LC34: Full TP Link Omada Configuration Set Up ER605 ER7206 ER8411 Home, IoT, Camera, Guest,ACL,mDNS

  • Published: 26 Oct 2024

Comments • 53

  • @deadmeats  1 year ago +1

    As of July 31, 2023, Gateways I personally tested to support all the functionalities in this video: ER-8411, ER-7206, ER-605 v1 and v2

  • @lylefabian1691  1 year ago +3

    Yey! You do talk!! Awesome! Thank you for the video, and we really appreciate the previous videos, but this is a huge step towards voice and showing us your knowledge and skills!! Great job.

    • @deadmeats  1 year ago

      Heya @Katlo Tech, thanks for dropping by. Appreciate your feedback, I do talk (yay), in my old videos I was talking, but as this video clearly shows, my PC struggles a lot (and so do I :)) and many of my "talking points" got lost due to garbled messages, getting cut off, or simply lost because my PC can't handle it. Also, when I have voice recording, my video tends to get so long that my PC struggles to render it (this one takes 5+ hrs to render, so if there's a typo I need to correct, I will need another 5 hrs to fix it). Thanks again for the kind words!

  • @alfred576  9 months ago +2

    Best video I have seen so far on Omada setup. Thank you

    • @deadmeats  8 months ago +1

      hey @alfred576, thanks for the kind words and thanks for dropping by the channel, glad it works for you.

  • @wbzial  1 year ago +2

    Finally, I just can't follow without someone talking. Thanks

    • @deadmeats  1 year ago

      @wbzial, thanks for the feedback. Glad this video is still useful despite the audio issues :)...

  • @FAGabriel  6 months ago +1

    Hi, I love your videos! I have an Omada controller, ER605 and Pi-hole running as DNS. Omada does the DHCP.
    As you probably know, the hostnames are not resolved by TP-Link.
    I came across mDNS but I'm not sure if this is the solution. In the mDNS settings I have to choose "Service Network" and "Client Network". I'm not sure what to do =)

    • @deadmeats  6 months ago

      Hey there @FAGabriel, thanks for the kind words and thanks for dropping by the channel. mDNS is a good alternative if you only want basic name resolution. It has its own quirks, but it works. Or if you like, you can experiment with using your PiHole as a DNS server for the additional adblocking support, but it's been a while since I used PiHole; I can't recall if you need to make PiHole a DHCP server to make it resolve local DNS names or if you need to edit the hosts file.
      For mDNS you can refer to this quick video guide; note that the menu may look different because of firmware updates, but the general idea and settings should be very similar, if not the same: ruclips.net/video/GJqtt-h7c2c/видео.htmlsi=AQVRMpmummgzd7DH&t=408
      Finally, there's a 3rd party DNS but I have not tried it: github.com/dougbw/coredns_omada
      Good hunting!

  • @joshmouch  9 months ago +1

    I'm trying to understand why I bought managed switches for my home network if they can't do stateful ACL. Could have saved myself several hundred dollars.

    • @deadmeats  9 months ago

      heya @joshmouch, thanks for dropping by the channel. Btw, I am assuming you need VLANs, and because of that, you WILL need a managed switch when connecting to the Gateway/Router even if you are not using an Omada Gateway (i.e. another non-TP-Link router), because unmanaged switches don't support VLANs. However, if you don't need VLANs and just want a flat network, then any unmanaged switch is fine.

  • @azwholeman  1 year ago +2

    Good evening! Well done and thank you on all of your knowledge you are sharing. I followed your PPSK video here in hopes of identifying my issues. All devices are able to connect to vlans outside of primary network (guest, IoT, etc), but none are able to connect to primary network. Can you point me in the right direction of where to investigate?

    • @deadmeats  1 year ago

      hello @user-tz4zq7uz3h. thanks for dropping by the channel, you are welcome and thanks for the kind words. Just to make sure, when you say "Primary Network", I am assuming VLAN 1 (the default VLAN out of the box). As for PPSK, if you mean you watched LC EP20, I did cover PPSK there and even covered the "Primary" Network. Here is the exact timestamp for PPSK for the Primary Network (pause the video if you have to): ruclips.net/video/QgoW2BBQHkQ/видео.html
      I did not cover PPSK in this EP-34, but I may create a new video as soon as I am able to own an EAP that supports it. But in a nutshell, PPSK for VLAN 1 just means don't add any VLAN on the "VLAN Assignment" of the PPSK screen since it's untagged. Thanks again and good hunting!

    • @azwholeman  1 year ago +1

      @@deadmeats Who would have thunk it, it's the little details that matter. Please accept my thanks! Do you have a paypal or cashapp accepting donations for the work you do?

    • @deadmeats  1 year ago

      @@azwholeman Hey, no worries. My old video has no voice over and it's easy to miss. Don't worry about donation and paypal and stuff, just "Like"ing the video is enough.

  • @joshmouch  9 months ago +1

    Do the Gateway ACL rules work for AP's, too? It seems like they go by a different set of rules, but I'm still experimenting.

    • @deadmeats  9 months ago

      hello joshmouch, thanks for dropping by the channel. As for your inquiry, I just want to clarify that Gateways and APs are different devices and they work independently on their own ACLs, but are "affected" by each other because they are connected. Consider this scenario: since the Access Point is closer to your clients, any ACL you add here (i.e. Deny Device A at Access Point) will invalidate any Gateway ACL (i.e. Allow Device A at Gateway). It means even if you allow ALL in your Gateway, Device A will not even reach the Gateway's ACL because it is already barred at the entry point. Now, consider another scenario: Device A is allowed at the Access Point, but denied at the Gateway (i.e. no internet); this means that even if Device A can connect to the AP's SSID, it won't be able to access the Internet. So you need to consider how the packet flows from one device to the endpoint. Hope that helps...
      Good hunting!
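To make the hop-by-hop reasoning in the reply above concrete, here is an added Python model (not TP-Link code and not the commenter's) of how per-device ACLs compose along the path from a wireless client. The rule format, the implicit-allow default when no rule matches, and the assumption that same-VLAN LAN traffic is switched without ever reaching the gateway are assumptions of the model.

```python
# Added model of how per-device ACLs compose along a packet's path (not TP-Link code).
# Assumptions: first-match evaluation per device, implicit allow when no rule matches,
# and same-VLAN LAN traffic is switched without ever reaching the gateway.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # client name, or "any"
    dst: str      # "lan", "internet", or "any"


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First-match evaluation of one device's ACL (implicit allow if nothing matches)."""
    for rule in rules:
        if rule.src in (src, "any") and rule.dst in (dst, "any"):
            return rule.action
    return "allow"


def path_for(dst: str) -> List[str]:
    """Hops a frame from a wireless client crosses, in order.  LAN traffic inside one
    VLAN is handled by the AP and switch; only Internet-bound traffic reaches the gateway."""
    return ["ap", "switch"] if dst == "lan" else ["ap", "switch", "gateway"]


def effective_decision(acls: Dict[str, List[Rule]], src: str, dst: str) -> str:
    """Walk the hops in order; the first device that denies is final, because the
    frame never reaches the devices behind it (an allow there cannot undo the deny)."""
    for hop in path_for(dst):
        if evaluate(acls.get(hop, []), src, dst) == "deny":
            return f"denied at {hop}"
    return "allow"


# Scenario 1 from the reply: Device A denied at the AP, everything allowed at the gateway.
SCENARIO_1 = {"ap": [Rule("deny", "device_a", "any")],
              "gateway": [Rule("allow", "any", "any")]}
# Scenario 2 from the reply: Device A allowed at the AP but denied Internet at the gateway.
SCENARIO_2 = {"ap": [Rule("allow", "device_a", "any")],
              "gateway": [Rule("deny", "device_a", "internet")]}

if __name__ == "__main__":
    for name, acls in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        for dst in ("lan", "internet"):
            print(f"{name}: device_a -> {dst}: {effective_decision(acls, 'device_a', dst)}")
```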

  • @SergeantTrigger  1 year ago +1

    Salamat! xd

    • @deadmeats  1 year ago

      heya @SergeantTrigger, thanks for dropping by the channel and the comment. salamat ng marami!

  • @J0hnSm1th  1 year ago +1

    Hello @Dead Meat!
    Great video tutorial by the way!
    I have a quick question. Why do you connect the controller to the gateway? I am asking because I have connected my controller to the switch, as per tp-link's instructions. Are there any benefits to your method?

    • @deadmeats  1 year ago +2

      Hey @John Smith, thank you for dropping by the channel. There are several reasons I have it configured like this, mainly based on my own "anecdotal limited personal" experience (so take what I said with a whole sack of salt :))
      a) Makes me sure that my controller is connected to VLAN 1
      b) Gateways have ample ports to support the direct connection to the Controller. If I ever needed more "VLAN 1" ports, it's easy to add a switch that supports (or doesn't strip) VLAN tags.
      c) The switch I use only has 8 ports for video demo/test, so freeing up a slot is a huge relief when I'm doing my tests. In this lab, I already use 5 ports, leaving me with 3 ports to use for demo purposes. Makes it easier to move my test cable with 3 open slots.
      d) Many of my ACLs operate on the Switch level, so I would like to skip the connection to it in case I lock up my Switch.
      So those are the benefits to me. However, performance-wise, there is really no benefit to it if you don't constantly meddle with connected cables on the switch; TP-Link's suggestion is for the best and you should follow that.

    • @J0hnSm1th  1 year ago +1

      @@deadmeats Thank you very much for your welcome as well as for your quite honest, quick, and elaborate answer!!! I understand you and your needs 100%. The fact that TP-Link has the controller on the switch instead of the gateway makes me somehow uncomfortable because my limited 'networks' knowledge and logic would like me to have the controller connected to the gateway. However, I will give it a try and check if things are functioning as they should or not and later decide what is best based on performance metrics and network speeds. Other than that I would like to also thank you for the great training videos you have created and provided to all of us 😉.
      Please keep up the great work!!! You have earned a much obliged subscriber ✌️

    • @deadmeats  1 year ago

      @@J0hnSm1th Heya, thanks for the kind words and warm remarks :). I am glad the videos are helping you out. The first two episodes of this series should help cover 90% of the Home use-cases when it comes to VLANs and ACLs, and the rest are more niche use cases that don't show up too often but are "interesting" to implement. Thanks again!

  • @sidkris5197  1 year ago +1

    Why do you update each port with each one of the VLAN IDs? Wouldn't that limit your APs connected to allow access to specific SSIDs?

    • @deadmeats  1 year ago +2

      Hello @sid kris, thanks for dropping by the channel. I may not have articulated many of the areas of this video, so let me just break it down so I am sure I answer your question correctly/properly:
      a) As you can see at the 01:00 mark of the video, the Gateway LAN Port is connected to Switch "trunk" Port 1. Then this Switch "trunk" Port 8 is connected to the Access Point (AP) [Gateway - Switch - Access Point]. The "trunk" ports 1 and 8 belong to a network profile of "All". "All" contains ALL of the VLANs that have been defined in the Omada SDN. Therefore, the APs will always have ALL of the VLANs.
      b) When you said "update each port with each one of the VLAN ids", that is part of the "Access Port" set up around the 21:22 mark of the video. By updating each port and testing ALL of the VLAN IDs, I made sure that the "trunk" port profile connectivity between Switch Port 1 and the Gateway is working as I intended it to. What I mean is, if the "All" profile does contain VLAN 10, 20, etc. and I have DHCP configured in them, then every time I configure a port as an "access port", which means it can only carry a single VLAN (unlike "trunk" that carries multiple VLANs), clients can get an IP that is tied to that VLAN. So in short, I was showing how an "Access" port works.
      c) As for the last part of your comment, "wouldnt that limit your APs connected to allow access to specific SSIDs?" - I want to make sure I clarify this: SSID does not equate to VLAN. You can have multiple SSIDs connected to one VLAN and you can have a single SSID connected to multiple VLANs (if you have multiple Access Points). But you are correct that the AP will be limited to the VLAN to which it is connected; that is, if the port is in trunk mode and the AP supports trunk mode, then it will have ALL of the VLANs, otherwise the AP will only get limited to a single VLAN (native/untagged). Omada APs support VLANs and, like I said in a), I have it connected to a "trunk" Switch port 8 and not to any of the "access" Switch ports. However, for APs that don't support VLANs, which VLAN ID they receive will be dependent on the "access" port VLAN (regardless of the SSID defined on that Access Point, remember SSID VLAN).
      Hope this helps, thanks for dropping by the channel and happy hunting in the world of networking!

  • @stevek6418  7 months ago +1

    Thanks for the video! Question - I want to make a very similar setup, but I want to put the default VLAN 1 into a black hole and set up a new default Management VLAN. I've tried everything but can't seem to get it to work. Is this something you have ever done in the past!?

    • @deadmeats  7 months ago

      hey @stevek6418, thanks for dropping by the channel. The last time I tried it was about 3 or 4 years ago, and it brought me a lot of headache and heartache at the time. I have not revisited that process again though, but I found an article that might help you out. It is from 2022, so hopefully the process is much simpler. Back then, it was brutal, but from the looks of that guide, it has matured a lot (maybe because of a lot of complaints in the past haha). Link below:
      www.tp-link.com/us/support/faq/2814/#:~:text=Go%20to%20Config%20%3E%20Services%2C%20enable,must%20select%20the%20management%20VLAN.

    • @stevek6418  7 months ago +1

      @@deadmeats Thanks for the info! It is certainly still a headache as well lol. I will keep trying though. Cheers.

    • @deadmeats  7 months ago

      @@stevek6418 yaiks, didn't know it is still a pain, thanks for the info :). When I get the chance to tear down my lab setup, I will look into it again. I only have one controller, and can barely squeeze a video out in a month, so I am trying to minimize my downtime :).

  • @baygentst  1 year ago +1

    Great video! I followed along on my setup but I have a question. I have an NVR that's on my "10-Home LAN". I have NO ACLs set up and I have my HOME computer on "01-Admin WiFi", but I cannot connect to this NVR on the opposite VLAN, unless I put the HOME computer on the "10-Home WiFi" which has VLAN 10 also. Is there some issue with WiFi VLANs talking to wired VLANs that are different (even with no ACLs)?

    • @baygentst  1 year ago +1

      I stumbled around in the OC200 and figured out if I stripped the VLAN assignments off the WiFi and set the ports on the switch to "all", everything talks together. I thought this could be circumvented through mDNS; maybe a level 3 switch is what I'm trying to accomplish. Ideally I'm looking to set up a "home wifi and lan" and also an IoT wifi and lan, and let devices on the home wifi or lan tell the IoT devices to do things (HomeKit with Apple). Seems I cannot get this to work unless everything is either 1. on the same LAN or 2. I don't actually set the wifi / lan names to actual VLAN numbers, which I suppose defeats the purpose. Do you have any videos I can learn more from on how to do this?

    • @deadmeats  1 year ago

      Hey @@baygentst thanks for the kind words and welcome to the channel, and to the world of networking :). What you need to learn about is Access Port and Trunk VLAN, and then what an SSID is. I did cover these ideas (trunk vs access port) in this video but not in much detail. All the network devices (Gateway, Switch, Access Point) are interconnected using Trunk Ports (you can refer to the very first part of the network diagram). In TP-Link Omada, the "All" Profile is a trunk, or a combination of ALL VLANs defined in the SDN. I don't have a separate video for it, but I did cover what an "Access Port" is at 21:23 in this video, and also covered SSIDs and their tie-up to VLANs at 26:29.
      For your question, the Home LAN and WiFi just need to be on the same VLAN. Don't confuse WiFi/SSID as the same as a "VLAN"; a WiFi SSID is not the same as a VLAN. What I mean is, you can have multiple WiFi SSIDs tied to a single VLAN, so what you name your SSID doesn't really matter "technically".
      Now, to achieve multiple VLANs in your AP, your AP needs to support trunk, hence your AP needs a trunk uplink port (the connection between AP and Switch/Gateway needs to be "All" or a custom VLAN profile that carries your Home and IoT WiFi).
      Here's what I can suggest:
      1. Learn what a VLAN is
      2. Learn what is an Access Port
      3. Learn what is a trunk Port
      4. Learn how Trunk Ports work when connecting network devices (not end-user device, but Gateway to Managed Switch, or Managed Switch to Access Point, or Gateway to Access Point)
      5. Learn how Trunk Ports work when connecting to end devices i.e. PCs, IP Phone
      As for your setup, you are on to it: you need to set the WiFi to the VLAN, otherwise everything will be on "native" LAN IP addressing. Check out the WiFi discussion at 26:29
      Happy hunting!

    • @baygentst  1 year ago +1

      @@deadmeats Archie thanks for the response! I thought I understood what I was doing and was able to successfully ping around my network, but I still have more networking learning to do (mostly a noob here).
      All my problems originate from the following example. The iPhone is on WiFi VLAN 10; the AP is set up to "ALL" such that it can trunk line to the switch. The switch-to-router (gateway) port is also set to "ALL" so it can trunk line to the router (gateway).
      My IoT devices (WiFi) are then on VLAN 107, so when I try to control something (via HomeKit) from my phone on WiFi VLAN 10, I assumed the AP would trunk to the switch, the switch would trunk to the gateway, and the gateway would repeat my request back to the switch, then the AP, then to VLAN 107. I think this is called "reflecting". I set up an ACL rule to allow bi-direction on VLAN 10 to VLAN 107 also (playing around).
      I've got some more homework to do because it still does not work correctly. When does "tagging" VLANs come into play, or this VLAN reflecting?

    • @deadmeats  1 year ago

      @@baygentst Heya, not sure what VLAN reflecting is, but the VLAN tag should be the ID for what VLAN the network packet/traffic belongs to. I am not sure how everything is connected in your system, and I have no experience with Apple HomeKit, so I suggest you try the following:
      Trunk and Access Port exercise (assumption: you have a trunk uplink between switch and gateway, no ACL; you must have at least two devices for testing):
      a) Configure 2 ports in the switch with VLAN 1 (Admin). All clients must have a VLAN 1 IP. Use a PC (PC A) and another wired device (let's call it PC B) and check if those ports are getting the correct IP. If you are getting a wrong IP, then you need to check the uplinks. Use your PC A to ping PC B (and vice versa) and the internet. Do not proceed till you get this working.
      b) Do step a again, but this time around configure the 2 ports for VLAN 10. All clients must have a VLAN 10 IP. Use PC A and another wired device (let's call it PC B) and check if those ports are getting the correct IP (your IP must be different than when it's connected to VLAN 1). If you are getting a wrong IP, then you need to check the uplinks. Use your PC A to ping PC B (and vice versa) and the internet. Do not proceed till you get this working.
      c) Do step a again, but this time around configure the 2 ports for VLAN 107. All clients must have a VLAN 107 IP. Use PC A and another wired device (let's call it PC B) and check if those ports are getting the correct IP (your IP must be different than when it's connected to VLAN 1 and VLAN 10). If you are getting a wrong IP, then you need to check the uplinks. Use your PC A to ping PC B (and vice versa) and the internet. Do not proceed till you get this working.
      d) Connect PC A to VLAN 1, connect PC B to VLAN 10, and connect a 3rd wired device to VLAN 107. Ping each other. If you can't see one another, check the PC or device's ICMP or firewall settings. Do not proceed till you get this working.
      e) If you reach this stage, your Gateway to Switch is working.
      Trunk and Access Point exercise:
      a) Create three NEW SSIDs
      b) Configure first SSID as VLAN 1, name SSID as VLAN 1
      c) Configure 2nd SSID as VLAN 10, name SSID as VLAN 10
      d) Configure 3rd SSID as VLAN 107, name SSID as VLAN 107
      e) Connect at least 3 wireless devices to SSID VLAN 1. All 3 clients must have a VLAN 1 IP; check if the WLAN clients are getting the correct IP. If you are getting a wrong IP, then you need to check the uplinks. Use your PC A to ping PC B and the internet. Do not proceed till you get this working.
      f) Connect at least 3 wireless devices to SSID VLAN 10. All 3 clients must have a VLAN 10 IP; check if the WLAN clients are getting the correct IP. If you are getting a wrong IP, then you need to check the uplinks. Use your PC A to ping PC B and the internet. Do not proceed till you get this working.
      g) Connect at least 3 wireless devices to SSID VLAN 107. All 3 clients must have a VLAN 107 IP; check if the WLAN clients are getting the correct IP. If you are getting a wrong IP, then you need to check the uplinks. Use your PC A to ping PC B and the internet. Do not proceed till you get this working.
      h) Connect 1 device at VLAN 1 SSID, another at VLAN 10 SSID, and the 3rd to VLAN107 SSID. Ping each other. They should all reply
      i) If you reach this stage, then your Gateway to Switch to AP is working
      Now you can try the mDNS and Apple HomeKit stuff. Unless you get the basics working, I suggest you focus on getting them right. Then later on, you can proceed to the next steps (i.e. mDNS, ACLs, IoT commands, etc.). I did cover all these in the video, but using a shorter version of testing; you may have some customization, and the steps I laid out are to make sure whatever customization you applied is correct.
      Happy hunting!
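As an added example that is not part of the thread (not Omada code and not the commenter's), this Python model walks a wireless client's frame through the trunk/access hops the exercise above checks by hand (AP uplink on switch port 8, switch port 1, gateway LAN) and reports which VLAN, and hence which DHCP pool, the gateway sees. The port names, the contents of the "All" profile (VLANs 1, 10 and 107 for this lab), and the rule that an access port accepts only untagged frames or frames tagged with its own VLAN are simplifying assumptions of the model.

```python
# Added simplified 802.1Q model of the trunk/access behaviour the exercise checks by hand
# (not Omada code).  Assumptions: port names, "All" profile = VLANs 1, 10, 107 for this
# lab, and an access port carries one untagged VLAN and refuses other tags.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                             # "access" or "trunk"
    native_vlan: int = 1                  # VLAN assigned to untagged frames (PVID)
    tagged: FrozenSet[int] = frozenset()  # VLANs carried with a tag (trunk only)

@dataclass(frozen=True)
class Frame:
    tag: Optional[int]                    # 802.1Q VLAN ID, None = untagged
    payload: str

def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the port drops it."""
    if frame.tag is None:
        return port.native_vlan
    if port.mode == "access":             # assumption: only a tag equal to the PVID is accepted
        return port.native_vlan if frame.tag == port.native_vlan else None
    return frame.tag if frame.tag in port.tagged else None

def egress(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
    """Re-tag a frame leaving a port; None means the port cannot carry that VLAN."""
    if vlan == port.native_vlan:
        return Frame(None, frame.payload)
    if port.mode == "trunk" and vlan in port.tagged:
        return Frame(vlan, frame.payload)
    return None

def traverse(hops: List[Tuple[Port, Optional[Port]]], frame: Frame) -> Optional[int]:
    """Push a frame through (in_port, out_port) pairs, one pair per device.  The last
    device has no out_port; return the VLAN it classifies the frame into, or None."""
    vlan: Optional[int] = None
    for in_port, out_port in hops:
        vlan = ingress(in_port, frame)
        if vlan is None or out_port is None:
            return vlan                   # dropped here, or reached the final device
        next_frame = egress(out_port, vlan, frame)
        if next_frame is None:
            return None                   # the uplink profile does not carry this VLAN
        frame = next_frame
    return vlan

ALL = frozenset({1, 10, 107})                             # "All" profile in this lab (assumption)
SWITCH_P8_TRUNK = Port("switch-8", "trunk", 1, ALL)       # AP uplink as described in the video
SWITCH_P8_ACCESS10 = Port("switch-8", "access", 10)       # AP on an access port by mistake
SWITCH_P1_ALL = Port("switch-1", "trunk", 1, ALL)         # uplink to the gateway, "All"
SWITCH_P1_NO107 = Port("switch-1", "trunk", 1, frozenset({1, 10}))  # custom profile, 107 missing
GATEWAY_LAN = Port("gw-lan", "trunk", 1, ALL)

def ssid_frame(ssid_vlan: int) -> Frame:
    """What the AP sends up its uplink for a client of an SSID mapped to ssid_vlan:
    untagged for the native VLAN 1, tagged with the VLAN ID otherwise."""
    return Frame(None if ssid_vlan == 1 else ssid_vlan, f"client on SSID VLAN {ssid_vlan}")

def vlan_at_gateway(ap_port: Port, uplink: Port, ssid_vlan: int) -> Optional[int]:
    """VLAN (hence DHCP pool) the gateway sees for a wireless client, or None if the
    frame is dropped on the way: the 'wrong IP / no IP' symptom in the exercise."""
    return traverse([(ap_port, uplink), (GATEWAY_LAN, None)], ssid_frame(ssid_vlan))

if __name__ == "__main__":
    cases = (("AP on trunk port 8", SWITCH_P8_TRUNK, SWITCH_P1_ALL),
             ("AP on access port 8 (VLAN 10)", SWITCH_P8_ACCESS10, SWITCH_P1_ALL),
             ("uplink profile without 107", SWITCH_P8_TRUNK, SWITCH_P1_NO107))
    for label, ap_port, uplink in cases:
        for ssid_vlan in (1, 10, 107):
            seen = vlan_at_gateway(ap_port, uplink, ssid_vlan)
            print(f"{label}: SSID VLAN {ssid_vlan} -> gateway sees {seen}")
```

A None result for the access-port case on SSID VLAN 107, and a 10 for SSID VLAN 1 on that same port, are exactly the "wrong IP" outcomes the exercise tells you to chase back to the uplinks before touching mDNS or ACLs.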

  • @rajnikantkanzariya3413  7 months ago +1

    I have dual ISP: one is static and the second is DHCP, and our camera, door access, Wi-Fi and other devices are working on the static ISP line. Otherwise, if our static line is down, then how can our secondary ISP keep our camera, access door and other devices working? Please suggest which device I should use so both ISP lines work when one is down.

    • @deadmeats  7 months ago

      hey @rajnikantkanzariya3413, thanks for dropping by the channel. If you need Dual WAN with Backup/Redundancy, you can get any of the following Gateways:
      * ER-605 v2.0 - good if you are on a budget
      * ER-7206 - good high-performing Multi-WAN (more than 2 WANs) router
      Alternative:
      * ER-707-M2 - expensive but can have 2.5Gb WAN
      * ER-7212PC - a bit expensive, but good Gateway+Controller+PoE in one box!!!

    • @rajnikantkanzariya3413  7 months ago

      Can you please confirm this device works with both static and DHCP lines? And how do I configure static and DHCP dual ISP? Is it available on Amazon in India?

  • @Enhancer1985  1 year ago +1

    Do you have any information about the ER8411 receiving this update which would allow stateful ACL and DNS Proxy too?

    • @deadmeats  1 year ago

      Hey @Jarkko Pentinniemi, thanks for dropping by the channel. I do not have any visibility on when the feature will go live for the ER-8411. The best way to get any feature implemented is to influence TP-Link by contacting their support or posting in their official community forum.
      You can still do a lot of things without Stateful ACL; in fact, I have the same functionality discussed here implemented on NeXTGen LAN (starting with EP38 ruclips.net/video/pNrdLjBXPYQ/видео.html), which relies solely on the Switch.

    • @deadmeats  1 year ago

      Heya, good news, I just noticed a beta firmware has been posted here community.tp-link.com/en/business/forum/topic/611292

    • @Enhancer1985  1 year ago +1

      @@deadmeats Yep, and it does not install through my controller. Huge hassle to take the router to standalone mode. :(

    • @deadmeats  1 year ago

      @@Enhancer1985 yaiks, indeed. I don't personally use beta myself as well, even if it takes a long time for the production one to get released.

  • @MRGPH  1 year ago +1

    How many WAN/LAN ports for load balancing does the ER7206 have?

    • @deadmeats  1 year ago

      Hello @MRGPH, thanks for dropping by the channel. The ER-7206 has 2 dedicated WAN ports and 2 flexible LAN/WAN ports, a total of 4 WAN ports for Load Balancing. You can find more technical specs at the product page here: www.tp-link.com/us/business-networking/omada-sdn-router/er7206/
      Good hunting!

  • @andrewwitten2099  1 year ago +1

    I appreciate the time you have put into making these awesome videos! It's really helping me design my network. I do have a question. I would like to Chromecast through my different VLANs (secure to IoT). I have tried to set up mDNS (_googlecast._tcp.local) and tried to disable multicast to unicast conversion without success. Do you know how I can fix this to make it work?

    • @deadmeats  1 year ago +1

      Hey @Andrew Witten, thanks for dropping by the channel and for the kind words. As for Google Chrome, I'll be honest and straight: I don't have it and don't know how it works :). However, I did a little digging and found a few articles (I'll post the links below).
      This guy got chromecast working across VLANs: community.tp-link.com/en/business/forum/topic/257264
      This article has a step by step, but saw a reply that it does not always work: community.tp-link.com/en/business/kb/detail/412610
      And this newer topic is a continuation of that discussion: community.tp-link.com/en/business/forum/topic/593654?sortDir=ASC&page=1
      Sorry, I don't have much experience with Chromecast :(....and thanks again for dropping by the channel...

    • @andrewwitten2099  1 year ago +1

      @@deadmeats thank you for the reply! I was able to get it to work after talking to the TP Link team, although some aspects don’t quite work. Apparently, Samsung TVs cast over SSDP (Simple Service Discovery Protocol) and DIAL (Discovery and Launch) which is not supported over VLAN at the moment. I might need to setup a proxy or something. I’ll keep watching your videos because you have a great setup! Thank you

    • @deadmeats  1 year ago

      @@andrewwitten2099 Hey man, thanks for getting back and sharing your experience. It looks like SSDP is really a challenge; while I may not have direct experience with it, I did read some threads about it. Here's one article that discusses SSDP but with Rokus and Unifi; the guy has to use a Raspberry Pi to get his stuff working, so that issue is not just affecting TP-Link but also other brands. Maybe you can find some clue in what he did for the Pi: devops.mentacityventures.com/unifi-mdns/
      Thanks again Andrew, and Happy Hunting!

    • @jonathan9469  1 year ago

      @@andrewwitten2099 What were your ACL and mDNS settings? Struggling to get it working despite some updated how-tos on the TP Link website.