Hi guys,
I’ve recently acquired a couple of TAP200 access points, all running the latest FW, TAP200_R_00.07.06.3.
These access points are connected with a respective trunk to a TSW202 managed switch.
The switch is connected with another trunk to an OpenWRT router.
My network is divided into 8 different VLANs, which all of the devices are aware of. VLANs are numbered in even 10's. One of these VLANs is a management VLAN (10) for all networking equipment. The next VLAN is 20, and so on. All IP addresses in the network have their VLAN in the third segment, so a 192.168.20.X address means VLAN 20.
To make a long story short, I'm suspecting that the TAP200s' different SSIDs (each running on a separate VLAN) are forwarding their clients' DNS requests over the management VLAN, and not on the VLAN the clients are connecting to.
Since I've removed WAN access from the management VLAN, explicit queries to DNS servers on the internet go unanswered. DNS queries to the router's local interface, however, work. So the only problems I get are for the units which require a different DNS server than the one the router provides.
I've verified this by enabling logging of rejected packets in the management zone on the OpenWRT router, which outputs:
Sat Jan 20 16:08:54 2024 kern.warn kernel: [ 7496.622822] reject infra forward: IN=eth3.10 OUT=eth0 MAC=[REDACTED] SRC=192.168.20.115 DST=8.8.8.8 LEN=80 TOS=0x00 PREC=0x00 TTL=62 ID=25814 PROTO=UDP SPT=57238 DPT=53 LEN=60
Which I'm reading to say that the packet came in on VLAN 10 (which belongs to a zone called "infra"), but the source IP indicates VLAN 20; the destination is 8.8.8.8 on port 53.
Now, maybe I’m just too much of a novice on networking equipment, but I would have thought that the DNS requests from a specific VLAN would stay on that VLAN, so that they may follow the firewall rules on my router. To see that VLAN10 is now carrying traffic from VLAN 20 is somewhat baffling to me.
From the limited amount of options on the TAP200's settings page, I haven't been able to find anything that would make this work as I imagine it should work. Whether this is a feature or a bug, I'm not entirely clear on...?
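An added example (not code from the post or from Teltonika/OpenWrt): a small Python checker that scans OpenWrt firewall reject log lines like the one above and flags every rejected packet whose source address belongs to a different VLAN than the 802.1Q sub-interface it arrived on. It assumes the poster's addressing plan (third octet of 192.168.x.y equals the VLAN ID) and an `IN=ethN.<vlan>` interface naming; the log lines after the first are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample log: the first line is the one quoted in the post,
# the other two are made up to show a matching and a second mismatching case.
SAMPLE_LOG = """\
Sat Jan 20 16:08:54 2024 kern.warn kernel: [ 7496.622822] reject infra forward: IN=eth3.10 OUT=eth0 MAC=[REDACTED] SRC=192.168.20.115 DST=8.8.8.8 LEN=80 TOS=0x00 PREC=0x00 TTL=62 ID=25814 PROTO=UDP SPT=57238 DPT=53 LEN=60
Sat Jan 20 16:09:01 2024 kern.warn kernel: [ 7503.110000] reject infra forward: IN=eth3.10 OUT=eth0 MAC=[REDACTED] SRC=192.168.10.7 DST=1.1.1.1 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=40000 DPT=53 LEN=60
Sat Jan 20 16:09:05 2024 kern.warn kernel: [ 7507.200000] reject infra forward: IN=eth3.10 OUT=eth0 MAC=[REDACTED] SRC=192.168.40.22 DST=9.9.9.9 LEN=80 TOS=0x00 PREC=0x00 TTL=62 ID=2 PROTO=TCP SPT=51000 DPT=443 LEN=60
"""

# netfilter log fields are KEY=VALUE tokens; we only need a few of them
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S+)")


def parse_reject_line(line):
    """Return the KEY=VALUE fields of one log line, or None if it is not a reject entry."""
    fields = dict(FIELD_RE.findall(line))
    if "IN" not in fields or "SRC" not in fields:
        return None
    return fields


def ingress_vlan(ifname):
    """VLAN ID from a sub-interface name such as 'eth3.10'; None for an untagged port."""
    _, sep, tag = ifname.rpartition(".")
    return int(tag) if sep and tag.isdigit() else None


def expected_vlan(src):
    """Poster's plan: 192.168.<VLAN>.x, so the third octet names the VLAN (assumption)."""
    return int(str(ip_address(src)).split(".")[2])


def find_vlan_mismatches(log_text):
    """Return (ingress_vlan, expected_vlan, src, dst, proto, dport) for each rejected
    packet whose source address does not belong to the VLAN it was received on."""
    hits = []
    for line in log_text.splitlines():
        f = parse_reject_line(line)
        if f is None:
            continue
        vin = ingress_vlan(f["IN"])
        vexp = expected_vlan(f["SRC"])
        if vin is not None and vin != vexp:
            hits.append((vin, vexp, f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT")))
    return hits


if __name__ == "__main__":
    for vin, vexp, src, dst, proto, dport in find_vlan_mismatches(SAMPLE_LOG):
        print(f"VLAN leak? arrived on VLAN {vin}, source {src} is VLAN {vexp}: "
              f"{proto} to {dst}:{dport}")
```

Run it against `logread -e reject` output from the router to list exactly which clients and SSIDs are leaking onto the management VLAN, and whether it is only DNS (DPT=53) or other traffic as well.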