Unable to access TL-WA3001 management page over Wifi when on separate VLAN

Unable to access TL-WA3001 management page over Wifi when on separate VLAN

Unable to access TL-WA3001 management page over Wifi when on separate VLAN
Unable to access TL-WA3001 management page over Wifi when on separate VLAN
2024-09-15 16:33:01
Tags: #Multi-SSID Mode #TL-WA3001
Model: TL-WA1201  
Hardware Version: V1
Firmware Version: TL-WA3001_V1_1.1.0 Build 20240814 (Prerelease)

Sorry for putting the wrong model in the post, but I still don't see the TL-WA3001 as an option. I've tagged it instead.

 

I've noticed an issue with my TL-WA3001 access point (using both the existing stable firmware TL-WA3001(US)_V1_1.0.2 Build 20240306 and the new prelease firmware TL-WA3001_V1_1.1.0 Build 20240814) where I am unable to access the AP management UI when using Wifi from a different VLAN.

 

My network is setup as follows:

VLAN 1 (untagged) using address block 192.168.0.0/24 for managing network devices. The TL-WA3001 is obtaining an IP address of 192.168.0.2 via DHCP on this VLAN.

VLAN 101 (tagged) using address block 192.168.1.0/24 for general LAN devices.

Additional VLANs and address blocks that aren't relevant for this bug configured on different SSIDs.

The TL-WA3001 is configured in multi-SSID mode with only VLAN 101 and the additional (tagged) VLANs configured on different SSIDs. My router/firewall is configured to allow all traffic between the 192.168.0.0/24 and 192.168.1.0/24 networks.

 

When I am connected to my network via ethernet from a device with an IP in 192.168.1.0/24, I am able to connect to the management UI of the router at 192.168.0.2. On the other hand, if I connect to the same network over wifi (where the TL-WA3001 is the only AP), I am NOT able to connect to the management UI. For debugging purposes, I added an additional SSID with VLAN 1 on the TL-WA3001, and from this wireless network, I was able to connect to the management UI.

 

I grabbed a wireshark capture on my client device when trying to connect to the management UI from VLAN 101 over Wifi, and it looks like the TL-WA3001 is ignoring all traffic coming over ethernet after the initial SYN packet in the TCP connection. I see the following:

Source: 192.168.1.101 Destination: 192.168.0.2 SYN

Source: 192.168.0.2 Destination: 192.168.1.101 SYN-ACK

Source: 192.168.1.101 Destination: 192.168.0.2 ACK

Source: 192.168.0.2 Destination: 192.168.1.101 SYN-ACK

 

Looking at the logs on my firewall, I see similar packets going across, including the ACK from the client to the AP. From what I can tell, the TL-WA3001 is ignoring the ACK coming from the client device when the client device is a) connected over Wifi and b) needs routing through the router to connect across VLANs. If I had to guess, all of the VLANs on the TL-WA3001 are sharing a single ARP cache while also not realizing that connecting to a different subnet requires routing, so after the initial SYN packet, the AP is only listening for additional packets from the wifi side and dropping packets coming from the ethernet side.

 

Making matters worse, this issue also affects the captive portal page on the TL-WA3001 when that option is enabled, so it's unable to be used in most cases.

 

Is this a known issue? At some point, I want to try putting the management VLAN 1 on an entirely different address range from the rest of the VLANs (say 172.16.0.0/16) to see if this helps, but I haven't gotten around to it yet.

  0      
  0      
#1
Options
1 Reply
Re:Unable to access TL-WA3001 management page over Wifi when on separate VLAN
2024-09-15 17:22:19 - last edited 2024-09-15 17:32:19

Looking at a new packet capture, I also see that the TL-WA3001 is broadcasting ARP announcements for its VLAN 1 address over wifi, despite the fact that I'm connected to an SSID on a different VLAN on a different subnet. In other words, I'm currently connected to an SSID on VLAN 101 in address block 192.168.1.0/24 and I'm seeing ARP announcements for 192.168.0.2 (VLAN 1) from the access point.

 

Later on in the capture, I see both ARP queries for 192.168.0.2 and responses about 192.168.0.2 from the AP itself. This is incorrect behavior for a few reasons:

  • Traffic regarding 192.168.0.0/24 should not be broadcast on an SSID on an entirely separate subnet
  • The AP is asking for its own MAC address using ARP and then answering itself, which is nonsensical
  0  
  0  
#2
Options