Router blocking traffic to vlan

I just upgraded the router firmware from 2.2.6 to the 2.3.0. The lan-vlan configuration was working correctly prior to the upgrade. After the update, the lan -> vlan is being blocked. However the vlan -> lan is not being blocked.
I'm running a ping on 2 computers, one on the lan and one on the vlan with a ping to each. The lan side does not reach and the vlan side pings just fine.
I tried to downgrade the firmware back to the 2.2.6, but the router is rejecting the file.
There is an Omada controller managing the router and a single switch (SG2210MP v4.20) and a wifi AP (EAP660 HD(US) v1.0).
I did notice when I reboot the router, the pings from lan->vlan will start working for a couple seconds, then stop. Then as the router is starting up again, the pings connect, but then stop again after a few seconds.
I am at a loss on how to get the network working correctly again.

Without seeing the config, I assume that you might have accidentally triggered the unidirectional ACL.
Recommend you check your ACL settings.
The behavior is expected.
Thanks for the reply. Prior to the router firmware update, I had 2 ACL rules for lan-lan. One in each direction to permit all between the 2 vlans. They are still there. I tried enable and disable them. I deleted and recreated them. Nothing changed the behavior.
One mistake I made in my original description is traffic between the two vlans is blocked in BOTH directions. Turns out the Pi on the vlan had a wifi connection to the other vlan, which tricked me.
The only other thing I can think to try is to delete the vlan and rebuild it and the rules again.
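The trap described in the post above, a test host with a second (Wi-Fi) address in the other VLAN making a ping look as if it had crossed the router, can be checked before trusting a ping result. This is an added example, not part of the original thread; the two subnets are the ones listed in the thread, while the interface names and host addresses are constructed.

```python
import ipaddress

# Segments taken from the thread; interface names and host addresses in
# SAMPLE are constructed for illustration.
SEGMENTS = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "Lab": ipaddress.ip_network("172.31.81.0/24"),
}

# Constructed `ip -o -4 addr show` output: a Lab host that also has Wi-Fi on the LAN.
SAMPLE = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 172.31.81.20/24 brd 172.31.81.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec
3: wlan0    inet 192.168.10.57/24 brd 192.168.10.255 scope global dynamic wlan0\       valid_lft 86000sec preferred_lft 86000sec
"""


def parse_ip_addr(text):
    """Return [(ifname, IPv4Interface)] from `ip -o -4 addr show` output."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        if "inet" not in tokens:
            continue
        cidr = tokens[tokens.index("inet") + 1]
        found.append((tokens[1], ipaddress.ip_interface(cidr)))
    return found


def audit_ping_test(ip_addr_text, target):
    """Decide whether a ping from this host to `target` really crosses the router."""
    target = ipaddress.ip_address(target)
    addrs = [(n, i) for n, i in parse_ip_addr(ip_addr_text) if not i.ip.is_loopback]
    # Names of the segments this host has an address in.
    homed = sorted({name for name, net in SEGMENTS.items()
                    for _, iface in addrs if iface.ip in net})
    # Interfaces whose own subnet contains the target: traffic leaves directly
    # on that interface and never reaches the router or its ACLs.
    on_link = [n for n, iface in addrs if target in iface.network]
    return {"segments": homed, "on_link_via": on_link,
            "valid_routed_test": not on_link}


if __name__ == "__main__":
    # 192.168.10.50 is a constructed LAN workstation address.
    print(audit_ping_test(SAMPLE, "192.168.10.50"))
```

On a real host, pass the output of `ip -o -4 addr show` instead of `SAMPLE`; if `valid_routed_test` is false, disable the listed interface or test from a single-homed machine.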
To follow up on my previous posts. I deleted the Lab vlan. Disconnected the lab devices. Rebooted router and switch. Readded the lab vlan, setup the permit acl, reconnected the devices. Still unable to ping between the vlans. I've been through the settings many times and I just don't see why it doesn't work.
As I indicated in the initial post, this setup was working correctly until I updated the router firmware from 2.2.6 to 2.3.0.
Is there a way to roll the firmware back to 2.2.6 to hopefully get my network functional again?
Here's the details on my configuration. It's not overly complicated.
Everything is working as I expect the lan - lab access.
Router (ER605 v2.0) 2.3.0
Switch (SG2210MP v4.20) 4.20.10
Omada Controller (4CF50A)
AP (EAP660 HD v1.0) 1.4.2
VPN via openVPN. The lab vlan is a /24 in the vpn.
LAN : 192.168.10.1/24
Lab VLAN : 172.31.81.1/24
Router :
WAN1 : Internet
WAN/LAN3 : Switch
ACL : Permit ALL LAN->LAN Network:LAN to Network:Lab
ACL : Permit ALL LAN->LAN Network:lab to Network:LAN
Lab vlan added to VPN networks.
No switch ACL entries.
Switch ports : profile : device
Port 1 : All : Omada controller
Port 2 : All : Router
Port 3 : All : Unmanaged switch - many local devices
Port 4 : Lab : - device
Port 5 : All : Empty
Port 6 : Lab : vlan - unmanaged switch - 4 devices
Port 7 : All : Empty
Port 8 : All : AP
A - Lan - Main workstation connected to unmanaged switch off of port 3.
B - Lab - computer off port 4
C - VPN - remote server on VPN
What works:
A ping C
B ping C
C ping B
What does not work:
A ping B
B ping A

I would still recommend you read this:
Again thanks for the reply. I mentioned the VPN because it is part of the overall config of the router and to illustrate what parts of the vlan setup were working.
The devices that I am using to test connectivity between the vlans are Linux based (RHEL, Debian, and Ubuntu), so Windows firewall issues are not in play.
Update: I rolled back the router firmware to 2.2.6 and the network is once again working as expected. I didn't make any other changes.
For whatever reason firmware 2.3.0 in my setup does not allow traffic between vlans with or without the ACL rules.
I did a test with one of the kids who has an ER605v2 and multiple vlans. I disabled the router ACL one way but didn't get any ping. I disabled the router ACL both ways, no ping, so I scratched my head here for a little while. Then I came to think of the EAP ACL that I had created before the LAN to LAN ACL came to the routers. I then disabled the EAP ACL and thus I got pinging from a LAN to VLAN. I have installed firmware version 2.3.0 Build 20250428 Rel.18967. Check if you have the same firmware and check the switch and EAP ACL.