With isolated VLANs, printers are able to communicate after power-on but eventually stop responding on the network

All UniFi equipment (USG-Pro, a myriad of switches, mostly AC Pros)

We’ve got about 50 VLANs/networks. Users get dumped onto their own isolated VLAN based on their RADIUS user when connecting to the network via WPA2-Enterprise. Everyone connects to a single SSID.

For example:

  • John connects to BusinessWifi SSID with WPA2-Enterprise username and password that dumps him onto VLAN 1000, 10.0.0.0/24.
  • Greg connects to BusinessWifi SSID with WPA2-Enterprise username and password that dumps him onto VLAN 1001, 10.0.1.0/24.
  • Larry connects to BusinessWifi SSID … onto VLAN 1050, 10.0.50.0/24.

We have a firewall rule in place that blocks InterVLAN traffic. We created one Network Group that contains all of the VLANs (10.0.0.0/24, 10.0.1.0/24, …, 10.0.50.0/24) and drop all connections in that Network Group with the following settings:

  • Drop Established and Related
  • Don’t match on IPsec
  • on LAN_IN

Here is a common setup example for an individual user:

  • John’s laptop is connected with IP 10.0.0.5
  • John’s iPhone is connected with IP 10.0.0.6
  • John’s printer is connected with IP 10.0.0.250 (static)

When the printer is first powered on, John’s laptop and phone can see and print to his printer without issue.

The use case for this weird setup is this: John can be in his office, or in the lobby, or in someone else’s office, etc. connected to the single “MyBusinessSSID” and always be on his own isolated VLAN, so that he can communicate to other devices on his isolated VLAN regardless of where he’s at on campus. Mainly used to be able to print from anywhere on campus.

After some minutes (or hours; I haven’t observed much consistency), the printer stops accepting print jobs and stops responding to pings. This is indicative of the network traffic getting dropped, in my opinion, but I can’t think of why. Since they’re on the same network, they shouldn’t be subject to the InterVLAN firewall rule that we’ve created. Power cycling the printer is enough to get it to resume normal activity, responding to pings and accepting print jobs.

This is not specific to one brand of printer or one brand of computer. It’s 100% network related but I don’t know what exactly.

Any ideas?

I have not done this type of setup with a complete UniFi system so it is not an issue that I have encountered before.

Something to note: In applicable situations where I can create a regular WPA2-Personal SSID for a user (i.e., JohnsOfficeSSID), these problems don’t happen.

Didn’t see an option to edit my first post, but I should clarify: Printers are dumb and don’t know how to connect to WPA2-Enterprise. For them, we have a separate SSID that is Open but with MAC RADIUS Authentication. They get dumped onto the same user VLAN (i.e., John’s computers on the WPA2-Enterprise SSID connect to the same VLAN as John’s printers on the Open MAC RADIUS Auth SSID).
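Two things in the thread lend themselves to a small tool: checking which flows the described LAN_IN drop rule (source in the VLAN group and destination in the VLAN group) can actually see, and measuring the "minutes or hours" before a printer goes quiet so the timing can be compared against things like lease times or sleep timers. The script below is an added example written for this thread, not code from the poster or from Ubiquiti. It assumes the VLAN-to-subnet mapping shown in the post (VLAN 1000 is 10.0.0.0/24, VLAN 1050 is 10.0.50.0/24), a Linux-style `ping -c 1 -W <seconds>`, and the poster's own reading that same-network traffic is switched rather than routed and so never reaches LAN_IN; the probe and clock are injectable so the monitor can be exercised offline with a constructed reachability sequence.

```python
"""Added example for the thread above (not the poster's or Ubiquiti's code).

Part 1 models the LAN_IN drop rule as described: drop when both source and
destination fall inside the Network Group of isolated VLAN subnets.
Part 2 is a reachability monitor that records up/down transitions of a
printer so the time-to-failure after power-on can be measured instead of
estimated.
"""
import ipaddress
import subprocess
import sys
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# ---- Part 1: the firewall rule as described in the post ----------------

def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """VLAN 1000 -> 10.0.0.0/24 ... VLAN 1050 -> 10.0.50.0/24 (assumed mapping,
    taken from the examples in the post)."""
    third_octet = vlan_id - 1000
    if not 0 <= third_octet <= 50:
        raise ValueError("VLAN id outside the 1000-1050 range used in the post")
    return ipaddress.ip_network(f"10.0.{third_octet}.0/24")

# The single Network Group containing every isolated VLAN subnet.
ISOLATED_GROUP: List[ipaddress.IPv4Network] = [vlan_subnet(v) for v in range(1000, 1051)]

def subnet_of(ip: str) -> Optional[ipaddress.IPv4Network]:
    """Return the group member that contains ip, or None if ip is outside the group."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in ISOLATED_GROUP if addr in net), None)

def lan_in_drop_rule_matches(src: str, dst: str) -> bool:
    """True if the group->group drop rule on LAN_IN would evaluate and drop this flow.

    Same-subnet traffic (laptop 10.0.0.5 -> printer 10.0.0.250) is forwarded at
    layer 2 by the switches/APs and is never routed by the USG, so it is never
    evaluated on LAN_IN; this matches the poster's reasoning that such traffic
    should not be subject to the rule.
    """
    s, d = subnet_of(src), subnet_of(dst)
    if s is None or d is None:
        return False      # one side outside the group: rule does not match
    if s == d:
        return False      # intra-VLAN: not routed, not seen by LAN_IN
    return True           # inter-VLAN: routed, matched, dropped (the intended block)

# ---- Part 2: measure how long a printer stays reachable ----------------

def ping_once(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo using the OS ping binary (Linux flag style assumed)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            capture_output=True)
    return result.returncode == 0

@dataclass
class ReachabilityLog:
    """Stores only state changes: (timestamp, 'up'|'down')."""
    transitions: List[Tuple[float, str]] = field(default_factory=list)
    last_state: Optional[bool] = None

    def observe(self, reachable: bool, now: float) -> None:
        if self.last_state is None or reachable != self.last_state:
            self.transitions.append((now, "up" if reachable else "down"))
            self.last_state = reachable

    def _spans(self, start: str, end: str) -> List[float]:
        out, started_at = [], None
        for ts, state in self.transitions:
            if state == start:
                started_at = ts
            elif started_at is not None:
                out.append(ts - started_at)
                started_at = None
        return out

    def uptime_before_each_outage(self) -> List[float]:
        """Seconds from each 'up' to the next 'down': the figure the post estimates."""
        return self._spans("up", "down")

    def outage_durations(self) -> List[float]:
        """Seconds from each 'down' to the next 'up' (open-ended outages excluded)."""
        return self._spans("down", "up")

def monitor(host: str, interval_s: float = 30.0,
            probe: Callable[[str], bool] = ping_once,
            clock: Callable[[], float] = time.time,
            sleep: Callable[[float], None] = time.sleep,
            max_probes: Optional[int] = None) -> ReachabilityLog:
    """Probe host every interval_s seconds and record transitions until max_probes."""
    log = ReachabilityLog()
    probes = 0
    while max_probes is None or probes < max_probes:
        log.observe(probe(host), clock())
        probes += 1
        if max_probes is None or probes < max_probes:
            sleep(interval_s)
    return log

if __name__ == "__main__":
    # Usage: python3 monitor.py 10.0.0.250   (Ctrl-C to stop; prints transitions)
    printer = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.250"
    try:
        monitor(printer, max_probes=None)
    except KeyboardInterrupt:
        pass
```

Run it on a laptop that sits on the same VLAN as the printer, start it right after the printer is power cycled, and the `uptime_before_each_outage()` values give the real time-to-failure; if those cluster around a lease or sleep interval, that points at the printer or DHCP rather than at the inter-VLAN rule, which the flow check above shows cannot see same-subnet traffic at all.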

Still haven’t figured this one out, unfortunately. Just bumping up the topic to maybe get some fresh eyes on it.