guest network does not work when bridging airport express to extreme

What's different between the test and work and your home config? At home, does your "main" base station do PPPoE?

For those who are seeing the problem where Google sites load and other sites don't when you're associated to the Guest Network on the Extender base station, I have an idea for a brief experiment to figure out what the underlying problem is, so Apple will have a more concrete bug description to work with.

This experiment is only for those who see Google sites load, but most other sites do not load. If you have a problem where no sites load at all, this experiment is not for you.

On your Mac that you're using as the Guest Network Extension test client, as a temporary test, try adjusting your MTU down from 1500 to something much lower like 1420. You can do this in "System Preferences > Network > Wi-Fi > Advanced > Hardware", by changing "Configure:" from Automatic to Manually, and by changing MTU from "Standard (1500)" to Custom, and typing in 1420. Then hit "OK" to dismiss the sheet and then "Apply" to make the MTU change take effect.

See if that lets you connect to sites besides Google. Unlike most websites, Google automatically limits their TCP MSS (Maximum Segment Size; kind of like a TCP-layer equivalent to the IP-layer concept of an MTU) to 1380, which would be equivalent to an IP-layer MTU of 1420. This might be why you can get to Google but not other sites, which use the much more common default MSS of 1460.

If that lets you surf the web fine from the guest network of the extender base station, then there may be an issue where something's not controlling the MTU or the MSS correctly. So your client might be trying to send full-sized 1500-byte MTU frames that, unbeknownst to it, are too big for one of the network links between it and "the Internet". These frames might be getting dropped or corrupted in a way that keep the client machine from being able to discover that it needs to use a smaller MTU.

If 1420 works, then try 1492. If 1492 also works, try 1496.

If MTU's up to and including 1492 work, but 1493+ don't work, then you probably have a PPPoE link involved in your broadband connection, and something's going wrong with MTU or MSS control involving the combination of the PPPoE link and Guest Network Extension.

If MTUs up to and including 1496 work but 1497-1500 don't, then something may be going wrong involving MTUs for VLAN-tagged frames (Apple uses VLAN tagging to separate Guest Network Extension traffice from your main LAN traffic on the connection between the extender and the main AP).

This test could probably be done in less than 15 minutes:

1. Reproduce the problem without changing anything. Join the Guest Network of the extender base station (your AirPort Express) and confirm that google.com loads but other websites don't.
2. Set the 1420 MTU on the Wi-Fi interface of your Mac test client. Try to load a few webpages including Google.com and others. If the other pages still don't load, you're done. This problem probably isn't related to MTU's or MSS's.
3. If 1420 worked, then the problem is related to MTU's or MSS's. Set your Mac to a 1492 MTU. Try to load a few webpages including Google and others. If the other pages don't load anymore, you're done. This problem is MTU related, but might not be specific to PPPoE or VLAN tagging (or your ISP requires an even smaller PPPoE MTU than usual).
4. If 1492 worked, try 1496. Try to load a few webpages including Google and others. If the other pages don't load anymore, this means the problem is related PPPoE MTU's. If they still work, then it means the problem is likely related to VLAN tagging's effects on MTU/MSS. Either way you're done. I suppose you could try 1497 just for giggles, but if 1496 works and 1500 doesn't, 1497 will most likely fail just like 1500, and it still points to MTU problems related to VLAN tagging.

I think you are on to something. 1496 MTU works, but 1497 MTU and higher does not work for most sites other than google.

I can also confirm this. 1496 works, but above that nothing but google.

Spiff,

That's some good detective work!

I thought I'd add a little more related info that others may find helpful. In my initial attempts I wasn't getting as far as those who could only access Google sites.

I have an Airport Extreme 5th Gen as my primary router. I also have another Extreme 5th gen and 4th gen, plus three Airport Express 4th gen, all in bridge mode.

At first, my ethernet bridged Airport Extreme and Airport Express would not acquire DHCP for devices on guest networks. I tried using a static IP in the guest network range when connecting, but that didn't get me anywhere. The guest network on a bridged device was basically useless.

I figured it had something to do with switches between my bridged Airports and the primary Airport Extreme. Your post made me realize I needed to add the guest network VLAN (1003) to my switches and enable it for all Airport and switch ports.

