAN being used by either the camera or the streaming device? If so, untick the 'Guest' network on your AP's SSID and retry.
I assume you are using the APs in standalone (ie no Omada SDN involved?)
- Copy Link
- Report Inappropriate Content
I am using the SDN controller in a docker container. Guest is not checked for either of the ssids used by the devices on any of the EAPS. It also works fine on the same AP if I have all devices in the same network.
- Copy Link
- Report Inappropriate Content
Ok, well I can pretty much guarantee you the issue lies with your 3rd party router configuration as I'm using almost the same setup, but with an ER605 and it works just fine.
It seems to me what we have is an issue where your router has a port with two VLANs on it, and it's not permitting traffic to hairpin back out the same port (which would kind of be normal if you think about why you create VLANs in the first place). However it does permit routing from VLAN1 to VLAN2 on different ports. This explains the behaviour you are seeing, question is why is the router behaving this way and what settings would change this behaviour?
One question you might ask yourself is if you WANT users on VLAN1 to talk to VLAN2 devices why are you using different VLANs in the first place?
I would understand having your IOT's on a guest network and blocking them from talking to other local LAN devices(idea being they only communiate to cloud services).
But, it should be possible to configure your router to allow packets from port1.VLAN1 to route back to port1.VLAN2...maybe google your router vendor/router OS and see who else has had this issue?
- Copy Link
- Report Inappropriate Content
@d0ugmac1 I'm not so sure. My network topology is router 2 ports 802.3ad aggregation to a SG2008P. port 1 of the switch goes to one ap, port 2 goes tp the other. All traffic across my entire network goes over the same bonded ports of the router
As far as why: I intend to add a firewall rule that blocks traffic initiated by lan 2 to lan 1 to isolate iot devices but still allow traffic initiated by devices in lan 1
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 7748
Replies: 52