ER7212PC - Issues
To whom it may concern,
First of all, apologies for the possibly long post.
I was facing an issue with AirPlay/mDNS and posted about it in the forum post - https://community.tp-link.com/en/business/forum/topic/618796
Initially, I was glad that it was escalated to a support engineer and hoped to get the AirPlay issue resolved eventually.
However, the response and support I received from the engineer were less than satisfactory.
Below is a summary of the environment:
- 2 x VLANs - General & IOT
  - General VLAN - common VLAN for general usage
  - IOT VLAN - hosting of all smart devices
  - Also wanted to disable access from the IOT VLAN to the General VLAN.
- Set up Gateway ACL
  - Deny IOT network to General network, Direction - LAN>LAN
- Set up EAP ACL
  - Deny IOT network to General network, Protocols - All
- Set up Gateway ACL
  - Given that the issue was with AirPlay, (after googling) I set up the mDNS service
    - Device Type - Gateway
    - Service - AirPlay
    - Service Network - IOT
    - Client Network - General
Below is a summary of the interaction with the remote support:
Prior to the remote session with the engineer, I had been testing various combinations of AirPlay ports on the ACL and started to realize that the one blocking the access is the EAP ACL. In short, if I disable the deny IOT network to General network rule in the EAP and Gateway ACL, AirPlay can work. However, that implies that the IOT network can reach my General network, and that's not my objective.
Next, the engineer managed to start the remote session with me.
He requested a few things in order to perform tcpdump, e.g., client (iPhone) and service (Samsung TV) on the same VLAN and perform AirPlay, then client and service on the General and IOT VLANs respectively and perform AirPlay.
Eventually, I shared with the engineer my findings regarding the ACL rules that were blocking my access. He started to share that if we want to restrict access between different networks, we should use the Gateway ACL (I am not very convinced about that) and that the EAP ACL was meant to restrict access within the same network. (Please refer to attachment for more details - lines 66 to 100)
The advice he gave about port groups is not applicable in the Gateway ACL, and suddenly he logged off the session (with the root access terminal left open) (Please refer to attachment - Chat history with TP-Link - lines 100 to 117)
Next, I had to revert to the original support email, and he told me that there is no issue to be resolved; the mDNS proxy feature works as it should (which I agree with). However, the issue was that I can't get AirPlay to work with TP-Link devices, and it does not matter which configuration is causing it; the fact is that it is TP-Link's device configuration (or the lack of it) that causes it. Eventually, with the root access terminal, I was able to perform tcpdump and identify the various ports required. With that information and Google, I was able to make it work for certain use cases of AirPlay. (I still can't make it work for screen mirroring from iPhone and can't find further information regarding it, so if anyone has any idea, please feel free to let me know.)
Once again, he shared a configuration on the Gateway ACL that was quite puzzling to me, but given that I am no expert in TP-Link products, I tried it and it does not work.
(Please refer to attachment - Email History with TP-Link.) More importantly, within the Gateway ACL there are no port restrictions, unlike the EAP ACL.
Below is a summary of the issues that I found:
- The Gateway ACL does not support port groups and currently only supports networks. That implies that if I open up access, it will be for all devices within the source and destination networks for all protocols. Is that the expected behavior of the device or of ACLs at the gateway level?
- The Gateway and EAP ACLs do not allow insertion of rules, and given traditional ACL or firewall rule ordering, the ACLs are applied from top to bottom.
- Port mirroring, tcpdump or equivalent troubleshooting capabilities are not made available to us.
I am no expert in the product or its configuration, and for all I know I might have been configuring it wrongly (in terms of the Gateway or EAP ACL). That's the main reason why I am looking for technical support to help with the product. However, the standard of support rendered and the features (or lack of them) really make me wonder if I should ever use or recommend TP-Link products in future.
*Please refer to 2nd post for attachment - Email History with TP-Link
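The post above describes two things done by hand: reading tcpdump output to find which ports the client actually used against the TV, and worrying about rule order in an ACL that cannot insert rules above an existing deny. The following is an added example in Python, not code from the original post or from TP-Link. It parses constructed tcpdump-style lines to list the (protocol, port) pairs the client connected to on the service network, then replays the same flows through two orderings of a stateless first-match ACL to show why a permit appended below a blanket IOT-to-General deny never takes effect, while the same permit placed above it lets the replies through and still drops everything else. The subnets, addresses, capture lines and port numbers are constructed assumptions (they are not a statement of what AirPlay uses), and the stateless first-match model is an assumption about generic ACL behaviour, not a description of how the TP-Link Gateway or EAP ACLs are implemented.

```python
"""Added example (not from the original post). Parse tcpdump-style lines,
list the ports a client used against the service network, then compare two
orderings of a stateless first-match ACL against the same flows.
All addresses, ports and capture lines are constructed; the ACL model is an
assumption about generic first-match ACLs, not the TP-Link implementation."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

GENERAL = ip_network("192.168.10.0/24")  # client (iPhone) network, constructed
IOT = ip_network("192.168.20.0/24")      # service (TV) network, constructed

# Constructed `tcpdump -n` style lines: "time IP src.sport > dst.dport: details"
CAPTURE = """\
10:00:01.000001 IP 192.168.10.50.5353 > 224.0.0.251.5353: UDP, length 120
10:00:01.100002 IP 192.168.10.50.52110 > 192.168.20.40.7000: Flags [S], seq 1, win 65535, length 0
10:00:01.100500 IP 192.168.20.40.7000 > 192.168.10.50.52110: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:01.200003 IP 192.168.10.50.52111 > 192.168.20.40.7100: Flags [S], seq 3, win 65535, length 0
10:00:01.300004 IP 192.168.10.50.60000 > 192.168.20.40.6001: UDP, length 32
10:00:01.300900 IP 192.168.20.40.6001 > 192.168.10.50.60000: UDP, length 32
10:00:02.000000 IP 192.168.20.40.44444 > 192.168.10.5.22: Flags [S], seq 9, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def parse_capture(text):
    """Turn tcpdump text lines into Flow records; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto = "udp" if m["rest"].startswith("UDP") else "tcp"
        flows.append(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto))
    return flows


def service_ports(flows, service_net):
    """(proto, port) pairs the client connected to on hosts inside service_net."""
    return sorted({(f.proto, f.dport) for f in flows if ip_address(f.dst) in service_net})


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src_net: object
    dst_net: object
    proto: str = "any"
    sports: frozenset = field(default_factory=frozenset)  # empty = any source port
    dports: frozenset = field(default_factory=frozenset)  # empty = any destination port

    def matches(self, f):
        if ip_address(f.src) not in self.src_net or ip_address(f.dst) not in self.dst_net:
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.sports and f.sport not in self.sports:
            return False
        return not self.dports or f.dport in self.dports


def evaluate(rules, flow, default="permit"):
    """Stateless first match wins, top to bottom; implicit permit if nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def denied(rules, flows):
    return [f for f in flows if evaluate(rules, f) == "deny"]


def reply_permits(ports):
    """Service replies travel IOT -> General with the service port as *source* port."""
    return [Rule("permit", IOT, GENERAL, proto, sports=frozenset({port})) for proto, port in ports]


DENY_IOT_TO_GENERAL = Rule("deny", IOT, GENERAL)


def compare_orderings(capture=CAPTURE):
    flows = parse_capture(capture)
    ports = service_ports(flows, IOT)
    appended = [DENY_IOT_TO_GENERAL] + reply_permits(ports)   # permits never reached
    prepended = reply_permits(ports) + [DENY_IOT_TO_GENERAL]  # replies pass, SSH probe still dropped
    return {
        "ports": ports,
        "denied_when_appended": len(denied(appended, flows)),
        "denied_when_prepended": len(denied(prepended, flows)),
    }


if __name__ == "__main__":
    print(compare_orderings())
```

The multicast mDNS query to 224.0.0.251 matches neither network rule and is left to the mDNS proxy, which is why the poster's finding that the proxy itself works is consistent with AirPlay still failing: it is the unicast replies from the IOT side that the blanket deny catches in this model.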