
Re: WAX630E VLAN bug

ToniRod
Guide

WAX630E VLAN bug

Hello,

 

I'm having issues with my 2 WAX630E units.

VLANs are not working properly.

 

Configuration:

- Netgear MS510TXM Managed switch

- 2 WAX630E AP, AP1 and AP2

- 2 VLANs:  A & B

- 2 SSID: SSID A for VLAN A and SSID B for VLAN B on both AP, same configuration

- AP1 & AP2 switch port configuration identical: Trunk Port, both VLAN A & B are tagged

- 2 clients: a Laptop and a Printer

- There is a Router / firewall allowing everything from VLAN A to VLAN B (for testing purposes)

 

What I observe:

  1. Laptop on AP1 SSID A + Printer on AP1 SSID B: HTTP access to printer configuration KO
  2. Laptop on AP2 SSID A + Printer on AP2 SSID B: HTTP access to printer configuration KO
  3. Laptop on AP1 SSID A + Printer on AP2 SSID B: HTTP access to printer configuration OK
  4. Laptop on AP2 SSID A + Printer on AP1 SSID B: HTTP access to printer configuration OK
  5. Laptop wired  VLAN A + Printer on AP1 SSID B: HTTP access to printer configuration OK
  6. Laptop wired  VLAN A + Printer on AP2 SSID B: HTTP access to printer configuration OK

 

Ping from laptop to printer works in all 6 scenarios.

This unexpected behaviour is observed as long as the clients are connected to the same AP.

 

Any known issue?

Any suggestion to fix this?

 

Regards,

Toni.

 

Message 1 of 35
schumaku
Guru

Re: WAX630E VLAN bug

This reads more like a firewall or filtering issue. Or are we facing some mDNS (Multicast DNS gateway) configuration on these WAX630E?

Message 2 of 35
ToniRod
Guide

Re: WAX630E VLAN bug

Hi, actually mDNS is disabled on both AP.

Regarding firewall, all traffic is allowed from VLAN A to VLAN B.

I'm facing the issue only when the printer and the laptop are connected to the same Access Point but with different VLAN SSID. Connecting them to two different Access Points, and still with different VLAN SSID works well, which suggests it's not a firewall issue.
Message 3 of 35
schumaku
Guru

Re: WAX630E VLAN bug


@ToniRod wrote:
I'm facing the issue only when the printer and the laptop are connected to the same Access Point but with different VLAN SSID. Connecting them to two different Access Points, and still with different VLAN SSID works well, which suggests it's not a firewall issue.

Two SSIDs, still two networks, two different VLANs, two different IP subnetworks. And the IPv4 traffic must flow over the firewall. What does Wireshark collect when attempting to access the printer Web UI from the laptop? Sure, there could be additional L3 or L2 issues prohibiting establishing a connection, e.g. on the WAX630E. Start capturing traffic, prove a ping will go through, then we can see what fails on establishing a TCP session.

Message 4 of 35
ivant088
Aspirant

Re: WAX630E VLAN bug

I have the same problem with wax630e. File sharing and chromecast do not work across vlan. Ping no issue. Previous wireless access point from another brand works fine in this setup.
Message 5 of 35
schumaku
Guru

Re: WAX630E VLAN bug

@DavidGo please chime in here, appears different users are experiencing issues on the WAX630E

Message 6 of 35
ToniRod
Guide

Re: WAX630E VLAN bug

Thanks schumaku for the help.
Indeed, I've already captured the packets at 3 different points:
- client laptop
- access point
- switch by mirroring the port the access point is connected to

Something looks wrong to me.
I'm currently out for summer holidays. As soon as I'm back home within 3 weeks, I will share the packet captures.
Message 7 of 35
JulienR
Sr. NETGEAR Moderator

Re: WAX630E VLAN bug

Hi @ToniRod,

I will ask our support team to reach out to you and log a case.

Best Regards,

Julien R.  

Message 8 of 35
ToniRod
Guide

Re: WAX630E VLAN bug

As promised, I'm sharing the traffic capture. Several scenarios to try to isolate the issue.
I've tried to interpret the results but not sure if I'm doing it properly. Any help is welcome.


TEST CASE 1: Ping OK

- Laptop (VLAN unaware) connected to SSID on VLAN10 on AP1
- Printer connected to SSID on VLAN50 on AP1
- AP1 connected to VLAN aware switch on port 4
- Switch connected to FW allowing all traffic (for diagnostics purpose) from VLAN10 to VLAN50
- Port 4 mirrored to port 6, connected to another laptop to capture switch traffic


Laptop traffic capture
- file: 1.same-ap_ping-ok_client.pcapng
- We see the ICMP ping request and reply, VLAN unaware

AP1 traffic capture
- file: 2_same-ap_ping_ok_ap.pcap
- We see the request leaving the AP1 on VLAN10 and entering on VLAN50
- We see the response leaving the AP1 on VLAN50 and entering on VLAN10

Switch traffic capture
- file: 3_same-ap_ping-ok_switch.pcapng
- traffic is consistent with the laptop and AP1 capture


TEST CASE 2: HTTP KO
- Laptop (VLAN unaware) connected to SSID on VLAN10 on AP1
- Printer connected to SSID on VLAN50 on AP1
- AP1 connected to VLAN aware switch on port 4
- Switch connected to FW allowing all traffic (for diagnostics purpose) from VLAN10 to VLAN50
- Port 4 mirrored to port 6, connected to another laptop to capture switch traffic

Laptop traffic capture
- file: 1_same-ap_http-ko_client.pcapng
- The handshake seems to happen but there are unexpected SYN/ACK received by the client and the TCP connection gets reset

AP traffic capture
- file: 2_same-ap_http-ko_ap.pcap
- The handshake begins but there is an issue with the ACK. It leaves the AP1 on VLAN10 but never enters the AP1 on VLAN50
- I believe the printer never received the ACK and then resent SYN/ACK.
- This suggests at this time an issue with the FW / Router

Switch traffic capture
- file: 3_same-ap_http-ko_switch.pcapng
- The handshake begins and actually ends. We see the ACK on VLAN10 coming from the AP1 and we see the ACK on VLAN50 going to the AP1
- Which now suggests the AP1 is dropping the ACK entering the AP1 on VLAN50
- Strange also, the AP1 sends to the switch ACK with wrong VLAN/MAC pairs (frame no 11). To be sure those come from the AP1, I've captured the traffic on port 4 of the switch configured as RX (ingress) only

 

Zip file with the capture: https://drive.google.com/file/d/1lbJEulcTv0t6qEz4cM5OGYY--HI4lA4C/view?usp=sharing 

Thanks for the help.

 

Message 9 of 35
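Added example (not part of the original posts, and not code from ToniRod or NETGEAR): the comparison made in TEST CASE 2, matching each TCP handshake segment across the AP capture and the switch mirror per 802.1Q VLAN ID to see which segment the switch delivered but the AP never shows. All frames, addresses, ports and sequence numbers below are constructed, and it assumes the router forwards between VLAN10 and VLAN50 without NAT, so the same segment can be matched on both VLANs.

```python
import struct
from collections import defaultdict

FLAGS = {0x02: "SYN", 0x12: "SYN/ACK", 0x10: "ACK", 0x04: "RST"}

def parse_tagged_tcp(frame):
    """Return (vlan_id, segment_key) for an 802.1Q-tagged IPv4/TCP frame, else None."""
    if len(frame) < 18 or frame[12:14] != b"\x81\x00":
        return None                                  # no 802.1Q tag
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    ip = frame[18:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[9] != 6:
        return None                                  # not IPv4/TCP
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 14:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    # MACs are ignored: the router rewrites them, the IP/TCP fields stay the same
    return tci & 0x0FFF, (ip[12:16], ip[16:20], sport, dport, seq, ack, off_flags & 0x3F)

def vlans_per_segment(frames):
    """Map each TCP segment to the set of VLAN IDs it was captured on."""
    seen = defaultdict(set)
    for parsed in filter(None, map(parse_tagged_tcp, frames)):
        seen[parsed[1]].add(parsed[0])
    return seen

def dropped_at_ap(ap_frames, switch_frames, vlan):
    """Segments the switch mirror shows on `vlan` that the AP capture never shows there."""
    ap, sw = vlans_per_segment(ap_frames), vlans_per_segment(switch_frames)
    return sorted(FLAGS.get(k[6], hex(k[6])) for k, v in sw.items()
                  if vlan in v and vlan not in ap.get(k, set()))

def build(vlan, src, dst, sport, dport, seq, ack, flags):
    """Constructed test frame: zeroed MACs, 802.1Q tag, minimal IPv4 + TCP headers."""
    eth = bytes(12) + b"\x81\x00" + struct.pack("!HH", vlan, 0x0800)
    ip = bytes([0x45, 0, 0, 40]) + bytes(4) + bytes([64, 6, 0, 0]) + bytes(src) + bytes(dst)
    return eth + ip + struct.pack("!HHIIH", sport, dport, seq, ack, (5 << 12) | flags) + bytes(6)

# Constructed sample: laptop 192.168.10.20 (VLAN10) -> printer 192.168.50.30 (VLAN50), port 80
LAPTOP, PRINTER = (192, 168, 10, 20), (192, 168, 50, 30)
SYN = (LAPTOP, PRINTER, 40000, 80, 1000, 0, 0x02)
SYNACK = (PRINTER, LAPTOP, 80, 40000, 5000, 1001, 0x12)
ACK = (LAPTOP, PRINTER, 40000, 80, 1001, 5001, 0x10)
SWITCH_CAPTURE = [build(v, *s) for s, vs in ((SYN, (10, 50)), (SYNACK, (50, 10)), (ACK, (10, 50)))
                  for v in vs]
AP_CAPTURE = SWITCH_CAPTURE[:5]      # same frames, minus the final ACK on VLAN50

print(dropped_at_ap(AP_CAPTURE, SWITCH_CAPTURE, 50))
```
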
ToniRod
Guide

Re: WAX630E VLAN bug

Some feed-back from Netgear support.

 

First, Netgear support tried to reproduce the bug with a 610Y access point.

They couldn't reproduce it.

 

Then, Netgear support was able to reproduce the bug on the WAX630E and it was raised to the development team.

I was then told the bug is known since several months, but not fixed yet.

 

In summary, for the time being, VLAN capability doesn't work on the WAX630E.

Hope it gets fixed fast, otherwise I will have to change the access points and try to get a refund from Netgear.

 

Thanks for those who tried to help in this.

Message 10 of 35
tchubaba
Guide

Re: WAX630E VLAN bug

@ToniRod Not sure if you've seen what I've posted in the other thread regarding this issue, but support also told me they are aware of this issue, but there are no plans to fix it. According to the representative who was in charge of my case, a fix "is not possible", and that I should look into alternative models.

 

So these are conflicting accounts here. In any case, whether a fix is possible or not, I am not waiting around - I have already returned the product for a refund and am shopping for alternatives. They're probably not going to be from Netgear though.

Message 11 of 35
schumaku
Guru

Re: WAX630E VLAN bug

Changing the vendor does not unload the burden for acquiring know-how and experience dear @tchubaba 

Message 12 of 35
tchubaba
Guide

Re: WAX630E VLAN bug

Wow mate, you're just a ray of sunshine uh?

Message 13 of 35
schumaku
Guru

Re: WAX630E VLAN bug

I've left some questions and hints for you in your original thread. You still out here for shopping your own home-made bugs. Two dedicated access ports on your security appliance for a total of three networks and security zones.. Oh well....certainly the WAX630E bug the OP is talking of here, isn't it? Sad to see Netgear customers are sending back devices for no obvious reasons. And I seriously hate to waste my own unpaid, unfunded time here.

Message 14 of 35
tchubaba
Guide

Re: WAX630E VLAN bug

Perhaps you shouldn't then. Perhaps you should find some more fulfilling activities so that you can live a happier life. Life's too short to live it so bitter. I wish you the best.

Message 15 of 35
ToniRod
Guide

Re: WAX630E VLAN bug

Thanks @tchubaba for your feed-back.

 

I will wait for the support feed-back about a potential fix date as I still hope this VLAN bug is fixed. Indeed all other features I need work well and I believe the WAX630E is still a strong access point for anyone not needing VLAN capability.

 

But if no clear answer, I will sadly have to return the access points and buy other brand AP as VLAN capability is mandatory for my use cases. Actually WAX630E shouldn't be advertised as supporting VLANs until the bug is fixed.

 

I will keep the thread updated as soon as I have a feed-back from support.

Could be useful for other WAX630E users.

Message 16 of 35
rmean
Aspirant

Re: WAX630E VLAN bug

Hi, just wanted to chime in. I'm having exactly the same issue on the WAX220, so maybe the whole WAX series has a broken VLAN implementation. A "won't fix"-approach by Netgear would be unacceptable and I'm looking forward to a firmware upgrade.

 

@schumaku 

It seems that you don't understand the underlying problem. That's ok, but please stop being condescending, that's not very helpful. Thanks!

Message 17 of 35
ToniRod
Guide

Re: WAX630E VLAN bug

Hi,

 

I've got a feed-back from Netgear support.

They indeed are working on a fix but, as it's common with vendors, they cannot provide an expected release date.

 

Netgear support made a proposal of replacing the 2 access points with a different model not having this VLAN bug but I declined as it was a downgrade in other capabilities.

 

At the end, I had to resign myself to ask for a refund as I cannot wait anymore and I need to find an alternative. I hope now it gets promptly processed.

Message 18 of 35
hase3
Aspirant

Re: WAX630E VLAN bug

Message 19 of 35
hase3
Aspirant

Re: WAX630E VLAN bug

@MrJoshW can you give us any news on the awaited firmware release to fix this nasty inter vlan communication issue?

Message 20 of 35
schumaku
Guru

Re: WAX630E VLAN bug

@hase3 What we face here is some L2 bridge issue within the VAPs of the same access point, we know the WAX630E might be affected. Of course, this problem does affect inter VLAN routing done on other systems - I understand earlier reports misleadingly talked of the same. Please avoid posting misleading information.

Message 21 of 35
tchubaba
Guide

Re: WAX630E VLAN bug

Misleading? It's the exact same issue as described here. Which apparently, still hasn't been fixed.

Oh, by the way, my VLANs work great now. Everything is the same, including configuration. The only thing different is the AP, which I have replaced with one from a competitor.

Message 22 of 35
ToniRod
Guide

Re: WAX630E VLAN bug

I had to resign myself in returning the access points.

I've bought access points from a competitor and now my VLANs are working properly.

 

Kudos to Netgear. They were fast in processing the return of the access points and with the refund as well.

 

 

 

 

Message 23 of 35
Halcyonon
Tutor

Re: WAX630E VLAN bug

I'm seeing the exact same thing, I thought it was something broken with the device on the other VLAN being unable to actually route traffic, but I guess it is the AP.  When you got a refund on this issue had you bought it from Netgear?

 

It would also be good to get an update on the devs, this is a pretty big bug and issue for anyone trying to segment devices.

Message 24 of 35
rmean
Aspirant

Re: WAX630E VLAN bug

I opened a ticket on this topic. After several months, they provided a patch for the WAX220. Everything related to inter-VLAN-routing seems to work now. I guess soon there will be patches for the other devices too.

Message 25 of 35