Multiple SSIDs with Multiple Subnets on CAP&AC products

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-10-12 14:43:04 - last edited 2020-10-15 07:00:18
Model: AC50  
Hardware Version: V1
Firmware Version: latest

Dear all, hi there,

 

Starting off with the configuration guide on

https://www.tp-link.com/de/support/faq/1848/

I was convinced I could roll out my project without hassle. Great, finally a step-by-step guide for my use case; I'll spend money on this. Yes, you've figured it out: I'm no network guru, I didn't have the chance to dive deeper into this particular topic, and all I know I've picked up here and there. I see that changes in build versions make things difficult where they should be easy; VLANs just got complicated as hell over the 3 TP-Link devices.

 

I'm sitting in front of the same device models as in the configuration guide: the SafeStream router, the L2 managed switch (mine has fewer ports though) and the access controller. Find more details on the topology plan attached.

 

The challenge comes with different build versions: my TL-ER6120 is version 3.0, my T2600G-18TS is version 4.0. This makes the configuration guide obsolete in its most delicate part, the VLAN configuration. Guess what came out of contacting the official support: tons of blah-blah but no substantial help at all; they simply cannot understand the use case of their own products, lifetime warranty or not.

 

After many hours of trial and error, cursing a lot about this bunch of s..t etc., I managed to get DHCP service and internet access on the 3 SSIDs the CAPs are sending out. This is all built with untagged VLANs, since that is how I understood the configuration guide. But this is where my journey begins: shouldn't I use tags for the WiFi VLANs? This got me so puzzled that I can hardly figure it out now.

 

I'm stuck when it comes to separating the VLANs. All my subnets now have full access to the other subnets of the other VLANs, and I have to separate them due to security requirements. Basically the idea is that VLANs 100, 200, 300, 800 and 900 can see their own subnet, the gateway router on 192.168.190.1 and the internet. Access from one VLAN to another VLAN should be blocked (except VLAN 1, of course). All in all basic requirements, not a very special solution, one might think.

 

I've fiddled around with the default route from 0.0.0.0/0.0.0.0 (everything) to 192.168.190.1 (main router), splitting it up into the 5 subnets like:

from 172.21.181.0/255.255.255.0 (VLAN100) to 192.168.190.1

from 172.24.184.0/255.255.255.0 (VLAN200) to 192.168.190.1

from 172.28.188.0/255.255.255.0 (VLAN300) to 192.168.190.1

from 10.111.112.0/255.255.255.0 (VLAN800) to 192.168.190.1

from 10.115.230.0/255.255.255.0 (VLAN900) to 192.168.190.1

 

To my surprise this broke all internet access on the VLANs. Nice separation but not really the intention :-[

 

All in all I got 90 % working with 60+ hours of trial and error, and now I can't put this in place due to this very last issue.

 

Is there anyone out there who has overcome this obstacle? Any hint is very much appreciated, please help.

File: topology.png
1 Accepted Solution
Re: Multiple SSIDs with Multiple Subnets on CAP&AC products - Solution
2020-10-13 06:51:58 - last edited 2020-10-15 07:00:18

Dear @andilge ,

 

I managed to get DHCP service and internet access on the 3 SSIDs the CAPs are sending out. This is all built up with untagged VLANs since I understood the configuration guide like this. But this is where my journey begins, shouldn't I use tags for the WiFi VLANs? This got me so puzzled I can hardly figure it out now.

 

Yes, the ports connected to the CAPs should be tagged. The config is simpler on the T series switches:

Access the T2600 switch's web page, go to L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config, modify the VLANs associated with the SSIDs of the CAP, and select the ports connected to the CAP as Tagged Ports in the corresponding VLANs. Apply and Save.

 

After that, configure the AC by referring to FAQ 1848, and ensure you bind the 3 SSIDs to the corresponding VLANs properly.

 

I've fiddled around with the default route from 0.0.0.0/0.0.0.0 (everything) to 192.168.190.1 (main router) splitting it up into the 5 subnets like

from 172.21.181.0/255.255.255.0 (VLAN100) to 192.168.190.1

from 172.24.184.0/255.255.255.0 (VLAN200) to 192.168.190.1

from 172.28.188.0/255.255.255.0 (VLAN300) to 192.168.190.1

from 10.111.112.0/255.255.255.0 (VLAN800) to 192.168.190.1

from 10.115.230.0/255.255.255.0 (VLAN900) to 192.168.190.1 

 

On the TL-ER6120 router, ensure you have configured Multi-net NAT and a static route.

The static route on the router helps packets coming from the WAN find their next hop, which should be the switch connected behind the router.

Destination: 172.21.181.0/255.255.255.0, Next Hop: the switch's IP instead of the router's IP.

 

On the T2600 switch, the suggested static route is 0.0.0.0/0.0.0.0 (everything) to 192.168.190.1 (main router).

The purpose of this static route is to forward all the packets the switch receives on to the gateway router in front of it.

 

If you want to block the communication between different subnets, you can add IP ACL rules on the T2600 switch to block it.

For example, create a Deny rule with source IP 10.111.112.0/255.255.255.0 and destination IP 10.115.230.0/255.255.255.0.

Note: at the end of the deny rules, remember to add a Permit rule for Internet access.

Here is the configuration guide for your reference.

https://www.tp-link.com/us/configuration-guides/configuring_acl/?configurationId=18222#configuration_example_for_ip_acl_3_2

 

Hope the information above is helpful.

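The routing part of this answer (the poster's split default route that broke internet access, versus one default route on the switch plus per-subnet static routes on the router pointing at the switch) can be checked with a small model before touching the devices. The following Python is an added example, not code from the thread or from TP-Link: it models each device's routing table with longest-prefix matching and traces a VLAN 100 client's packet to the internet together with its reply. The five subnets and the router address 192.168.190.1 are from the thread; the switch's LAN address 192.168.190.2, the switch holding an interface in every VLAN, the router's WAN default route and the client and internet addresses are assumptions made for this example.

```python
import ipaddress

# Constructed model of the thread's topology. The TL-ER6120 router is at
# 192.168.190.1 (from the thread). The switch's own address on that LAN
# (192.168.190.2) and the switch holding an interface in every VLAN are
# assumptions made for this example.
ROUTER_IP = "192.168.190.1"
SWITCH_IP = "192.168.190.2"
VLAN_SUBNETS = {
    100: "172.21.181.0/24",
    200: "172.24.184.0/24",
    300: "172.28.188.0/24",
    800: "10.111.112.0/24",
    900: "10.115.230.0/24",
}
CONNECTED = None  # next-hop marker for a directly connected subnet


def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop), ...].

    On a tie in prefix length the earlier entry wins, which models the usual
    preference for a connected route over a static one when connected routes
    are listed first. Returns (network, next_hop), or None for "no route".
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def next_hop(table, dst):
    """Readable lookup result: a next-hop IP, 'connected', 'WAN' or 'NO ROUTE'."""
    hit = lookup(table, dst)
    if hit is None:
        return "NO ROUTE"
    return "connected" if hit[1] is CONNECTED else hit[1]


def switch_table(statics):
    """Switch RIB: every VLAN subnet and the router LAN are connected; statics appended."""
    connected = [(p, CONNECTED) for p in VLAN_SUBNETS.values()]
    connected.append(("192.168.190.0/24", CONNECTED))
    return connected + list(statics)


def router_table(with_statics):
    """Router RIB: LAN connected, WAN default, optionally per-VLAN statics via the switch."""
    table = [("192.168.190.0/24", CONNECTED), ("0.0.0.0/0", "WAN")]
    if with_statics:
        table += [(p, SWITCH_IP) for p in VLAN_SUBNETS.values()]
    return table


# The poster's attempt: the default route split into five per-subnet routes.
SWITCH_BROKEN = switch_table((p, ROUTER_IP) for p in VLAN_SUBNETS.values())
# The accepted answer: one default route from the switch to the router.
SWITCH_FIXED = switch_table([("0.0.0.0/0", ROUTER_IP)])


def trace(switch, router, src, dst):
    """Hops for src -> dst and for the reply, as seen from the switch.

    Returns a tuple: where the switch sends the forward packet; if it reaches
    the router, where the router sends it and where the router sends the reply.
    """
    first = next_hop(switch, dst)
    if first in ("NO ROUTE", "connected"):
        return (first,)  # dropped, or routed between VLANs without leaving the switch
    return (first, next_hop(router, dst), next_hop(router, src))


if __name__ == "__main__":
    client, internet = "172.21.181.10", "8.8.8.8"
    print("broken switch:", trace(SWITCH_BROKEN, router_table(True), client, internet))
    print("fixed switch :", trace(SWITCH_FIXED, router_table(True), client, internet))
    print("no statics   :", trace(SWITCH_FIXED, router_table(False), client, internet))
```

Running trace() with SWITCH_BROKEN shows why the five per-subnet routes broke internet access: each of those destinations is already a connected subnet on the switch, so the added entries change nothing for local traffic, and no route is left for anything outside the five subnets. router_table(False) shows the other half of the answer: without the per-subnet static routes the router sends replies for 172.21.181.10 out of its default route instead of back to the switch. Multi-net NAT is a separate router setting that this model does not cover.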
Re:Multiple SSIDs with Multiple Subnets on CAP&AC products
2020-10-13 17:31:37

Dear @Fae,

Thank you so much for your swift and most appreciated response. I have now figured out the VLAN config on all 3 devices; the IP ACL was a new challenge.

My experience with blocking services for hotel guests is that one day you'll have to grant those accesses. By then the hotel guest has already had a negative experience, and no, I'm not fond of changing access permissions all the time in a hurry; I've got other work to get done. I'm also happy if I don't have to go down to protocol and port level, since this brings much more complication, little security benefit but huge potential for conflict with the hotel guests. All that's needed is that everyone in their VLAN cannot see the others in the other VLANs; nothing more than that is wanted.

I first set up ACLs for each VLAN and gave them understandable names. In the ACLs I created rule sets like "block from own subnet to every other VLAN subnet", followed by the global permission rule "grant to everywhere". This sequence is important, since the ACL stops at the very first match. Once that was done, I bound the 5 ACLs to the physical ports of the switch and saved it all.

The first tests look very promising; I'll have to reboot all devices and clear the DHCP cache on my computer first to get deeper into testing though. Again, thank you so much for pointing me in the right direction to get this done, I owe you one.


All the best, andilge

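The ACL approach from the accepted answer and from the reply above (deny rows from the own subnet to every other VLAN subnet, then a single permit so the gateway and the internet stay reachable, evaluated first-match) is easy to get wrong in ordering or in coverage, so here is an added Python example, not from the thread or from TP-Link, that builds those rule lists and evaluates sample packets against them. The subnets and the gateway 192.168.190.1 are from the thread. Which three VLANs are the SSID VLANs carried tagged on a CAP uplink, the sample host and internet addresses, and an implicit deny for traffic that matches no rule are assumptions; check your switch's documentation for its actual default for unmatched traffic.

```python
import ipaddress

# Subnets and gateway from the thread. The internet address is a
# documentation-range address chosen for this example.
VLAN_SUBNETS = {
    100: "172.21.181.0/24",
    200: "172.24.184.0/24",
    300: "172.28.188.0/24",
    800: "10.111.112.0/24",
    900: "10.115.230.0/24",
}
GATEWAY = "192.168.190.1"
INTERNET_HOST = "203.0.113.10"
ANY = "0.0.0.0/0"


def port_acl(vlans, subnets=VLAN_SUBNETS):
    """Rules for an ACL bound to a port that carries the given VLANs.

    One deny row per (source subnet present on this port, every other VLAN
    subnet), followed by a single permit-any so the gateway and the internet
    stay reachable. Order matters: the switch stops at the first match.
    """
    rules = []
    for vlan in vlans:
        own = subnets[vlan]
        for other_vlan, other in subnets.items():
            if other_vlan != vlan:
                rules.append(("deny", own, other))
    rules.append(("permit", ANY, ANY))
    return rules


def evaluate(rules, src, dst):
    """First-match evaluation of (action, src_prefix, dst_prefix) rows.

    Assumes traffic matching no row is dropped; verify that against the
    switch's documented default before relying on it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def host_in(subnet, index=10):
    """A sample host address inside a subnet (the .10 host by default)."""
    return str(ipaddress.ip_network(subnet)[index])


def check_isolation(rules_for_vlan, subnets=VLAN_SUBNETS):
    """Verify, for every VLAN: other VLANs denied, gateway and internet permitted.

    rules_for_vlan maps a VLAN id to the rule list bound to the port its
    clients enter on. Returns a list of violations; empty means the policy
    does what the thread asks for.
    """
    violations = []
    for vlan, own in subnets.items():
        rules = rules_for_vlan[vlan]
        src = host_in(own)
        for other_vlan, other in subnets.items():
            if other_vlan != vlan and evaluate(rules, src, host_in(other)) != "deny":
                violations.append(("leak", vlan, other_vlan))
        for dst in (GATEWAY, INTERNET_HOST):
            if evaluate(rules, src, dst) != "permit":
                violations.append(("blocked", vlan, dst))
    return violations


# One ACL per VLAN, bound to that VLAN's client-facing ports (the poster's layout).
PER_VLAN = {vlan: port_acl([vlan]) for vlan in VLAN_SUBNETS}
# A CAP uplink carrying three SSID VLANs tagged needs one ACL covering all
# three source subnets; which VLANs those are is an assumption here.
CAP_PORT = port_acl([100, 200, 300])
# The classic mistake: permit-any placed before the deny rows.
MISORDERED = [("permit", ANY, ANY)] + port_acl([100])[:-1]

if __name__ == "__main__":
    print("per-VLAN ACLs violations:", check_isolation(PER_VLAN))
    print("CAP port 200->300:", evaluate(CAP_PORT, host_in(VLAN_SUBNETS[200]), host_in(VLAN_SUBNETS[300])))
    print("misordered 100->200:", evaluate(MISORDERED, host_in(VLAN_SUBNETS[100]), host_in(VLAN_SUBNETS[200])))
```

Two points the model makes visible. First, a port-bound ACL only sees the traffic entering that port, so a port that carries several tagged VLANs (the CAP uplinks) needs the deny rows for every source subnet on that port, which is what port_acl([100, 200, 300]) produces; a per-VLAN ACL bound to such a port would leave the other two SSID subnets unfiltered. Second, the trailing permit-any permits everything not explicitly denied, so any other network reachable through the gateway stays open too; if that is not wanted, add deny rows for those prefixes ahead of the permit.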
Re:Multiple SSIDs with Multiple Subnets on CAP&AC products
2020-10-15 07:00:05

Dear @andilge,

 

Again, thank you so much for pointing me in the right direction to get this done, I owe you one.

 

My pleasure. I think we could take this post as resolved if you don't have any further trouble with the config.

 

Please feel free to write back if you have any further information to add here. Thank you!

Re:Multiple SSIDs with Multiple Subnets on CAP&AC products
2020-10-15 08:48:19 - last edited 2020-10-15 08:48:53

All is tested with positive results. I've tried to mark as resolved but don't have the privilege or simply can't find where to do so.

Re:Multiple SSIDs with Multiple Subnets on CAP&AC products
2020-10-16 06:40:18

Dear @andilge,

 

Thank you for writing back. No worries. It's marked now.
