Welcome to TP-LINK Tech Support Forum
  1. #1

    CPE210 drops connection when using mgmt vlan

    Model : CPE210

    Hardware Version : V2

    Firmware Version : CPE210_2.0-up-ver2-1-6-P1[20170908-rel45234]

    I have two CPE210, hardware version 2, one acting as AP and one as client. I have assigned them static IPs, 192.168.5.10 (AP) and 192.168.5.16 (client).

    When I don't assign mgmt vlan I can connect to the two devices using a manually set static IP on my computer (192.168.5.3) and connecting the network cable from my computer to the LAN input on the PoE injector. The two devices keep having a good and stable connection.

    I then remove the static IP from my computer, setting it in DHCP mode, and receive an IP address from the DHCP server (with range = 192.168.100-199). As soon as I do that I can no longer connect to (nor ping) either of the CPE210s, even though they are on the same subnet as my computer. They keep having a stable connection, as verified by plugging another computer into the client, receiving an IP address within the DHCP range and being able to surf the internet.

    I go back to static IP on my computer and connect to the AP to set management vlan to 5, which is the vlan my computer is on using an EdgeRouter X as the brain to provide the DHCP server (actually a bunch of DHCP servers with corresponding vlans). The important part is that the bits and bytes going in to the AP is a trunk of several vlans.

    I can successfully set the mgmt vlan to 5, and am then able to connect to the AP using DHCP on my computer. Everything would be a happy party then, if it wasn't for the reason that the AP at that point starts losing its connection to the client every 4-5 seconds. If I log in to the AP I can see that the number of connected devices flashes between 0 and 1 for about 4-5 seconds in each state. If I log in to the client I can see that the timer keeping track of the connection to the AP never reaches more than 4-6 seconds and is then reset to 0.

    Maybe this is firmware related or there is something else I'm missing. I noticed in another thread (http://forum.tp-link.com/showthread....des-KRACK-fix) that there is a new firmware for HW version 3, but that it also works on CPE210 V2. Maybe someone can confirm this again in this thread, or maybe see beyond the troubleshooting already performed by me.
    Last edited by peltors; 02-05-2018 at 12:16. Reason: Providing device information

  2. #2
    R1D2 (Members; Join Date: Dec 2015; Posts: 1,428)
    There was a recent beta fixing mgmt VLAN problems, see http://forum.tp-link.com/showthread....eatre-Improved

    It most certainly is contained in latest firmware 2.1.11 of 2018-01-26.

  3. #3
    Quote Originally Posted by R1D2 View Post
    There was a recent beta fixing mgmt VLAN problems, see http://forum.tp-link.com/showthread....eatre-Improved It most certainly is contained in latest firmware 2.1.11 of 2018-01-26.
    Good idea. Unfortunately my HW (CPE210 v2) is not listed. How sensitive is the HW version in relation to the specifications of the firmware?

  4. #4
    Quote Originally Posted by R1D2 View Post
    There was a recent beta fixing mgmt VLAN problems, see http://forum.tp-link.com/showthread....eatre-Improved It most certainly is contained in latest firmware 2.1.11 of 2018-01-26.
    I upgraded to latest firmware as specified by you. I haven't had time to set mgmt VLAN and try, but I still couldn't connect to the devices when my computer got its IP via DHCP server and the signal to the AP is a trunk.

  5. #5
    R1D2
    Quote Originally Posted by peltors View Post
    I upgraded to latest firmware as specified by you. I haven't had time to set mgmt VLAN and try, but I still couldn't connect to the devices when my computer got its IP via DHCP server and the signal to the AP is a trunk.
    It's a bad idea to use DHCP for stationary devices. I use static IPs for routers, switches and APs and using the mgmt VLAN with static IPs works fine.

    Yes, you have to use a trunk port for connecting the CPE to your switch/router, so you also need to assign VLAN ID(s) to the CPE's SSID(s) later on if your switch/router doesn't use a native VLAN. For initial setup you need to connect to the AP by a wired connection. The easiest way to achieve this is to connect your laptop/PC to an access port with VLAN membership and PVID of the mgmt VLAN.

  6. #6
    Quote Originally Posted by R1D2 View Post
    It's a bad idea to use DHCP for stationary devices. I use static IPs for routers, switches and APs and using the mgmt VLAN with static IPs works fine.

    Yes, you have to use a trunk port for connecting the CPE to your switch/router, so you also need to assign VLAN ID(s) to the CPE's SSID(s) later on if your switch/router doesn't use a native VLAN. For initial setup you need to connect to the AP by a wired connection. The easiest way to achieve this is to connect your laptop/PC to an access port with VLAN membership and PVID of the mgmt VLAN.
    Yes, I always use static IPs for stationary devices. I did exactly what you describe using trunk and access ports respectively. I didn't assign VLAN IDs to the CPEs' SSIDs b/c I collect the trunk in a VLAN aware switch and split it there.

    I got this to work yesterday. I set the mgmt VLAN on the CPE210s and they didn't drop connection. I'm still a bit confused that this part didn't work fully until the last firmware. Seems like a central part of the functionality.

  7. #7
    R1D2

    Management VLAN made easy

    Quote Originally Posted by peltors View Post
    I'm still a bit confused that this part didn't work fully until the last firmware. Seems like a central part of the functionality.
    No, it did work before since the feature was introduced (I do this all the time), but it had been enhanced again in December.

    Since I had to set up a MGMT VLAN just today for a customer and to show an example for others with the same demand, I document all necessary steps here:

    The network uses a LAN with VID 1 and a MGMT VLAN with VID 100. The laptop, CPE and router are interconnected using a TL-SG105E. Router is a TL-WDR4300 using OpenWRT as its firmware.

    First, set up the switch. Until everything is in place, leave your laptop connected on port 1 and assign it an unused static IP, say 192.168.0.10:

    [Screenshot: mgmt-vlan3.png]

    - Ports 1 and 2 are plain untagged LAN ports, members of VLAN 1 only.
    - Port 1 is used for setting things up and uses the subnet 192.168.0.0 during setup to reach all devices.
    - Ports 3 and 4 are trunk ports with tagged VLAN 1 and 100.
    - Port 5 is an untagged MGMT port for the laptop (later to be connected) in VLAN 100.

    PVIDs are as follows:

    [Screenshot: mgmt-vlan4.png]

    Untagged ingress traffic on trunk ports will be assigned PVID 1 (LAN), the Default VLAN. Untagged ingress traffic on port 5 will be forwarded to the MGMT VLAN 100. Apply and save the switch settings.

    Now connect the CPE to port 2 of the switch and set it up as follows. In menu "Wireless", enable Multi-SSID (even if you plan to use only one SSID). Enable VLAN tagging for the SSID, assign it to the LAN subnet (VID 1):

    [Screenshot: mgmt-vlan2.png]

    In menu "Network" set a static IP for MGMT. If you want to use NTP time servers on the Internet for the CPE, add a default gateway and DNS servers. If you choose to use an NTP server running on your router and do not want to allow Internet access for the CPE itself, just leave the default gateway and DNS server entries empty:

    [Screenshot: mgmt-vlan1.png]

    Now enable the Management VLAN of the CPE. You will lose connectivity at this point. Connect the CPE to port 4 of the switch to regain connectivity to its web UI through port 5. You could connect the laptop to port 5 now to save settings on the CPE, but you could also finish the setup first, then save settings on the CPE later.

    Set up the router. Add a new interface for the MGMT subnet, assign a trunk port for LAN/MGMT traffic, install a firewall zone for MGMT and - if needed due to the firewall's default policy - add a route from MGMT to WAN if Internet access is required (depends on the decision about which NTP server to use etc.). Of course, those steps may differ on your router, but on OpenWRT it's done this way and I show it only to make the principle clear:

    Code:
    config interface 'mgmt'
        option proto 'static'
        option ifname 'eth0.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
    
    config switch_vlan
        option device 'eth0'
        option vlan '100'
        option ports '5t 0t'
    The first config section installs an interface for the MGMT VLAN with VID 100 and IP 192.168.100.1. The second config section creates a trunk port on WDR4300's port labeled "4" (the 5t). 0t is an internal trunk to the CPU needed to forward traffic to the firmware.

    Remember to add the WDR4300's trunk port 4 (the 5t) to an existing LAN with VLAN 1, too:

    Code:
    config switch_vlan
        option device 'eth0'
        option vlan '1'
        option ports '2 3 4 5t 0t'
    Next, set up a MGMT zone in the firewall. I use default policy REJECT for forwarding and an explicit forwarding rule to allow traffic from MGMT to the WAN, but not to the LAN:

    Code:
    config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option custom_chains '1'
        option drop_invalid '1'
    
    
    config zone
        option name 'mgmt'
        option network 'mgmt'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
    
    
    config forwarding
        option src 'mgmt'
        option dest 'wan'
        option family 'any'
    Now connect the router to port 3 of the switch. Connect the laptop to port 5 of the switch (untagged member of MGMT VLAN) and change its static IP from the 192.168.0.0 subnet into an unused IP of the 192.168.100.0 subnet:

    [Screenshot: mgmt-vlan5.png]

    That's all. Test the setup using the ping command.
    Last edited by R1D2; 02-05-2018 at 12:28.
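
An added example (not part of R1D2's post and not OpenWrt code): a small Python audit that reads the router sections quoted above and reports settings that would undo the separation of the MGMT VLAN described in the post. The function names, the trimmed config text and the weak variant are constructed for illustration; treating an untagged router port in VLAN 100 as a finding is an assumption based on the post's layout, where the router carries MGMT only on the trunk.

```python
import re

# The post's router sections (network + firewall), trimmed to the options audited.
PAGE_CONFIG = """
config switch_vlan
    option device 'eth0'
    option vlan '100'
    option ports '5t 0t'
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'mgmt'
    option network 'mgmt'
    option forward 'REJECT'
config forwarding
    option src 'mgmt'
    option dest 'wan'
"""
# Constructed weak variant: VLAN 100 untagged on port 5, plus a lan -> mgmt forwarding.
WEAK_CONFIG = PAGE_CONFIG.replace("'5t 0t'", "'5 0t'") + (
    "config forwarding\n    option src 'lan'\n    option dest 'mgmt'\n")

def parse_uci(text):
    """Parse UCI text into a list of {'type': ..., 'opts': {...}} sections."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        head = re.match(r"config\s+(\S+)", line)
        opt = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if head:
            sections.append({"type": head.group(1), "opts": {}})
        elif opt and sections:
            sections[-1]["opts"][opt.group(1)] = opt.group(2)
    return sections

def audit_mgmt_isolation(text, mgmt_vid="100", mgmt_zone="mgmt"):
    """Return findings that weaken separation of the management VLAN."""
    findings = []
    for sec in parse_uci(text):
        kind, opts = sec["type"], sec["opts"]
        if kind == "switch_vlan" and opts.get("vlan") == mgmt_vid:
            untagged = [p for p in opts.get("ports", "").split() if not p.endswith("t")]
            if untagged:
                findings.append(f"VLAN {mgmt_vid} is untagged on router port(s) {', '.join(untagged)}")
        elif kind == "defaults" and opts.get("forward") != "REJECT":
            findings.append("default forward policy is not REJECT")
        elif kind == "forwarding" and opts.get("dest") == mgmt_zone:
            findings.append(f"zone '{opts.get('src')}' may forward into '{mgmt_zone}'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("weak variant", WEAK_CONFIG)):
        print(name, "->", audit_mgmt_isolation(cfg) or "no findings")
```

The default forward policy matters here because traffic between two zones with no matching forwarding section falls through to it, which is why the post's REJECT default keeps LAN clients out of MGMT.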

  8. #8
    Thank you very much for a complete description.

    I pretty much did everything you describe, except using multi SSID. I figured the trunk would pass between AP and client as a "package" without the need to split it. And it works for me, I take the signal from the client device and run it through a VLAN aware switch, then pass the trunk (removing one of the VLANs) to a VLAN aware access point where I assign different VLANs to different SSIDs.

    Is it possible that the connection is more stable splitting the VLANs in different SSIDs in the CPE210 as well?

  9. #9
    R1D2
    Quote Originally Posted by peltors View Post
    Is it possible that the connection is more stable splitting the VLANs in different SSIDs in the CPE210 as well?
    No, b/c more SSIDs mean more switching of the virtual wireless interfaces. If you don't need to separate WiFi networks, just leave it at one SSID.

    To make connections more stable between two CPEs, use 802.11n mode and 20 MHz channel width (WiFi speed then maxes out at 150 Mbps, but better than an unstable 300 Mbps). Also make sure both CPEs are exactly aligned to each other and have a free line of sight. Enable short GI, WMM and set the distance to Auto.

    Note that using the 2.4 GHz band for directional links can be problematic in densely populated areas. With CPE510 I could reach up to 90 Mbps data speed (~ 140 Mbps WiFi speed) compared to only effective 3 Mbps data speed with CPE210 on the same link over 600m.

  10. #10
    Quote Originally Posted by R1D2 View Post
    No, b/c more SSIDs mean more switching of the virtual wireless interfaces. If you don't need to separate WiFi networks, just leave it at one SSID.

    To make connections more stable between two CPEs, use 802.11n mode and 20 MHz channel width (WiFi speed then maxes out at 150 Mbps, but better than an unstable 300 Mbps). Also make sure both CPEs are exactly aligned to each other and have a free line of sight. Enable short GI, WMM and set the distance to Auto.

    Note that using the 2.4 GHz band for directional links can be problematic in densely populated areas. With CPE510 I could reach up to 90 Mbps data speed (~ 140 Mbps WiFi speed) compared to only effective 3 Mbps data speed with CPE210 on the same link over 600m.
    Really nice discussion, thank you for taking the time. I will implement the settings you specify. In the scenario I described the CPEs are 8 ft apart. Maybe that is a problem itself.

    The CPEs will be placed in a rural area where there are not so many 2.4GHz networks.

  11. #11
    R1D2
    Oops, 8 ft are ~3m, right? Then you should reduce TX power, but the antenna gain may be still too high for such a micro distance.

  12. #12
    Quote Originally Posted by R1D2 View Post
    Oops, 8 ft are ~3m, right? Then you should reduce TX power, but the antenna gain may be still too high for such a micro distance.
    Yes, and the current distance is rather 1,5 m. Too close of course, but I have already reduced Tx power to 1 instead of 11. It will be nice to test with some further distance between them.



Copyright © 1996-2018 TP-LINK Technologies Co., Ltd. All rights reserved.