Preferred setup for Ethernet Backhaul in Access Point mode
Preferred setup for Ethernet Backhaul in Access Point mode
Hi,
Just to be sure:
What is TP-links recommendation for setting up EasyMesh with Ethernet Backhaul when using two AX55 WiFi devices both in Access Point mode and situated in an existing switched LAN network?
From the currently supplied TP-Link information - it is not obvious to me if it would serve us best to use the AX55 WAN ports for access to the LAN and for the Ethernet Backhaul connection - or to use only the two build-in AX55 LAN switch x 4 for all connections.
Like this (WAN ports in use):
Regards
zEnterHacker
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Yes, it's not obvious but your network diagram seems fine and this should work as expected.
In general, when a router is set to a dedicated AP mode, its WAN port should be used for an uplink.
- Copy Link
- Report Inappropriate Content
Hi @terziyski
Thanks a lot for your prompt answer.
Now having cleared that the network topology is OK and "the way to do it" I have a more serious question:
Looking at the Official AX55 V1 Firmware download page (ver 1.3.3) it seems like the following new features are supposed to work in AP mode:
6.Add support for EasyMesh in AP mode;
7.Add support for EasyMesh Network via Ethernet Backhaul;
9.Add isolation of Guest Network and Main Network in AP mode;
Now if you (while running in AP mode/Easymesh/Ethernet Backhaul) activate the Guest network and untick:
Allow guests to see each other
Allow guests to access your local network
IMHO - this means that clients connected to the Guest WiFi mesh are now supposed to be isolated from the LAN and from each other - BUT is this really the case..
Which devices in the drawing above are expected to be seen in a complete port-scan (all subnet IPs all ports) if scanned from a WiFi client connected to the "isolated" Guest WiFi network?
Regards
zEnterHacker
- Copy Link
- Report Inappropriate Content
zEnterHacker wrote
Now if you (while running in AP mode/Easymesh/Ethernet Backhaul) activate the Guest network and untick:
Allow guests to see each other
Allow guests to access your local network
IMHO - this means that clients connected to the Guest WiFi mesh are now supposed to be isolated from the LAN and from each other - BUT is this really the case..
Which devices in the drawing above are expected to be seen in a complete port-scan (all subnet IPs all ports) if scanned from a WiFi client connected to the "isolated" Guest WiFi network?
Yes, getting these two features disabled your statement should be correct, if you do a scan from device connected to the guest network.
- Copy Link
- Report Inappropriate Content
Hi @terziyski
Yea - all IP address on the LAN subnet (except from the Default Gateway) should be blocked for Guest WiFi clients - But I tell you that not how it works!
First of all I see no Guest Network on the satellite AP only one 2,4 GHz channel and one 5GHz channel generated on the Master AP.
So IMHO GUEST networks do not operate correctly under EasyMesh. This is totally unexpected from what you would expect from a router mesh pair of the exact same make & model.
Secondly - If I port-scan the entire subnet from a roaming WiFi client connected to the GUEST network of the main AP - I get open ports for ALL DEVICES on my LAN except the from the IP of the main AP itself (well there is one single response from UDP port 5351 - perhaps this is the Ethernet Backhaul port?)
So again IMHO the LAN network is TOTALLY OPEN to Guests while it was supposed to be isolated. What is this? (A MAJOR SECURITY HOLE!)
- While connected to the Guest Network I can access the stream from every Chineese Sequrity CAM also on the "isolated Guest Network" meaning that they can also access every device on the LAN and WiFi clients can indeed see each other - NOT excatly a cool feature this Guest isolation!
If You want an isolated GUEST EasyMesh network do it like this - but it will double your investment and your electricity bill - see below.
The RED GUEST routers are not using a Guest Network SSID but just configured as if it were a normal LAN & EasyMesh - but uplinked to a DMZ port on the main Firewall (Creating a real isolation of the LAN network - Clients on this network can see each other).
Yea I know - totally unacceptable solution - but I just don't trust this GUEST network ting!
If someone in R&D / Senior Engineering would care to comments of this - it would be much apreciated because this is really not good!
(Note: The DHCP server is in Auto Mode - meaning the it is the DHCP server in the main gateway/firewall that handles all IP asignments)
Regards
zEnterHacker
- Copy Link
- Report Inappropriate Content
I forgot to mention that there's a known limitation with Guest and IoT network when Easymesh is used.
