Two VLANs set up alike, one does not get Internet

DominikHoffmann

I would appreciate anyone who could go through my configuration with me to help me figure out, where I am having a problem.

I have two VLANs (ID 39 for guests and ID 41 for employees’ personal devices). Both groups of users connect through Wi-Fi. For some reason I don’t comprehend, the Wi-Fi network with ID 41 works, but the one with ID 39 does not. When connected to VLAN ID 39, the host does not get assigned an IP through DHCP.

The Wi-Fi access points are configured through a Ubiquiti Cloud Key Gen 2 Plus. The WiFi pane looks like this:

Screenshot 2025-03-19 at 7.29.09 PM.png

The Networks pane looks like this:

Screenshot 2025-03-19 at 7.34.20 PM.png

Traffic coming from devices connecting to the APs on SSID “#####Guests” and “############ Personal Devices” are tagged with VLAN ID 39 and 41, respectively.

The network switch has tagged traffic on Ports 1, 23, 40 and 48 with those VLAN IDs. The APs are plugged into Port 23 and 48, and Port 1 is connected to LAN Port 2 of a Netgate 2100.

Screenshot 2025-03-19 at 7.39.56 PM.png

On the Netgate the interface assignments are

Screenshot 2025-03-19 at 7.50.08 PM.png

The VLAN tags of the interfaces are configured like this:

Screenshot 2025-03-19 at 7.51.31 PM.png

The port VLAN tagging is identical between the two, as well:

Screenshot 2025-03-19 at 7.53.20 PM.png

This is the configuration of the two interfaces:

Screenshot 2025-03-19 at 7.55.10 PM.png

Screenshot 2025-03-19 at 7.55.59 PM.png

DHCP for the two interfaces is very similar, as well:

Screenshot 2025-03-19 at 7.57.58 PM.png

Screenshot 2025-03-19 at 7.58.10 PM.png

Users have to go through a captive portal to be connected. Both captive portals at this point are using the same HTML code.

Screenshot 2025-03-19 at 8.03.29 PM.png

Screenshot 2025-03-19 at 8.03.41 PM.png

The other captive portal tabs are configured exactly the same between the two of them.

The firewall rules are the same, too:

Screenshot 2025-03-19 at 8.06.28 PM.png

Screenshot 2025-03-19 at 8.08.03 PM.png

Both sets of rules share these aliases:

Screenshot 2025-03-19 at 8.10.32 PM.png

I am obviously missing something. I am completely stumped.

viragomann

@DominikHoffmann said in Two VLANs set up alike, one does not get Internet:

When connected to VLAN ID 39, the host does not get assigned an IP through DHCP.

So does it work, if you state a static IP and gateway?

If yes, sniff the DHCP traffic, while connecting a device to the wifi.

Did you try different devices?

RodSlinger

I'm getting an odd situation almost exactly the same. Setup two VLANs and they work perfectly. Created a third with the same setting profiles and no internet on it.

The client does get an IP on the third VLAN and I can browse the gateway. I just can't get traffic through it. Logs aren't showing anything being blocked. It will not ping an IP beyond the gateway. Haven't pulled out Wireshark yet to see if this is a rejection or no response yet.

viragomann

@RodSlinger
Has pfSense created an outbound NAT rule for the new subnet, in case it's in automatic or hybrid mode? If it's in manual you have to add the rule by yourself of course.

RodSlinger

@RodSlinger said in Two VLANs set up alike, one does not get Internet:

I'm getting an odd situation almost exactly the same. Setup two VLANs and they work perfectly. Created a third with the same setting profiles and no internet on it.

The client does get an IP on the third VLAN and I can browse the gateway. I just can't get traffic through it. Logs aren't showing anything being blocked. It will not ping an IP beyond the gateway. Haven't pulled out Wireshark yet to see if this is a rejection or no response yet.

Disregard my issue. While similar, not really related. A reboot of pfSense fixed me. Just not sure what the hangup was. Created first VLAN and it was fine. Second one wouldn't pass traffic. After reboot the second one came right up and worked normally.