Re: WAX630E VLAN bug

This reads more like a firewall or filtering issue. Or are we facing some mDNS (Multicast DNS gateway) configuration on these WAX630E?

---

@ToniRod wrote:
I'm facing the issue only when the printer and the laptop are connected to the same Access Point but with different VLAN SSID. Connecting them to two different Access Points, and still with different VLAN SSID works well, which suggests it's not a firewall issue.

---

Two SSIDs. still two networks, two different VLANs, two different IP subnetworks. And the IPv4 traffic must flow over the firewall. What does Wireshark collect when attempting to access the printer Web UI from the laptop? Sure, there could be additional L3 or L2 issues prohibiting establishing a connection, e.g. on the WAX630E. Start capturing traffic, proof a ping will go through, then we can see what fails on establishing a TCP session.

@DavidGo please chime in here, appears different users are experiencing issues on the WAX630E

Hi @ToniRod,

I will ask our support team to reach out to you and log a case.

Best Regards,

Julien R.  

As promised, I'm sharing the traffic capture. Several scenarios to try to isolate the issue.
I've tried to interpret the results but not sure if I'm doing it properly. Any help is welcome.

TEST CASE 1: Ping OK

Laptop (VLAN unaware) connected to SSID on VLAN10 on AP1
- Printer connected to SSID on VLAN50 on AP1
- AP1 connected to VLAN aware switch on port 4
- Switch connected to FW allowing all traffic (for diagnostics purpose) from VLAN10 to VLAN50
- Port 4 mirrored to port 6, connected to another laptop to capture switch traffic

Laptop traffic capture
- file: 1.same-ap_ping-ok_client.pcapng
- We see the ICMP ping request and reply, VLAN unware

AP1 traffic capture
- file: 2_same-ap_ping_ok_ap.pcap
- We see the request leaving the AP1 on VLAN10 and entering on VLAN50
- We see the response leaving the AP1 on VLAN50 and entering on VLAN10

Switch traffic capture
- file: 3_same-ap_ping-ok_switch.pcapng
- traffic is consistent with the laptop and AP1 capture

TEST CASE 2: HTTP KO
- Laptop (VLAN unaware) connected to SSID on VLAN10 on AP1
- Printer connected to SSID on VLAN50 on AP1
- AP1 connected to VLAN aware switch on port 4
- Switch connected to FW allowing all traffic (for diagnostics purpose) from VLAN10 to VLAN50
- Port 4 mirrored to port 6, connected to another laptop to capture switch traffic

Laptop traffic capture
- file: 1_same-ap_http-ko_client.pcapng
- The handshake seems to happen but there are unexpeted SYN/ACK received by the client and the TCP connection gets reset

AP traffic capture
- file: 2_same-ap_http-ko_ap.pcap
- The handshake begins but there is an issue with the ACK. It leaves the AP1 on VLAN10 but never enters the AP1 on VLAN50
- I believe the printer never receiver the ACK and then resent SYN/ACK.
- This suggest at this time an issue with the FW / Router

Switch traffic capture
- file: 3_same-ap_http-ko_switch.pcapng
- The handshake begins and actually ends. We see the ACK on VLAN10 comming from the AP1 and we see the ACK on VLAN50 going to the AP1
- Which now suggest the AP1 is dropping the ACK entering the AP1 on VLAN50
- Strange also, the AP1 sends to the switch ACK with wrong VLAN/MAC pairs (frame no 11). To be sure those comes from the AP1, I've captured the traffic on port 4 of the switch configured as RX (ingress) only

Zip file with the capture: https://drive.google.com/file/d/1lbJEulcTv0t6qEz4cM5OGYY--HI4lA4C/view?usp=sharing 

Thanks for the help.

Some feed-back from Netgear support.

First, Netgear support tried to reproduce the bug with a 610Y access point.

They couldn't reproduce it.

Then, Netgear support was able to reproduce the bug on the WAX630E and it was raised to the development team.

I was then told the bug is known since several months, but not fixed yet.

In summary, for the time being, VLAN capability doesn't work on the WAX630E.

