Question Connecting across APs

[superphb]

Hi, I wonder if anyone can help?

My scenario:

Hardware used: Draytek Vigor 2860 VDSL router, TP-Link EAP115 Access points. DL-Link 24 port managed switch.

Consider two wireless access points on a 192.168.8.0 range (as an example). AP1 192.168.8.10 and AP2 192.168.8.11. If I connect successfully, as a wireless client, to AP1 I'm given an appropriate IP address from the DHCP scope from the Vigor 2860. e.g. 192.168.8.50. Both APs are connected to the same port on the 2860. My device (laptop in this scenario) can now access the internet etc and (if I have the correct username/password) http to the AP admin page of the device it's connected to and configure the AP if needed.

However, what I would also like to do is while connected to AP1 is http to AP2 (which is on the same network) and administer that device. But I cannot. I cannot http or even PING it.

They use the same gateway IP (192.168.8.1) AND, crucially, neither AP has "isolate AP" ticked (just in case anyone mentions that).

So, why can I not connect across this network to the other AP (on the same network)? Any help appreciated. Many thanks

 

[thecoolnessrune]

If it really is all in the same IP space then you have something blocking. Connect to your switch on the same VLAN as your APs and Router. You should get an IP from your router, be able to browse, and be able to ping both APs. Can you do so?

If you can, but you can't from the AP, then the AP is still isolating somehow.

 

[ch33zw1z]

Post vlan config

 

[superphb]

Ok, connected a laptop (wired) to one of the switchports which is configured with the vlan setting that the APs are connected to. Had to config the laptop NIC for the VLAN ID.

Laptop set to obtain ip automatically, which it duly did, and it can access the interwebs. However, from cmd cannot ping EITHER AP but can ping the gateway successfully.

 

[ch33zw1z]

Ok, are the WAP's using a VLAN?

What's the VLAN config for the LAN?

 

[superphb]

Ok so more config info as follows:

To allow the two APS to connect to the one port of the Vigor I use VLAN tagging on the Vigor which uplinks to the D-Link switch where there are ports which are configured to allow the VLANs configured on the Vigor to percolate through and these are the ports that the APs are connected to.

Each AP has two SSID's, one for secure access, one for guest. Let's say AP1 has SECURE1 and GUEST1 and AP2 has SECURE2 and GUEST2. So VLAN tagging needs to be used to allow the two different/separate 'networks' on the same AP.

VLAN ID's of 10 and 11 are configured on the Vigor and the same VLAN ID's are configured on the D-Link and APs.

 

[ch33zw1z]

Sounds like there's a config issue somewhere. You can draw a map on paper if it helps keep track of everything.

Start with the Vigor, there's a VLAN guide in the appendix: https://www.draytek.co.uk/support/d...4/send/456-3844/706-vigor2860-user-guide-v4-2

Sounds like you're using tag-based VLAN's, and no firewall rules to block traffic between VLAN's

In there, it says on page 671 that when configuring with tag-based VLAN's, all your ports will be trunk ports. so whichever port you have run to the Dlink really shouldn't matter.


Confirm the settings and move on to the D-Link managed switch, which model btw? latest firmware?

I've not been required to set a VLAN on my NIC, so I find that a little odd.

Confirm the settings are in place on the switch.

If all is looks correct, move on to the AP's and confirm their configuration.

Feel free to post some screenshots of the config menu's if you like. My gut says the D-Link isn't setup with a trunk port

 

[superphb]

Hi, D-Link switch is a DGS-120-24 (latest firmware)

re: VLAN ID on my laptop. The laptop is a little old. All I can say is before I went into the NIC setting and changed it to the right VLAN ID it didn't pick up a DHCP IP address. After changing, it did and had connectivity. I suppose that it may be the same reason that on the APs (on the different SSIDs) you can stipulate the VLAN ID to allow the SSID access to that LAN.


config of the VLANs on the D-Link


config of the VLANs on the Vigor (note: LAN5 is the work LAN and LAN4 and LAN3 (not seen) for guest browsing. Using the inter LAN routing config screen I allow LAN5 access to the wired work LAN, LAN1)


config on the AP

Just to confirm; there is nothing wrong per se about how the setup is working for me (everybody is accessing what they should be accessing). The only niggle is that i cannot connect to AP1 (to look at the admin page) when connected to AP2. Thanks

 

[ch33zw1z]

Ok, a couple suggestions...

First, looking through the Vigor config guide(hope i grabbed the right version), I was comparing your screen shot to what the guide shows. Am I correct in saying that you don't have any check boxes chosen for which ports on the Vigor are assigned to the VLANs? I counted both pictures check boxes from Left to Right, and if it matches then only SSID2 is checked, see Below...



Second, based on this Dlink manual, VLAN trunking seems similar to the Vigor, where just assigning the VLANs to the same port is enough...

https://www.dlink.com/fr/fr/-/media...-1210/manual/dgs_1210-smart-series-manual.pdf

http://forums.dlink.com/index.php?topic=41342.0
http://forums.dlink.com/index.php?topic=60578.0;prev_next=prev#new

anyways, just something I noticed.

which port from the Vigor goes to which port on the Dlink?

Edit: Also, ensure the "uplink" port is a member of untagged vlan 1 as well so untagged traffic can flow over the network as well

For the AP's, what's the management vlan section configed as ?

 

[superphb]

Hi, the Vigor 2860 I have has 6 ports. Port six is configured for LAN5 & 4 which are tagged 401/402. The D-Link is configured and aware of 401/402 on ports 1-4. I use port 1 of the D-Link as the 'uplink' from the Vigor port 6 and therefore ports 2/3/4 of the D-Link are available to use for my APs.

I see what you are saying about untagged traffic but I don't really need untagged packets on those ports. I suppose my security is explicit rather than implicit.

 

[ch33zw1z]

Hi, the Vigor 2860 I have has 6 ports. Port six is configured for LAN5 & 4 which are tagged 401/402. The D-Link is configured and aware of 401/402 on ports 1-4. I use port 1 of the D-Link as the 'uplink' from the Vigor port 6 and therefore ports 2/3/4 of the D-Link are available to use for my APs.

I see what you are saying about untagged traffic but I don't really need untagged packets on those ports. I suppose my security is explicit rather than implicit.

Ok, so the next place I would look is management vlan settings on the AP's

You could also plug the AP's directly into the vigor and see if the problem changes. If it does, then you know the problem is somewhere between the vigor and D-Link, or at the dlink itself.

 

[superphb]

Ok ch33zw1z, I'll double check my settings. Thanks for all your guidance. I'll sign off for now as it's my last day before the holidays. Enjoy the festivities and I'll catch you after. Regards.

 

[ch33zw1z]

Sure man, good luck, and happy holidays.