Welcome to TP-LINK Tech Support Forum
  1. #1

    TP-Link AC50 + CAP1750 to replicate setup from ZyXEL NXC2500 + NWA3560-N


    Hi community,

    I need to replicate a setup I have with the ZyXEL products, but I cannot find out how to do it.
    This is the setup I have for the ZyXEL products:

    - 2 static LAN IP addresses on the same subnet: one IP address will be blocked by the firewall, the other one will be allowed by the firewall (I cannot change the behavior of the firewall).
    - 2 SSIDs: one is the enterprise network, the other one is a guest network with captive portal.
    - Clients that connect to the enterprise network get an IP address from the enterprise DHCP, going out from the WLAN Controller using the 1st static IP address.
    - Clients that connect to the guest network will get an IP address from the WLAN Controller DHCP Server and will be SNATed using the 2nd static IP address after authenticating in the captive portal (I can add routing rules with source, destination, next-hop, etc.).
    - The APs are connected on their own network managed by the WLAN Controller with its own DHCP Server.

    Is it possible with these products from TP-Link?
    From what I have seen, they are too limited compared to the ZyXEL products...
    Hope it would be possible to accomplish something similar with the TP-Link, because our client already bought the products and cannot send them back...

    If it helps, here the GUI demo from the ZyXEL WLAN Controller NXC2500 (Username: demo / Password: demouser): http://nxc2500demo.zyxel.com.tw/

    Thank you for any help!

  2. #2
    Members R1D2 is on a distinguished road
    Join Date
    Dec 2015
    Posts
    1,198
    Quote Originally Posted by michael.santos:
    - 2 static LAN IP addresses on the same subnet: one IP address will be blocked by the firewall, the other one will be allowed by the firewall (I cannot change the behavior of the firewall).
    On the same subnet? Do you mean over the same physical cable in different subnets (VLANs)? Anyway, with TP-Link gear you would use two VLANs (two subnets) to separate two SSIDs for the enterprise and guest network.

    - 2 SSIDs: one is the enterprise network, the other one is a guest network with captive portal.
    Should be possible. You can choose to have a portal on one SSID and normal access to the enterprise network on the other SSID. However, you need to have a VLAN-capable router.

    - Clients that connect to the enterprise network get an IP address from the enterprise DHCP, going out from the WLAN Controller using the 1st static IP address.
    - Clients that connect to the guest network will get an IP address from the WLAN Controller DHCP Server and will be SNATed using the 2nd static IP address after authenticating in the captive portal (I can add routing rules with source, destination, next-hop, etc.).
    While the AC50 has a built-in DHCP server, it does not do routing or NATing as far as I know. You will need a router for this, but for VLANs you will need it anyway, so: yes this setup should be possible with TP-Link's AC50.

  3. #3
    Quote Originally Posted by R1D2:
    On the same subnet? Do you mean over the same physical cable in different subnets (VLANs)? Anyway, with TP-Link gear you would use two VLANs (two subnets) to separate two SSIDs for the enterprise and guest network.
    Hi, thank you for your answer. Yes, I need them on the same subnet (same VLAN). On the ZyXEL NXC2500 I have 2 physical cables attached to the WLAN Controller switch. Each port has its own IP address from the same subnet/VLAN. One of these IPs is whitelisted on the enterprise firewall. To simplify, I will try to explain how it is set up on the ZyXEL (the IP addresses/ranges in this example are not the real ones):

    - I have activated on the ZyXEL WLAN Controller 3 VLAN interfaces with ID 1 (Enterprise Network), ID 30 (Guest Network) and ID 40 (APs Network). Two with VLAN Tagging (ID 30 and 40), one without VLAN Tagging (ID 1).
    - For each VLAN ID I can assign an IP address, subnet and gateway. I can also activate a DHCP Server or DHCP Relay. For VLAN IDs 30 and 40 I set up a static IP address (that would be assigned as gateway on the clients) with DHCP Server (192.168.30.x and 192.168.40.x), and for ID 1 I set up a static IP address with DHCP Relay to the Enterprise DHCP Server.
    - For each VLAN I can assign an ethernet interface (physical port) from the WLAN Controller 6-port switch. Port 1 is assigned to VLAN ID 1, port 3 to VLAN ID 30, port 6 to VLAN ID 40.
    - For each ethernet interface I can assign an IP address. For port 1 I have a static IP address (192.168.0.1), port 3 I have a static IP address (192.168.0.200) and port 6 I left the default IP address and subnet from 0.0.0.0/0.0.0.0
    - The APs are pre-configured (when still on standalone mode) to receive their IP address over VLAN ID 40 and are connected to physical port 6.
    - I have 2 SSIDs. For each one I can choose the forwarding mode (tunnel or local bridge) and assign a VLAN interface. SSID with assigned VLAN ID 1 (Enterprise) is configured with tunnel forwarding mode, the SSID with assigned VLAN 30 (Guest) is configured with local bridge forwarding mode.
    - For the captive portal I can assign which VLAN IDs should support it.
    - On the routing policy I have a policy for VLAN ID 1 (Enterprise) where it should route all its traffic through port 1. For VLAN ID 30 I have a policy for NATing all its traffic through port 3 with SNAT defined as 192.168.0.200.
    - On the WLAN Controller firewall I add some policies to disallow access to the management of the WLAN Controller and the enterprise network from the guest network.
    - The IP address 192.168.0.200 is the IP address on the existing enterprise firewall that is allowed to access the internet; all other IP addresses from this network (192.168.0.x) only have access to the internet through a proxy server that already exists.

    So, what I need is to have something similar with the TP-Link products. The downside of this setup is that I cannot change any existing enterprise configuration (firewall, switches, etc.).
    Basically I need to have 2 SSIDs: one where the clients get the IP address from the existing enterprise DHCP Server, another one where the clients get the IP address from a DHCP Server configured on the WLAN Controller and where they need to authenticate through the captive portal to have internet access.

    If the TP-Link does not provide NATing, how can I solve the problem? Would a TP-Link TL-WR710N Router help with this setup?
    Now I understand the big price difference between the AC50 and the NXC2500: with the NXC2500 almost everything is possible.
    Thank you for any help you all can provide!

    EDIT: Difference between tunnel and local bridge forwarding mode (from ZyXEL user guide):
    - Set the forwarding mode with “Local bridge” when the traffic of AP would go through the NXC directly.
    - Set the forwarding mode with “Tunnel mode” when the traffic of AP might not go through the NXC directly. The tunnel mode setting could force all the traffic to go into the NXC.
    Last edited by michael.santos; 06-10-2017 at 12:08.

  4. #4
    Members R1D2 is on a distinguished road
    Quote Originally Posted by michael.santos:
    - I have activated on the ZyXEL WLAN Controller 3 VLAN interfaces with ID 1 (Enterprise Network), ID 30 (Guest Network) and ID 40 (APs Network). Two with VLAN Tagging (ID 30 and 40), one without VLAN Tagging (ID 1).
    So you have 3 VLANs (ID 1, 30 and 40) and therefore three subnets. Yes, even the one with tag VID 1 is a VLAN, although maybe only internally.

    - For each VLAN ID I can assign an IP address, subnet and gateway.
    So you have different subnets segmented into 3 VLANs. No problem with a TP-Link managed switch, you could assign VLANs, subnets, VLAN interfaces with a static IP and routes to a gateway and back to a VLAN interface.

    I can also activate a DHCP Server or DHCP Relay. For VLAN IDs 30 and 40 I set up a static IP address (that would be assigned as gateway on the clients) with DHCP Server (192.168.30.x and 192.168.40.x), and for ID 1 I set up a static IP address with DHCP Relay to the Enterprise DHCP Server.
    - For each VLAN I can assign an ethernet interface (physical port) from the WLAN Controller 6-port switch. Port 1 is assigned to VLAN ID 1, port 3 to VLAN ID 30, port 6 to VLAN ID 40.
    - For each ethernet interface I can assign an IP address. For port 1 I have a static IP address (192.168.0.1), port 3 I have a static IP address (192.168.0.200) and port 6 I left the default IP address and subnet from 0.0.0.0/0.0.0.0
    - The APs are pre-configured (when still on standalone mode) to receive their IP address over VLAN ID 40 and are connected to physical port 6.
    These are typical tasks for servers and switches. VLAN 40 seems to be a "Default" or "Management" VLAN, which is not really needed to assign IPs to an AP, but it could be set up this way, too.

    - For the captive portal I can assign which VLAN IDs should support it.
    Same as on TP-Link's APs, except that you assign it to the SSID, which in turn is assigned to a VLAN in Multi-SSID setup, so it's just another view of the same thing.

    - On the routing policy I have a policy for VLAN ID 1 (Enterprise) where it should route all its traffic through port 1. For VLAN ID 30 I have a policy for NATing all its traffic through port 3 with SNAT defined as 192.168.0.200.
    Those are typical tasks for a router (hence the term routing).

    - On the WLAN Controller firewall I add some policies to disallow access to the management of the WLAN Controller and the enterprise network from the guest network.
    Ah, it's got a firewall, too.

    So, what I need is to have something similar with the TP-Link products. The downside of this setup is that I cannot change any existing enterprise configuration (firewall, switches, etc.).
    Basically I need to have 2 SSIDs: one where the clients get the IP address from the existing enterprise DHCP Server, another one where the clients get the IP address from a DHCP Server configured on the WLAN Controller and where they need to authenticate through the captive portal to have internet access.
    No problem with VLANs. Just don't expect the WiFi controller to do things it is not supposed to do. It should manage APs, but doing routing, firewalling, NATing, tunneling, bridging etc. is nothing I would expect from a WiFi controller, adding too much complexity and dependencies to an existing network topology. You will have to do those things with a router or a L3-switch if using an AC50.

    Now I understand the big price difference between the AC50 and the NXC2500: with the NXC2500 almost everything is possible.
    Yes, it seems that the Zyxel has everything built-in to do all those sorts of things not really belonging to a WiFi controller. Can it also brew coffee, which you will need a lot of if trying to change settings in such a complex setup?

    But seriously, the AC50 is just a WiFi controller, nothing more. The CAPs provide Multi-SSIDs assigned to multiple VLANs, which allow for separate subnets. What happens on those subnets in respect to providing IPs, routing, firewalling, NATing, traffic separation, tunneling, bridging etc. must be done with switches and routers, which - in the simplest case - may be realized by a single Linux server or by dedicated hardware of your choice. I think it's just another philosophy to do such things where they belong and yes, it is reflected in the price of the product. OTOH, if you don't have any routers, switches, DHCP servers etc., the Zyxel is very handy to support all that functionality, so you don't need any additional hardware.

    But why does your customer move from the Zyxel system to a solution, which needs a completely different setup? What's the reason for this move (just curious)?

  5. #5
    Hi, thank you for your answer.

    I know that routing, NATing and firewalling are not supposed to be done by a WLAN Controller, but in this case, where the client is a little hotel that just has one router from the ISP with a firewall rule that only the IP from the reception has direct internet access without going through a proxy (we cannot change any configuration in the router), the ZyXEL solution is great at relatively low cost.
    My client did not change the system; it is a new client which is identical to another client where I implemented the ZyXEL system, but this time the client already bought the hardware.

    I know you would not expect a WLAN Controller to do the same as the one from ZyXEL, but their flagship model NXC5500 (http://www.zyxel.com/uk/en/products_.../specification) can also do all this, and if you do not activate the unneeded functions, it does not eat additional resources. The WLAN Controllers from Aruba Networks (HP Company) do have these functions too, and they also explain why they have these functions on their products: https://community.arubanetworks.com/...ba/ta-p/180082.

    It would be great if TP-Link could upgrade their WLAN Controllers to support this kind of functionality, it would add value to the product and would only be activated if needed, so it would not compromise on performance for "normal" operation.

    Well, I will see what I can do with the TP-Link hardware so that the client does not need to add too much cost to the solution.
    Functionality vs. price, I still prefer the ZyXEL line of products.
    Last edited by michael.santos; 06-12-2017 at 07:50.

  6. #6
    Members R1D2 is on a distinguished road
    I'm in the hotspot business, too, and even our smallest hotel can easily afford a cheap router and a switch to separate the hotspot WiFi from their internal systems. With our cloud-based portal and an AC50, they even need only a VLAN-capable switch for 20 bucks connected to the ISP's router in order to secure their network from unauthorized accesses. IMHO, WiFi controllers should not interfere with routing or firewalling, that's just not their business according to the KISS principle (keep it small & simple). That's BTW the reason I don't buy Ubiquiti products: they are just adding unneeded functionality at the price of being expensive (e.g. the Edge Point switch for 550 bucks - completely overpriced).

  7. #7
    What kind of router and switch do you normally use for these kinds of projects? A switch with VLAN support for 20 bucks? Seems very cheap! Also from TP-Link?

    I have used some cheap TP-Link routers for some home projects, but for business I do prefer the ZyXEL brand. They seem to have more mature (software wise) products. They have a new cute little hotspot system for tiny Shops/Cafés, the UAG50 with ticket printer for guest accounts, just take a look!

    I have a spare TP-Link TL-WR710N here with DD-WRT on it and I will check if I can use it with the AC50 and the CAP1750...

    Thanks for your help!

    Regards from Portugal...

  8. #8
    Members R1D2 is on a distinguished road
    Quote Originally Posted by michael.santos:
    What kind of router and switch do you normally use for these kinds of projects? A switch with VLAN support for 20 bucks? Seems very cheap! Also from TP-Link?
    Sure, the TL-SG105E/108E Easy Smart Switches have basic VLAN support and are the cheapest of their class, although end-user prices did rise somewhat in the last two months (25 Euro for the SG105E and 34 Euro for the SG108E at the moment at Amazon, which currently is in its "high-price phase"). As router we use any device capable of supporting a LAN and a separate guest LAN, as most of the ISP-provided routers do. If different subnets are not available, we use anything from the TL-ER5120 to OpenWRT- or pfSense-based systems, depending on the customer's choice and budget.

    I have a spare TP-Link TL-WR710N here with DD-WRT on it and I will check if I can use it with the AC50 and the CAP1750...
    Of course DD-WRT or OpenWRT would be a very good choice in terms of the flexibility you are used to from the Zyxel software, but I don't know the HW capabilities of the TL-WR710N. Anyway, with DD-WRT/OpenWRT you have a powerful Linux system with all of the needed functionality to get the AC50 running with your system concept.

  9. #9
    Hi R1D2, thank you for the information.

    I have tried now to get the system working with a DD-WRT Router with VLAN support but without success. I think I will quit, something I have done quickly with the ZyXEL is taking so much time with the TP-Link...

    How does the AC50 control the CAP1750 AP? Which port on the AC50 should the APs connect to? If I have 2 SSIDs for 2 networks (192.168.0.x and 192.68.1.x), which IP addresses should the APs get, 192.168.0.x or 192.168.1.x?

    Can you give me some configuration hints for this simple example:

    - AC50 and CAP1750 connected together without any other connection on the AC50, with 2 SSIDs on 2 different networks, each one using the DHCP Server on the AC50 (192.168.0.x and 192.168.1.x). I think the DHCP Server on the AC50 with the option "For AP and Client" should do it, or am I wrong?

    With this setup, I should connect with a notebook to the 1st SSID and get an IP address from the 1st network (192.168.0.x), then do the same for the 2nd SSID and get an IP address from the 2nd network (192.168.1.x).

    Can this simple task be done? If not, I will have to say to my client to sell this *poor* product and buy the ZyXEL products. I can do this with even a cheap router with DD-WRT! This is driving me nuts! Sorry...

    Thank you again for any help you can provide...
    Last edited by michael.santos; 06-13-2017 at 16:00.

  10. #10
    Members R1D2 is on a distinguished road
    Quote Originally Posted by michael.santos:
    How does the AC50 control the CAP1750 AP? Which port on the AC50 should the APs connect to? If I have 2 SSIDs for 2 networks (192.168.0.x and 192.68.1.x), which IP addresses should the APs get, 192.168.0.x or 192.168.1.x?
    I would connect the CAPs to the AC50 first before configuring anything. The default IP of the AC50 is 192.168.0.253, so this is the management network. AFAIK, the CAPs use UDP broadcasts to find the AC50 controller. The AC50 in turn will provision the CAP and establish a permanent connection to it. That's cool, because it means that it does not matter what IP the AC50 has as long as the CAPs are in the same subnet (they are if you didn't change anything before adopting them to the controller). So, just designate one network as the management network.

    Can you give me some configuration hints for this simple example:

    - AC50 and CAP1750 connected together without any other connection on the AC50, with 2 SSIDs on 2 different networks, each one using the DHCP Server on the AC50 (192.168.0.x and 192.168.1.x). I think the DHCP Server on the AC50 with the option "For AP and Client" should do it, or am I wrong?
    If you use Multi-SSID, you need to use VLANs and have to define trunk ports on the AC50 to have it recognize VLANs. Either use internal DHCP for both networks or use an external DHCP server such as DD-WRT's dnsmasq. Just set up two networks on DD-WRT. Define a trunk port on the DD-WRT router and connect it to a trunk port on the AC50. As with every VLAN you need to eventually direct traffic into the subnet assigned to the VLAN at the terminating point. See the topology in the User's Guide for setup in the same LAN.

    Note that if you use DD-WRT's dnsmasq as DHCP server, you need to set DHCP option 60 to "TP-LINK" and DHCP option 138 to the IP of the AC50 in order to have the CAP be informed about the AC50's IP. So, if you have the default IP 192.168.0.253 for the AC50, set DHCP option 138 to this IP and make sure the controller can be reached by the CAP, either by using an IP from the same subnet for the CAP or by defining a static route to the AC50 if using different IPs. Test first with the AC50, the CAP and the DD-WRT router in the same subnet.

    With this setup, I should connect with a notebook to the 1st SSID and get an IP address from the 1st network (192.168.0.x), then do the same for the 2nd SSID and get an IP address from the 2nd network (192.168.1.x).
    Yes, if you did create two DHCP servers on the AC50, you should get two different IPs if connecting to different SSIDs. Did you configure the AC50's port the CAPs are connected to as a VLAN trunk?
    Last edited by R1D2; 06-14-2017 at 00:40.
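    The DHCP mechanism R1D2 describes in the post above (option 60 carrying the vendor class "TP-LINK", option 138 carrying the controller address) is plain TLV data in the DHCP options field; option 138 is the CAPWAP access controller address option from RFC 5417, a list of IPv4 addresses, 4 bytes each. The example below is added here and is not code from the thread, from TP-Link or from dnsmasq: it encodes and decodes those two options and includes a check that a lease only points an AP at the controller addresses you expect, which is the thing to verify when an AP does not adopt. The server-side rule that option 138 is only handed to clients presenting vendor class "TP-LINK", the controller IP 192.168.0.253 (the AC50 default quoted above) and the server identifier 192.168.0.1 are assumptions for the demonstration.

```python
# Added example (not from the thread): DHCP options 60 and 138 in TLV form.
# Option 138 = CAPWAP access controller IPv4 addresses (RFC 5417).
import ipaddress
import struct

OPT_PAD = 0
OPT_SERVER_ID = 54
OPT_VENDOR_CLASS = 60      # client -> server, e.g. b"TP-LINK"
OPT_CAPWAP_AC = 138        # server -> client, list of controller IPv4s
OPT_END = 255


def encode_options(options):
    """Serialise [(code, value_bytes), ...] into DHCP TLV form terminated by END."""
    out = bytearray()
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError(f"option {code}: length {len(value)} not encodable in one octet")
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse a DHCP options blob into {code: value_bytes}; skips PAD, stops at END."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def capwap_ac_option(addrs):
    """Build the option 138 value: one or more packed IPv4 addresses."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def build_offer_options(request_opts, controller_ip, server_id):
    """Server side (assumption): include option 138 only for clients whose
    vendor class (option 60) is exactly b"TP-LINK"; other clients get no 138."""
    opts = [(OPT_SERVER_ID, ipaddress.IPv4Address(server_id).packed)]
    if request_opts.get(OPT_VENDOR_CLASS) == b"TP-LINK":
        opts.append((OPT_CAPWAP_AC, capwap_ac_option([controller_ip])))
    return encode_options(opts)


def controllers_from_offer(blob):
    """Client side: list the controller IPs carried in option 138, if any."""
    value = decode_options(blob).get(OPT_CAPWAP_AC, b"")
    if len(value) % 4:
        raise ValueError("option 138 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def offer_points_to_expected(blob, expected_controllers):
    """Operator check: the lease names at least one controller and every
    controller it names is on the allow-list (e.g. {"192.168.0.253"})."""
    found = controllers_from_offer(blob)
    return bool(found) and all(ip in expected_controllers for ip in found)


if __name__ == "__main__":
    # Constructed request from an AP identifying itself with vendor class "TP-LINK".
    request = decode_options(encode_options([(OPT_VENDOR_CLASS, b"TP-LINK")]))
    offer = build_offer_options(request, "192.168.0.253", "192.168.0.1")
    print("option 138 ->", controllers_from_offer(offer))
    print("points at expected controller:", offer_points_to_expected(offer, {"192.168.0.253"}))
```

    If a CAP keeps an IP but never adopts, compare the option 138 contents of the lease it actually received against this check: an empty list means the server did not match the vendor class, and an address outside the allow-list means some other DHCP server on the segment is answering the APs.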

  11. #11
    Dear All

    TP-Link is also planning to launch USG (Unified Security Gateway) products which will combine Wireless Controller, VPN Router and Firewall together in the future.
    You can keep an eye on our official website.

Copyright © 1996-2017 TP-LINK Technologies Co., Ltd. All rights reserved.