Hope it get fixed fast, otherwise I will have to change the access points and try to get a refund from Netgear.

Thanks for those who tried to help in this.

@ToniRod Not sure if you've seen what I've posted in the other thread regarding this issue, but support also told me they are aware of this issue, but there are no plans to fix it. According to the representative who was in charge of my case, a fix "is not possible", and that I should look into alternative models.

So these are conflicting accounts here. In any case, whether a fix is possible or not, I am not waiting around - I have already returned the product for a refund and am shopping for alternatives. They're probably not going to be from Netgear though.

Changing the vendor does not unload the burden for acquiring know-how and experience dear @tchubaba 

Wow mate, you're just a ray of sunshine uh?

I've left some questions and hints for you in your original thread. You still out here for shopping your own home-made bugs. Two dedicated access ports on your security appliance for a total of three networks and security zones.. Oh well....certainly the WAX630E bug the OP is talking of here, isn't it? Sad to see Netgear customers are sending back devices for no obvious reasons. And I'm seriously hate to waste my own unpaid, unfunded time here.

Perhaps you shouldn't then. Perhaps you should find some more fulfilling activities so that you can live a happier life. Life's too short to live it so bitter. I wish you the best.

Thanks @tchubaba for you're feed-back.

I will wait for the support feed-back about a potential fix date as I still hope this VLAN bug is fixed. Indeed all other features I need work well and I believe the WAX630E is still a strong access point for anyone not needing VLAN capability.

But if no clear anwser, I will sadly have to return the access points and buy other brand AP as VLAN capability is mandatory for my use cases. Actually WAX630E shouldn't be advertised as supporting VLANs until the bug is fixed.

I will keep the thread updated as soon as I have a feed-back from support.

Could be useful for other WAX630E users.

Hi, just wanted to chime in. I'm having exactly the same issue on the WAX220, so maybe the whole WAX series has a broken VLAN implementation. A "won't fix"-approach by Netgear would be inacceptable and I'm looking forward to a firmware upgrade.

@schumaku 

It seems that you don't understand the underlying problem. That's ok, but please stop being condescending, that's not very helpful. Thanks!

Hi,

I've got a feed-back from Netgear support.

They indeed are working on a fix but, as it's common with vendors, they cannot provide an expected release date.

Netgear support made a proposal of replacing the 2 access points with a different model not having this VLAN bug but I declined as it was a downgrade in other capabilities.

At the end, I had to resign myself to ask for a refund as I cannot wait anymore and I need to find an alternative. I hope now it gets promptly processed.

I confirm AX4200 WiFi 6 Access Point (WAX220) has the same inter VLAN routing issue in firmware v1.3.0.1 see also https://community.netgear.com/t5/Business-Wireless/Inter-VLAN-routing-issue-only-via-Wi-Fi/td-p/2337...

@MrJoshW can you give us any news on the awaited firmware release to fix this nasty inter vlan communication issue?

@hase3 What we face here is some L2 bridge issue within the VAPs the same access point, we know the WAX630E might be affected. Of course, this problem does affect inter VLAN routing done on on other systems - I understand earlier reports misleadingly talked of the same. Please avoid posting misleading information.

Misleading? It's the exact same issue as described here. Which apparently, still hasn't been fixed.

Oh, by the way, my VLANs work great now. Everything is the same, including configuration. The only thing different is the AP, which I have replaced with one from a competitor.

I had to resign myself in returning the access points.

I've bought access points from a competitor and now my VLANs are working properly.

Kudos to Netgear. They were fast in processing the return of the access points and with the refund as well.

I'm seeing the exact same thing, I thought it was something broken with the device on the other VLAN being unable to actually route traffic, but I guess it is the AP.  When you got a refund on this issue had you bought it from Netgear?

It would also be good to get an update on the devs, this is a pretty big bug and issue for anyone trying to segment devices.

I opened a ticket on this topic. After several months, they provided a patch for the WAX220. Everything related to inter-VLAN-routing seems to work now. I guess soon there will be patches for the other devices too.