We're seeing something that looks a bit like client separation - a PC can't talk to a printer on the same network (both on wifi, both using the same SSID, both on the same VLAN and same IP network, not necessarily both on the same AP though). How can I check for this on 17.15.1? I'm not really convinced it is this, because *sometimes* we can print. But maybe it's because they are on sometimes on different APs? Any other suggestions about how the network could be the problem would be welcome. Thanks, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
What devices are you using and are you using wireless.npk, wifi-qcom(-ac).npk, CAPSMAN?... Regards, Jason Hecker <https://www.upandrunningtech.com.au> <https://www.upandrunningtech.com.au> On Fri, 18 Oct 2024, at 17:18, Karl Auer via Public wrote:
We're seeing something that looks a bit like client separation - a PC can't talk to a printer on the same network (both on wifi, both using the same SSID, both on the same VLAN and same IP network, not necessarily both on the same AP though).
How can I check for this on 17.15.1?
I'm not really convinced it is this, because *sometimes* we can print. But maybe it's because they are on sometimes on different APs? Any other suggestions about how the network could be the problem would be welcome.
Thanks, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
Please feel free to deal with this email during your own working hours.
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
On Fri, 2024-10-18 at 17:41 +1100, Jason Hecker wrote:
What devices are you using and are you using wireless.npk, wifi- qcom(-ac).npk, CAPSMAN?...
router: rb9005 (RB5009UG+S+) switch: CSS610-8P-2S+IN APs : cAP ac /system package print Columns: NAME, VERSION, BUILD-TIME, SIZE # NAME VERSION BUILD-TIME SIZE 0 wireless 7.15.3 2024-07-24 10:39:01 884.1KiB 1 routeros 7.15.3 2024-07-24 10:39:01 11.6MiB 2 dude 7.15.3 2024-07-24 10:39:01 1240.1KiB Packages in /capsman are: routeros-7.15.3-arm.npk routeros-7.15.3-mipsbe.npk wifi-qcom-ac-7.15.3-arm.npk wireless-7.15.3-mipsbe.npk wireless-7.15.3-arm64.npk Reasonably sure, but have not checked, that the APs are using wifi-qcom-ac. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
This is so not a Friday arvo issue. Dave Browning dlbNetworks 0413 579 391 <tel:0413579391> | dlbnet.works <https://dlbnet.works/> PO Box 171, Jimboomba QLD 4280 <https://maps.google.com/?q=PO%20Box%20171,%20Jimboomba%20QLD%204280> | 1800 DLB NET <tel:1800DLBNET> <https://www.facebook.com/profile.php?id=100095083032088> <https://www.instagram.com/dlbnetworks/> <https://www.linkedin.com/company/dlbnetworks>
On 18 Oct 2024, at 4:18 pm, Karl Auer via Public <public@talk.mikrotik.com.au> wrote:
We're seeing something that looks a bit like client separation - a PC can't talk to a printer on the same network (both on wifi, both using the same SSID, both on the same VLAN and same IP network, not necessarily both on the same AP though).
How can I check for this on 17.15.1?
I'm not really convinced it is this, because *sometimes* we can print. But maybe it's because they are on sometimes on different APs? Any other suggestions about how the network could be the problem would be welcome.
Thanks, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
Please feel free to deal with this email during your own working hours.
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Yeah, tricky one for a Friday arvo, but now that I have a beer in hand I feel better inclined to think about it :- D The only client isolation sort of behaviouri I can tbink of,, assuming all your bridges are set up ok (and if they weren't you'd likely be seeing more trouble than that ;) is 'default forwarding' behaviour on the wireless interfaces. Forwarding enabled means that a client connected to an ap can pass l2 frames to other clents connected to the same ap - forwarding disabled means tgey can't - eitger way, clients can still reach peers connected to any bridges attached to the ap interface. So pretty much opposite to what you're describing... Could it be the other way around? Cheers! -----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer via Public Sent: Friday, 18 October 2024 5:19 PM To: MikroTik Public <public@talk.mikrotik.com.au> Cc: Karl Auer <kauer@nullarbor.com.au> Subject: [MT-AU Public] client separation? We're seeing something that looks a bit like client separation - a PC can't talk to a printer on the same network (both on wifi, both using the same SSID, both on the same VLAN and same IP network, not necessarily both on the same AP though). How can I check for this on 17.15.1? I'm not really convinced it is this, because *sometimes* we can print. But maybe it's because they are on sometimes on different APs? Any other suggestions about how the network could be the problem would be welcome. Thanks, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours. _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
If you are using CAPsMAN tunnels and have configured your Bridge Horizon to be identical on them all (ie some value set) then it will cause the opposite effect to Client Isolation on the AP in that it will block communication between devices on different APs. Regards, Patrick On Fri, 18 Oct 2024 at 19:23, Mike Everest via Public < public@talk.mikrotik.com.au> wrote:
Yeah, tricky one for a Friday arvo, but now that I have a beer in hand I feel better inclined to think about it :- D
The only client isolation sort of behaviouri I can tbink of,, assuming all your bridges are set up ok (and if they weren't you'd likely be seeing more trouble than that ;) is 'default forwarding' behaviour on the wireless interfaces.
