ER7212PC - Issues

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-08-29 08:06:49 - last edited 2023-08-29 13:13:32
Model: ER7212PC, EAP650
Hardware Version: V1
Firmware Version: 1.0.4 Build 20230724 Rel.49286

To whom it may concern,

First of all, apologies for the possibly long post.

I was facing an issue with AirPlay/mDNS and posted about it in the forum post - https://community.tp-link.com/en/business/forum/topic/618796

Initially, I was glad that it was escalated to a support engineer, and I hoped to eventually get the issue with AirPlay resolved.

However, the response and support I received from the engineer were less than satisfactory.

Below is a summary of the environment:

  • 2 x VLAN - General & IoT
    • General VLAN - Common VLAN for general usage
    • IoT VLAN - Hosting of all smart devices
  • I also wanted to disable access from the IoT VLAN to the General VLAN.
    • Set up Gateway ACL
      • Deny IoT network to General network, Direction - LAN>LAN
    • Set up EAP ACL
      • Deny IoT network to General network, Protocols - All
  • Given that the issue was with AirPlay, (after googling) I set up the mDNS service
    • Device Type - Gateway
    • Service - AirPlay
    • Service Network - IoT
    • Client Network - General

Below is a summary of the interaction with remote support:

Prior to the remote session with the engineer, I had been testing various combinations of AirPlay ports on the ACL and started to realize that the one blocking the access was the EAP ACL. In short, if I disable the "deny IoT network to General network" rule in the EAP and Gateway ACLs, AirPlay works. However, that implies that the IoT network can reach my General network, and that's not my objective.

Next, the engineer managed to start the remote session with me.

He requested a few things in order to perform tcpdump, e.g., client (iPhone) and service (Samsung TV) on the same VLAN performing AirPlay, then client and service on the General and IoT VLANs respectively performing AirPlay.

Eventually, I shared with the engineer my findings regarding the ACL rules that were blocking my access. He started to explain that if we want to restrict access between different networks, we should use the Gateway ACL (I am not very convinced about that), and that the EAP ACL was meant to restrict access within the same network. (Please refer to the attachment for more details - Line 66 till 100)

The advice he gave about port groups is not applicable to the Gateway ACL, and suddenly he logged off the session (with the root access terminal left open). (Please refer to attachment - Chat history with TP-Link - Line 100 till 117)

Next, I had to revert to the original support email, and he told me that there was no issue to be resolved: the mDNS proxy feature works as it should (which I agree with). However, the issue was that I couldn't get AirPlay to work with TP-Link devices, and it does not matter which configuration is causing it; the fact is that it is TP-Link's device configuration (or the lack of it) that causes it. Eventually, with the root access terminal, I was able to perform tcpdump and identify the various ports required. With that information and Google, I was able to make it work for certain AirPlay use cases. (I still can't make it work for screen mirroring from the iPhone and can't find further information regarding it, so if anyone has any idea, please feel free to let me know.)

Once again, he shared a configuration on the Gateway ACL that was quite puzzling to me, but given that I am no expert in TP-Link products, I tried it and it does not work.

(Please refer to attachment - Email History with TP-Link.) More importantly, within the Gateway ACL there are no port restrictions, unlike the EAP ACL.

Below is a summary of the issues that I found:

  1. The Gateway ACL does not support port groups and currently only supports networks. That implies that if I open up access, it will be for all devices within the source & destination networks for all protocols. Is that the expected behavior of the device or of the ACL at the gateway level?
  2. The Gateway & EAP ACLs do not allow inserting rules, and given traditional ACL or firewall rule ordering, the ACL is applied from top to bottom.
  3. Port mirroring, tcpdump or equivalent troubleshooting capabilities are not made available to us.

I am no expert in the product or its configuration, and for all I know, I might have been configuring it wrongly (in terms of the Gateway or EAP ACL). That's the main reason why I am looking for technical support to help with the product. However, the standard of support rendered and the features (or lack of them) really make me wonder if I should ever use or recommend TP-Link products in future.

*Please refer to the 2nd post for the attachment - Email History with TP-Link

Re:ER7212PC - Issues
2023-08-29 09:41:43

Hi @Tapwater 

Thanks for posting in our business forum.

I'd like to remind you that it is not recommended for customers or users to share this kind of support email on a public platform or the community. Although you have erased the mailboxes and names of our internal staff, this behavior has violated the confidentiality statement of commercial email communication, and you are expected to delete the attachments.

In addition, we also thank you for sharing your remote problem follow-up process in the community in such detail. If the problem has not been resolved, we are happy to continue to help follow up.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Re:ER7212PC - Issues
2023-08-29 13:12:58

@Clive_A

Please proceed to delete the attachment, as I only intended to show the conversation history between the support staff and myself regarding the issue.

The various issues still persist, and the end objective of enabling AirPlay is still not fully working as intended.

I had shared that information with the engineer previously, but I was simply told that there was no issue.

As I have only two means of contacting TP-Link - the forum and the engineer via email - I have fallen back to the forum to seek further assistance.

Re:ER7212PC - Issues
2023-08-30 02:23:17 - last edited 2023-08-30 02:28:41

Hi @Tapwater 

Thanks for posting in our business forum.

So, is your firmware still on 1.0.4? The ER7212PC has newer firmware available: Download for ER7212PC V1 and ER7212PC V1_1.1.0 Build 20230803 Official Firmware (Released on Aug 23rd, 2023)

I read the email you sent earlier in the reply. When the senior engineer was consulting and reporting to the dev and test team, I was copied. The fact is that there is no issue in mDNS. The issue is a result of the configuration of the EAP ACL. And most mDNS-not-working cases are a result of the ACL.

So, for your case, I recommend you get a switch. At this moment, this product is defined as a router. We never consult the switch dev/test team for any questions about this model. Switch ACL is not going to be available for it.

To achieve what you want, follow the senior engineer's solution by setting up an IP-Port ACL. As we know, mDNS is 5353/UDP, so setting up two rules, allow 5353/UDP and deny all, should be able to get mDNS working while blocking all other communication.

This is based on my experience. If mDNS is UDP 5353, then you have to set up an ACL to block the access between the LAN interfaces, and you should use multiple rules to implement this. I am giving you a brief plan, and this may need additional rules to make it perfect.

Scheme:

Deny all, IP-Port = IoT subnet + port 0-65535

Allow, IP-Port = IoT subnet + 5353

Best Regards!
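The two posts above disagree about where the blocking rule lives, but both rely on the same mechanism: an ordered ACL evaluated top to bottom, where the first matching rule decides (the original poster's issue #2). The following simulator is an added example written for this thread, not TP-Link firmware code and not anything either participant posted. It models that first-match evaluation and runs three constructed rule sets over constructed sample packets: the original poster's "deny IoT network to General network, all protocols" gateway rule, Clive_A's two-rule scheme in the order it is listed, and the same two rules with the specific 5353/UDP allow placed first. The VLAN subnets, host addresses and the non-mDNS sample port are assumed values chosen for the example; multicast mDNS (224.0.0.251) relayed by the gateway's mDNS repeater is not modelled, only a unicast 5353/UDP packet from the IoT subnet.

```python
"""First-match ACL simulator for the IoT -> General / mDNS 5353 discussion.

Added example for this thread; not TP-Link's code and not the poster's.
Subnets, hosts and the sample TCP port below are assumed values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed VLAN subnets (the thread names the VLANs but gives no addresses).
IOT_NET = ip_network("192.168.20.0/24")
GENERAL_NET = ip_network("192.168.10.0/24")
ANY_NET = ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src: IPv4Network  # source network the rule applies to
    dst: IPv4Network  # destination network (ANY_NET = unrestricted)
    proto: str        # "udp", "tcp" or "any"
    ports: tuple      # inclusive destination-port range (lo, hi)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside every field of the rule."""
    lo, hi = rule.ports
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and rule.proto in ("any", pkt.proto)
            and lo <= pkt.dport <= hi)


def evaluate(rules: list, pkt: Packet, default: str = "allow"):
    """Top-to-bottom, first-match evaluation.

    Returns (action, index): index is the position of the rule that decided,
    or None when no rule matched and the default applied.
    """
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return default, None


# Original poster's gateway rule: deny IoT -> General, all protocols.
OP_RULES = [Rule("deny", IOT_NET, GENERAL_NET, "any", ALL_PORTS)]

# Clive_A's scheme in the order it is listed in the post above.
SCHEME_AS_LISTED = [
    Rule("deny", IOT_NET, ANY_NET, "any", ALL_PORTS),
    Rule("allow", IOT_NET, ANY_NET, "udp", (5353, 5353)),
]

# Same two rules, specific allow first, general deny last.
SCHEME_ALLOW_FIRST = list(reversed(SCHEME_AS_LISTED))

# Constructed sample traffic (addresses and the TCP port are assumptions).
MDNS_FROM_IOT = Packet("192.168.20.50", "192.168.10.20", "udp", 5353)
WEB_FROM_IOT = Packet("192.168.20.50", "192.168.10.20", "tcp", 80)
FROM_GENERAL = Packet("192.168.10.20", "192.168.20.50", "tcp", 80)

RULE_SETS = [
    ("OP deny IoT->General", OP_RULES),
    ("scheme as listed", SCHEME_AS_LISTED),
    ("scheme allow first", SCHEME_ALLOW_FIRST),
]


def report(name: str, rules: list) -> None:
    """Print the verdict for each sample packet under one rule set."""
    for pkt in (MDNS_FROM_IOT, WEB_FROM_IOT, FROM_GENERAL):
        action, idx = evaluate(rules, pkt)
        where = f"rule {idx}" if idx is not None else "default"
        print(f"{name:<22} {pkt.proto}/{pkt.dport:<5} "
              f"{pkt.src} -> {pkt.dst}: {action} ({where})")


if __name__ == "__main__":
    for name, rules in RULE_SETS:
        report(name, rules)
</```

Running it shows that under first-match evaluation the listed order denies the 5353/UDP packet at rule 0 before the allow is ever consulted, while the reversed order allows 5353/UDP and still denies everything else from the IoT subnet. Traffic originating in the General VLAN matches no rule in any set and falls through to the default, which is the asymmetry the original poster was after.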
Re:ER7212PC - Issues
2023-08-30 05:10:01

@Clive_A

One of the main reasons I bought the ER7212PC was that it was advertised as a 3-in-1 - Router, Switch, Controller - and the option for me now is to buy another TP-Link product - a managed switch. There is no reason for me to get this product if it is advertised as a router with a limitation of 10 APs & 2 switches. There are cheaper routers within the TP-Link product range that simply provide routing capabilities.

I agree that the bulk of the issues with mDNS would be with the ACL, but the matter of fact is also that the product can't be configured with the appropriate ACL to support the network topology.

Can I understand that the IP-Port ACL is only applicable to the switch-level ACL? If so, besides getting another of your products, what are my other options?

Re:ER7212PC - Issues
2023-08-30 05:40:49 - last edited 2023-08-30 05:40:59

Hi @Tapwater 

3-in-1, but it is still a router. It ends up as a gigabit VPN router. To be honest, the performance of the ER7212PC is weaker than the traditional models we have. If you refer to the specs and datasheet, you'll see that. Gateway ACL with IP-Port has been brought up before and it's been sent to the dev team. As far as I know, there is a plan, but I don't know when it will be available.

As in my last reply, you can use the EAP ACL, which supports IP-Port Group, as a temporary solution. Have you tried that?

Best Regards!
Re:ER7212PC - Issues
2023-09-04 02:10:37

@Clive_A

I agree that the performance of the ER7212PC is weaker, but that's a decision I made because it is supposed to provide 3-in-1 functions.

However, from the current look of it, it is just a router with dummy switch ports built into it.

The EAP ACL was already tested prior to the support ticket, but I was informed by your engineer that it was meant for same-network access management.

Meanwhile, I would like to understand whether there is a port mirroring capability or a similar tcpdump that I can perform on the router to capture the necessary ports/traffic.

Re:ER7212PC - Issues
2023-09-05 06:43:36

Hi @Tapwater 

Thanks for posting in our business forum.

Troubleshooting mDNS Repeater on the Router Doesn't Take Effect

You can use port mirroring and capture to learn about your network. About mDNS, I wrote an article about it. I think it could be helpful for your issue.

Best Regards!