Omada remote site devices FW update is broken. Again.

2 weeks ago - last edited Monday
Model: OC300  
Hardware Version: V1
Firmware Version: 1.30.7 Build 20250704 Rel.78617

Firmware update of devices on remote sites is broken once again (has been for months now).

I had previously managed to get it working by changing the controller ports from the HW defaults to the Omada software controller defaults, but this is no longer working. Mind you that I had previously tried DMZ the OC300 and that didn't help, the only way it worked was by changing the actual controller port.

Restoring the portal port to the HW default doesn't work either.

My OC300 is running the latest stable FW: "1.30.7 Build 20250704 Rel.78617 (Stable)", with the default ports according to https://www.tp-link.com/cl/support/faq/3281/ which has the ambiguous 09-02-2025 date (is it February 9th or September 2nd?). I also have a static public IP on the OC300 hosted site.

Just to be perfectly clear, I can adopt, configure and forget devices on remote sites. All sites have an Omada router, some behind a bridged ISP router, others behind a non-bridged ISP router where the Omada router has been DMZ'd. The only thing not working is device FW update.

 

I have individually forwarded each port, as recently I tried forwarding a bunch of IP camera ports as individual groups (external xx443-xx554 to internal 443-554) and that didn't work; I had to make a separate rule for each individual port (one for each xx443 to 443 and one for each xx554 to 554).

Sorry for the Spanish/English mix, but Omada UI has decided to ignore my language setting (set as english) or to mix both languages.

There is no real Firmware update result. It takes about a day for any type of message to appear, and the only message is also not helpful.

Side note: What is the purpose of the "SITES" column anyway? It is listing all sites on every device model, regardless of which models are present on which sites.

I grudgingly forwarded port 443 too, but the same devices keep saying there is a new version available, which I can confirm on the same model devices from the local site. 

I guess not many people use the HW controller with more than one site or to control remote sites. If anyone does and has the FW update working, I'd appreciate any hints as to what else I can try. I'm not willing to go to each site to retrieve the devices and do a forget-manualFWupdate-adopt procedure each time there is a new FW. I'm updating FWs because there are still quirks I hope the new FW will rectify.

#1
Re:Omada remote site devices FW update is broken. Again.
a week ago

  @Tintronic 

Thanks for posting here.

Under normal circumstances, this issue should not occur if the port forwarding configuration is correctly set up. And it seems like you have tried all possible troubleshooting steps.

 

Does the situation persist?

There is no real Firmware update result. It takes about a day for any type of message to appear, and the only message is also not helpful.

>>>What kinds of error messages? Could you please share some screenshots, even if they're not helpful.

 

#2
Re:Omada remote site devices FW update is broken. Again.
a week ago - last edited Saturday

  @Tintronic 

 

Do any of your remote sites have Site-To-Site VPNs back to the main site hosting the OC300 ?

 

I have come across instances where if you are doing port forward adoption method, having a site to site linking back to management vlan which the OC sits on can cause...weirdness with adoption of firmware updates.

 

I have a purely NAT forwarded remote site with no VPN, firmware updates work normally. I didn't have to change any ports, just made sure I forwarded the right ones.

 

I have remote sites adopted inside their site-to-site VPN, you just need to point remote devices to the controller IP and it just works, no forwarding needed.

 

Here is my unadjusted completely default ports NAT forwarding to my OC300 which works perfectly, for your reference

 

#3
Re:Omada remote site devices FW update is broken. Again.
a week ago

 Hello @Vincent-TP 

 

There is no real Firmware update result. It takes about a day for any type of message to appear, and the only message is also not helpful.

>>>What kinds of error messages? Could you please share some screenshots, even if they're not helpful.

 

 

The only message is "Failed Device List". But all devices are listed in the "devices" tab, both in global view as well as in each individual site view.

 

 

When I start the upgrade process, each device eventually goes into the "Upgrading" state, but the upgrade fails.

#4
Re:Omada remote site devices FW update is broken. Again.
a week ago

Hello,  @GRL 

 

Do any of your remote sites have Site-To-Site VPNs back to the main site hosting the OC300 ?

 

I have come across instances where if you are doing port forward adoption method, having a site to site linking back to management vlan which the OC sits on can cause...weirdness with adoption of firmware updates.

 

I have a purely NAT forwarded remote site with no VPN, firmware updates work normally. I didn't have to change any ports, just made sure I forwarded the right ones.

 

I have remote sites adopted inside their site-to-site VPN, you just need to point remote devices to the controller IP and it just works, no forwarding needed.

 

Here is my unadjusted completely default ports NAT forwarding to my OC300 which works perfectly, for your reference

 

 

I don't have Site-to-Site VPNs, but I did have Site-to-Client VPNs. I just deleted these as I wasn't using them anyways and tried again, but the problem persists. I have these same ports forwarded (added port 80 to test it out), but it still isn't working.

 

 

So maybe it is a problem with my "System Settings".

 

Note: I replaced my domain name just to capture the screenshot.

 

While I do have a fixed public IP, I caught my ISP changing my IP at least once a few years ago, apparently due to some major HW or config changes within the ISP. That is why I keep the domain name.

If I set "Auto Refresh IP", then remote devices will be configured with the local controller IP instead of the WAN IP, losing connection to the controller.

 

#5
Re:Omada remote site devices FW update is broken. Again.
a week ago - last edited a week ago

  @Tintronic 

 

Controller hostname/IP should be the internal LAN side IP of the controller, for example in my case it's set to 192.168.0.230 which is my OC300 LAN side IP.

Your port forward will be directing your remote site traffic to its internal IP, the controller will know to route its responses back to your gateway for going back to the remote sites. Setting it differently here will probably screw up that interaction.

 

 

This is mine

#6
Re:Omada remote site devices FW update is broken. Again.
a week ago

  @GRL 

 

GRL wrote

  @Tintronic 

 

Controller hostname/IP should be the internal LAN side IP of the controller, for example in my case it's set to 192.168.0.230 which is my OC300 LAN side IP.

Your port forward will be directing your remote site traffic to its internal IP, the controller will know to route its responses back to your gateway for going back to the remote sites. Setting it differently here will probably screw up that interaction.

 

That is strange. While writing my previous reply, I did shortly activate the "Auto Refresh IP" and tried the FW update on two remote devices (each on a different remote site), but both not only failed the FW update but also failed to reconnect to the controller. Not only that, but one of the two devices is the new SG2005P-PD, an outdoor PoE switch which is itself PoE powered. This switch and all devices it powered (EAP100 bridge, EAP225-Outdoor, IPC) all lost connection permanently. I waited about half an hour, then deactivated the "Auto Refresh IP" (which had replaced the domain name with the local controller IP) and called the remote site (1000km away) so they could perform a manual power cycle. This allowed all devices to reconnect.

 

This is mine

Does this configuration correspond to the purely-NAT hosted site, or to the Site-to-Site VPN hosted site?

#7
Re:Omada remote site devices FW update is broken. Again.
a week ago

  @Tintronic 

 

Works for both - the purely WAN / Port forward one and the VPN ones as well

#8
Re:Omada remote site devices FW update is broken. Again.
Saturday - last edited Saturday

I just caught the ephemeral Firmware Upgrade error message of device "Oficina San Carlos".

 

 

For this test I changed the "Device Management" to the local OC300 IP

 

Still no luck on both sites I'm trying to get this working.

 

#9
Re:Omada remote site devices FW update is broken. Again.-Solution
Saturday - last edited Monday

Thanks @GRL and @Vincent-TP. You helped me figure out the problem.

 

So if it's working for others with the same config as me, then it's definitely a problem particular to me, and since it's not my config, the problem lies in between my networks. Since the problem is the same on all 3 remote sites, with 2 different ISPs, then it's the OC300 hosted site's ISP. I decided to change the Management HTTPS port to a somewhat random 8443 (just added the 8 before 443), changed the NAT rule accordingly, and it worked immediately! All "Access Config" ports are back to the original domain name (not local controller IP).

 

I need to have a serious conversation with my ISP, as it has become evident they're increasingly blocking commonly used ports. That is why at some point it stopped working (they blocked 443), why it worked again when I switched to the Software default 8043 port, and then also stopped working with that port.

 

My bad. Sort of.

 

 

 

#10
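The diagnosis above (a port that works locally but is silently dropped somewhere between the remote site and the controller's ISP) can be checked from a remote site before touching any NAT rule. The script below is an added example, not from the thread, TP-Link or the Omada software; the controller hostname is a placeholder and the port list is the set the posts mention (443, 8043, 8443 and the 29810-29818 range).

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports discussed in the thread: the management HTTPS port (443 on the
# OC300 by default, 8043 is the software-controller default, 8443 was the
# fix) plus the 29810-29818 controller range from the NAT rule.
DEFAULT_PORTS = [443, 8043, 8443] + list(range(29810, 29819))


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port from the probing side's point of view.

    'open'       a TCP handshake completed (NAT rule + listener work)
    'refused'    a RST came back: the public IP is reachable, but nothing
                 answers on that port (missing/wrong NAT rule)
    'filtered'   no answer at all before the timeout: something in the
                 path dropped the SYN, which is what an ISP block looks like
    'unresolved' the hostname did not resolve (check the domain name first)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except socket.gaierror:
        return "unresolved"
    except OSError:
        return "error"


def probe_ports(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Probe all ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        states = pool.map(lambda p: probe_tcp(host, p, timeout), ports)
    return dict(zip(ports, states))


def suspicious(results):
    """Ports that look dropped in transit rather than merely closed."""
    return sorted(p for p, state in results.items() if state == "filtered")


if __name__ == "__main__":
    import sys
    # Placeholder hostname: replace with the controller's public domain name.
    host = sys.argv[1] if len(sys.argv) > 1 else "controller.example.invalid"
    res = probe_ports(host)
    for p in sorted(res):
        print(f"{p:>6}  {res[p]}")
    print("possibly blocked in transit:", suspicious(res))
```

Run it once from the controller's own LAN (expect "open" everywhere) and once from a remote site; a port that is "open" locally but "filtered" remotely is the one to move, as was done here with 443.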
Re:Omada remote site devices FW update is broken. Again.
Saturday - last edited Saturday

  @Tintronic 

 

I was beginning to suspect that might be the case...

 

If I were you, I would change the HTTPS port to 29818, in the same range as the main Omada control ports, and far, far less likely to be blocked by your ISP as it's not a common TCP port at all, then adjust your NAT rule accordingly to 29810-29818 TCP/UDP.

 

At least you know now what to immediately check in the future if it happens again.

#11