Netgate Discussion Forum

    Difficulty access the internet using my VLAN as an Guest Access Point

    General pfSense Questions
    • cxcmax (last edited by cxcmax)

      Dear Group,

      I am having some difficulty setting up my VLAN, which is connected/linked to a Wireless Access Point (TP-Link device). This is to allow access to the internet over 'VLAN ID 20' and in theory not see my LAN. There does not appear to be any access to the internet for some reason, so I need some advice/help on the possible cause.

      I am using a Netgate 2100; my main IP range for the LAN begins '192.168.XX.XX/24', which uses subnet mask '255.255.255.0', and is connected to a managed layer 2 switch, HP 1920G 24 Ports PoE. The VLAN on the HP Switch is assigned to Port 23; I have tried this as 'untagged' and 'tagged'. I can, however, from my PC (ethernet connection to the LAN) ping the IP address I assigned to VLAN ID 20 (via Netgate setup), which is address 172.16.0.1/28, with some success. My Wireless Access Point is connected to Port 23 on my Switch, the Switch is connected to my Netgate, and this is connected to my BT Broadband.

      I have gone through the instructions here, https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#figure-vlans-interface-list

      My WAN or BT Broadband is 'mvneta0', my main default LAN is 'mvneta1'.

      My VLAN setup part - VLAN ID 20 and my Parent Interface is my main LAN:
      [image: vlanConfig.png]

      My interfaces setup; this named the new interface 'OPT1', which I changed to a user-friendly name, e.g. 'AP':
      [image: Interfaces 2.png]
      [image: Interfaces.png]

      And I also mirrored or set up a basic VLAN on my HP Switch and assigned this ID 20 to Port 23 (which is what my Wireless Access Point is connected to).

      The Firewall rules I used on the Netgate:
      [image: firewall.png]

      (I came across a YouTube posting.) They indicated I should select 'Invert match'; the idea was to stop the person seeing the LAN, which is why I selected the 'LAN net' option in the dropdown menu.

      Finally, DHCP settings:
      [image: dhcp.png]

      Many thanks, any pointers greatly appreciated.

      Chris

      • bPsdTZpW @cxcmax (last edited by bPsdTZpW)

        @cxcmax Hmm, you seem to be attempting to use a single physical connection between the pfSense router and your switch for both LAN packets and VLAN packets. I'm not sure that this works.

        I recommend trying the below with your WAN disconnected and your AP restricted to connections only from a trusted device, until you get it working:

        If your AP can use VLAN tags (and you trust it to do so), you can tell it to accept and emit packets on its wired internet port with VLAN tag 20 ("tagged" mode). Then select a physical port (say igb2) on your router. Create VLAN 20 on the router with parent interface igb2. Now set up and enable the network port "VLAN 20 on igb2" on some interface, say "VLAN 20 ifc". This tells the router to expect VLAN 20-tagged packets on igb2, and to route them to the interface "VLAN 20 ifc". Then cable igb2 to your AP.

        If your AP doesn't use VLAN tags (or you don't trust it to do so -- I'm in this camp, 'cuz something might penetrate the AP), you can use two switch ports to do something similar. Connect port A (which you need to designate on the switch as an "access" (untagged) port and a member of VLAN 20) to the AP. Then connect port B (which you need to designate as a "trunk" (tagged) port and a member of VLAN 20) to igb2 on your router. What happens here is that packets from the AP enter switch port A, which tags them with VLAN 20. The switch then emits those tagged packets out port B. The router expects VLAN 20 packets on igb2, which it then routes to the interface "VLAN 20 ifc".

        Set up any firewall rules you need (such as to block access from the VLAN 20 network to your wired LAN, and possibly the other way around, too). Test those rules. Now add rules allowing VLAN 20 to access the internet, connect your WAN, and try to ping something on the internet (e.g. 1.1.1.1) from a client connected to the AP.
        • EveningStarNM

            Is there a route between the VLAN and the internet? Does it work when you disable firewall filtering in System>Advanced>Firewall?

            • JKnott

              @cxcmax said in Difficulty access the internet using my VLAN as an Guest Access Point:

              Access Point(TP Link device), this is to allow access to the internet over 'VLAN ID 20' and in theory not see my LAN. There does not appear to be any Access to the Internet for some reason, needing some advise/help on possible cause?

              Some TP-Link gear has problems with VLANs. The TP-Link AP I used to use did. What model is yours?

              @bPsdTZpW

              Hmm, you seem to be attempting to use a single physical connection between the pfSense router and your switch for both LAN packets and VLAN packets. I'm not sure that this works.

              That works fine. It's what I do here. However, TP-Link gear often has problems with VLANs.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • cxcmax @EveningStarNM

                  @eveningstarnm said in Difficulty access the internet using my VLAN as an Guest Access Point:

                  Is there a route between the VLAN and the internet? Does it work when you disable firewall filtering in System>Advanced>Firewall?

                  Sorry, not sure how to do this, and I am starting to think it's my switch that may be the root cause, as I may not be configuring this right for my VLAN 20.

                  • cxcmax @bPsdTZpW

                    @bpsdtzpw Hi

                    Apologies for my lack of knowledge here, which is most likely the reason this is not working. When I go and create the VLAN (Interfaces > Assignments), I am only able to see two ports available for me to use which I can select as the Parent: 'mvneta0' (WAN) and 'mvneta1' (LAN). The WAN is the PPPoE interface for BT Infinity. I did manage to connect to the WiFi Access Point and was able to see activity on the pfSense dashboard, under the Traffic Graphs window I set up as the 'AP'; however, when I ran an ipconfig test it showed I was still getting an IP address from my main LAN configuration 192.168.xx.xx and not the 172.16.0.1 I allocated. I tried a Windows 10 'ipconfig /release' and a 'renew' but no change. The partial success was down to me changing the Switch port settings, mainly guesswork :) changed to 'Tagged' and port type 'Trunk'; but I am really just using trial and error here, which is not ideal.

                    • cxcmax @JKnott

                      @jknott said in Difficulty access the internet using my VLAN as an Guest Access Point:

                      Some TP-Link gear has problems with VLANs. The TP-Link AP I used to use did. What model is yours.

                      Hi

                      The model is "TP-Link Omada EAP245 radio access point". There is a VLAN setting; the default is, or was, NOT enabled. My logic or thinking is that the physical connection to the switch port would dictate that it should work, but saying that, it did allow me to specify a VLAN ID, so I set this to 20, which is the VLAN I am trying to get working.

                      I must say I removed the VLAN 20 configuration from the Switch and left this as the default VLAN 1; it works, or I can access the AP with no issues and use the internet. Is the issue maybe that I am not communicating clearly with pfSense and my Switch?

                      Many thanks
                      Chris

                      • cxcmax @bPsdTZpW

                        @bpsdtzpw

                        I went through your response once more; I think I have twigged what you are meaning, plus I came across this previous article - https://forum.netgate.com/topic/143635/pfsense-and-vlan-help-hp-switch/3

                        In a nutshell it is now working. I assigned the PVID or the VLAN ID to the interface or port I use for my LAN. I tried an ipconfig command (Windows machine) and I got the IP address I allocated plus its corresponding 'Subnet Mask'. Plus, I could not see any other device on my LAN; these were hidden, which is what I was trying to achieve also. I still plan to make changes and see what happens, but I now have a better understanding of how it works.

                        Thanks, and thanks to everyone, for your replies.

                        Chris

                        • stephenw10 (Netgate Administrator)

                          I don't see any mention here of configuring the switch in the 2100 to pass the tagged VLAN 20 traffic to the HP switch. In its default mode (port based VLANs) it will pass all traffic to all ports, so it should work even if not an ideal setup. If you have changed the switch mode though, it won't pass at all until it's configured there.
                          https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html

                          Steve

                          • bPsdTZpW @stephenw10

                            @stephenw10 That's a good point. It means that probably the OP's VLAN 20 packets are getting passed around to everything on her LAN, but that only looks like it's not occurring because the hosts aren't responding to them.

                            • papdee @cxcmax

                              @cxcmax I think your setup is slightly over complicating things.
                              I don't have pfSense in front of me but the basic gist of what you need to do (and you should undo your settings):

                              1. If you have access to a cheap dumb L2 switch, swap out your managed HP switch for the time being. The cheap dumb L2 switch will simply pass through the VLAN tags unfettered, which is what you want at this point, and you can focus entirely on the pfSense and the AP. Assume the netid you are using for your VLAN2 is 10.0.2.0/24 and your pfSense is 10.0.2.1/24 and AP 10.0.2.2/24.

                              2. Create a virtual AP on your EAP 225. Call your virtual AP guest or internet_only or whatever. Set its IP to 10.0.2.2/24 and gateway and DNS to 10.0.2.1. Set its VLAN tag to 2 ( you might find the VLAN settings on your EAP 225 in a different menu option than the IP settings option ). Leave the management interface on LAN netid no VLAN. Save your settings. The AP config is now done.

                              3. Go to pfSense and create a new VLAN2 on the network adapter you are connecting to the switch. Set its IP to 10.0.2.1/24.

                              4. Go to DHCP server and add a new DHCP pool for VLAN2, e.g. 10.0.2.100 - 10.0.2.200. Set the gateway to 10.0.2.1 and DNS to 10.0.2.1.

                              5. Go to DNS (best use the forwarder as its easier) and make sure it is listening on all interfaces or highlight those interfaces you need including VLAN2.

                              !!! At this point connect to the AP using Wifi you should be able to access the internet !!!

                              6. Go to firewall and click on LAN add a new rule for IN drop VLAN2 NET. This will prevent users on VLAN2 from accessing hosts on LAN.

                              !!! At this point connecting a notebook to Wifi AP you can try to scan hosts on your LAN network which should be blocked !!!

                              7. Remove the dumb switch and reintroduce the HP managed switch. If the HP managed switch is using Comware OS then the two access ports you are connecting both the AP and pfSense into must be switched to either hybrid or trunk. Unlike Cisco IOS, Comware OS requires you to specify which VLANs can traverse the trunk port. Set it to VLAN 1 and 2 (1 is needed to access the management of the AP).

                              !!! At this point you should be able to access the internet using the HP switch !!!

                              • stephenw10 (Netgate Administrator) @papdee

                                @papdee said in Difficulty access the internet using my VLAN as an Guest Access Point:

                                If you have access to a cheap dumb L2 switch swap out your managed HP switch for the time being. The cheap dumb L2 switch will simply pass through the VLAN tags unfettered which is what you want at this point and you can focus entirely on the pfsense and the AP.

                                I would avoid doing that if at all possible. An unmanaged switch will usually pass all tagged traffic, but you cannot be sure of that until you try it. Additionally it will pass it to all ports. Any device on another port could tag its traffic and become a member of that VLAN. It's much better to use a managed switch and control where the tagged traffic goes.

                                @papdee said in Difficulty access the internet using my VLAN as an Guest Access Point:

                                Go to firewall and click on LAN add a new rule for IN drop VLAN2 NET. This will prevent users on VLAN2 from accessing hosts on LAN.

                                A firewall rule on LAN will allow or prevent hosts on LAN accessing VLAN2 but it will not prevent hosts on VLAN2 accessing LAN.
                                You need a rule on VLAN2 to prevent that. You also need a pass rule on VLAN2 to allow any traffic from wifi clients, otherwise it will all be dropped.

                                Steve

                                  • cxcmax @stephenw10
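As an added illustration of the rule-placement point stephenw10 makes above (and of the OP's 'Invert match' rule and papdee's step 6), not code from the thread or from pfSense: a small Python model of per-interface, first-match rule evaluation with default deny. The 10.0.2.0/24 guest network and 10.0.2.2 AP address are papdee's; the LAN network 192.168.1.0/24 and the host addresses are constructed.

```python
# Added example (not from the thread): toy model of how pfSense evaluates
# interface rules, showing why a block rule on LAN does not stop VLAN2
# clients reaching LAN, while the same block on the VLAN2 interface (or the
# OP's "invert match" pass rule) does. LAN 192.168.1.0/24 is an assumption.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN (masked in thread)
VLAN2_NET = ipaddress.ip_network("10.0.2.0/24")    # papdee's guest VLAN


@dataclass(frozen=True)
class Rule:
    action: str                                  # "pass" or "block"
    src: Optional[ipaddress.IPv4Network] = None  # None = any source
    dst: Optional[ipaddress.IPv4Network] = None  # None = any destination
    dst_invert: bool = False                     # pfSense "Invert match" on dst


def evaluate(rulesets: Dict[str, List[Rule]], ingress_if: str, src: str, dst: str) -> str:
    """Apply the rules of the interface the packet ENTERS on (pfSense interface
    rules are inbound), first match wins, implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rulesets.get(ingress_if, []):
        src_ok = r.src is None or s in r.src
        dst_in = r.dst is None or d in r.dst
        dst_ok = (not dst_in) if r.dst_invert else dst_in
        if src_ok and dst_ok:
            return r.action
    return "block"


PASS_ANY = Rule("pass")
# papdee step 6: block VLAN2 net on LAN, nothing yet on VLAN2 itself
LAN_BLOCK_ONLY = {"LAN": [Rule("block", src=VLAN2_NET), PASS_ANY], "VLAN2": []}
# ...plus the pass rule VLAN2 needs anyway: the LAN-side block is now bypassed
LAN_BLOCK_VLAN_PASS = {"LAN": [Rule("block", src=VLAN2_NET), PASS_ANY], "VLAN2": [PASS_ANY]}
# stephenw10's correction: block LAN net, then pass, on the VLAN2 interface
VLAN_BLOCK = {"LAN": [PASS_ANY], "VLAN2": [Rule("block", dst=LAN_NET), PASS_ANY]}
# the OP's single rule: pass from VLAN2 net to any destination that is NOT LAN net
INVERT_RULE = {"LAN": [PASS_ANY],
               "VLAN2": [Rule("pass", src=VLAN2_NET, dst=LAN_NET, dst_invert=True)]}


def outcomes(rulesets: Dict[str, List[Rule]]) -> Dict[str, str]:
    """Three constructed flows: guest WiFi client to a LAN host, guest client
    to the internet, and a LAN host initiating a connection to the AP."""
    return {
        "wifi->lan": evaluate(rulesets, "VLAN2", "10.0.2.150", "192.168.1.10"),
        "wifi->internet": evaluate(rulesets, "VLAN2", "10.0.2.150", "1.1.1.1"),
        "lan->vlan2": evaluate(rulesets, "LAN", "192.168.1.10", "10.0.2.2"),
    }
```

With LAN_BLOCK_ONLY the guest cannot reach LAN only because the empty VLAN2 ruleset drops everything, internet included; add the pass rule and the LAN-side block no longer helps.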

                                  @stephenw10

                                  Hi, and thanks to everyone also who has contributed to what must be a simple problem. I am going to go through the steps listed in the "../Switch-Overview" and give this a whirl. @stephenw10 the only thing that is confusing me a little is the LAN ports.
                                  I am only using the one port to connect to my Switch, LAN1; I assume in the example in the documentation I am basically just substituting 'LAN4' for my 'LAN1'.

                                  Chris

                                    • stephenw10 (Netgate Administrator)

                                    Yes, you can use any port as the trunk to the external switch.

                                    Steve

                                      • papdee @stephenw10

                                      @stephenw10 Relying on VLANs for security is foolhardy. VLAN hopping through a switch is easily accomplished with a few simple commands on a Linux box. VLANs were not designed for security; they were designed for segmenting networks.

                                        • stephenw10 (Netgate Administrator) @papdee

                                        @papdee said in Difficulty access the internet using my VLAN as an Guest Access Point:

                                        VLAN hopping through a switch is easily accomplished with a few simple commands on a Linux box.

                                        Can you demonstrate that? I'd like to test it if you have the commands.

                                        Steve

                                          • bPsdTZpW @papdee (last edited by bPsdTZpW)

                                          @papdee said in Difficulty access the internet using my VLAN as an Guest Access Point:

                                          @stephenw10 Relying on VLANs for security is foolhardy. VLAN hopping through a switch is easily accomplished with a few simple commands on a Linux box. VLANs were not designed for security; they were designed for segmenting networks.

                                          I think that depends on how you're using VLANs. If you depend upon hosts to tag their packets correctly [1], then yes, it's trivial to hop VLANs. If you require each host to use a specific switch port as an untagged access port that is a member of a particular VLAN, then the host should not be able to hop VLANs without a bug or misconfiguration in the switch. (Because the switch adds the VLAN tag on packets entering the access port, and removes them from packets exiting the access port). Of course "misconfiguration" could include errors involving nested VLANs and multiple switches.

                                          [1] Don't do that!

                                            • stephenw10 (Netgate Administrator)
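As an added illustration of bPsdTZpW's point above (and of the earlier reply explaining access versus trunk ports), not code from the thread or from any switch vendor: a small Python model of 802.1Q handling in which an access port classifies every incoming frame by its PVID, while a trunk accepts host-supplied tags from its allowed list. The AP on port 23 and VLAN 20 follow the original question; the router trunk on port 1, the PC on port 5 and the port names are constructed.

```python
# Added example (not from the thread): toy 802.1Q switch model showing that a
# host on an access port is pinned to that port's VLAN, while a port that
# trusts host tags lets the host pick its VLAN. Topology is constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    mode: str                # "access" (untagged) or "trunk" (tagged)
    pvid: int                # VLAN given to untagged frames arriving here
    allowed: FrozenSet[int]  # VLANs a trunk may carry (access: just {pvid})


@dataclass(frozen=True)
class Frame:
    src_port: str
    tag: Optional[int]       # 802.1Q VID the sender put on the wire, or None


def classify(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the switch assigns on ingress, or None if the frame is dropped."""
    if port.mode == "access":
        # The port's PVID wins regardless of any tag the host supplied, so the
        # host cannot choose its VLAN from an access port.
        return port.pvid
    vid = port.pvid if frame.tag is None else frame.tag
    return vid if vid in port.allowed else None   # VID not allowed on trunk


def flood(ports: Dict[str, Port], frame: Frame) -> Dict[str, Optional[int]]:
    """Ports that receive a broadcast frame, mapped to the tag it leaves with
    (None = untagged). Only ports that belong to the frame's VLAN see it."""
    vid = classify(ports[frame.src_port], frame)
    out: Dict[str, Optional[int]] = {}
    if vid is None:
        return out
    for name, p in ports.items():
        if name == frame.src_port:
            continue
        if p.mode == "access" and p.pvid == vid:
            out[name] = None                          # tag stripped on egress
        elif p.mode == "trunk" and vid in p.allowed:
            out[name] = None if vid == p.pvid else vid  # native VLAN untagged
    return out


# Constructed topology: router trunk carrying LAN (VLAN 1, native) and guest
# (VLAN 20), a wired PC on an access port in VLAN 1, the AP on port 23 in VLAN 20.
SWITCH = {
    "p1_router": Port("trunk", 1, frozenset({1, 20})),
    "p5_pc": Port("access", 1, frozenset({1})),
    "p23_ap": Port("access", 20, frozenset({20})),
}
# Same switch, but the PC port is set to trust host-supplied tags: the
# configuration the footnote "[1] Don't do that!" warns against.
SWITCH_TRUSTING_PC = dict(SWITCH, p5_pc=Port("trunk", 1, frozenset({1, 20})))


def ap_client_broadcast(sw: Dict[str, Port]) -> Dict[str, Optional[int]]:
    return flood(sw, Frame("p23_ap", None))   # untagged frame from the AP


def pc_claims_vlan20(sw: Dict[str, Port]) -> Dict[str, Optional[int]]:
    return flood(sw, Frame("p5_pc", 20))       # PC puts tag 20 on its frame
```

Auditing which ports are configured as trunks (and which VLANs each trunk allows) is the check that distinguishes the two cases: with the PC on an access port its tag is ignored and the AP never sees the frame, whereas the trusting configuration delivers it to the guest VLAN.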

                                            Mmm indeed, I would hope nobody is having hosts tag their own traffic in anything other than a test environment. Obviously that is no sort of security.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.