ER7212PC - Issues
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
To whom it may concern,
First of all, apology for the possible long post.
I was facing issue with Airplay, mDNS and posted via the forum post - https://community.tp-link.com/en/business/forum/topic/618796
Initially, I was glad that it was escalated to support engineer and hopefully get to resolve the issue with Airplay eventually.
However, the response and support I received from the engineer was less than satisfactory.
Below is a summary of the environment,
- 2 x vLAN - General & IOT
- General vLAN - Common vLAN for general usage
- IOT vLAN - Hosting of all smart devices
- Also wanted to disable access from IOT vLAN to General vLAN.
- Setup Gateway ACL
- Deny IOT network to General network, Direction - LAN>LAN
- Setup EAP ACL
- Deny IOT network to General network, Protocols - All
- Setup Gateway ACL
- Given that the issue was with Airplay, (after googling) I setup mDNS service
- Device Type - Gateway
- Service - Airpla
- Service Network - IOT
- Client Network - General
Below is a summary of the interaction with the remote support,
Prior to the remote session with the engineer, I have been testing various combination, Airplay ports on the ACL and start to realize that the one that is blocking the access is the EAP ACL. In short, if I disable the deny IOT network to general network in EAP and Gateway ACL, Airplay can work. However, that imply that IOT network can reach my general network and that's not my objective.
Next, the engineer manage to start the remote session with me.
He requested a few things to perform tcpdump e.g., client (iphone) and service (samsung tv) at the same vlan and perform airplay, client and service at general and iot vlan respectively and perform airplay.
Eventually, I shared with the engineer about my findings regarding the ACL rules that is blocking my access. He start to share that if we want to restrict access between different network, we should use gateway ACL (I am not very convinced about that) and EAP ACL was meant to restrict access within same network. (Please refer to attachment for more details - Line 66 till 100)
The advise he given about port groups is not applicable in Gateway ACL and suddenly he log off the session (with the root access terminal opened) (Please refer to attachment - Chat history with TP link - Line 100 till 117)
Next, I have to revert to the original support email and he told me that there is no issue to be resolved, mDNS proxy feature works as it should (which I agree). However, the issue was that I can't get Airplay to work with TP link devices and it does not matter which configuration is causing it, the fact is that it is TP link's device configuration (or the lack of it) that cause it. Eventually with the root access terminal, I was able to perform tcpdump and identify the various ports required. With that information and google, I was able to make it work on certain use cases of Airplay. ( I still can't make it work for screen mirroring from iphone and can't find futher information regarding it - so if anyone has any idea, please feel free to let me know)
Once again, he shared about configuration on gateway ACL that was quite puzzling to me, but given that I am no expert in TP link product, I tried and it does not work.
(Please refer to attachment - Email History with TP Link) More importantly within Gateway ACL, there is no port restrictions unlike EAP ACL.
Below are the summary of the issues that I found,
- Gateway ACL does not support port group and currently it only support network. That imply that if I opened up access, it will be for all devices within the source & destination network for all protocol. Is that the expected behavior of the device or ACL at the gateway level?
- Gateway & EAP ACL does not allow insert of rules and given traditional ACL or firewall rules order, the ACL are applied from top to bottom.
- Port mirroring, TCPdump or equivalent troubleshooting capabilities are not made available to us.
I am no expert in the product or configuration and for all I know, I might have been configuring it wrongly (in terms of the Gateway or EAP ACL). That's the main reason why I am looking for technical support to help with the product. However, the standard of support rendered and features (or lack of it) really make me wonder if I should ever use or recommend TP link product in future.
*Please refer to 2nd post for attachment - Email History with TP link
Hi @Tapwater
Thanks for posting in our business forum.
So, is your firmware still on 1.0.4? The ER7212PC has its latest firmware. Download for ER7212PC V1 and ER7212PC V1_1.1.0 Build 20230803 Official Firmware (Released on Aug 23rd, 2023)
I read the email you sent earlier in the reply. When the senior engineer was consulting and reporting to the dev and test team, I was copied. The fact is that there is no issue in the mDNS. The issue is a result of the configuration of EAP ACL. And most mDNS not working cases would be a result of ACL.
So, for your case, recommend you get a switch. At this moment, this product is defined as a router. We never consult with the switch dev/test team for any questions about this model. Switch ACL is not gonna be available for it.
To achieve what you want, follow the senior engineer's solution by setting up IP-Port ACL. As we know that mDNS is 5353/UDP, so, setting up two rules, allow 5353/UDP and deny all, should be able to get this mDNS working while blocking all other communication.
This is based on my experience. If the mDNS is UDP 5353, then you gotta set up ACL to block the access between the LAN interfaces, then, you should use multiple rules to implement this. I am giving you a brief plan and this may need additional rules to make it perfect.
Scheme:
Deny all, IP-Port = IoT subnet + port 0-65535
Allow, IP-Port = IoT subnet + 5353
_____________________________________________________________________________________________________
One of the main reason I brought ER7212PC was that it was advertised as a 3-in-1 - Router, Switch, Controller, and the option for me now is to buy another TP link product - managed switch. There is no reason for me to get this product, if this is advertised as a Router with the limitation of 10 AP & 2 switch. There are cheaper router within TP link product range that simply does routing capabilities.
I agree that bulk of the issue with mDNS would be with the ACL but the matter of fact is also that the product can't configure the appropriate ACL to support the network topology.
Can I understand the IP-Port ACL is only applicable to Switch Level ACL? If so, beside getting another of your prodcut what are my other options?