Trouble Setting up 2 Vlans on one AP

shclark3

I am trying to set up a Access point with 4 SSID's and 2 Vlans. I want to make a private and a IOT net. I cannot get the Vlan to operate, I never get any DHCP leases on any device so I dont know where to even start troubleshooting. I can ping the X.X.X.1 of each subnet so I know it was created.. but that's it.

Here is the AP (TPlink 650) set up:
login-to-view

Here is the netgear POE Switch Setup:
login-to-view
and the next pagelogin-to-view

Here is the Vlans created on the Netgate2100
login-to-view

I assigned the vlans
login-to-view

Then I make sure they are members of the port. The cable is coming in through port 1 and carries the two vlans from the AP on it. Port 2 is the older AP I am replacing Which still works in the configuration pictured.
login-to-view

And here is the last screenshot from ports.
login-to-view

I am at a loss Hopefully it is a silly error easily spotted in this mess. I have been looking so long I cant see the trees through the Forrest.
I also did allow all on the firewall for IOT and Trusted.. just to make sure that wasn't preventing connection.

viragomann

@shclark3
Can you remove the PVID from both VLANs on the switch?

shclark3

@viragomann No. the required naming of some sort. I am only able to call them 1, 20 or 30.

viragomann

@shclark3
PVID commonly means, that the incoming packets get tagged on the concerned port.
But both VLANs must not be tagged on the switch on either port, since the packets are already tagged by the connected devices.

johnpoz

@shclark3 you can only have 1 untagged vlan on a port.. The PVID "Port VLAN ID" is the vlan the switch or device places untagged traffic into so it knows what else to do with it.

Your netgear should tell you what vlans are tagged and which ones are not.. From what you posted I would assume vlan 1 is untagged on all 5 ports.. This is common vlan 1 is almost never tagged. But then it looks like you could have on say port 1, vlan 1 20 and 30 all untagged... Same with port 2.. this would never work.

here is a basic vlan capable switch

login-to-view

NightlyShark

@viragomann PVID means that the OUTGOING packets (going from the switch port to the cable) with a tag # of PVID get UNTAGGED. The "member of" field denotes which ports get which packets, ie what you want, since all devices concerned (AP, switch, PfSense) do not need untagged packets. So, PVID of 1 (netgear doesn't have cisco's trunk mode), 20 IOT 1 2, 30 Trusted 1 2. Untagged VLANS for both ports should be only "1". In my netgear switch, I have also removed the "1" VLAN, to prevent VLAN hopping.

viragomann

@NightlyShark said in Trouble Setting up 2 Vlans on one AP:

PVID means that the OUTGOING packets (going from the switch port to the cable) with a tag # of PVID get UNTAGGED.

Are you talking about TP-Link? So maybe this behaves somewhat different.
But on all decent switches I'm knowing, PVID instructs the switch to tag incoming packets.
For outgoing packets there is a separate setting to either hand out the packets tagged or untagged.

NightlyShark

@viragomann No, forget it, you are right... PVID is what tag gets slapped on the incoming untagged frames (from cable to switch port). Doesn't change anything, though, lucky me...

A Former User

@shclark3

Skip the last step "And here is the last screenshot from ports." Leave the ports in the default setting and give it a try.

coxhaus

@johnpoz
Don't forget all untagged packets end up on the default VLAN. If your default VLAN is 10 then all untagged traffic will end up on VLAN 10.

And to the original poster use 1 VLAN per SSID.

johnpoz

@coxhaus said in Trouble Setting up 2 Vlans on one AP:

Don't forget all untagged packets end up on the default VLAN. If your default VLAN is 10 then all untagged traffic will end up on VLAN 10.

huh?? Not sure what your talking about. The traffic will end up on the vlan you set the pvid to..

Gblenn

@shclark3 The 2100 and other models with the built in switch are new to me and seem a bit more complicated than "vanilla pfsense". But I wonder, do you really need to use 802.1q mode? As far as I understand it, you already have full VLAN capability in Port VLAN mode (default). All you need is the first section under Interfaces > VLAN and then assign them to your LAN port the way you have done it already.
What you may want to check is that you have configured each interface correctly with their individual subnets and that each DHCP server is correctly configured for the different VLANs...

Also, it may be good to know that your EAP650 is Omada compatible so you can manage that and any other Omada devices from one central UI (Omada SW Controller) which you can install on a Raspberry Pi, a PC or a VM if you want.
Going forward, if you want evolve your network and use VLAN's, I'd consider replacing the Netgear switch with an Omada switch which will simplify things greatly.

shclark3

@Gblenn I think I'm going to return the net gear. and do just that today.
I had to remove it from the equation and the AP is now just on a POE injector connected to the PF SENSE. The thing is It's still not working the way I would like it to. I have both vlans operational. However I lose the ability to access the AP. I cannot send untagged traffic to it. Whenever I add vlan1 back I am then unable to connect anything to the AP's I can configure the AP again.. but the ability to use the AP is gone. I have to then remove vlan1 and then it works again. I thought you could have one untagged member but it just doesn't seem to work that way.

