Thread Protocol and VLANs on Alta APs

Since my AP has been installed I have noticed issues with devices communicating across VLANs. I decided to rebuild my network last weekend to see if it would help. I ended up having to add a lot of additional firewall rules that I didn’t need with my UniFi APs. Once I got HomeKit stable everything seemed fine with the exception of AirPrint, but my workaround for that was to just put it on my Admin network so it was on the same VLAN as my phones and computers. Just putting it on the Admin network was not the only thing I had to do. On the device menu in the Alta controller I had to set the network type and VLAN as well as switch all of the bypasses to yes.

Today I noticed a new issue. I just received my Aqara P2 Door and Window sensors that work off of Thread. When I tried to add them to my Home app they would fail. I have quite a few Thread based products. The only new device in my house recently is the AP6-Pro. I switched back over to my UniFi U6-Pro and was able to add the Aqara sensors without issue. Since Thread devices form their own network, it’s surprising that switching out the AP enabled me to add the devices. Once the devices were added I was able to switch back over to the Alta AP and then stabilize all of the IoT devices by rebooting the hubs.

It’s a pain to keep switching back and forth between the Alta and UniFi AP, but the Alta AP is way more stable when it comes to speed and internet based traffic, so I prefer to switch back to Alta when I do need to temporarily go back to UniFi.

@JRosen I’m curious what kind of firewall rules you are adding to your router to enable traffic across your VLANs and get things working. Is this just simple Mobile Phone<>Thread device communication across two different subnets, and is traffic hitting the router as expected without those rules?

It was mostly simple rules to allow groups of devices to talk from the IoT VLAN to the Admin VLAN based on the ports I could find from the manufacturers or that I saw being blocked by my rule to block all traffic between the VLANs. I also had to add a few rules to allow mDNS, as just having mDNS enabled on the UDM-Pro wasn’t enough. Sometimes the traffic isn’t hitting the router, or it’s making multiple attempts and after a while it’s successful. I confirmed this by allowing my printer on the IoT VLAN to have full access to the Admin VLAN. Sometimes I could see the printer from my iPhone and other times I couldn’t. When I could see the printer I was able to send a print job, but it would work and then never see the response from the printer of the job completion, so it would just keep retrying the print job. When it was a straight UniFi setup I had 3 rules to make this all work.

  1. Allow established and related traffic.
  2. Allow all Admin VLAN traffic to all VLANs.
  3. Block all inter-VLAN routing.

Setting up the Thread devices is through the Apple Home app on my phone, and then they communicate with my Thread Border Routers (Apple TVs/Apple HomePod minis) after that. The phone, Apple TVs and HomePods are all on the same VLAN, so this issue I think is more routing, possibly IPv6, which I do not have enabled on my network.

I pulled the athstats, ifconfig, iwconfig and message log. I will send them over to you via email.
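To make the three-rule policy above concrete, here is a small stateful evaluator that walks the AirPrint case from this post (phone on the Admin VLAN, printer on the IoT VLAN). It is an added example, not code from the thread, from UniFi or from Alta; the subnets, device addresses and ports are constructed, and the rule ordering (established/related first, then Admin to any, then an optional explicit per-port allow, then drop) is an assumption about how such a ruleset is evaluated rather than a description of any particular router. It also shows why an mDNS allow rule on its own cannot help: mDNS is link-local multicast and never reaches the routing stage at all.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the VLANs discussed in the thread (assumed values).
VLANS = {
    "Mgmt":  ipaddress.ip_network("10.0.1.0/24"),   # VLAN1: switches and APs
    "Admin": ipaddress.ip_network("10.0.10.0/24"),  # VLAN10: phones, computers
    "IoT":   ipaddress.ip_network("10.0.20.0/24"),  # hubs, printer
}
# 224.0.0.0/24 is the link-local multicast block; mDNS (224.0.0.251) lives here.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def vlan_of(ip: str):
    """Map an address to the VLAN name whose subnet contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


class InterVlanFirewall:
    """Toy stateful router policy in the order the post describes:
    (1) established/related, (2) Admin -> any, (3) explicit per-port allows
    such as the manufacturer-port exceptions mentioned above, (4) drop the rest."""

    def __init__(self, extra_allows=()):
        # extra_allows: tuples of (src_vlan, dst_vlan, proto, dport)
        self.extra_allows = set(extra_allows)
        self.flows = set()  # forward 5-tuples the router has already accepted

    def evaluate(self, p: Packet) -> str:
        if ipaddress.ip_address(p.dst) in LINK_LOCAL_MCAST:
            # Link-local multicast is never routed; only a reflector/proxy moves it between subnets.
            return "not-routed:link-local-multicast"
        src_vlan, dst_vlan = vlan_of(p.src), vlan_of(p.dst)
        if src_vlan is None or dst_vlan is None:
            return "drop:unknown-vlan"
        if src_vlan == dst_vlan:
            # Same-subnet traffic is bridged by the AP/switch; the router never sees it.
            return "bridged:same-vlan"
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.flows:
            return "allow:established"          # rule 1: reply to an accepted flow
        if src_vlan == "Admin":
            self.flows.add(key)
            return "allow:admin-to-any"         # rule 2
        if (src_vlan, dst_vlan, p.proto, p.dport) in self.extra_allows:
            self.flows.add(key)
            return "allow:explicit"             # per-port exception for IoT -> Admin
        return "drop:inter-vlan"                # rule 3


def airprint_scenario(extra_allows=()):
    """Walk the AirPrint case: phone on Admin, printer on IoT (constructed addresses)."""
    fw = InterVlanFirewall(extra_allows)
    phone, printer = "10.0.10.50", "10.0.20.7"
    return {
        # Phone looks for the printer with an mDNS query: it never leaves the Admin subnet.
        "mdns_discovery": fw.evaluate(Packet(phone, 5353, "224.0.0.251", 5353, "udp")),
        # Phone opens an IPP connection to the printer (Admin -> IoT, new flow).
        "ipp_request": fw.evaluate(Packet(phone, 50000, printer, 631, "tcp")),
        # Printer answers on the same connection (IoT -> Admin, reply direction).
        "ipp_reply": fw.evaluate(Packet(printer, 631, phone, 50000, "tcp")),
        # Printer opens a brand-new connection toward the phone (IoT -> Admin, new flow).
        "printer_initiated": fw.evaluate(Packet(printer, 40000, phone, 8080, "tcp")),
        # HomePod talking to an Apple TV on the same VLAN: the router is not involved.
        "same_vlan": fw.evaluate(Packet("10.0.10.20", 3000, "10.0.10.21", 3000, "udp")),
    }


if __name__ == "__main__":
    for name, verdict in airprint_scenario().items():
        print(f"{name:18s} {verdict}")
    print("with IoT->Admin tcp/8080 allowed:",
          airprint_scenario([("IoT", "Admin", "tcp", 8080)])["printer_initiated"])
```

The walk-through separates the two failure modes that look alike from a phone: a flow the router dropped (an IoT device opening a new connection toward Admin, which needs a per-port allow rule) and a flow the router never saw (mDNS discovery, which needs a reflector or proxy, or the same-VLAN placement used as the workaround above).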

@Alta-Jeff Just wanted to follow up to see if you saw anything odd in the logs I sent over. Haven’t purchased any more Thread devices but I plan to in the next few months. Also still seeing issues with devices on the same VLAN not able to communicate with each other. I constantly have to reset the Sonos connection to the app. Also still having issues with AirPrint and getting to the HP printer’s management console via HTTP or HTTPS.

I don’t feel like I should need to, but I had to turn on IGMP Proxy on all SSIDs to get this to quiet down. But it still isn’t as stable and reliable as the APs I had installed previously.

@JRosen I’ve seen some issues in your logs and should be able to release something soon to improve your setup there.


@Alta-Jeff Not sure if 1.1d was to help the issues you have seen in my logs, but I did want to say it has resolved my AirPrint issue, so I really appreciate that. I did the update, waited for a bit and then rebooted the AP and printer. I am now able to get to my printer on a different VLAN via HTTP and HTTPS. I am also able to AirPrint across VLANs, which hasn’t worked since I set up the AP. The update also improved RX and TX drop rates on wifi0 and wifi1. Previously I was seeing over 100k drops and since last night I have less than 10.

I did notice a few possible issues in the new logs. It looks like my iPhone is hitting the AP and trying to associate to VLAN1, after a retry or two it switches to VLAN10 which is what it should be on. VLAN1 is my management VLAN so only switches and APs. I am also still seeing TX/RX errors on wifi0 and wifi1. Errors on wifi1 TX are over 8000k. Sending you my updated logs for reference.

@JRosen Glad to hear that the AirPrint issues are resolved. The fixes were specific to the issues you were having, but should help with IPv6 and VLAN bridging in general.

I’m not sure what you mean by the iPhone trying to associate to VLAN1. Is the SSID it is associating with on VLAN1, etc., or can you provide further details on the issue?
