Struggling with VLAN configuration (egress works but not ingress)

Let me preface this by saying that I’m a total networking beginner.

The configuration I attached is for the RB5009 and CRS310 switch.

I also attached the diagram for how they are connected. In short, the setup works fine for any device that’s connected to the bridge on the router, even through the APs.

However, when I connect to any of the access ports on my switch (trusted, management, untrusted), the connected device gets an IP address from the DHCP server, the DNS is correctly configured, a TCP connection is established, but then it times out and I receive no response back.

I can ping 8.8.8.8 from the switch just fine, and if I disable VLANs on a given port in my switch and connect my device to it, everything works fine. Only when I try to connect using VLANs do my requests time out.

This is an example request from the device connected to the switch, using VLAN 10 (Trusted). I doubt it’s a firewall issue because the problem persists even after I disabled ALL the firewall rules.

* Host google.com:80 was resolved.
* IPv6: 2a00:1450:400e:801::200e
* IPv4: 142.250.179.142
*   Trying 142.250.179.142:80...
* Local Interface en7 is ip 10.10.0.249 using address family 2
* Local port: 0
* Connected to google.com (142.250.179.142) port 80
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Recv failure: Operation timed out
* Closing connection
curl: (56) Recv failure: Operation timed out

crs_config.rsc (4.44 KB)
rb5009_config.rsc (12.8 KB)
diagram.png

I think I figured out the issue. When I plugged my switch directly into the trunk port on my router, everything worked as expected, which leads me to conclude that my VLAN-unaware APs are the cause of the problem. As to why I’m using VLAN-unaware APs, well, I bought them way before this setup and they’re expensive. I don’t want to discard them.

If you want to put VLAN-unaware devices to VLAN, you use untagged ports on your VLAN-aware switch and that’s it.

Won’t that make all the devices connected via the switch part of the same VLAN? I want the segregation to happen also at the switch level, I want to have different ports associated with different VLANs. Or am I misunderstanding you?

On port level you have three options:

  • Trunk (where all VLAN ID’s will be tagged)
  • Accessport (where one VLAN ID will be untagged)
  • Hybrid (which is a combi of trunk and access)

Here you find some more info and examples:
https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table
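As an added illustration of those three port types on a RouterOS bridge (this is not the thread’s attached export; the bridge name, interface names and VLAN IDs are assumed, and the hybrid port’s VLAN set is an example choice):

```routeros
# Added example, not the poster's config. Assumed names: bridge "bridge",
# ether1 = trunk to the router, ether2 = access port, ether3 = hybrid port,
# VLAN 10 trusted, VLAN 20 untrusted, VLAN 99 management.
/interface bridge
add name=bridge vlan-filtering=no

/interface bridge port
# Trunk: every VLAN leaves tagged; untagged frames are refused on ingress.
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port: untagged VLAN 10 only; pvid stamps ingress frames with VID 10.
add bridge=bridge interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Hybrid: VLAN 20 untagged (for a VLAN-unaware host) plus VLAN 10 tagged.
add bridge=bridge interface=ether3 pvid=20 frame-types=admit-all ingress-filtering=yes

/interface bridge vlan
# "bridge" is listed as tagged where the switch itself needs to speak in that VLAN.
add bridge=bridge vlan-ids=10 tagged=bridge,ether1,ether3 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether1 untagged=ether3
add bridge=bridge vlan-ids=99 tagged=bridge,ether1

# Management address on the switch rides VLAN 99 over the bridge.
/interface vlan
add interface=bridge name=vlan99 vlan-id=99
/ip address
add address=192.0.2.2/24 interface=vlan99

# Enable filtering last: done earlier it can cut off the session you are configuring from.
/interface bridge
set bridge vlan-filtering=yes
```

With `ingress-filtering=yes`, a tagged frame arriving on a port whose VID is not in that port’s `tagged` or `untagged` list in `/interface bridge vlan` is dropped, so `/interface bridge vlan print` (compare the `current-tagged`/`current-untagged` columns with what you intended) is the first thing to check when traffic leaves but nothing comes back.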

You should either read more about how VLANs are configured or make a more detailed scheme with all the devices you want to separate through VLANs. If you want to pass multiple VLANs through VLAN-unaware APs, that can be impossible because some devices just drop the VLAN tag from the Ethernet frame. If so, your only option is probably to use L2 encapsulation or L3 forwarding between the subnets of home and office.

The connection from your 5009 to the switch via a proper direct trunk port works fine.
If you attempt to connect two smart devices with some dumb devices in between, results are never guaranteed.
I suggest your connection points include small managed switches if need be, so it looks like

5009 -----> small managed switch -------> small managed switch ---------> CRS310

The Decos hang off the small managed switches. In this way you have a viable managed trunk port route from 5009 to CRS310.
You can then assign each AP its own VLAN, or the same VLAN if you wish, and just untag that VLAN on the small managed switch on the port heading to the AP.
You can also segregate locally at the dumb APs further by having different SSIDs and passwords for access.

I guess the idea is that it’s impossible to have a wired connection between the APs, since the locations are called home and office, they are separate, and the APs build a wireless bridge. In that case, it doesn’t matter whether the APs are directly attached to the CRS and RB, or through small smart switches and trunk ports.

Wrong again, many people have wired connections between APs. Very common if one is using an AP-based router as an AP/switch. Even my cAP ac has two ports so that I can wire in from the main router and yet feed another smart or dumb device from the other connection. Depends on the type of AP and the requirements.

I don’t say it’s impossible, I only say that the scheme states there’s WiFi 7 between the APs, not wire. We can only guess whether it’s possible to wire them or not until the topic starter returns with answers.

My bad, I missed that connection point, need glasses LOL.
In that case it will only work if the APs are managed and can pass VLANs.

Happens, everyone can miss details :smiley:
Since the topic starter wants to save his APs, my proposal still remains - use the wireless bridge as transport for an EoIP or L2TPv3 tunnel, or set up L3 routing between the segments.

I guess the idea is that it’s impossible to have a wired connection between the APs, since the locations are called home and office, they are separate, and the APs build a wireless bridge. In that case, it doesn’t matter whether the APs are directly attached to the CRS and RB, or through small smart switches and trunk ports.

This is spot on.

use the wireless bridge as transport for an EoIP or L2TPv3 tunnel, or set up L3 routing between the segments.

I’ll have a look and see if anything here is applicable to my situation. Thank you

I did some further investigation and I intercepted the traffic on the router:
cs_2024-09-24_21-34-43.png
As you can see, the egress requests from my device 10.10.0.254 are properly tagged, so the APs are forwarding the tags just fine, but then, somewhere along the way, the response from 142.250.179.142 (google.com) is lost and never makes it back to 10.10.0.254.

Is this still caused by the VLAN-unaware APs, or is this a routing problem / misconfiguration?

Try to establish EoIP between the RB and the switch so traffic flows through the tunnel. This way you will either exclude AP problems or confirm that they’re involved and go with this solution. If the problem persists, the problem is with either the RB or the switch (but I personally can’t spot it for now). If not, either use the tunnel solution or play around with the APs - try to upgrade their firmware or read the docs to see if they support VLAN trunking properly.

Alright, EoIP tunnel created between the switch and the router, and assuming I configured it correctly (new config export attached), the outcome is still the same :thinking:

Traffic is flowing through the tunnel from both the router and the switch as you can see from the screenshot.
cs_2024-09-24_23-35-06.png
cs_2024-09-24_23-34-14.png
crs_config_weoip.rsc (3.16 KB)
rb5009_config_weoip.rsc (10.5 KB)

My assumption is that EoIP should be set as tagged in /bridge/vlan like regular port (someone should confirm this or you may try it out yourself) as I don’t see any tagged traffic in torch output.
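What that suggestion looks like on one end, as an added example rather than anything taken from the attached exports (tunnel name, addresses, tunnel-id, bridge name, interface names and VLAN IDs are all assumed; the same membership has to be mirrored on the other end of the tunnel):

```routeros
# Added example, not the poster's config. Assumed: bridge "bridge", ether1 is
# the existing uplink, the EoIP peer is reachable at 10.10.0.1, VLANs 10 and 99.
/interface eoip
add name=eoip-rb remote-address=10.10.0.1 tunnel-id=1 keepalive=10s,10

# The tunnel becomes a bridge port like any physical trunk. It carries only
# tagged frames, so untagged/PVID handling does not apply to it.
/interface bridge port
add bridge=bridge interface=eoip-rb frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Each VLAN that must cross the tunnel lists the tunnel in its tagged set;
# a VLAN missing here is silently dropped at this port when filtering is on.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether1,eoip-rb
add bridge=bridge vlan-ids=99 tagged=bridge,ether1,eoip-rb

# Verify the membership actually took effect (current-tagged column), then
# check the tunnel itself is up before looking further.
/interface bridge vlan print
/interface eoip monitor eoip-rb once
```

Keep the tunnel endpoints (`remote-address` on each side) in a VLAN that is reachable across the AP link on its own, otherwise the tunnel that is supposed to carry the VLANs depends on the very path it is replacing.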