Inter-vlan routing always on with TL-R605
Inter-vlan routing always on with TL-R605
I have the latest SDN Controller running on a VM. i have an access point. I have just added a TL-605 and im stuck with intervlan routing always on.
I have vlan 1 with DHCP and DNS running on a windows server
I have VLan 31 with DHCP on the R605
I do not have a TP-Link switch I have a Cisco SG-300. I do not have access to apply ACL's on the SWITCH section of the controller. but i have applied them on the Router and EAP sections.
I cannot connect across vlans over WIFI, but i have alot of hardwired devices that have no problems passing traffic between the vlans.
The cisco switch is set correctly and was restricting intervlan traffic with an RV320 router. I am wanting to move more to the TP-Link ecosystem. but this may be a deal breaker.
A trace route clearly shows a HOP at the router
Is there somewhere else i should look or is there a way to better manager the switchports on the TL-605
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
There is no ACL on the TL-R605 this function is for decoration :-) you can make some ACL rules from LAN to WAN, that's all. so briefly summed up, no ACL between VLAN nor any ACL from remote LAN to LAN in VPN tunnel, only from LAN to remote LAN .. I was a little surprised ovet that this important feature was missing, especially considering that they sell the device with these descriptions .
Reference TP-LINK WEB.
Abundant Security Features: Advanced firewall policies, DoS defense, IP / MAC / URL filtering, and more security functions protect your network and data.
- Copy Link
- Report Inappropriate Content
I was feeling the the ACL portion was a farce from looking at the interface.
I did notice that on the controller I could assign an EAP access list and my wireless clients were not able to pass traffic.
I did not think about VPN. Thanks for pointing that out.
Unless this gets corrected in the near future I will be using tp-link solely for wireless hardware.
shberge wrote
There is no ACL on the TL-R605 this function is for decoration :-) you can make some ACL rules from LAN to WAN, that's all. so briefly summed up, no ACL between VLAN nor any ACL from remote LAN to LAN in VPN tunnel, only from LAN to remote LAN .. I was a little surprised ovet that this important feature was missing, especially considering that they sell the device with these descriptions .
Reference TP-LINK WEB.
Abundant Security Features: Advanced firewall policies, DoS defense, IP / MAC / URL filtering, and more security functions protect your network and data.
- Copy Link
- Report Inappropriate Content
I've become frustrated with this as well... you can't configure routing functions on the router. Before I continue to buy into the TP-Link ecosystem, can someone confirm that with a TP-Link SDN compatible switch, inter-vlan routing can be blocked?
- Copy Link
- Report Inappropriate Content
I have a R605 Router, SDN switch and APs running 4x vlans (Management, Private, Guest and IOT)
The VLANs are all separated and dont route controlled by ACLs, with exception of the controller address / ports as I use the Guest Portal.
This video on YouTube might be of interest to you, he describes it in some detail
https://www.youtube.com/watch?v=7i17jvrIjD0
- Copy Link
- Report Inappropriate Content
thanks for you input.
My problem was that the router by itself does not stop inter-vlan routing. it needs to have switch to block that traffic.
- Copy Link
- Report Inappropriate Content
Dear @ScottB.ca,
My problem was that the router by itself does not stop inter-vlan routing. it needs to have switch to block that traffic.
Sorry for any inconvenience caused. This feature will be supported in the subsequent firmware updates.
- Copy Link
- Report Inappropriate Content
@Fae Thank you for the information. I look forward to future releases.
Is there an option to apply to Beta test firmware releases. I work in the networking industry and would enjoy providing feedback.
- Copy Link
- Report Inappropriate Content
Thanks for the reply. I found Cody's videos about a month ago, and I bought into the Omada system because of them. I've tried setting up my networks based on the linked video (I'm sure half his YT views are from me), but I'm having trouble setting up access between VLANs. I've been able to recreate his rule to allow access to the switch GUI, but as soon as I try the same rule format with my HA server, only about 5% of my pings are returned. I can't get get my clients on my main VLAN to talk with my home assistant server on my IoT VLAN. I can get Kodi on the IoT VLAN to talk to my NAS on my main VLAN, but I can't get the other IoT devices to talk to my DNS on the same server (on the main VLAN). I'm getting frustrated.
Does anyone have a good reference for allowing traffic between VLANs that is specific to the Omada software?
- Copy Link
- Report Inappropriate Content
By default traffic will flow between vlans. Can you isolate what might be different between the connections that work and those that don't?
Wireless / wired?
What are you networks per VLAN?
Scottb.ca supporting technology.
- Copy Link
- Report Inappropriate Content
Here is my setup.
TL-605, TL-SG2008P, and EAP245, Omada controller software on PC
TL-SG2008P:
EAP245 (Port 1 - VLAN1 Native, VLAN 10, 20, 30 Tagged)
PC (Port 2 - VLAN1 Native)
Home Assistant (Port 3 - VLAN 30 Native)
TL-605 (Port 8 - All port profile)
VLANS are set up as Interfaces with DHCP enabled on separate subnets
With all ACL rules off, I can connect to HA on VLAN 30 from my PC on VLAN 1 and from an iPad on VLAN 10
Relavent ACL rules (all other rules disabled):
"deny all protocols, source: network interface for VLAN 30 to destination: other network interfaces/VLANS" - This is at the bottom of the ACL stack. With only this enabled I can't ping/connect to HA on anything other than VLAN 30.
"Permit all protocols, source: network/VLAN 10 to destination: HA IP Group" - This is at the top of the stack. When first enabled or moved in the ACL list, two pings will be returned then the rest time out, and no connection to HA from any other VLAN.
I'm sure its something simple that I'm overlooking, but at this point I can see the forest for the trees.
HA on Raspberry PI is on VLAN 30, wireless clients on VLAN 10 and wired PC on VLAN 1 cannot access HA.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 12027
Replies: 15