AP's switching from Management VLAN to main network
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
I have a four EA225 AP's setup on a management VLAN 192.168.200.0/24 (as well as three JetStream switches, an ER605 router and OC200 controller). The OC200 is on a static IP (192.168.10.10) and the other devices are assigned reserved DHCP addresses (192.168.200.0/24 using DHCP option 138 to get the controllers address)
OC200 v1.0 5.1.7
ER605 v2.0 2.0.1
TL-SG2428P v1.0 1.1.2
TL-SG2008P v1.0 1.0.2
TL-SG2008P v1.0 1.0.2
EAP225(EU) v3.0 5.0.9
EAP225(EU) v3.0 5.0.9
EAP225(EU) v3.0 5.0.9
EAP225-Outdoor(EU) v1.0 5.0.9
In the logs of my DNS server I can see occasional requests coming from each of the EAP225's using a DHCP assigned IP in the range 192.168.10.0/24 which is the main 'untagged' network (VLAN1)
Some AP's only show <10 events in 24 hours, but some have as many as 50 requests.
Obviously, these devices should not ever get an address in this range, having IP setups like this:
There is no fallback IP configured, so why are these devices 'flipping' over to the main LAN from the Management VLAN to make DNS requests ?
Checking the DNS logs there are actually no DNS requests from the management network devices IP range....
Network topology looks like this:
There are 6 Interfaces defined:
| Games |
Interface |
192.168.40.1/24 |
40 |
|||||
| Guest |
Interface |
192.168.30.1/24 |
Portal_Default |
30 |
||||
| Internal |
Interface |
192.168.10.1/24 |
1 |
|||||
| IoT |
Interface |
192.168.20.1/24 |
20 |
|||||
| Management |
Interface |
192.168.200.1/24 |
200 |
|||||
| Services |
Interface |
192.168.100.1/24 |
100 |
The ER605 (GW 1) does DHCP for each of these interfaces, so no, I cannot check if the DHCP Server has sent 192.168.10.56 to a client because the Omada system does not provide any logging for its DHCP servers...
The DNS server sits on the Services network at static address of 192.168.100.10/11 on the SW 1 top level switch and is assigned as the default DNS server (both primary and secondary) for each interface.
One switch ACL rule allows DNS(53) traffic to this DNS server, and another ACL rule blocks all other access to DNS(53) from all networks except the Services network.
The 4 clients that keep switching between the Management and Internal network are the 4 EAP225's. This is just an assumption based on the URL's they request, because there is no logging of DHCP leases in the Omada stack (DOH!)
Dear @Tescophil .
Tescophil wrote
I have a four EA225 AP's setup on a management VLAN 192.168.200.0/24 (as well as three JetStream switches, an ER605 router and OC200 controller). The OC200 is on a static IP (192.168.10.10) and the other devices are assigned reserved DHCP addresses (192.168.200.0/24 using DHCP option 138 to get the controllers address)
In the logs of my DNS server I can see occasional requests coming from each of the EAP225's using a DHCP assigned IP in the range 192.168.10.0/24 which is the main 'untagged' network (VLAN1)
Some AP's only show <10 events in 24 hours, but some have as many as 50 requests.
Obviously, these devices should not ever get an address in this range, having IP setups like this:
There is no fallback IP configured, so why are these devices 'flipping' over to the main LAN from the Management VLAN to make DNS requests ?
Checking the DNS logs there are actually no DNS requests from the management network devices IP range....
Looking at the screenshot of the error message you provided, it is easy to see that this is from a request sent by the Tapo client, which is normal - a normal Internet connection request sent by the Tapo client.
Unless your Tapo device is not connected to the internet.
Best Regards!