[SOLVED] EAP225 AP Web Management Issues and Questions
Just got a new AC1350 EAP225 Ceiling Mount AP and have connected it to a pfSense router. I have it up and running and have upgraded the firmware from v2.2.0 to v2.4.0.
I found with the new firmware if I select the guest network function for SSID isolation I cannot access the web management login wirelessly. I can however access and manage the AP with a laptop using a wired connection connected to the same TP-Link TL-SG1005D switch that the AP is connected to. So I am wondering is this normal behavior meaning the AP cannot be managed wirelessly if the guest network function is enabled?
I have also found that I cannot gain access to the AP web management login from a wired pc on a different subnet. The pfSense firewall logs show a successful connection from the pc to the AP but when trying to access the AP the browser on the pc shows that the connection just times out and does not load the web login page. I read another thread where someone said they can access the AP's web login from a different subnet however I can't seem to make it work. My firewall rules seem to be good and the logs show nothing is being blocked. I am wondering if this is also normal behavior or could this be a NAT/Port Forward issue or something else?
If it helps, the AP is using Static settings with the IP being 192.168.20.10 and the gateway being 192.168.20.1. The PC that I am trying to use for AP management also uses a static IP set to 192.168.10.10 with the gateway being 192.168.10.1. Both the AP and the PC are wired to my pfSense router. The router is using an Intel 4 port NIC with one port used for my wireless LAN and another port for my PC's LAN. The other 2 ports are also being used but have no bearing on this issue. It probably has no bearing to the above issues but there is a TP-Link TL-SG1005D switch between the router and AP and also a monoprice unmanaged switch between the router and PC.
Taggit774 wrote
1) So I am wondering is this normal behavior meaning the AP cannot be managed wirelessly if the guest network function is enabled?
2) I am wondering if this is also normal behavior or could this be a NAT/Port Forward issue or something else?
Re 1) see the release notes of firmware v2.4.0:
2. The SSID isolation function is promoted to the Guest Network Function. Wireless Clients connected with Guest SSID can’t communicate with each other and the local network.
So, yes, it's normal behavior.
Re 2): should work if network routes are in place, the firewall allows traffic between those two subnets and gateways are defined on the AP and PC, but I'm not familiar with pfsense and its default routing policies, sorry.
R1D2 wrote
Taggit774 wrote
1) So I am wondering is this normal behavior meaning the AP cannot be managed wirelessly if the guest network function is enabled?
2) I am wondering if this is also normal behavior or could this be a NAT/Port Forward issue or something else?
Re 1) see the release notes of firmware v2.4.0:
2. The SSID isolation function is promoted to the Guest Network Function. Wireless Clients connected with Guest SSID can’t communicate with each other and the local network.
So, yes, it's normal behavior.
Re 2): should work if network routes are in place, the firewall allows traffic between those two subnets and gateways are defined on the AP and PC, but I'm not familiar with pfsense and its default routing policies, sorry.
Might be something going on with the AP in regards to my second question. I've noticed a similar behavior with my laptop. The other night I ran into an issue where my laptop would also timeout trying to reach the AP's web login page. After 5 or 6 failed attempts it would suddenly load the login page (slowly). Once logged in all I could see was the admin page header containing the logo, logout and help buttons. I then had to log out and back in several times before the admin pages would display correctly. During this time the laptop showed I had a good connection to the AP and could also open web pages without issue.
Given the issue with the laptop this would seem to be at least somewhat an AP issue as both are on the same subnet so the firewall doesn't even see the communication between the two.
I also forgot to mention in my first post that I do have the MAC addresses for the laptop and desktop pc added in the AP for management access.
I would recommend a network analysis using tcpdump or wireshark to find out what's happening. You also could connect your laptop/PC directly to the switch the EAP is connected to in order to check whether this behavior is actually caused by the EAP or by your network setup.
Since my last post I have tried a couple of things.
Ran Windows 10 network diagnostics from the pc having issues with the AP. It reported "Resource (192.168.20.10) (the AP) is online but not responding to connection attempts."
Made a wired connection on a third subnet with my laptop and that also times out.
I have also connected the same laptop to the switch which is also connected to the AP and I can login. It will however fail to connect sometimes. Seems rather random.
I'll run Wireshark and see if that offers any hints.
Update: I have a solar envoy on the same switch as the AP and I can access the envoy's web GUI by IP using the same pc that times out trying to access the AP's login page.
Also, I did run wireshark on the pc and I can see connection attempts and re-transmission, but no reply, nothing from the AP.
When I installed the AP I had to make a couple of new cat6 cables. Thought that maybe I might have made a mistake terminating the cables but thinking about it more I can access the AP's login with a laptop connected to the same switch as the AP and I don't seem to have any other issues like dropped internet from the AP. When I had the laptop connected to the switch it did have some timeouts before getting a successful login however. I should see more issues if one of my cables was improperly terminated shouldn't I?
Does the AP rely on IPv6? I have that turned off in the router.
Maybe I should ask, what requirements (such as ports and protocols) need to be met for a successful connection between subnets in regards to communicating with the AP?
I have tried allowing all traffic between the AP and pc with no luck.
Just to recap, when trying to connect to the AP from my pc in a different subnet I can see in the router/firewall that the pc does make a connection to the AP but there is no response from the AP and the webpage times out. Either the AP is dropping the LAN connection
I have to assume there is a problem with the AP but unsure. I think I might now need to install wireshark on the laptop and plug it into the same switch as the AP to do some testing.
Ok, looks like I have somewhat isolated the issue.
During the initial setup of the AP I enabled the "MAC Authentication" feature and added the MAC addresses for my laptop and pc. Turning this feature off is now letting me login from different subnets. The only issue now is the AP will only allow port 80 login when logging in from a different subnet. Trying HTTPS still times out.
If I am connected to the same switch or use a wireless connection to the AP I can login using HTTPS.
I double and triple checked my MAC addresses and they were without doubt added to the "MAC Authentication" correctly. I can only assume my pfSense router is masking or changing the pc's MAC address.
Given what I have found, when accessing from a different subnet is it normal behavior for the AP to only allow login using HTTP when "MAC Authentication" is disabled?
Taggit774 wrote
I double and triple checked my MAC addresses and they were without doubt added to the "MAC Authentication" correctly. I can only assume my pfSense router is masking or changing the pc's MAC address.
The MAC address is local to the network, so your EAP won't see it at all if it is in a different network. See MAC address - Wikipedia for details.
Given what I have found, when accessing from a different subnet is it normal behavior for the AP to only allow login using HTTP when "MAC Authentication" is disabled?
No. If you can log into the web UI using HTTPS if connected to the EAP's network, but not in the other LAN network, it's almost certainly an issue with the firewall rules.
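The point made in the reply above about MAC addresses being local to a network, as an added example that is not part of the original thread: a small model of a routed hop showing which source MAC a layer-2 allowlist on the AP actually sees. All MAC addresses, the payload strings and the helper names (`route`, `ap_allows`) are constructed for illustration; this is not TP-Link's implementation of "MAC Authentication".

```python
import struct

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def ether_frame(dst, src, payload, ethertype=0x0800):
    """Build an Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return struct.pack("!6s6sH", mac(dst), mac(src), ethertype) + payload

def source_mac(frame):
    """Return the frame's source MAC as text (header bytes 6..11)."""
    return ":".join(f"{b:02x}" for b in frame[6:12])

def route(frame, egress_mac, next_hop_mac):
    """Model a router hop: the IP payload is forwarded unchanged, but in a
    NEW Ethernet frame whose source is the router's egress interface."""
    return ether_frame(next_hop_mac, egress_mac, frame[14:])

def ap_allows(frame, allowlist):
    """Hypothetical MAC-based management filter: it can only judge the
    layer-2 source address of the frame that reaches the AP."""
    return source_mac(frame) in allowlist

# Constructed, locally administered addresses (not taken from the thread).
PC_MAC = "02:00:00:00:10:10"        # PC at 192.168.10.10
LAPTOP_MAC = "02:00:00:00:20:50"    # laptop on the AP's own switch
RTR_LAN_MAC = "02:00:00:00:10:01"   # router port 192.168.10.1
RTR_WLAN_MAC = "02:00:00:00:20:01"  # router port 192.168.20.1
AP_MAC = "02:00:00:00:20:10"        # AP at 192.168.20.10
ALLOWLIST = {PC_MAC, LAPTOP_MAC}    # what the poster entered on the AP

PC_PACKET = b"192.168.10.10 -> 192.168.20.10 tcp/80 SYN"  # stand-in payload

def demo():
    same_segment = ether_frame(AP_MAC, LAPTOP_MAC, b"laptop -> AP tcp/80 SYN")
    from_pc = ether_frame(RTR_LAN_MAC, PC_MAC, PC_PACKET)  # PC to its gateway
    routed = route(from_pc, RTR_WLAN_MAC, AP_MAC)          # gateway to AP
    return {
        "laptop_same_switch": ap_allows(same_segment, ALLOWLIST),
        "pc_routed": ap_allows(routed, ALLOWLIST),
        "mac_seen_by_ap": source_mac(routed),
        "payload_unchanged": routed[14:] == PC_PACKET,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Allowlisting the router's interface MAC instead would admit every host that can route to the AP, so a per-host restriction for routed management traffic belongs in the firewall rule, keyed on source IP.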
@molika I never did get it working until just recently. About a week ago I checked to see if there was any new firmware for the AP and saw I was 2 updates behind. Long story short, I updated to the latest firmware and then gave HTTPS another try and it is now working.
If you update the firmware do not make the same mistake I did. I didn't save a config file to restore my settings for the AP and after I updated I lost all of my settings and had to redo everything.