EAP670 multiple SSID issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2022-06-24 16:12:00 - last edited 2022-08-04 11:49:34
Model: EAP670  
Hardware Version: V1
Firmware Version: 1.0.2 Build 20220210 Rel. 56619(5553)

I have two VLANs configured on my EAP670:

VLAN1 (SSID1): 192.168.1.x/24

VLAN3 (SSID3): 192.168.3.x/24

Both SSIDs are 5 GHz. The router is configured to allow traffic to pass from VLAN1 to VLAN3 but not in the other direction.

I have two clients connected; both are Linux PCs (Ubuntu 20.04.4) and both have Intel AX200 Wi-Fi adapters. When they are each connected to the same SSID/VLAN, connectivity works as expected. When they are connected to the differing SSIDs, connectivity is broken between the two for anything beyond a simple network ping, i.e., the client on VLAN1 can ping the client on VLAN3 but if I attempt to open a connection which requires high throughput (such as remote desktop), the connection fails. I also see kernel debug messages from the Intel Wi-Fi driver on the client connected to VLAN3.

This problem did not happen with the WAP the EAP670 just replaced.

What could be the cause?

#1
1 Accepted Solution
Re:EAP670 multiple SSID issue-Solution
2022-08-04 11:49:30 - last edited 2022-08-04 11:49:34

Hi there,

Thank you for coming to our community for help!

This thread is about the issue with TCP connections (such as Remote Desktop) between VLANs on the same EAP650/EAP670/EAP653 v1. If you suffer from the same issue as described below (thank you @Endpoint7024 for the detailed information), please follow this post for a solution. Thanks for your cooperation and patience. See you on the community soon!

Endpoint7024 wrote

I have two VLANs configured on my EAP670:

VLAN1 (SSID1): 192.168.1.x/24

VLAN3 (SSID3): 192.168.3.x/24

Both SSIDs are 5 GHz. The router is configured to allow traffic to pass from VLAN1 to VLAN3 but not in the other direction.

I have two clients connected; both are Linux PCs (Ubuntu 20.04.4) and both have Intel AX200 Wi-Fi adapters. When they are each connected to the same SSID/VLAN, connectivity works as expected. When they are connected to the differing SSIDs, connectivity is broken between the two for anything beyond a simple network ping, i.e., the client on VLAN1 can ping the client on VLAN3 but if I attempt to open a connection which requires high throughput (such as remote desktop), the connection fails. I also see kernel debug messages from the Intel Wi-Fi driver on the client connected to VLAN3.

Recommended Solution
#14
13 Reply
Re:EAP670 multiple SSID issue
2022-06-24 20:47:43

@Endpoint7024 It's weird. But this may be the same issue as here with EAP650.

https://community.tp-link.com/en/business/forum/topic/559240

#2
Re:EAP670 multiple SSID issue
2022-06-24 21:01:43

@jrypacek Thanks for sharing. I would say that I'm seeing the exact same problem as shown in the other thread.

I hope someone at TP-Link can prioritize a firmware fix for this.

#3
Re:EAP670 multiple SSID issue
2022-06-24 21:53:24

@Endpoint7024

Hey

One thing jumps out at me in what you said.

The router is configured to allow traffic to pass from VLAN1 to VLAN3 but not in the other direction.

As traffic flow requires 2-way chatter (sync, syn-ack, ack packets), blocking one VLAN accessing the other will virtually kill both communications; you may get PING as it's UDP but in my experience that's even questionable. Have you specific port exceptions for the traffic you require? Did you try removing the restrictions to test this?

#4
Re:EAP670 multiple SSID issue
2022-06-24 22:54:40
The one-way routing restriction between VLANs isn't the issue. I've had this setup working properly for a long time using an older Netgear-based WAP. The problem only started occurring when I replaced the older WAP with the EAP670. There were zero changes made to the router.
#5
Re:EAP670 multiple SSID issue
2022-06-25 06:21:01

@Philbert

I had the same idea, but when you look at the link I posted you will see that some EAP models have a very weird and significant bug. I also found two issues on EAP610. Hope they will be able to fix it soon as I'm getting disappointed.

#6
Re:EAP670 multiple SSID issue
2022-06-25 07:24:47

@Endpoint7024

Hi,

Which router and controller are you using?

#7
Re:EAP670 multiple SSID issue
2022-06-25 16:12:30

@nutzich I'm not using any Omada-specific HW. The EAP670 is connected to a Netgear GS108PEv3 managed switch. The switch port it's connected to is configured for 802.1q VLAN tagging as I described in my first post but I really don't think that has anything to do with this. As I said, I can reconnect the older WAP I was using and the problem goes away.

Based on information in the other thread it appears the EAP660's firmware is newer and fixes the problem. I hope the EAP670 can be updated soon or else I will need to find another solution.

#8
Re:EAP670 multiple SSID issue
2022-06-25 20:47:58

@Endpoint7024

Hi,
I just wanted to know the type of router because, for example, the TL-R605 router behaves like @Philbert said. The TL-R605 router cannot handle unidirectional ACLs the way people would wish, because it does not know a status such as established or related.
So I would agree with you that it might be related to the firmware of the AP.
The only thing that could possibly be tested to isolate the problem a bit more would be to use different SSIDs but, for the test, only one VLAN.

The EAP225 had a similar problem (unfortunately I can no longer describe it exactly) a few years ago, even without using VLANs. This was then fixed with a firmware update.

#9
Re:EAP670 multiple SSID issue
2022-06-25 21:12:55

@nutzich

The router is a Raspberry Pi 4B running OpenWRT. It is configured as follows:

"lan" is VLAN1 (192.168.1.x)

"iot" is VLAN3 (192.168.3.x)

"lan" devices are permitted to initiate connections to "iot" devices. "iot" devices are not permitted to initiate connections to "lan" devices. It's like a one way street.

The RPi's Ethernet port is configured (via OpenWRT) for 802.1q VLAN tagging. Works great with the Netgear managed switch.

There is an additional VLAN, "NoInternet", which is not routed to the EAP670.

I've had this exact setup working for over a year without issues.

#10
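
Replies #4 and #9 turn on whether the router tracks connection state, and #10 describes a one-way "lan" to "iot" policy. As an added example (not from any poster, and not OpenWrt or TP-Link code), this Python model runs a constructed TCP handshake through a direction-only ACL and through a connection-tracking firewall; the host addresses, ports and function names are assumptions.

```python
import ipaddress

# Zone names and subnets as given in the thread; hosts and ports are constructed.
ZONES = {"lan": ipaddress.ip_network("192.168.1.0/24"),
         "iot": ipaddress.ip_network("192.168.3.0/24")}
ALLOWED_NEW = {("lan", "iot")}  # one-way policy: only lan may initiate toward iot

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(name for name, net in ZONES.items() if addr in net)

def direction(p):
    return zone_of(p["src"]), zone_of(p["dst"])

def stateless_acl(packets):
    """Judge each packet by direction alone, with no memory of earlier packets."""
    return [direction(p) in ALLOWED_NEW for p in packets]

def stateful_firewall(packets):
    """Accept new flows only in the permitted direction, then accept both
    directions of any flow already tracked (the established state)."""
    tracked, verdicts = set(), []
    for p in packets:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        if flow in tracked or reverse in tracked:
            verdicts.append(True)
        elif p["flags"] == "SYN" and direction(p) in ALLOWED_NEW:
            tracked.add(flow)
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts

def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

# Constructed handshake: a lan client opens TCP 3389 on an iot host.
LAN_TO_IOT = [pkt("192.168.1.10", 50000, "192.168.3.20", 3389, "SYN"),
              pkt("192.168.3.20", 3389, "192.168.1.10", 50000, "SYN-ACK"),
              pkt("192.168.1.10", 50000, "192.168.3.20", 3389, "ACK")]
# Constructed attempt in the blocked direction: an iot host initiates toward lan.
IOT_TO_LAN = [pkt("192.168.3.20", 40000, "192.168.1.10", 22, "SYN")]

if __name__ == "__main__":
    for name, fw in (("stateless", stateless_acl), ("stateful", stateful_firewall)):
        print(name, "lan->iot:", fw(LAN_TO_IOT), "iot->lan:", fw(IOT_TO_LAN))
```

Only the direction-only ACL drops the returning SYN-ACK; both models refuse a connection initiated from "iot".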
Re:EAP670 multiple SSID issue
2022-06-25 21:23:48

As an experiment I just temporarily changed the firewall rules to allow "iot" VLAN traffic to flow to the main "lan" zone:

I verified this is now working using devices which are hard wired to the switch. As expected, it doesn't make any difference with respect to the EAP670. It's still basically impossible for devices on the two VLANs to talk to each other if they're each connected to the EAP670.

#11