Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Netgate 4200 : Multiple VLANs Coming from Multiple APs

    Scheduled Pinned Locked Moved L2/Switching/VLANs
    6 Posts 3 Posters 354 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      camiragate
      last edited by camiragate

      Hi, all-

      I have 3 APs (Juniper Mist AP45) that carry the same (4) VLANs - separate VLAN for each SSID. We'll call them VLAN1, 2 3 and 4

      Each AP is plugged into the same Netgear MS108EUP (cheap/cheerful L3 w PoE)

      The Netgear MS108EUP Port 1 is my uplink and goes to Port 2 (igc2) of the Netgate 4200

      The Netgate 4200 ports are as follows:
      Port 1(igc3) : WAN
      Port 2(igc2) : Netgear MS108EUP
      Port 3(igc1) : Netgear GS752TPV2 (L3 switch)
      Port 4(igc0) : NAS

      I'm looking to provide each VLAN full access to Port1-WAN and ultimately to the same VLAN on the other Netgate 4200 ports. Assume that each Netgate 4200 port should carry every VLAN.

      Grok has had me setting up bridges. One bridge for the physical interafaces (igc0-igc2) and then a separate bridge for each VLAN, again, covering all interfaces. E.g. VLAN2BRIDGE is VLAN2Port2+VLAN2Port3+VLAN2Port4

      After configuring the VLANs on the switches, VLAN1/Untagged works fine. The other VLANs 2-4 will pickup DHCP (UDP broadcast) info but there is no return traffic, i.e. I cannot ping from the Netgate 4200 to the device and I certainly can't ping from the device to the gateway or the internet. ARP table on teh Netgate 4200 sees the device. No return path. FW rules are confirmed to allow any-to-any (for testing).

      I suspect Grok has gone sideways on me and all of these bridges are causing L2 routing issues.

      Any guidance warmly appreciated.

      keyserK 1 Reply Last reply Reply Quote 0
      • M Offline
        Mission-Ghost
        last edited by Mission-Ghost

        I have a 4200 connected to a tp-link switch, but previously to a Netgear gs308ep, and two wans and never used bridging. My network has four access points and two more switches connected to the core switch linked to the 4200 in router-on-a-stick topology. We have a couple of dozen endpoints total, wired and wireless.

        I created my six vlans and assigned them to the parent interface LAN on igc1 and pfsense routes traffic to allow or restrict traffic between them and the two wans (Starlink and T-Mobile Home Internet configured in failover) using rules. It works very well for me.

        I find AI is often wrong but never in doubt. It’s been useful to me for pathways to explore but seldom correct on a step by step basis.

        C 1 Reply Last reply Reply Quote 0
        • keyserK Offline
          keyser Rebel Alliance @camiragate
          last edited by keyser

          @camiragate The Netgate 4200 ports are all individual NICs that are intended to be used as different pfSense network interfaces - that is: Not intended to carry the same VLAN. The only pfSense boxes that are designed to have the same VLAN present on multiple ports are the ones with built in switches (Netgate 2100).

          And that’s the point: Switches makes one/more VLAN available on several ports, Firewall/routers are not switches and only make them available on one port because switching is an intirely different game than routing.

          The tricky part is pfSense has a “builtin” software feature that makes a software (NOT hardware) switch out of multiple ports. It called a bridge. In my opinion they should remove that feature across physical ports as it is very very finicky and limited in both performance and features that actually works. Stay away from using software bridging in pfSense!

          Proper network design dictates how these situations should be handled, and to follow that you should:

          • Carry all VLANs across ONE link to a VLAN capable switch.
          • Connect everything to that switch in the appropriate vlan(s) - both your NAS, AP’s and so on.
          • If one NICs bandwidth is a concern, then create a LAGG (Link aggregation) which logically bundles two or more physical links into ONE. I would advise creating the LAGG as a LACP bond as I’m sure your Netgear switches also supports LACP bonding of multiple ports.

          Note: You should only create a LAGG it if you really think its necessary in terms of added bandwidth or link faulttolerance. In your case I highly doubt it’s worth the trouble.

          EDIT: The troubles you are seeing regarding Internet access and DHCP not working is VERY likely because of issues with the software bridge.
          Once you create the setup like I explained (no bridges), each VLAN will work as intended with DHCP from pfSense, and if your firewall rules allow it: Routing between VLANs and also provide internet access through WAN.

          Love the no fuss of using the official appliances :-)

          C 1 Reply Last reply Reply Quote 1
          • C Offline
            camiragate @Mission-Ghost
            last edited by

            @Mission-Ghost Appreciated. That makes sense. Looks like Grok "sold me a bridge" Hahaha.

            1 Reply Last reply Reply Quote 0
            • C Offline
              camiragate @keyser
              last edited by

              @keyser I get it now. Appreciate the detail. Will re-config this weekend.

              1 Reply Last reply Reply Quote 1
              • C Offline
                camiragate
                last edited by

                Quick update that the advice above worked great.

                Stripped out those bridges and re-architected all APs and switches across one link. 5 total VLANs.

                Unexpected benefit was what seemed like at least a 20% bump in overall performance from the 4200.

                Note: Also took the opp to upgrade the 4200 w a SSD so that it's now a "Max"- maybe that helped w perf, too.

                1 Reply Last reply Reply Quote 2
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.