Problem Implementing Wifi SSID VLANs on EAP245 v3 and EAP 110 Outdoor V3/V1
SHORT DESCRIPTION
==================
We have recently implemented a network of 51 EAP APs in the basement of our apartment complex, which is spread over 36 acres in Bangalore, India. We are in the process of adding another 10-20 APs shortly and may expand to about 100 APs by the end of 2020. Our backbone wired campus network consists of 31 D-Link 1200 series switches and 1 DGS-3120-24SC switch, to which the TP-Link EAPs and Internet routers are connected. The network runs our IP CCTV network with 400+ Hikvision cameras on a dedicated intranet VLAN.
One of the important features we wanted from WiFi access was WiFi SSID - VLAN mapping with all SSIDs having Internet access, but this feature did not work as expected for us for the following APs:
(1) EAP225 v3 (EU) - Latest Firmware
(2) EAP110 Outdoor V3 (EU) - Latest Firmware
(3) EAP110 Outdoor V1 - Latest firmware
All firmware versions are the latest available in the country and are marked as up to date by the OC200 controllers. However, when we disable WiFi VLANs everything works just great. Also, some other APs like the EAP115 V2 (US) and the consumer-grade AP TL-WA901ND work fine.
DETAILED DESCRIPTION
=====================
The following topology indicates what is currently being used and working reliably 24x7. Basically, APs are connected to one untagged Internet access VLAN port and no SSID-VLAN mapping is done.
In this topology all APs (EAP225, EAP110, EAP115, TL-WA901ND) work fine. The DHCP server runs on the load balancing router. Clients get DHCP addresses from the router and can access the Internet.
However to integrate SSID-VLAN mapping, we modified the topology as below:
Here we converted the AP port to tagged for all WiFi VLANs, assuming that the AP will insert and strip off the VLAN tags based on traffic direction while the switch will just trunk these packets to the router. What happened was very strange:
(1) First, for the EAP115 V2 (US version) and TL-WA901ND the configuration worked perfectly. The inter-VLAN isolation was achieved while each VLAN had Internet access.
(2) EAP110 V3 and V1 did not work; clients fail to even get a DHCP IP from the router.
(3) EAP 115 V3 behaved erratically:
(a) On the latest firmware (EAP225(EU)_V3_2.6.0 Build 20190726), the clients connecting to WiFi cannot even get a DHCP address from the router.
(b) On the previous firmware (EAP225(EU)_V3_2.5.0 Build 20190404), which was shipped with the equipment, iOS devices worked immediately, while Android and Windows 10 get a DHCP address after a long time (they stay in "obtaining IP address" for a long time) and then work at slow Internet speed once they get the IPs.
At the IP level all devices are on the private 10.0.0.0/8 subnet, and there is no dedicated DHCP server per VLAN or separate subnet per VLAN. All devices share the same DHCP pool.
Given the strange behavior of different TP-Link AP models, where some models work beautifully and some don't, we are confused as to where the bugs are (which models) or whether the problem is with our VLAN configuration. From our test observations and understanding, we think our VLAN configuration of tagging/untagging is correct, but how to explain some models of APs working and some not, and differences of operation across firmwares? Anyway, everything is up for review.
@APRC-P3-Tel, in the second setup you connected several VLANs from the switch DGS-1210-52 untagged to the router – this can't work. Replies from the router will be sent back as untagged traffic through VLAN 1 only (or whatever your PVID is set to).
You need to use trunk links from the EAP to the router and terminate the VLANs at different (sub-) networks. You also need a DHCP server per subnet/VLAN for the WiFi clients in addition to the DHCP server supplying the EAPs with an IP through the untagged Default VLAN 1.
It does not make much sense to me to use different VLANs which separate the broadcast domains within the same network and the same broadcast domain (10.0.0.0/8). What do you want to achieve with a VLAN-aware Multi-SSID setup? Different WPA keys? If the latter, you would just use Multi-SSID, but within the same (single) LAN, not within different VLANs.
@R1D2 , The router is connected to the port with PVID set to 1 (Default/Native).
(a) I get what you are pointing at, but how are things working with EAP115 V2 and TL-WA901ND, which have older firmwares? Does their firmware have an open defect that is patched in EAP225 V3 and EAP110 V3/V1?
(b) The DHCP discover request from client to router will carry the VLAN tag of the WiFi SSID? Is there a way (like a configuration item) for the DHCP server to copy the tag back into the DHCP reply?
(c) If I convert one of the WiFi AP VLAN ports (on DES-1210-28P) to, say, untagged for default VLAN 1 and untagged for WiFi VLAN 4 (say) [PVID set to 1] and then connect a PC using its Ethernet interface to that, everything works fine.
To be frank, we made this VLAN design with the concept that VLANs are layer-2 broadcast limiter domains operating below layer-3 and there is no tight coupling dependency between layer-2 and layer-3. Our objective in implementing a VLAN-aware Multi-SSID setup is to separate the LANs of each WiFi SSID (based on user groups). For example, separation of guests and residents of the apartment complex into separate networks for better security. Also, some resident groups need WLAN isolation (clients cannot communicate with each other and need only the Internet function) while others do not need it (like the office in the apartment administrative block, where a PC and WiFi printer do need to communicate).
APRC-P3-Tel wrote
@R1D2 , The router is connected to the port with PVID set to 1 (Default/Native).
(a) I get what you are pointing at, but how are things working with EAP115 V2 and TL-WA901ND, which have older firmwares? Does their firmware have an open defect that is patched in EAP225 V3 and EAP110 V3/V1?
(b) The DHCP discover request from client to router will carry the VLAN tag of the WiFi SSID? Is there a way (like a configuration item) for the DHCP server to copy the tag back into the DHCP reply?
(c) If I convert one of the WiFi AP VLAN ports (on DES-1210-28P) to, say, untagged for default VLAN 1 and untagged for WiFi VLAN 4 (say) [PVID set to 1] and then connect a PC using its Ethernet interface to that, everything works fine.
Re: (a) I have only EAP225, but since you have been using untagged ports for EAPs it could IMO have worked only for non-tagged Multi-SSIDs. On ingress the switch replaces a VLAN tag by the PVID for an access port, but on egress it should not have reached the VLAN-tagged SSID. As for the TL-WA901, I never used VLAN-tagged SSIDs with this AP, so I can't tell you why it worked.
There was a bug fix for EAP225 in recent firmware 2.6.0, though – I can't say whether it was present and/or fixed in other models.
Re: (b) You could use DHCP relay if the switch supports it. Anyway, you need separate subnets to be able to create separate broadcast domains.
Re: (c) Sure this works with a PC. Asymmetric VLANs work like this:
- Laptops A and B are in VLAN 10/PVID 10 and VLAN 1, laptops C and D are in VLAN 20/PVID 20 and VLAN 1. Laptops are connected to untagged (access) ports.
- Router is in VLAN 1/PVID 1, but is also member of VLANs 10 and 20. Router is connected to an untagged (access) port.
- A can communicate with B and the router. A and B cannot communicate with C or D.
- C can communicate with D and the router. C and D cannot communicate with A or B.
- Router can communicate with A, B, C and D.
- All devices share a common broadcast domain, same network, one DHCP server.
VLAN-aware Multi-SSIDs require a trunk port for the EAP. The management layer of the EAP can use untagged traffic, but it can also be tagged, thus using any VLAN.
The difference to the asymmetric VLAN setup is that a switch port can be a member of more than one VLAN, but an SSID can only be a member of one VLAN, therefore it does not support an asymmetric VLAN setup.
You now have three (or two, if mgmt shares either VLAN 10 or 20) different broadcast domains with real isolation between the devices, but you need to terminate the VLANs either in the switch (if it's a L3 switch) or in the router. With a L3 switch you could use a routed port to connect to the Internet router, VLAN interfaces for routing in the switch and even one DHCP server with different pools for each VLAN. If your switch doesn't support routing and DHCP, you need to terminate the VLANs in the router.
See this HowTo (method 2) for setting up a local and a guest VLAN with Omada EAPs. It's not difficult, you just need a VLAN-aware router which can support multiple networks or a router which supports Multi-Nets NAT. Of course, the router (or the switch) needs to support different DHCP pools, too.
BTW: The »Guest Network« function of Omada Controller (method 1 in the HowTo mentioned above) is somewhat similar to an asymmetric VLAN in that it allows one broadcast domain to be shared among several (untagged) SSIDs, except that clients in the guest network are isolated using the »Client Isolation« function of the WiFi chip and access to all private IPs is blocked for the guest network.
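As an added illustration (not from this thread or from TP-Link) of the switch and AP behaviour described above, the following Python model walks a DHCP request/reply through 802.1Q classification: untagged ingress takes the port PVID, a trunk tags on egress, and the AP can only deliver a frame whose tag matches an SSID. The VLAN IDs 10 and 20 and the SSID names are assumed; the thread only names VLAN 1.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN plan; the thread only names VLAN 1 (PVID/native), the others are assumed.
MGMT_VLAN, RESIDENT_VLAN, GUEST_VLAN = 1, 10, 20

@dataclass
class Frame:
    src: str
    dst: str
    payload: str
    vid: Optional[int] = None      # None = no 802.1Q tag on the wire

@dataclass
class SwitchPort:
    pvid: int                      # VLAN assigned to untagged ingress frames
    tagged: set                    # VLANs sent out with an 802.1Q tag (trunk membership)
    untagged: set                  # VLANs sent out without a tag (access/asymmetric membership)

def ingress(port: SwitchPort, frame: Frame) -> Frame:
    """Classify a received frame: an untagged frame is assigned the port PVID."""
    vid = frame.vid if frame.vid is not None else port.pvid
    return Frame(frame.src, frame.dst, frame.payload, vid)

def egress(port: SwitchPort, frame: Frame) -> Optional[Frame]:
    """Send a classified frame out a port; None if the port is not a member of its VLAN."""
    if frame.vid in port.tagged:
        return frame
    if frame.vid in port.untagged:
        return Frame(frame.src, frame.dst, frame.payload, None)
    return None

class AccessPoint:
    """Multi-SSID AP: each SSID is bound to exactly one VLAN, so the mapping is one-to-one."""
    def __init__(self, ssid_vlan: dict):
        self.ssid_vlan = ssid_vlan
        self.vlan_ssid = {v: s for s, v in ssid_vlan.items()}

    def to_wire(self, ssid: str, frame: Frame) -> Frame:
        """Client -> LAN: insert the SSID's VLAN tag."""
        return Frame(frame.src, frame.dst, frame.payload, self.ssid_vlan[ssid])

    def to_air(self, frame: Optional[Frame]) -> Optional[str]:
        """LAN -> client: strip the tag and hand the frame to the owning SSID, else drop."""
        if frame is None or frame.vid is None:
            return None                # untagged (VLAN 1) traffic owns no SSID: dropped at the AP
        return self.vlan_ssid.get(frame.vid)

def dhcp_round_trip(router_port: SwitchPort, router_vlan_aware: bool) -> Optional[str]:
    """Return the SSID that receives the DHCPOFFER, or None if it is lost on the way."""
    ap = AccessPoint({"Residents": RESIDENT_VLAN, "Guests": GUEST_VLAN})
    ap_port = SwitchPort(pvid=MGMT_VLAN, tagged={RESIDENT_VLAN, GUEST_VLAN}, untagged={MGMT_VLAN})
    # 1. A client on "Guests" broadcasts DHCPDISCOVER; the AP tags it with VLAN 20.
    discover = ap.to_wire("Guests", Frame("client", "ff:ff:ff:ff:ff:ff", "DHCPDISCOVER"))
    # 2. The switch classifies it on the AP trunk and forwards it toward the router port.
    at_router = egress(router_port, ingress(ap_port, discover))
    if at_router is None:
        return None                    # router port is not in VLAN 20: DISCOVER never arrives
    # 3. A VLAN-aware router replies on the VLAN it heard the request on; a VLAN-unaware
    #    one can only send untagged, so the switch will classify the reply as the PVID.
    offer = Frame("router", "client", "DHCPOFFER", at_router.vid if router_vlan_aware else None)
    # 4. The switch forwards the reply out the AP trunk; the AP looks up the tag.
    return ap.to_air(egress(ap_port, ingress(router_port, offer)))

def asymmetric_vlan_with_unaware_router() -> Optional[str]:
    """The thread's failing topology: router on an untagged port that is a member of all VLANs."""
    return dhcp_round_trip(SwitchPort(pvid=1, tagged=set(), untagged={1, 10, 20}), False)

def trunk_with_vlan_aware_router() -> Optional[str]:
    """The working topology: trunk to a router that terminates each VLAN (pfSense, OpenWrt)."""
    return dhcp_round_trip(SwitchPort(pvid=1, tagged={10, 20}, untagged={1}), True)

if __name__ == "__main__":
    print("asymmetric VLAN + VLAN-unaware router ->", asymmetric_vlan_with_unaware_router())  # None
    print("trunk + VLAN-aware router             ->", trunk_with_vlan_aware_router())       # Guests
```

The first scenario reproduces the symptom reported above: the DISCOVER reaches the router, but the untagged OFFER is classified into VLAN 1 and the AP has no SSID to hand it to.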
@R1D2: So in summary, it seems our network architecture has a fault at the layer-3 level where our router is not VLAN-aware and tags the DHCP response or packet towards the client with default/native VLAN ID = 1, which then can make its way back to the AP, but not to the client from the AP.
We do have a layer-3 switch (D-Link DGS-3120-24SC) which has layer-3 functions like DHCP proxy, etc. I will see if it's possible to design a new architecture with it by connecting the VLAN-unaware router to this layer-3 switch and not the layer-2 52-port switch, where it is currently connected in no-WiFi-VLAN mode.
BTW are you aware of any entry level enterprise grade router that is VLAN aware and potentially suitable for our network ?
Also is Tp-link's own TL-ER5120 V4 VLAN aware ?
APRC-P3-Tel wrote
@R1D2: So in summary, it seems our network architecture has a fault at the layer-3 level where our router is not VLAN-aware and tags the DHCP response or packet towards the client with default/native VLAN ID = 1, which then can make its way back to the AP, but not to the client from the AP.
As far as I understand from your two diagrams your router outputs untagged traffic only. The switch then tags frames with VLAN 1 if PVID=1.
BTW are you aware of any entry level enterprise grade router that is VLAN aware and potentially suitable for our network ?
Also is Tp-link's own TL-ER5120 V4 VLAN aware ?
Sorry, I don't know the TL-ER5120 router at all – had no opportunity to test it so far. We use our own router hardware running a customized OpenWRT firmware which supports VLANs, but still no load balancing out of the box (yet). For a load balanced ISP uplink I once used an EdgeRouter, but IMO it isn't that easy to configure for setups not pre-defined in the web UI unless you are willing to dig into Vyatta OS stuff.
I suggest to ask in the Switches & Routers forum for TL-ER5120 capabilities, there are users who know TP-Link routers much better than I do. Remember to ask for DHCP server pools, I'm not sure whether the TL-ER5120 does support this beside VLANs and load balancing.
R1D2 wrote
APRC-P3-Tel wrote
@R1D2: So in summary, it seems our network architecture has a fault at the layer-3 level where our router is not VLAN-aware and tags the DHCP response or packet towards the client with default/native VLAN ID = 1, which then can make its way back to the AP, but not to the client from the AP.
As far as I understand from your two diagrams your router outputs untagged traffic only. The switch then tags frames with VLAN 1 if PVID=1.
Yes, we can see that now. Our router is surely VLAN-unaware as we did not see even a single item for VLAN config in its web interface. So yes, if it replies with a tag it will either be 1 or nothing, in which case the poor switch will have to pick one tag for the packet, which can only be the PVID (=1). So the DHCP query response packet will hit the AP, and the AP will not know which VLAN to give it to and will drop the packet. Strangely, EAP115 V2 and TL-WA901ND worked. I think their firmware forwards tagged packets to all SSIDs and lets the host resolve it. Sort of fake VLAN support.
I am exploring two approaches now:
(1) Can a combo of a layer-3 switch AND a VLAN-unaware router (what we have) handle our current network design? The number of WiFi SSIDs with VLANs will only increase, and right now it's about 9 WiFi VLANs.
(2) I will also look at a router that can support multiple tagged interfaces on its LAN side (egress-mode-only tagging) and would have to convert the existing switch port to which the router is connected to a tagged port for all WiFi VLANs rather than the current untagged ones supported by asymmetric VLAN. But for this I need to check if the load balancing function of the new router meets our needs also and can handle DHCP pools larger than 256 IP addresses. The TP-Link TL-480T+ which we earlier used had this 256-host limitation besides being limited to 100 Mbps throughput, which is too little as we need near wire-speed routing since we have multiple 1 Gbps broadband connections.
BTW are you aware of any entry level enterprise grade router that is VLAN aware and potentially suitable for our network ?
Also is Tp-link's own TL-ER5120 V4 VLAN aware ?
Sorry, I don't know the TL-ER5120 router at all – had no opportunity to test it so far. We use our own router hardware running a customized OpenWRT firmware which supports VLANs, but still no load balancing out of the box (yet). For a load balanced ISP uplink I once used an EdgeRouter, but IMO it isn't that easy to configure for setups not pre-defined in the web UI unless you are willing to dig into Vyatta OS stuff.
The EdgeRouter is too complex to set up, tweak or maintain. You need a networking geek to handle it. I use an EdgeRouter Lite ER-3 at home and other than its wizards I have only once managed to get it to work by manually copying the steps from a forum post without even understanding what and why I am doing those steps. Not my cup of tea with my skill level.
I suggest to ask in the Switches & Routers forum for TL-ER5120 capabilities, there are users who know TP-Link routers much better than I do. Remember to ask for DHCP server pools, I'm not sure whether the TL-ER5120 does support this beside VLANs and load balancing.
OK. Will do that and also dig into the manual. The TL-ER5120 and the 6120 model are inexpensive.
APRC-P3-Tel wrote
Sort of fake VLAN support.
Right, IMO asymmetric VLAN is kind of a »poor man's VLAN«, no true isolation, network sniffers can reveal devices etc.
(1) Can a combo of a layer-3 switch AND a VLAN-unaware router (what we have) handle our current network design? The number of WiFi SSIDs with VLANs will only increase, and right now it's about 9 WiFi VLANs.
(2) I will also look at a router that can support multiple tagged interfaces on its LAN side (egress-mode-only tagging) and would have to convert the existing switch port to which the router is connected to a tagged port for all WiFi VLANs rather than the current untagged ones supported by asymmetric VLAN. But for this I need to check if the load balancing function of the new router meets our needs also and can handle DHCP pools larger than 256 IP addresses. The TP-Link TL-480T+ which we earlier used had this 256-host limitation besides being limited to 100 Mbps throughput, which is too little as we need near wire-speed routing since we have multiple 1 Gbps broadband connections.
Re 1) Theoretically unmanaged switches should not strip VLAN tags, but I'm not sure since I didn't test it. I have no unmanaged switches anymore given the attractive prices for managed switches from TP-Link. If you have a spare TL-WRxxx WiFi router laying around somewhere I suggest that you install OpenWRT, set up a trunk and test it with your existing switch to make sure it will work (you would have to test it sooner or later anyway). Just copy the stanzas in my HowTo to set up a test network under OpenWRT.
Re 2) For multiple Gigabit uplinks you need a powerful load-balancing router. Lucky you, I would be happy to have a single Gigabit uplink for a reasonable price here in my country. That's why I didn't search for a fast router so far, it would make me sad to have a Gigabit router, but no uplink at this speed.
Seriously, what does your Internet provider recommend? Did you ask them for a router they would recommend? I think this should be part of their service if they sell you a multiple Gigabit uplink ...
R1D2 wrote
APRC-P3-Tel wrote
Sort of fake VLAN support.
Right, IMO asymmetric VLAN is kind of a »poor man's VLAN«, no true isolation, network sniffers can reveal devices etc.
(1) Can a combo of a layer-3 switch AND a VLAN-unaware router (what we have) handle our current network design? The number of WiFi SSIDs with VLANs will only increase, and right now it's about 9 WiFi VLANs.
(2) I will also look at a router that can support multiple tagged interfaces on its LAN side (egress-mode-only tagging) and would have to convert the existing switch port to which the router is connected to a tagged port for all WiFi VLANs rather than the current untagged ones supported by asymmetric VLAN. But for this I need to check if the load balancing function of the new router meets our needs also and can handle DHCP pools larger than 256 IP addresses. The TP-Link TL-480T+ which we earlier used had this 256-host limitation besides being limited to 100 Mbps throughput, which is too little as we need near wire-speed routing since we have multiple 1 Gbps broadband connections.
Re 1) Theoretically unmanaged switches should not strip VLAN tags, but I'm not sure since I didn't test it. I have no unmanaged switches anymore given the attractive prices for managed switches from TP-Link. If you have a spare TL-WRxxx WiFi router laying around somewhere I suggest that you install OpenWRT, set up a trunk and test it with your existing switch to make sure it will work (you would have to test it sooner or later anyway). Just copy the stanzas in my HowTo to set up a test network under OpenWRT.
Whatever I read, unmanaged switches' behavior depends on brand. Some overwrite (with ID 1), some strip, some drop VLAN-tagged packets. I would not attempt to introduce any unmanaged switch in our network core and then have to deal with a problem which I have no idea how to debug. We started with D-Link smart switches when we began, and we stuck with the brand through the lifecycle as we expanded. We are doing the same with TP-Link on the WiFi side.
Re 2) For multiple Gigabit uplinks you need a powerful load-balancing router. Lucky you, I would be happy to have a single Gigabit uplink for a reasonable price here in my country. That's why I didn't search for a fast router so far, it would make me sad to have a Gigabit router, but no uplink at this speed.
The 4 gigabit connections are from 4 different ISPs. The idea is that if 1 ISP's network has a fiber cut or fault inside/outside our premises, we do not lose our Internet connectivity as the other 3 scale up to take the extra load. Therefore the bonded virtual Internet connectivity has never gone down in the last 2 years, unless one of our config drives went the wrong way (like WiFi SSID-VLAN mapping). And these 4 connections are provided free of cost to the apartment society by the ISPs as part of the license from the society to do end-user home broadband business with residents of the apartment complex. Sort of a toll tax. The bandwidth is used back by the community for apartment IT operations and applications, and WiFi calling in areas where there is no 4G-LTE signal (like the basement).
Seriously, what does your Internet provider recommend? Did you ask them for a router they would recommend? I think this should be part of their service if they sell you a multiple Gigabit uplink ...
Nothing. These are consumer-grade FTTH connections with ONTs/routers that support Gigabit only on the wired interface of these ONTs and service-provider-provided routers. The load balancing stuff is our internal design idea to improve redundancy, fatten the broadband pipe, support more simultaneous users, etc. We have a rate limit on each Internet user based on his application, and this helps us to support tons of users simultaneously without really irritating anyone. Just enough Internet speed.
@APRC-P3-Tel, this sounds really cool and if the four ISPs provide routers already I would have thought of a hardware load balancer between routers and switch, but they are still very expensive. What's more, I have no experience at all in this field (unfortunately).
@R1D2: We have done prototype work with multiple VLANs (10 of them) associated with different SSIDs on EAP225 V3 (latest firmware), based on your suggestion, in a lab-type setup with 2-3 D-Link switches. We used a pfSense 2.4.4-p3 box as a firewall router. We created separate VLAN interfaces, a separate subnet & gateway per VLAN, and a separate DHCP server per subnet. Happy to report that it works reliably and is stable.
The main VLAN interface was put in the 10.0.0.0/8 subnet with a 1024-address DHCP pool. This is our management and static devices/infra plane. The APs were configured with static IPs (or can use DHCP) to be in this subnet.
Each WiFi SSID LAN is mapped to a 172.16.x.y series subnet having its own gateway and DHCP server, and WiFi clients use this DHCP address range.
No TL-ER5120v4 as yet, but before that we are going to try another topology with DHCP interface/VLAN relay before deciding whether to deploy the relay topology or the separate-DHCP-server one.