[BUG/Issue] EAP ACL not functioning between wireless connections on the same EAP. (653, 650, 225)
Hello,
After 4 full days of trying and encountering issues every time, it seems there is a bug in the EAPs when combined with EAP ACL rules.
Hardware setup:
- ER605 v2.0 (Firmware Version: 2.1.4 Build 20230727 Rel.40308)
- OC200 1.0 (Controller Version: 5.12.9) (Firmware Version: 1.26.3 Build 20230906 Rel.36269)
- TL-SG2008P v3.0 (Firmware Version: 3.0.5 Build 20230602 Rel.73473)
- TL-SG2008P v3.0 (Firmware Version 3.0.5 Build 20230602 Rel.73473)
- EAP225(EU) v3.0 ( 5.1.0 Build 20220926 Rel. 62456)
- EAP653(EU) v1.0 (1.0.9 Build 20230814 Rel. 36852)
- EAP650(EU) v1.0 (1.0.10 Build 20230814 Rel. 36852)
- EAP653(EU) v1.0 (1.0.9 Build 20230814 Rel. 36852)
My problem:
I want to connect my printers via Wi-Fi to an isolated VLAN. The printer should not be discoverable/usable in the isolated VLAN but should be accessible from another (trusted) VLAN. Unfortunately, this is not working with the "Guest Network" function in the WLAN settings because it makes the printer inaccessible from any other VLAN as well. That's why I'm trying to achieve this with ACL rules.
After much experimentation with Gateway ACL & Switch ACL, I finally realized that traffic between wireless devices doesn't pass through the Switch/Gateway (ACL) but is instead routed through the EAP to the other wireless client. Therefore, I attempted to make the other devices unreachable using EAP ACL rules. I succeeded with these ACL rules:
Furthermore, the rules for both Gateway ACL and Switch ACL are currently empty. The outcome of these rules when I connect with my iPhone to the "Isolated" WiFi network is this scan:
I was thrilled when I saw this! Finally, but then a few hours later, it stopped working altogether. I was going crazy! After a lot of investigation and trial and error, I discovered that my printer and/or I occasionally connect to a different access point (AP). When I tested that, I noticed an issue.
Because when I connect with my iPhone to the same EAP, to which the Canon printer is also connected, all EAP rules no longer "work". Then, suddenly, my result is this:
It appears there is an issue with ACL rules not being processed correctly for users in the same EAP. Is this expected behavior? If so, how can I prevent this from happening?
I have tried the following:
- This issue was present in the latest firmware as well as the beta firmware.
- I have tested each EAP separately, and each EAP exhibits this issue.
- The problem persists even after a restart.
- Even when I block the network in the Gateway/Switch ACL, the issue remains.
- I have also tried resetting everything to factory defaults, but the problem persists.
Additional question:
Furthermore, I am still looking for a way to block the "Bonjour" service using ACL. I want to ensure that Bonjour does not work in my Isolated VLAN but does work in the trusted VLAN where the printer can be found using mDNS. Does anyone have any tips for this?
Currently, the iPhone can discover the printer, but due to the other restrictions in place, it cannot print anything.
I hope you can assist me further. Even if it turns out to be a configuration error rather than a bug, I would appreciate guidance on how to resolve it.
I have also tried to provide as much useful information as possible without including unnecessary details. If anything is missing, please let me know, and I'll be happy to provide any additional information you need.
Thank you very much for your help and support!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Running into the same problem. Doesn't sound like there is any intent to update this 'feature'?
I'm setting up a network with PPSK for a marina with a mix of permanent users who are living on site and regular day users (slip holders with smaller boats without living quarters). I will have only one SSID, but several passwords getting clients to their appropriate VLAN. One of those VLANs will be intended for the general use and day guests, who don't need their own indivudual VLAN. This will use a simple shared password posted locally to avoid using an open portal login and the issues that brings. I don't want to consider transmitting multiple SSIDs for multiple reasons, mainly simplicity, but also due to the airspace being very crowded already, so I don't want to add any more SSID's than neccessary. For this VLAN, due to this EAP ACL issue, I am unable to replicate a true guest network behavior and am compromising security for those clients. Since I'm using a single SSID with PPSK it seems overly complicated, but maybe not impossible, to use ACLs to work backwards into this functionality from a base guest network, as I'll have 30+ VLANs, most with interLAN traffic permitted.
Is there any guarantee from TP-Link that usign ACLs to selectively permit access around a guest network will always be allowed and not altered in future firmware updates? If so it sounds like it may be worth trying to work backwards from a default guest network.
It sounds like there may be options in the Switch/EAP settings outside of controller mode to help address this, but this is going to be a decent sized system with multiple outdoor switches (SG2005P-PD) feeding multiple EAPs so dropping out of controller mode is not an option. Any plans to integrate those settings into controller mode?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 3
Views: 2973
Replies: 21
Voters 2
