08-19-2021 07:24 AM
Hello Everybody,
I'm facing an issue that goes beyond my IT knowledge. I have a RV345 router with a multiple vlan configuration and a few APs using tagged vlan. Everything has been working fine with Ip Source Guard enable until I installed a WiFi range extender and I connected a new device. The device connected to the wifi range ext cannot connect to internet when the Ip Source Guard is enable, if I turn the Ip Source Guard Off then the device can connect to the internet. When the Ip guard is off, the RV345 arp table shows that all the devices connected to the router trough the range ext are using the range extender mac address with multiple ip address. Does anybody have any explanation about this behavior? Any advise to make the range extender working with the Ip Source Guard?
Thanks a lot,
Cristian
Cristian
08-20-2021 12:13 PM
Hi
>>> all the devices connected to the router trough the range ext are using the range extender mac address with multiple ip address.
In IP-Src-Guard, you can bind only 1-mac-address to 1-ipaddress...so there is nothing you could do more than that on RV34X.
- if there are say 2 lan-clients each with its own ipaddress, connected to the wifi-extender and as you have observed, both are using the mac-address of the extender-device...
- in that case in ip-src-guard you can only bind once the mac-address of the wifi-extender to only one of the lan-client's ipaddr, and only then that lan-client (with the ipaddress added in ip-src-guard list) can connect to internet...
So for your deployment, with the wifi-extender connected, you are better off disabling ip-src-guard
08-21-2021 07:30 AM
Hi nagrajk1969,
thanks for helping me one more time. I did several tries and finally I found a configuration that it's working. I can confirm that all devises connected to the extender in the arp table have the mac address of the extender. The extender has two mac address: the ip associated to the first mac address (mac1) is used to configure it using http, the second mac (mac2) appears in the arp table when a device try to connect to the internet. So I did as following: I used static dhcp for the above mentioned mac addresses and for, let's say, one device (dev1) that I want to connect through the extender, so each mac has its own ip. At this moment the Ip Src Guard is off, all the three mac appears in the the Lease Table of the Security page, dev1 can connect to internet. Then I added the dev1 with its own ip and the extender mac2 to the Ip Guard Static binding table. I turned on the Ip Src Guard and dev1 can still connect to the internet. Moreover if I connect others devices to the extender network tnow hey can navigate too.
Maybe there was one thing that I made wrong the first time, I added the mac2 with it's own ip to the static ip src binding table, this was probably preventing other devices to connect to internet... what do you think about this solution?
My Best,
Cristian
08-22-2021 10:42 AM - edited 08-22-2021 10:48 AM
Ok. I guess i got confused reading your response...let me understand this
1. Lets say that you are assigning on vlan1 and the dhcp-server ip-pool is 192.168.1.100/24 to 192.168.1.200/24 (with the default-gw ipaddr of 192.168.1.1 which is the vlan1 ipaddress of RV340)
2. Lets say that the extender ipaddress is a statically configured ipaddress of 192.168.1.11/24, which will be used to access the GUI of the wifi-extender
a) and on extender, lets assume that
the mac-1 address is 00:76:b8:62:89:22 and
the mac-2 address "00:0a:f7:69:10:29"
3. And on RV340, You have added in "Static-DHCP" the below 2 ip-addresses and binded them to mac-1 and mac-2 address respectively?...is this right?
192.168.1.11 - 00:76:b8:62:89:22 (mac-1 of extender)
192.168.1.100 - 00:0a:f7:69:10:29 (mac-2 of extender)
right?
4. And next in ip-src-guard, you enabled the service ip-src-guard, and then statically added the below entry:
192.168.1.100 - 00:0a:f7:69:10:29 (mac-2 of extender)
- is above right so far?
- dis you also add the 192.168.1.11 entry binded to mac-1 address in the ip-src-guard?
- do you see the list of all the static-dhcp entries in the "ip-source-guard" page...is it empty (in my setup i see that its empty, although i have applied point-3 step above)
5. So now you are saying, after the steps in point-4 above,
- now dev1 can access internet....this i guess will work becos you have added this binding of dev1-ipaddress+mac-2-address
- and all other devices (devices2 onwards) behind the extender are now able to access internet?...without any additional entries in the ip-src-guard?????
6. After adding the entries in as done in point-3 and point-4 above, did you check by doing a "Apply/Save (permanent-save to startup)" and reboot of the RV340?....is it all working after the save and reboot?
Note: Before you do a save and then reboot, ensure that in "Firewall" you have enabled "Remote Management" and then apply-save and then reboot....becos afer reboot in case you cant access the GUI from lan (due to say ip-src-guard being enabled) you can still access from wan-interface...
As far as i understand, after the steps you have done, only dev1 should be able to access (and maybe any traffic generated from extender with mac1-address) internet and lan-network....BUT i dont understand how other devices connected to extender are able to browse the internet...after adding dev1 entry in ip-src-guard....something;s not right
08-22-2021 01:46 PM
Hi,
Thanks for you are answer, I'll start from the end.
1. I was in the situation that I described in the previous post. More devices could connect to the extender even if the ip src guard was on with only dev1 bind to mac2 in the static table.
2. Later I noticed that I was having problems with the dhcp server: I couldn't add any new devices using the main AP wifi. So I played the rv34x reboot card.
3. Now everything works as it should be, only the dev1 with ext-mac2 can exit to internet.
So for my purpose now I'm fine. I needed the extender just for an outdoor device.
4. Going back to your last message. I did as you described until point 3. About point 4, I didn't statically add the two ip-mac of the extender to the ip src static table. Basically I skipped your point 4 and went to point 5.
5. The rv34x reboot fixed the dhcp server issues and enabled the ip src guard correctly, actually I don't like unriquired reboots but I can't exclude that I didn't some mess by doing multiple entries of the same static IP... learning phase sometimes pass through mistakes...
As far as I concern I would close the thread.
Thanks a lot
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide