The Apple Airport’s Dirty Little Secret

secrect

As part of the massive effort to build a new house I started trying to figure out the data network that we needed.  As most people know, you end up with a LOT of devices on a network these days.  Mobile devices, Whole Home Audio, Laptops, Thermostats, DVR, Televisions, DVD Players, just about everything.  Some things in my house were wired and some wireless.  The wired network was easy so this is more about the wireless, and SPECIFICALLY the Apple Airport’s dirty little secret about the Guest Network.

The Layout

For the new house I decided on Apple Airport Extreme devices throughout the house.  I liked the performance the reliability and the ease of setup.  Most attractive was the fact Apple devices support a “roaming” network configuration that is well documented and easy to set up.  That is, until you get to the Guest Network which I will detail in a minute.  Below is the basic setup I decided on based on the roaming setup.

  • Primary Airport Express – Basement (NAT/DHCP)
  • Roaming Airport Express – Kitchen (Bridge Mode)
  • Roaming Airport Express – Office (Bridge Mode)

It was incredibly easy to setup and configure.  Everything worked great until I got to testing the Guest Network.  The nice thing is with a single Airport in DHCP/NAT you can assign a different Network Subnet range for the guests.  Come to find out, They are isolated from the other network on a tagged VLAN 1003.  I thought this was very cool and having done some reading and knowing I have a managed switch I was able to tag the roaming Airport’s as needed on VLAN 1003 which allowed the guests connected to roaming units to get an IP address.  Everything seemed fine….

The Apple Airport Roaming Guest Network Speed Issue

After many hours of testing and reading I was getting horrible download on the guest network.  I narrowed the situation down to whenever a user connected to one of the bridge mode Airports.  If you connected to the Primary speed was fine, but not on a roaming unit.  You got a DHCP address and got online but download was maybe 1/10th of the speed while upload was fine.  I began to search more and found many people were having this problem

The issue is that Apple uses VLAN 1003 tagged on the Airport, BUT they actually do NOT support using a managed switch with the same VLAN Tag!!  I was seriously baffled at what I found.  They have said they only support the roaming configuration with Airports connected to each other via the built-in LAN ports, OR an unmanaged switch.  They flat-out do not support using a high-end managed switch tagging and passing the traffic.  In fact, in reading the Apple forums they admit the problem and refuse to fix the bug.

The Apple Airport Roaming Guest Network Speed Possible Work Around

Once I figured out the issue I decided myself to only leave the Guest Network active on the Primary Airport for now, but you can resolve this, in a crazy fashion.  Essentially you need a dumb, unmanaged switch connected in the following manner, but someone on the Apple Community tried and said the issue still persists

  • Primary Airport Running WAN Port —> Internet Connection
  • Primary Airport Running DHCP/NAT LAN Port —> Unmanaged Switch
  • All Roaming Airport Running Bridge Mode WAN Port —> Unmanaged Switch
  • Unmanaged Switch —> Managed switch

According to the Apple documentation this should work, but I’ve not tried it and as I mentioned someone else did and says it’s still a no go.  It’s a pretty piss poor obvious bug by Apple they just continue to ignore.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Previously to this he spent close to a decade working for VMware as a Principal Architect. Previous to his nine plus years at VMware, Chris was a System Administrator that evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products as the accountant, book keeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although Technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

15 comments

  1. Couldn’t you create a VLAN on your managed switch (any # besides 1003) just for guest Wi-fi, and use it in Untagged mode on all ports for your interconnect? Basically create an “unmanaged” network that is still separate and lives on your managed switch?

    • Because the guest traffic exiting the AP is actually tagged I don’t see how that could work. The 3 ports on the AE are not tagged themselves by port either, so connecting an AE to a port that is untagged will only pass the non guest traffic. One port has to carry untagged on any other VLAN BUT in order for the guest traffic the same port MUST be tagged for 1003. It’s the nature of VLAN’s on the same port. I still have not tested the isolated 5 port unmanaged switch just for the AE’s but I have a diagram if I ever wanted to try it.

      What you are suggesting would only work if the guest traffic was on a specific port which would mean then itself is untagged on that port and it’s definitely not running that way.

      Believe me there is no other way around it, that thread on the apple community is VERY long and many have confirmed tagging is the only way to get 1003 to pass on a managed switch, but the speed is killed.

      • Did you see this fix from Apple? https://discussions.apple.com/thread/4787934?start=45&tstart=0
        It fixed the issue for me. Looks like the poor performance was due to an MTU issue.
        But then again: I’m using an Airport Extreme, not an Express

        • WHat exactly fixed the issue That thread is pretty dated talking about 7.6.4 and the Extremes are running 7.7.3 which is the latest, I’m not using Expresses for Guest Connections.. I don’t see any resolution in that post regarding the VLAN tagging affecting performance. This VLAN issue is well known to apple but unless the VLAN issue relates to MTU on the switch port I did not see that.

          It also assumes that all things are connected directly to the extreme which DOES work, the issue is managed switches with VLAN’s in between the devices as I documented. It’s yet to work on any managed switch setup I have tried. I have yet to try the unmanaged swotch for all the airports uplinked to a single managed switch, but someone mentioned they tried it and it does not work. APple simply does not “support” the use of VLAN 1003 and won’t fix the VLAN performance issue that happens on managed switches, yet they use VLAN 1003 in their unit for Guest access. They maintain it all works if you connect all devices to the main Extreme but that’s not physically possible in a distributed setup where all things go back to a main managed switch.

          • Hi,
            I’m not sure this is related to managed switches. I had four AE’s running the latest firmware. When I have three extremes connected directly to the primary one I still see the speed problem on the Guest network when I am connected to one of the non primary AE’s.
            Regards

  2. details, shmetails

  3. AirPort is a hot mess (look it up on Urban Dictionary). If you want close-to-enterprise level equipment, go to Ubiquiti (founded by former Apple employee Robert Pera), at least until Apple cleans up AirPort. UniFi access points aren’t perfect, but they beat the crap out of AirPort. UniFi APs support a limited number of SSID VLAN associations and work well with managed switches.
    I’m not associated with Ubiquiti other than as a (mostly) satisfied consumer.

  4. i’ve not noticed that issue, with 40+ airports and managed switches. I set my STP up carefully, though

  5. Lonnie Abelbeck

    Apple *finally* fixed this issue with Firmware Update 7.7.7 (and 7.6.7 for older models), a managed switch using VLAN 1003 now works with the Airport guest network with full performance.

  6. I came here looking for the VLAN ID that the AE guest network is tagged with, so thanks for that.

    The solution is simple; you just need the ingress port on the managed switch to accept tagged frames and also have a native VLAN ID set – this means the tagged frames get forwarded with their VLAN ID and the untagged frames fall into the native VLAN. Result being you have two VLANs – one for your regular network and one for the guest network.
    By doing this you can even eliminate the need to have one ‘primary’ AE in NAT/Routed mode and instead manage all that on another (ahem, better) device.

  7. This page came up as a search result for Rapsberry Pi not connecting to internet using Airport Express Guest Network. I’m inexperienced when it comes to networking, but I can’t help but wonder if my issue is due to some of what you’re describing. In a nutshell, when I connect to my Airport Express network, the Pi runs fine. However, when I try to connect to the Airport Express Guest network, I get no internet connection, although connection to the router appears fine. I was hoping to connect to the Guest network using this Pi as an IoT project. Do you think this could be related to the issues you’re describing with the Guest network speed?

    • Test the Guest network with a laptop and see if it works….if it does then it’s working fine, rule out the Pi. Most likely this is not your issue since this is related to VLAN tagging, unless the Pi is tagging. Troubleshooting 101, just try the guest network as is with a laptop or other device. I’ve dumped all my airports now.

  8. came across this by coincidence.. I have three Airport Extremes wired into a cisco gateway router with VLAN 1003 configured. Works great, All three Airports are in bridge mode. Guest network appears to get full “speed” .. If I were to trade the the Extremes it would be for something with adjustable power output.

Leave a Reply

Your email address will not be published. Required fields are marked *