Also very difficult to troubleshoot when working from home. then you have a wifi hungry wife and kids.. and well they don't like you messing with their internet.

johnpoz

@shclark3 You can for sure have 1 untagged network on an interface..

My AP management IP is like that.. they don't have a gui on them.. Because they are managed by the controler. Also on this untagged vlan.. In my setup this is vlan2 on my switch, and my APs also handle multiple ssids via tagged vlans.. But to them this untagged vlan is vlan 1 (their default).. Since this is untagged doesn't matter.. My switches manages this vlan via vlan 2 to them.

Gblenn

@shclark3 said in Trouble Setting up 2 Vlans on one AP:

@Gblenn I think I'm going to return the net gear. and do just that today.
I had to remove it from the equation and the AP is now just on a POE injector connected to the PF SENSE. The thing is It's still not working the way I would like it to. I have both vlans operational. However I lose the ability to access the AP. I cannot send untagged traffic to it. Whenever I add vlan1 back I am then unable to connect anything to the AP's I can configure the AP again.. but the ability to use the AP is gone. I have to then remove vlan1 and then it works again. I thought you could have one untagged member but it just doesn't seem to work that way.

Also very difficult to troubleshoot when working from home. then you have a wifi hungry wife and kids.. and well they don't like you messing with their internet.

I think you should try to simplify things further, and perhaps see if you can go back to VLAN Port mode on your 2100 (default settings)?
You really shouldn't have to mess with VLAN tag 1 at all in this case... Perhaps someone else can help you more with the specifics about setting up things under the Switch section on the 2100. Or check out this video... it's for an 1100 but it should be pretty much the same and may provide some assistance. I beleive when Lawrence refers to group 0 being the switch on a chip, that would be group 5 in your case??
Youtube Video

Gblenn

@johnpoz said in Trouble Setting up 2 Vlans on one AP:

@shclark3 You can for sure have 1 untagged network on an interface..

My AP management IP is like that.. they don't have a gui on them.. Because they are managed by the controler.

Yep, that is what you get with that TPLink EAP650 if you run the Omada Controller SW, and of course any Omada switches as well. So simple to manage compared to going into the UI of each single device.

NightlyShark

@shclark3

@shclark3 said in Trouble Setting up 2 Vlans on one AP:

@Gblenn I think I'm going to return the net gear. and do just that today.
I had to remove it from the equation and the AP is now just on a POE injector connected to the PF SENSE. The thing is It's still not working the way I would like it to. I have both vlans operational. However I lose the ability to access the AP. I cannot send untagged traffic to it. Whenever I add vlan1 back I am then unable to connect anything to the AP's I can configure the AP again.. but the ability to use the AP is gone. I have to then remove vlan1 and then it works again. I thought you could have one untagged member but it just doesn't seem to work that way.

Also very difficult to troubleshoot when working from home. then you have a wifi hungry wife and kids.. and well they don't like you messing with their internet.

You need to configure the Management VLAN. Iknow TP-Link has such a setting.

Gblenn

@NightlyShark said in Trouble Setting up 2 Vlans on one AP:

@shclark3

@shclark3 said in Trouble Setting up 2 Vlans on one AP:

@Gblenn I think I'm going to return the net gear. and do just that today.
I had to remove it from the equation and the AP is now just on a POE injector connected to the PF SENSE. The thing is It's still not working the way I would like it to. I have both vlans operational. However I lose the ability to access the AP. I cannot send untagged traffic to it. Whenever I add vlan1 back I am then unable to connect anything to the AP's I can configure the AP again.. but the ability to use the AP is gone. I have to then remove vlan1 and then it works again. I thought you could have one untagged member but it just doesn't seem to work that way.

Also very difficult to troubleshoot when working from home. then you have a wifi hungry wife and kids.. and well they don't like you messing with their internet.

You need to configure the Management VLAN. Iknow TP-Link has such a setting.

You don't need to, but you can if you want. Without any changes it should definitely be accessible as before via the IP it has picked up.

mcury

First, configure mvneta1 interface with an IP address in a MGMT network that you choose (not vlan). And use this same network in the switch and AP for management purposes.

Checking your screenshots, everything seems to be correct at the pfSense side.
Check your netgear, make sure the MGMT network is correct (untagged) and in the same network as mvneta1 in pfsense, check if this same port is configured to receive vlan20 and vlan30 tagged, and the downlink has the same configuration.

The port connecting pfSense to Netgear switch should be like this:
VLAN 1 Untagged (MGMT of the switch)
VLAN 20 Tagged
VLAN 30 Tagged

Netgear Switch to AP:
VLAN 1 Untagged (MGMT of the AP)
VLAN 20 Tagged
VLAN 30 tagged

Then, assign the wifi networks to use VLAN 20 and VLAN 30 respectively.