(EAP110) Portal Access from SSID in different VLAN
Hardware Version : Not Clear
Firmware Version :
ISP :
All,
I have two VLANs
VLAN 0 - Private ( 192.168.1.0/24 )
VLAN 1 - Guest ( 192.168.2.0/24 )
The EAP110 has an IP in VLAN 0 ( 192.168.1.88 ) . When enabling a portal on a SSID that is assigned to VLAN 1 , a WiFi client gets directed to the portal on 192.168.1.88 . As per firewall rules access is denied from VLAN 1 to VLAN 0 , the portal is not accessible.
Any ideas besides setting a FW rule to allow access to the portal ?
Max
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Forcing the computer hosting the eap controller software to also serve the portal page is ridiculous. This forces you to have and maintain a separate computer that is on the same unsecured vlan as the guest computers yet has complete control in maintaining the eaps, a computer that no business could be conducted on because it is unsecured, it's ludicrous.
It would make far more sense to separate those two functions and have it be optional to host the portal from the same computer or default to the EAPs. I was recently told by support that when we move to an external portal page that we must keep the eap software running at all times to accomplish this, which has all the same nonsense as above. Why can't the AP's handle the redirect themselves sans the controller?
- Copy Link
- Report Inappropriate Content
thank you
Cheers Ronald
- Copy Link
- Report Inappropriate Content
binary wrote
Hi, have implemented a hotel wlan solution with a lot of EAP110 (outdoor) and EAP245 APs. Guests using the Internet access with bandwidth limitation over VLAN. But with this configuration i can´t use a portal.
The EAPs are just access points, not multi-functional servers running a Captive Portal and not even a router. A CP must be hosted on a separate system. It makes no sense to have a CP on every AP in a hotspot system. Every CP solution I know of needs such a central authentication server for good reasons, be it on a dedicated local server or on a system in a cloud. I'm in the hotspot business since more than 10 years now and yes, we use EAPs (among other routers acting as gateways) as APs with our Captive Portal controller, which is hosted on a central server in our hotspot solution.
You can host the EAP controller in an AWS cloud instance if you don't want to use a local server for this task. And yes, the APs indeed do handle the redirect to the controller themselves if set to managed mode. The claims from user Advantech regarding the portal redirection are just nonsense.
What's more, a server running a Captive Portal should never ever run other unrelated business software for a simple reason: basic security considerations. A CP is not just an app or a service which can run on a system used for other tasks such as a billing system or hotel reservation system, since the CP must be exposed to the guest's LAN to handle the requests.
That being said, you can indeed use a portal with separate VLANs for EAP's multi-SSID mode, although probably not with your configuration.
See http://www.tp-link.com/us/faq-928.html for the steps to set up an external portal/authentication service (note that the EAC and the external portal/auth services can run on the same or on different servers). With this solution you can use every authentication scheme one can think of.
See http://www.tp-link.com/us/faq-896.html for a simple authentication scheme using a RADIUS server together with EAC (method 4). With this scheme, the RADIUS server could also reside on the same server as the EAC.
- Copy Link
- Report Inappropriate Content
I've understood what you're saying and i´m with you if we speak about enterprise environments!
My solution for now: have installed a virtual machine hosting the EAP Controller which is located in both VLANs. On this VM (no Domainmember) i have configured some routing and firewall rules to prevent access to other things except EAP Controller from both VLANs. So this is working fine now and an proper solution for me right now.
thank you and have a nice week
- Copy Link
- Report Inappropriate Content
binary wrote
On this VM (no Domainmember) i have configured some routing and firewall rules to prevent access to other things except EAP Controller from both VLANs.
This is a professional alternative to isolate the public WiFi from the rest of the network. Glad it works for you.
Have fun! :)
- Copy Link
- Report Inappropriate Content
This issue still exists with the EAP110-Outdoor v3, as of fw 5.0.1 Build 20210316 Rel. 38795(5553).
FTR: the EAP110-Outdoor in standalone mode - no Omada controller - provides a basic captive portal function for the guest network WiFi. It works well with the exception that when you put the guest network on a separate VLAN, the clients won't be able to reach the captive portal web page which is only listening on the management IP address, not in the guest VLAN.
You can see this in a packet capture on a guest client: in my case I have the AP on an untagged/native interface (e.g. 10.0.0.10/24), and the guest wifi on VLAN 3 (10.0.3.0/24.). Once associated, the client gets a DHCP address (from my router) in VLAN 3, say 10.0.3.100. The router is (ideally) configured to only allow traffic from the guest VLAN out to the Internet, not to the LAN. The client's Initial HTTP requests are intercepted by the AP which responds with a redirect (JS location) to the AP's web server port 22080 - on 10.0.0.10.
i.e. the problem is that web server is on the 'management' address (i.e. not the Guest VLAN); for this to work requires the gateway to forward the captive portal traffic from guest VLAN to AP management address, that is, to allow some guest traffic access to the LAN.
For this to work without requiring config on the router, the AP captive portal could acquire a DHCP address in the guest VLAN for which it is operating, so that the client can reach it without the help of the router.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 4741
Replies: 7
Voters 0
No one has voted for it yet.