Re: WAX620 NAT mode is terribly unstable and unusable

JakeJ · ‎2023-10-31

WAX620 with firmware V10.6.1.1
I'm trying to set up a guest wifi using NAT configuration.

Connecting to the SSID with NAT enabled, strange network behaviour is observed.

Initial connection opening any web page or youtube app, whatever takes very long time 10 to 20 sec.

After the first connection, network flows smoothly but stuttering sometimes.

Measured throughput is as good as other bridged normal setting SSIDs.

There seems to be a mistake in firmware handling some kinds of packet like DNS or ACK? I'm not sure.

In addition, one possible misleading configuration is "DHCP Offer Broadcast to Unicast".

When this setting is "Enabled", devices that connect to the NAT SSID receive DNS nameserver configuration from the upper network. IPv6 nameserver in my case. That causes connected devices totally unusable.

So usually for a guest WiFi network, NAT and DHCP Offer disabled would be the possibly configuration. I believe.

This behavior is already acknowledged? Working to resolve in the future firmware?

Thanks

schumaku · ‎2023-11-01

Reads like something is very wrong with the NAT config or the WAX6xx config in general.

Have defined an IP subnet not in use on any other local LAN or VLAN? Overlapping IP subnets probably?

An IPv6 DNS server must be able to resolve IPv6 and IPv4, including the fallback from IPv6 to IPv4. Check using https://ipv6-test.com/ for example FMI - from both a direct SSID as well as for the NATed SSID connection.

When using the NATed SSID, only IPv4 can be available, as the many-2-one NAT in place does support IPv4 only, using the WAX6xx LAN IP as the target for the NAT address.

The DHCP Offer Broadcast to Unicast is available to reduce the burden of massive broadcast traffic on the wireless. Unclear why and how this should make a difference in the way the DNS is used from the NATed SSID - essentially the same DNS config is in use either way.

JakeJ · ‎2023-11-01

Thanks for replying.

My another attempt to make a guest network with wax620 is:

setting a bridged SSID with VLAN=2, DHCP offer disabled, and install a OpenWrt Hyper-V virtual machine as a router

between VLAN=2 and untagged LAN.

Under this condition, everything works fine.

As for IPv6. When NAT and DHCP both are enabled, connected client PC gets IPv6 nameserver address of

the upper network but doesn't get IPv6 address assigned to the PC. Ipv6 address advertisement seems not working to NAT network. I think that's why.

So far, for me, just NAT setting does not work well.

schumaku · ‎2023-11-01

@JakeJ wrote:

As for IPv6. When NAT and DHCP both are enabled, connected client PC gets IPv6 nameserver address of

the upper network but doesn't get IPv6 address assigned to the PC. Ipv6 address advertisement seems not working to NAT network. I think that's why.

So far, for me, just NAT setting does not work well.

Would you mind to show how a common system on this NATed SSID does announce an IPv6 DNS address? Here what I get (while connected to a full dual-stack IPv6/IPv4 network, but only connecting to the NATed SSID) e.g. Windows shows, including which DNS server is accessed:

Z:\Users\xxxxxxx\> ipconfig /all

Drahtlos-LAN-Adapter WiFi 2:

Verbindungsspezifisches DNS-Suffix: local
Beschreibung. . . . . . . . . . . : Intel(R) Wi-Fi 6 AX210 160MHz
Physische Adresse . . . . . . . . : <<snip>>
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::fc5:eea3:4fdf:7275%11(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 172.20.20.30(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Lease erhalten. . . . . . . . . . : Mittwoch, 1. November 2023 17:08:05
Lease läuft ab. . . . . . . . . . : Donnerstag, 2. November 2023 17:08:05
Standardgateway . . . . . . . . . : 172.20.20.1
DHCP-Server . . . . . . . . . . . : 172.20.20.1
DHCPv6-IAID . . . . . . . . . . . : 557109238
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx
DNS-Server . . . . . . . . . . . : 8.8.8.8
NetBIOS über TCP/IP . . . . . . . : Aktiviert

Z:\Users\xxxxxxx\> nslookup
Standardserver: dns.google
Address: 8.8.8.8

>

All relevant IPv6 details I see here is the link-local IPv6 address, and the DHCPv6-Client-DUID.

