VLAN Puzzle
I would appreciate assistance diagnosing a VLAN problem. Now that many homes have Ethernet cables installed from most rooms to a central patch panel, some users find that the patch panel is not a great location for their WiFi router (actually, any WiFi access point). They would rather place the router at a different location. However, with only a single Ethernet cable from the patch panel to that location, they need to find a way to connect both their internet connection (WAN) and also local devices to that router. The obvious solution is, "run more Ethernet cables". This is often impractical. VLAN provides another solution. Use one Ethernet cable to carry both the router to Internet (WAN) traffic and the router to local devices (LAN) traffic. Here is an example:
The Internet Host and the customer router are not aware that they are using a VLAN because they are connected to "Port Based" (untagged) VLAN ports. (Port 1 on each Netgear switch.) Likewise, the router LAN port and the local devices are not aware they are using VLAN because they are also connected to "Port Based" (untagged) VLAN ports. However, one port on each switch is an 802.1Q "tagged" VLAN. WAN traffic is tagged for VLAN 1 and every other port is tagged for VLAN 2. IGMP Snooping is disabled on both switches.
This solutions works wonderfully. The puzzle comes when a mesh satellite is added to the configuration. Netgear's Orbi line of WiFi systems requires that mesh satellites must be connected to the router LAN port. (They cannot appear to be connected to the WAN port.) As long as the router is configured in 'router mode', a satellite can be connected directly to a router LAN port (location 1) or connected to one of the ports on the GS108Ev3 (location 2).
However..... If the Orbi router is put into 'access point mode' (AP), then the mesh satellite will function correctly only when it is connected directly to one of the router LAN ports. If connected to the GS108Ev3, 'wired' connections to the mesh satellite still function, but WiFi connections FAIL.
I cannot understand what could be different between 'router mode' and 'AP mode' that would cause this.
I have reproduced the puzzle using TP-Link managed switches. Same results:
- In router mode, a satellite connected to the router using an 802.1Q tagged VLAN port behaves normally.
- In AP mode, a satellite connected to the router using an 802.1Q tagged VLAN fails to support Guest WiFi devices.
What I am looking for is an explanation or a suggestion for how to document "what is happening?"
My naive understanding of managed switches is:
- When a packet comes into an untagged port, the switch inserts a 802.1Q Header into the frame with the PVID assigned to that port***:
- If the packet is sent out a "tagged" port, this Header remains in the frame. (even if it passes through dozens of Ethernet switches on its way through the network).
- Eventually the packet comes out an untagged port and that Header is removed.
- i.e. "what goes in, comes back out."
*** PVID:
* What does "not already addressed (tagged)" mean? Do untagged ports accept tagged packets?
What if..... when the Orbi is put into AP mode, it treats the link to the satellite as a tagged VLAN link? Some packets are "tagged" for special treatment. This (somehow?) gets mangled by the managed switch and these frames just disappear. Or, when they come out the other end, both their original 802.1Q Header and the switch 802.1Q Header have beeen stripped and the packet is not recognized as coming from an Orbi unit?
Or....maybe..... When in AP mode, the switch puts an 802.1Q Header on some frames and the managed switch (a) replaces them with the PVID or does not put the PVID on them and thus those frames are part of a VLAN that is not defined on the managed switch?
Annoys me no end that a knowledgeable Netgear engineer could answer this is five minutes. "No, dummies. THIS is why a managed switch messes up AP mode." (sigh. They are not being paid to talk to customers.)
It looks like the way to check out this theory is to snoop on both the router LAN port and the satellite LAN port to record what is "going in" and "coming out" on both ends. This requires more managed switches to mirror those two Ethernet links and two Ethernet adapters to get the data into a computer running Wireshark. Going to be an enormous tangle of cables.
The VLAN config looks about right in the scheme on the initial post.
Since you are using some ports as a tagged trunk, I assume this config is not the simple port based one, much more the advanced VLAN config with the appropriate PVID set for each VLAN so untagged frames incoming are sent to the right VLAN.
A possible difference in AP mode is that the Orbi WAN and LAN port are bridged, and the Loop Protection will (read: must!) jump in, and close some ports, since the "loop test" frames the switch does send-out are coming back on a different port - some port will be disabled, and the relevant LEDs will flash.
Worth disabling the Loop Detection to start with?
However: From the IT network professional view, I still can't understand what should make a difference on the Orbi Systems AP mode WAN and LAN port, and why Netgear (and trusted senior community members like @CrimpOn and @FURRYe38 - hello friends - insist) there seems to be some difference. Reminds me somehow to the NTGR Nighthawk Mesh systems obviously using some other, IEEE standards compliant Mesh protocol - which are also badly fail on any kind of Plus (renamed to == Easy Smart Managed), Smart Managed, Fully Managed switches. Probably again that Layer 2.5 abstraction layer introduced along with IEEE 1905.1 or something proprietary serving a similar purpose?
Something similar must apply to the Orbi Guest network (or any Orbi Router <-> Satellite for wireless) on the wire level.
Had never been involved in any Orbi or Orbi Pro systems Beta, and have sold off my second hand Orbis due to that poorly documented (or at least rarely explored) behaviour, prohibiting correct interoperability with business class and business standards. This is why I keep my mouth usually shut on the Orbi community 8-)