Forwarding enabled means that a client connected to an ap can pass l2 frames to other clents connected to the same ap - forwarding disabled means tgey can't - eitger way, clients can still reach peers connected to any bridges attached to the ap interface.
So pretty much opposite to what you're describing...
Could it be the other way around?
Cheers!
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer via Public Sent: Friday, 18 October 2024 5:19 PM To: MikroTik Public <public@talk.mikrotik.com.au> Cc: Karl Auer <kauer@nullarbor.com.au> Subject: [MT-AU Public] client separation?
We're seeing something that looks a bit like client separation - a PC can't talk to a printer on the same network (both on wifi, both using the same SSID, both on the same VLAN and same IP network, not necessarily both on the same AP though).
How can I check for this on 17.15.1?
I'm not really convinced it is this, because *sometimes* we can print. But maybe it's because they are on sometimes on different APs? Any other suggestions about how the network could be the problem would be welcome.
Thanks, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
Please feel free to deal with this email during your own working hours.
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
On Fri, 2024-10-18 at 19:45 +1100, Patrick Sayer via Public wrote:
If you are using CAPsMAN tunnels and have configured your Bridge Horizon to be identical on them all (ie some value set) then it will cause the opposite effect to Client Isolation on the AP in that it will block communication between devices on different APs.
It is identical on all of them, but only in that none of them have a BridgeHorizon value set. In winbox: WiFi -> Datapath -> (select datapath) -> Bridge Horizon field is blank, with a down-arrow beside it. If, for example, the printer or the laptop were changing from AP to AP, and comms between clients on different APs were blocked, that would explain why it sometimes works. Not why the devices would waft from one AP to another, but still, plausible. I'm not sure if I am using CAPSMAN tunnels. I did find the "Client Isolation" checkbox though. It is set on one network, our guest wifi network, but not on any of the others, and not on the network with the printer and laptop in it. Regards, K. PS: This is not urgent. Sorry I didn't make that clear. Also, I will see what happens if I connect to the printer on an independent different router using actual wires. Just to make sure this is not, you know (waves hands) printer things. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
On Fri, 2024-10-18 at 19:22 +1100, Mike Everest via Public wrote:
Forwarding enabled means that a client connected to an ap can pass l2 frames to other clients connected to the same ap - forwarding disabled means they can't - either way, clients can still reach peers connected to any bridges attached to the ap interface. So pretty much opposite to what you're describing...
Yeah - unless the devices are moving unbidden between APs. Then when they happen to be on the same one it would all be rainbows, and when they are on different ones it would be not rainbows. It seems to be very nearly permanently not rainbows. Given that this is CAPSMAN, that forwarding setting would be somewhere in the configs on the controlling router, no? If so, where? Because I have not yet found it... unless "Client Isolation" is the winbox term for it. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
On Fri, 2024-10-18 at 17:18 +1100, Karl Auer via Public wrote:
We're seeing something that looks a bit like client separation - a PC can't talk to a printer on the same network (both on wifi, both using the same SSID, both on the same VLAN and same IP network, not necessarily both on the same AP though).
Well, ahem, cough, it was a printer misconfiguration. I dropped a little router with wifi beside the printer, associated the printer and a laptop to it, still couldn't see the printer. Checked the printer IP address to ping it and realised it was not in the network that the router was configured to provide. The printer was configured with a static IP address, one not in any network available in the building. The solution was to let the printer obtain its address via DHCP. I am puzzled as to how it ever worked at all, to be honest, but it demonstrably did work a few times and had in fact been working well for months up until a week or so ago. This is a mystery I don't intend to try to solve, though entertaining theories are welcome. On the up-side I learned heaps about client isolation, default forwarding and so on... Many thanks to all who contributed thoughts. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
participants (5)
-
Dave Browning
-
Jason Hecker
-
Karl Auer
-
mike@duxtel.com
-
Patrick Sayer