This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VLAN between Astaro SW and TP-LINK TL-WA901ND not working

I'm exerimenting with a new network at home with a Astaro Home edition as the heart. For WLAN I have bought a TP-LINK TL-WA901ND. It's a cheap access point so I don't expect mush of it. However it has a few features I like to try out. One of them is that it can handle up to 4 SSID and tie them to VLANs. But, I have not been able to make that work yet.

Before I start blaming the hardware, I want to make sure I have configured everything correctly. Since I have never worked with VLANs before, chances are that I have made a mistake.

My setup is simple: Astaro box have three interfaces, WAN, LAN and WLAN. The WAN is not connected to anything yet and the LAN is Ethernet standard created by the installation wizard (10.0.0.1/24). On the WLAN I have configured three VLANs: Private (VLANID 10, 192.168.10.1/24), Guest (VLANID 20, 192.168.20.1/24) and Open (VLANID 30, 192.168.30.1/24). The physical interface is connected directly to the access point without any switched in between.

The access point is configured to host 3 SSID corresponding to the Astaro setup and tag each with the appropiate VLAN. According the official documentation the access point uses 802.1Q for VLAN.

I have also configured DHCP servers on all VLANs and liberal packet filter rules for testing (VLANs -> Any -> Any).

So far, so good. I can connect to all SSID with corresponding security. But I never get a DHCP lease and if I configure IP manually I can't get traffic to the Astaro box or vice versa.

If I turn of VLAN tagging and configure the WLAN inteface as Ethernet standard, all works as expected.

Here is some things I am wondering about: Is there a problem connecting directly between two divices using VLAN without a VLAN aware switch? Even when I turn on VLAN on the access point it has a non VLAN IP address for management (I have tried to put it one 192.168.0.2 and 192.168.10.2 without any difference), can that interfere with the VLANs? Have I missed anything with my configuration?

This thread was automatically locked due to age.

0 erucolindo over 14 years ago
I might have missunderstood the capabilities of the access point. From the manual:

Multi-SSID - AP can support up to 4 SSID.

Enable VLAN - Check this box to enable the VLAN function. The AP supports up to 4 VLANs. All wireless PCs in the VLANs are able to access this AP. The AP can also work with an IEEE 802.1Q Tag VLAN supporting Switch. If this Switch enables the Tag VLAN function, besides all wireless PCs, only the PCs in the VLAN same with SSID1 are able to access the AP. If a PC is directly connected to the LAN port of the AP, please make sure that its adapter supports Tag function, or this PC will not be able to access the AP.

SSID - Enter a value of up to 32 characters. The same Name (SSID) must be assigned to all wireless devices in your network. In Multi-SSID operation mode, enter SSID for each BSS in the field "SSID1" ~ "SSID4".

VLANID - The ID of a VLAN. Only in the same VLAN, can a Wireless PC and a wired PC communicate with each other. The value can be between 1 and 4095. If the VLAN function is enabled, when AP forwards packets, the packets out from the LAN port will be added with an IEEE 802.1Q VLAN Tag, whose VLAN ID is just the ID of the VLAN where the sender belongs.

Under "Enable VLAN" it sound like the wireless client have to support VLAN, but under "VLANID" it sounds like the AP adds the tag.

Help me out here, does anyone understand this?
Cancel
Vote Up 0 Vote Down

Cancel
0 loctite over 14 years ago in reply to erucolindo

Hi, were you ever able to get the TP-link AP working with vlans and dot1Q tagging?
I tried to set up a similar solution to yours yesterday and I think I'm caught on the same problem.

From the looks of it the D-link APs have more comprehensive vlan support, I may return the TL-WA901ND and get one of them instead. Unless you were able to come up with a working solution using the TL-WA901ND?
Cancel
Vote Up 0 Vote Down

Cancel
0 erucolindo over 14 years ago

Hi!

No, I did not get it working. But I gave up pretty quickly, so it might be possible. I am not sure if the problem was with the access point or the network adapter.

If you have any luck with it, please let me know.

BTW, besides not getting VLAN to work, I have been happy with the performance of the access point.
Cancel
Vote Up 0 Vote Down

Cancel
0 loctite over 14 years ago

Thanks for the quick reply.
I'll give it another shot tonight, perhaps I'll mirror the AP's switchport to get a better view of whats going on.
I'll let you know how it goes.
Cancel
Vote Up 0 Vote Down

Cancel
0 loctite over 14 years ago in reply to loctite

I gave it another try yesterday but got nowhere.
By changing PVID on the swhitchport the TP-link is attached to I could change which interface on the Astaro that receives the dhcp request - regardless of vlan number assigned to the ssid. From what I can gather this must mean that the AP does not send the frames with vlan tags after all.

Perhaps it is possible to separate clients on layer two using this AP but I had hoped to get the clients in different subnets.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 14 years ago

The access point is configured to host 3 SSID corresponding to the Astaro setup and tag each with the appropiate VLAN. According the official documentation the access point uses 802.1Q for VLAN.

Hi, in my limited experience with VLANs (see https://community.sophos.com/products/unified-threat-management/astaroorg/f/53/t/32409), I found that you have to set the VLAN device (switch or AP) to UNTAG the 'ports' and TRUNK the port going to Astaro.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 loctite over 14 years ago in reply to BarryG

Thanks for your input Barry, your Netgear vlan guide was of great help as I was setting up my switch.

I did as you suggested and tried setting the up the AP with two SSIDs on different vlans and the switchport to the AP as untagged. Unfortunately the problem remains, the Astaro still sees only packets from whatever vlan you set the PVID to. When I chose a PVID that wasn't trunked to the Astaro no packets get through to the firewall.

I did a final test and set the "Acceptable Frame Types" filter in Port PVID Configuration to "Vlan only" and that blocked all traffic from the AP. I believe this is proves that the TP-Link AP isn't tagging the frames as it should.
Cancel
Vote Up 0 Vote Down

Cancel
0 loctite over 14 years ago

As a quick update in case anyone else considers a TP-link AP:

I received a Cisco WAP4410N in exchange for the TL-WA901ND and this AP works fine with two SSIDs on different vlans. The TP-link AP must have been faulty somehow, in addition to vlans not working throughput was very variable and never above 1Mbit/s.
Cancel
Vote Up 0 Vote Down

Cancel
0 Monstahund over 13 years ago in reply to loctite

OK the Thread is quite old but i know answer for the Problem.
There is an bug at the TPLINKs AP FW for the 901ND.
When using VLAN Multi SSID all Fields for the 4 possible Vlans must contain an value.

For example if using SSID 1 for Vlan 1 and SSID 2 for Vlan 2 logically 1+2 is entered. Now you need an dummy value for SSID 3 and SSID 4 then it works.

I encountered this error and requested for an firmware patch at TPLINK German Support. They answered that the Tech Lab is working already on a fix.

Maybe this information prevents some Guys throwing away their 901ND`s.
Cancel
Vote Up 0 Vote Down

Cancel