These two SSIDs are not transmitted on the satellite routers, i.e. your device should not be able to roam between main and satellite routers when connected only to the guest network. I saw that you've already reached to @Marvin_S with these questions (here) - lets hope TP-Link will get back to you soon.
- Copy Link
- Report Inappropriate Content
Hi @terziyski
Yes - but that thread is more about the other issue with the missing option to see and manage clients on the satellite AP when Ethernet Backhaul mode is active (it works in normal WiFi EasyMesh mode) - so I thought I'd try to isolate the problems a bit - you got my point ;-)
If you say it's a know limitation that enabling a Guest Network on the main router of an EasyMesh system does not work - or does not include any satellites - then you could argue that this should have been warned about in the WebGUI. I mean, you loose the ability to setup a Guest network locally on the satellite AP as soon as it becomes a part of an EasyMesh system - so the only logical conclusion is that this is should have been controlled by settings on the main EasyMesh router. Is there a plan to fix this?
Anyway the claimed isolation of Guests from the LAN should definitely work and not only just block normal TCP traffic to the IP of the main AP. I mean imagine all the users that does not know how to port scan - how are they to be told, that their LAN Network is TOTALLY OPEN to Guests when they have set all possible isolation features of the AX55 in AP mode?
As I said - I have un-ticked:
-Allow guests to see each other (should have prevented Guest WiFi clients from being able to see each other)
-Allow guests to access your local network (should have prevented any access to any client and somehow only allowed traffic that is supposed to be routed to the WAN via the main Gateway)
Further I tried to tick:
+AP Isolation Enabled (should have prevented all WiFi clients from being able to see each other)
And yet I get port scan responses from all devices including LAN clients and WiFi clients on both the normal SSID and the Guest SSID - as if turning on the AP feature simply makes the AX55 perform like an un-managed switch for all reachable network devices.
I am deeply shocked - and really hope this is being taken as a serious problem especially since the AX55 must have some sort of SPI firewall that takes care of protecting the local network when acting as a normal router directly exposed the Internet via the the ISP modem/router.
Regards
zEnterHacker
- Copy Link
- Report Inappropriate Content
So far when set in AP mode the router works pretty much as an unmanaged switch for its wired devices (and all SSIDs) - wired/wireless networks are bridged.
Here's the difference between router mode and AP mode - in AP mode the SPI Firewall shouldn't be available at all.
Now when TP-Link have implemented the guest network isolation in AP mode for AX55, this should behave the way you've described.
I would suggest to do the port scan from a device that only knows the guest SSID (i.e.main SSIDs forgotten) and see if there's any change in the behavior.
I can't tell much more about guest SSID not transmitted by the satellite devices - this question can be answered only by a TP-Link representative - details.
- Copy Link
- Report Inappropriate Content
Hi @terziyski
All port scans are done with a roaming WiFi client connected to the GUEST SSID and yes the roaming client in question has knowledge of the normal SSID giving full acces to all devices. Just to be sure I deleted the normal SSID ad did a re-scan. Everything was still open - all devices responded: WiFi clients on normal SSID as well as clients on the GUEST SSID and all wired LAN clients.
The only difference between scanning from the normal SSID and the GUEST SSID is:
Normal SSID scan response from main AX55 in AP mode:
Port 80 (TCP)
Port 443 (TCP)
Port 20001 (TCP)
Port 5351 (UDP)
GUEST SSID scan response from main AX55 AP in AP mode:
Port 5351 (UDP)
The rest of device responses are identical on the two scans. This means that the only form of isolation taking place is that you cannot access the WebGUI of the main Router from an "isolated" client on the GUEST SSID but the other satellite AX55 AP, private NAS servers, Printers and stuff are all completely open to attacks from a GUEST Client. This is NOT what is supposed to happen!
I hope this will be officially acknowledged by TP-Link and fixed in an upcoming release.
Regards
zEnterHacker
- Copy Link
- Report Inappropriate Content
I guess the official TP-Link representatives have chosen to ignore this thread
What does: "9.Add isolation of Guest Network and Main Network in AP mode" means - in detail - thanks ?
Regards
zEnterHacker
- Copy Link
- Report Inappropriate Content
Hi, thanks for posting question here.
For Easymesh network, satellite routers do not support Guest network yet. For your other feedback, to assist you efficiently, I've forwarded your case to the TP-Link support engineers who will contact you with your registered email address later. Please pay attention to your email box for follow-up.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 789
Replies: 11
Voters 0
No one has voted for it yet.