Issues with tcp connections between VLANs on the same AP

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2022-06-07 16:37:22 - last edited 2022-08-14 08:57:33
Model: EAP650  
Hardware Version: V1
Firmware Version: 1.03

I'm having issues streaming some networked (WiFi) cameras across VLANs, but only when the client device is on the same AP as the camera. When my client device is connected to a different AP everything streams perfectly. But when they share an AP the stream dies before it can even start. I have 3 total APs, all EAP650. Two are directly connected to my switch, one is using wireless mesh. If the cameras are in the same VLAN as the client device it works perfectly. If the cameras are on a different VLAN AND a different AP it works perfectly. If the cameras are on a different VLAN but the SAME AP, it does not work.

 

I cannot figure out why this would be.

Update: This is caused because TCP connections will drop unexpectedly when connecting to the same AP from where they initiated, on a different SSID/VLAN.

I isolated it to the EAP 650 access points I was using. I replaced them with some Netgear access points set up with the same SSIDs and VLANs and it works 100% correctly.

#1
1 Accepted Solution
Re:Issues with tcp connections between VLANs on the same AP-Solution
2022-08-04 11:26:42 - last edited 2022-08-12 09:12:54

Dear @treas, @jrypacek, @d0ugmac1, @s0x, @Endpoint7024, @Spryde, @shberge,

Thank you all for your great patience while we work through this issue!

Regarding the issue with TCP connections (such as Remote Desktop) between VLANs on the same EAP650/EAP670/EAP653 v1, the R&D team has made a Beta firmware to fix it, which has also added PPSK support. Please follow this solution post for downloading.

Thank you for your attention! Look forward to hearing from you on our community soon!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
#37
52 Reply
Re:Issues streaming cameras across VLANs
2022-06-07 18:15:58

  @treas 

 

Did you set up any rules/ACLs etc. controlling traffic between the different VLANs?  If you did, were they set on the APs or the Switch?

<< Paying it forward, one juicy problem at a time... >>
#2
Re:Issues streaming cameras across VLANs
2022-06-07 18:19:06 - last edited 2022-06-07 18:23:50

@d0ugmac1 No, there are no rules or ACLs in place at all.

It seems like strictly a bandwidth/processing issue. Let me describe the scenario:

AP 1: Camera 1, Camera 2, phone
AP 2: Nothing
Result: Cannot stream from Camera 1 or Camera 2

=============================================

AP 1: Camera 1, Camera 2
AP 2: phone
Result: Can stream from both cameras

=============================================

AP 1: Camera 2
AP 2: Camera 1, phone
Result: Can stream from Camera 2, not Camera 1

=============================================

AP 1: phone, Camera 2
AP 2: Camera 1
Result: Can stream from Camera 1, not Camera 2

It's always the same result: I can only stream from the cameras that are NOT attached to the same AP.

#3
Re:Issues streaming cameras across VLANs
2022-06-07 18:33:37

  @treas 

 

Did you click the Guest Network in any of your SSID definitions?

 

What IP subnets are you using for each of your VLAN/SSIDs?

<< Paying it forward, one juicy problem at a time... >>
#4
Re:Issues streaming cameras across VLANs
2022-06-07 18:36:44

@d0ugmac1 Guest is only checked on my guest SSID.

I'm using a third-party router. The default subnet is 1692.168.92.1/24

The IoT subnet is 192.168.77.1/24

#5
Re:Issues streaming cameras across VLANs
2022-06-07 18:37:21
Oh, it also works fine when streaming via LAN. It’s literally only when using the same AP that there’s an issue.
#6
Re:Issues streaming cameras across VLANs
2022-06-07 18:43:49

  @treas 

 

Those were important details!

Is the guest SSID/VLAN being used by either the camera or the streaming device? If so, untick the 'Guest' network on your AP's SSID and retry.

I assume you are using the APs in standalone (i.e. no Omada SDN involved?)

<< Paying it forward, one juicy problem at a time... >>
#7
Re:Issues streaming cameras across VLANs
2022-06-07 18:45:48 - last edited 2022-06-07 18:47:12

I am using the SDN controller in a Docker container. Guest is not checked for either of the SSIDs used by the devices on any of the EAPs. It also works fine on the same AP if I have all devices in the same network.

#8
Re:Issues streaming cameras across VLANs
2022-06-07 18:56:31

  @treas 

 

Ok, well I can pretty much guarantee you the issue lies with your 3rd party router configuration as I'm using almost the same setup, but with an ER605 and it works just fine.

It seems to me what we have is an issue where your router has a port with two VLANs on it, and it's not permitting traffic to hairpin back out the same port (which would kind of be normal if you think about why you create VLANs in the first place). However, it does permit routing from VLAN1 to VLAN2 on different ports. This explains the behaviour you are seeing. The question is: why is the router behaving this way, and what settings would change this behaviour?

One question you might ask yourself is: if you WANT users on VLAN1 to talk to VLAN2 devices, why are you using different VLANs in the first place?

I would understand having your IoTs on a guest network and blocking them from talking to other local LAN devices (idea being they only communicate to cloud services).

But it should be possible to configure your router to allow packets from port1.VLAN1 to route back to port1.VLAN2... maybe google your router vendor/router OS and see who else has had this issue?

<< Paying it forward, one juicy problem at a time... >>
#9
Re:Issues streaming cameras across VLANs
2022-06-07 19:13:58

@d0ugmac1 I'm not so sure. My network topology is router 2 ports 802.3ad aggregation to a SG2008P. Port 1 of the switch goes to one AP, port 2 goes to the other. All traffic across my entire network goes over the same bonded ports of the router.

As far as why: I intend to add a firewall rule that blocks traffic initiated by LAN 2 to LAN 1 to isolate IoT devices but still allow traffic initiated by devices in LAN 1.

#10
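The one-way rule described in the post above (LAN 1 may initiate to the IoT network, the IoT network may not initiate to LAN 1) is normally written as a stateful filter on the router. The ruleset below is an added example, not part of the thread: it assumes a Linux router running nftables and the hypothetical interface names `lan` and `iot`, since the thread names neither the router nor its VLAN interfaces.

```nftables
# Added example. "lan" and "iot" are assumed interface names for the
# default network and the IoT (camera) network; substitute the router's
# real VLAN interfaces.
table inet vlan_isolation {
    chain forward {
        # Policy stays "accept" so forwarding to the WAN is untouched;
        # only the iot -> lan direction is restricted here.
        type filter hook forward priority 0; policy accept;

        # Return traffic for connections the router has already tracked.
        # This is what lets a camera answer a stream the LAN client opened.
        ct state established,related accept

        # Packets that match no tracked connection are never forwarded.
        ct state invalid drop

        # LAN clients may open new connections to IoT devices.
        iifname "lan" oifname "iot" ct state new accept

        # Anything else from IoT towards the LAN is a connection attempt
        # initiated by an IoT device: log it, then drop it.
        iifname "iot" oifname "lan" log prefix "iot-to-lan drop: " drop
    }
}
```

The `established,related` rule must come before the drop; without it, replies from the cameras to LAN-initiated streams would be blocked as well.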
Re:Issues streaming cameras across VLANs
2022-06-07 19:18:39
I can ping the devices just fine from any AP, I just can’t initiate a TCP connection.
#11