I did that, and the guest network on the bridged Extreme 5th gen and 4th gen began working properly. (Both have two network switches between them and the primary Airport Extreme.)

On the ethernet bridged Airport Express (all 3 of them), I have the problem where clients can only connect to Google (and a few other select) sites. So I assume that this MTU problem is specific to the Airport Express in bridged ethernet mode.

Just to provide some additional info ... my switches are all smart switches ... several D-Link DGS-1210-24 .... and two different Cisco 8 port models. So adding the VLAN configuration was easy.

I might try patching one of the Airport Express directly into the primary Airport Extreme ... bypass switches .. and see if that makes a diference.

Since the Extreme handles this fine in bridged mode, hopefully this is something Apple can easily fix in the next update for the Express.

Follow-up. I bridged one of my Airport Express directly to the Airport Extreme without going through any switches. It still has the Google-only/MTU problem on the bridged guest network.

Airport Extreme 4th gen and 5th gen have no problem bridging guest network with the same primary Airport Extreme (if switch in between, VLAN 1003 must be enabled for ports in the smart switch), but Airport Express cannot bridge.

I am not using PPPoE ... straight DHCP.

Indeed, well done, Spiff.

I have an Airport Express (2nd gen) bridging an Airport Extreme (5th gen) and my guest network exhibited all the symptoms you describe for MTU problems with VLAN tagging (whatever that means 🙂).

On the extended guest network, at 1496 MTU and below, all sites work, but at 1497 and above, only the Google works.

Too bad I can't adjust MTU on my iOS devices - or can I?

Im experiencing a very similar situation with our Gen 5 Extreme and guest network. I'm not even trying to extend it i just want to enable guest access but whilst in bridge mode but i can't get any DHCP pass through from our internal Windows 2003 DHCP server.

Even if i enter static IP address details it shows as connected it still doesn't work in shape or form, i can't adjust the MTU seeting on the wireless devices iPads, phones etc as there are too many and they keep changing.

Come on Apple pull your finger :-D

Imagine Admin,

What you're trying to do will not work (for more fundamental reasons than the problems discussed in this thread).

The purpose of a guest network is to give the guests access to the internet without allowing access to other computers on your local network. As such, guests should not be able to talk to your DHCP server by design ... and even if you manually assign an IP address, the guests will not be able to talk to the existing router on your network, again, by design. It doesn't matter if you adjust MTU ... the guests are on VLAN 1003 and would only be able to talk to each other or any other device you managed to connect which operating on that same VLAN.

Basically if you are in bridge mode, the guest network feature will only work over the bridge if your main router is an Airport with guest networking enabled. Otherwise there is no router for the guest network to be bridged to.

I would not expect that to change.

The MTU problem is when an Airport Express is attempting to bridge a guest network where the main router is an Airport Extreme. That configuration should work, but for many of us it does not.

If you wanted to go crazy ... you could add another network card to your Windows 2003 Server and configure it for VLAN ID 1003. That card will be able to talk to devices on the guest network ... and guest DHCP clients should be able to send requests to your DHCP server over that network ... where you go from there with your routing at that point is up to you (internet sharing for clients on that adapter configured in W2K3 maybe?) Good luck if you pursue that path...it makes my head spin thinking about it.

Thank you for confirming my suspissions :-D

You make perfect sense and if i fancy loosing my mind i may look into the second network card option but for now i'll leave it be :-D

Spiff, are you aware of any way to adjust these same settings in iOS devices (iPhone or iPad)? Your suggestion worked for me on my MacBook.

Did anybody ever file a bug report with Apple about this problem?

Excellent news...and confirmed that it is working for me now too with 7.6.4.

Fingers crossed nothing important was broken!

Here it's still not working. (7.6.4)

I use "radius" WPA/WPA2 Enterprice as default and WPA/WPA Personal as guest network.

Still get no IP (dhcp) on the "simple personal" clients

(Redeye remote)

(Ecobee heater)

(iPhone/iPad)

But my PC can connect to the Personal network and did receive a DHCP IP?

pff.. looks a simple bugto me :-)