Can't see on how any IPv6 config should come to the client....

JakeJ · ‎2023-11-02

I tried to reproduce the problem that I had with NATted SSID.

But I could not reproduce the same situation again.

Therefore I'd like to close the case for now.

Thanks for your help.

Previously I had this configuration:

SSID1: normal bridged WiFi to the wired LAN

SSID2: temporary VLAN2 WiFi with a virtual machine OpenWrt router as a guest WiFi.

What I did was trying to add a problematic NATted SSID as SSID3.

I could not observe any problem. Whatever the setting of "DHCP offer" and "client isolation".

ipconfig shows all healthy. No IPv6 leakage from the upper network and no interference of DNS.

One more thing I noticed in the meanwhile was:

When "client isolation" is disabled, the clients in the NATted network can

discover Chromecast devices that blong to the upper network.

In this context, NATted SSID is not completely a "guest WiFi".

Probably "client isolation disabled" option allows some special protocols like DNS-SD to pass through.

Formerly I was using WAX214, in which there was "Guest WiFi" configuration and it did'nt behave like the NAT configuration in WAX620.

Thanks anyway.

> NAT SSID2 is now

Connection-specific DNS Suffix . : local
Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
Physical Address. . . . . . . . . : ************
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::************%5(Preferred)
IPv4 Address. . . . . . . . . . . : 172.31.6.177(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Lease Obtained. . . . . . . . . . : 2023年11月2日 7:09:00
Lease Expires . . . . . . . . . . : 2023年11月3日 7:08:59
Default Gateway . . . . . . . . . : 172.31.4.1
DHCP Server . . . . . . . . . . . : 172.31.4.1
DHCPv6 IAID . . . . . . . . . . . : 66*********
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-************
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

JakeJ · ‎2023-11-07

Still BUGGY.

I switched back the setting to

SSID1 main network

SSID2 NAT guest network

then I started observing unstable connections on NAT SSID2 again.

DHCP leased addresses : ok

Nameserver: ok

Measured throughput: ok

Youtube playback stuttering.

Opening web pages super slow.

Sometimes good, somtimes bad.

I just suspect NAT router in the accesspoint is overloading or

doing too much extra work.

Anyway I hope the future firmware release will solve it.

Thanks.

JulienR · ‎2023-11-08

Hi @JakeJ,

I will ask a member of our support team to get in touch with you.

Thank you.

Best Regards,

Julien R.

ESGR · ‎2023-11-08

Please keep us updated if a solution is found to this. We are having the same issue. 2 WAX620's. One on first floor, one on second floor. I have set up a guest wireless on a VLAN through a Sonicwall TZ370. It does work but seems to be dropping clients consistently. When I log in to Insight, the connection by SSID graph literally looks like a saw tooth with all SSIDs going from say.......5 clients connected to 0, then back to 5 again. We also have clients on the first floor randomly deciding to connect to the second floor WAP, which is odd.

I have tried all sorts of settings changes. Running firmware 10.6.1.1. Tried dropping power level to half on both WAPs, changing channels and bandwidth to create separation. Nothing seems to be helping.

schumaku · ‎2023-11-08

@ESGR wrote:

Please keep us updated if a solution is found to this. We are having the same issue. 2 WAX620's. One on first floor, one on second floor. I have set up a guest wireless on a VLAN through a Sonicwall TZ370.

Obviously not the same.

@JakeJ does talk of the NATed SSID option, allowing to have a small isolated Guest IP subnet by each AP.

In your deployment, it appears you have an issue on one VLAN spanning all WAX6xx, with the L3 done on the Sonicwall. At the same time, there are no problems with the normal LAN or VLAN handling the non-guest network(S)?

ESGR · ‎2023-11-08

Apologize,

I will create a new thread.