Hi! I want to configure a cAP ac. I need to generate 2 SSIDs (Working + Guests).
Both SSIDs are successfully configured (VLAN 1, VLAN 80). The problem is with routing: when I'm connected to the SSID Guests (VLAN 80), if I change my IP address to an IP of the Working network (VLAN 1), I can ping hosts in VLAN 1.
Is it possible that I need to enable some option on the Routerboard for successful isolation of the VLANs?
You can see my cAP ac configuration in the text below:
Most Windows NIC drivers silently strip VLAN tags on ingress. So when a tagged frame comes in, the driver strips the VLAN tag and then treats it as an untagged frame. On egress it sends out untagged frames (what happens next is up to the link partner).
ether1 is not configured to reject untagged and/or alien VLAN frames. Depending on the rest of the settings and on the bridge implementation in ROS, it might mean that it will accept an untagged frame, keep it untagged in transit and then forward it untagged to any other bridge member port.
To secure a trunk port one has to set frame-types=admit-only-vlan-tagged ingress-filtering=yes to make sure that only tagged frames are allowed and that only frames belonging to the relevant VLANs are accepted.
The problem with the above solution is that, if ether1 is intended as a hybrid port (one VLAN untagged, the rest tagged[*]), port security can't work on anything. Hence it's best to have all VLANs tagged on all links between network infrastructure devices (switches, routers, ...) and only have untagged (or, exceptionally, hybrid if a device explicitly supports/requires it) ports on the edge of the network (normal hosts).
[*] Note that VID=1 is the implicit default setting throughout ROS, and it turns out it's safe to think of untagged (or "native" in some dialects) frames as belonging to the VLAN with VID=1.
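An added example of the port-security settings described above applied to a cAP ac bridge; this is not the original poster's configuration. It assumes the upstream switch is changed to send both VLANs tagged on ether1 (VID 10 for Working, chosen instead of VID 1 as advised, and VID 80 for Guests), ether2 as an untagged Working access port, wlan1/wlan2 as the Working/Guests SSIDs, and a constructed management address.

```routeros
# Added example (not the poster's config). Assumed layout: ether1 = trunk from the
# switch carrying VIDs 10 (Working) and 80 (Guests) TAGGED, ether2 = untagged access
# port for Working, wlan1 = Working SSID, wlan2 = Guests SSID, management on VID 10.

/interface bridge
# Create the bridge with filtering OFF first; turn it on only once the VLAN table is complete
add name=bridge1 vlan-filtering=no

/interface bridge port
# Trunk: accept tagged frames only, and only VIDs present in the bridge VLAN table below
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: accept untagged frames only; each is placed into its own PVID.
# A tagged frame arriving here (e.g. a host trying to hop VLANs) is dropped.
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=wlan1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=wlan2 pvid=80 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN membership table: bridge1 is tagged on VID 10 so the AP itself can be managed there
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2,wlan1 vlan-ids=10
# Guests exist only on the trunk and the guest SSID; no management interface here
add bridge=bridge1 tagged=ether1 untagged=wlan2 vlan-ids=80

/interface vlan
# Management interface lives on VID 10 only
add interface=bridge1 name=vlan10-mgmt vlan-id=10
/ip address
# Constructed placeholder address; replace with the real management IP
add address=192.168.10.2/24 interface=vlan10-mgmt

/interface bridge
# Enable filtering last so an incomplete table does not lock you out
set bridge1 vlan-filtering=yes
```

With this in place an untagged frame on ether1, or a frame tagged with any VID other than 10 or 80, is dropped at the port rather than being flooded untagged to the other bridge members.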
I recommend using a different VLAN from VLAN 1; it causes problems in configurations, especially as different vendors treat VLAN 1 differently.
As was pointed out, what are you attempting to connect to OUT of ether2?
Thanks for all your answers.
But none of the solutions proposed by all of you resolves my trouble.
I receive a cable with VLAN 1 (untagged) and VLAN 80 (tagged), which is connected to ether1. I use these VLANs to emit 2 SSIDs.
The function of ether2 is to extend VLAN 1 to a switch for users who connect directly via Ethernet cable.
But if the AP does not separate both VLANs correctly, any computer connected to the final switch can receive an IP address from VLAN 1 (Work) or VLAN 80 (Guests) randomly.
In the initial configuration I used ether2 as an access port (VLAN 80) only to test the behaviour of the VLANs. But finally ether2 only transmits VLAN 1 (untagged).
Where are the Linux machines connected?
Where are you pinging them from?
What is your production environment layout?
I can guess that the problem lies somewhere else, not on the cAP.
But there is too little information for anything more specific.
I think the same, but the problem is on the cAP; I tried to do the same test in a non-production environment, with no good results.
Duplicated pings are produced when I connect a Linux host on ether2.
If I connect the same host on wlan1, 2, 3 or 4, the answers are not duplicated. Only via Ethernet cable.
Check how many ICMP packets to 8.8.8.8 are actually leaving the cAP on eth1 and how many are returning.
I still tend to blame the switch on the left for that behaviour.
If you don't want the VLANs to be able to communicate with each other on layer 3, i.e. ICMP traffic, you should block this with firewall rules.
Then, regarding "duplicate ping packets", I think it will be best to show this in a packet capture as evidence; I personally don't think you should disable IP forwarding, etc.