Netgate Discussion Forum

    I can't access AP with VLANs

      kipTry

      Hi,

      I have this setup:

      pfSense port 3 (192.168.3.1) -> AP (192.168.3.2) -> VLAN 10 (Wifi - 192.168.4.1/24), VLAN 20 (Wifi Guests - 192.168.5.1/24).

      Everything is working well, but I can't access the AP portal (setup wireless, accounts, etc.) when I'm connected to vlan10 or vlan20. What do I have to do?

      Thanks.

        heper

        So pfSense is not involved with the VLANs? Your AP is managing the VLANs?

        ==> check your AP manual on how to allow administrative access on the vlans

          kipTry

          I did this:
          AP:
          1. Static ip: 192.168.3.2
          2. Gateway: 192.168.3.1
          3. DHCP disabled
          4. VLAN 10 assigned to SSID "Wifi". VLAN 20 assigned to SSID "Wifi Guests".

          pfSense:
          1. Interface AP (port in pfSense): 192.168.3.1/24. DHCP disabled
          2. Interfaces > Vlans: Add vlans 10 and 20 linked with Interface AP
          3. Assign interfaces "vlan10 to Wifi" and "vlan20 to Wifi guest". DHCP enabled (192.168.4.1/24 - wifi, 192.168.5.1/24 wifi guest).
          4. Firewall: The same rule for 3 interfaces AP, Wifi and Wifi guest -> proto: ipv4; source: interface (ap, wifi, wifi guest) net; destination, port, gateway: *

          I connect to the "Wifi" network, I get the IP 192.138.4.2 and I have internet. But I want to access the AP portal (192.168.3.2).

          Thanks!

            Derelict LAYER 8 Netgate

            Can pfSense ping 192.168.3.2?

            From what I can tell, either the AP only allows access to the config page from 192.168.3.0/24 or the switchport isn't properly dealing with tagged and untagged traffic mixed.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              kipTry

              This is my setup:

              Modem is in bridge mode.
              PfSense has 4 interfaces: igb0 to 3.
              Interfaces:

              • WAN: PPPOE0(igb0)

              • LAN: igb1. Address: 192.168.2.1/24. DHCP Enabled.

              • AP: igb2. Address: 192.168.3.1/24. DHCP Disabled. Access Point: 192.168.3.2.

              • AP_WiFi: VLAN 10 on igb2 (Wifi). Address: 192.168.4.1/24. DHCP Enabled.

              • AP_Guests: VLAN 20 on igb2 (Wifi_Guests). Address: 192.168.5.1/24. DHCP Enabled.

              • DMZ: igb3. Address: 192.168.6.1/24.  DHCP Enabled.

              Problem: If I'm not in subnet 192.168.3.1/24 I can't access the AP portal (192.168.3.2). What can I do?

              I can't ping from 192.168.2.2 (my laptop) to 192.168.3.2 (AP portal) and I don't know why… I'm checking firewall rules.

              What do you think about the design? Is it correct?

                heper

                Do the wireless SSIDs work? Can the wireless clients connect to LAN devices? Are your firewall rules correct?

                If all above = YES

                ==> Did you fill in the gateway IP (192.168.3.1) into the AP webgui/configuration?

                  firewalluser

                  @heper:

                  So pfSense is not involved with the VLANs? Your AP is managing the VLANs?

                  ==> check your AP manual on how to allow administrative access on the vlans

                  Does the AP support vlans?

                  Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                  Asch Conformity, mainly the blind leading the blind.

                    Derelict LAYER 8 Netgate

                    I do not like mixing tagged and untagged traffic on a port.

                    However I know Ubiquiti's can be easier to manage if you just leave the management interface untagged.  You have not mentioned what AP you are using, I don't think.

                    It all looks right.  You should probably post up your firewall rules for AP and Wifi.

                    If those are correct, I would look at the AP administration config to see if the AP itself is limiting access to the admin pages from other networks.

                      kipTry

                      OK, I'm sorry guys…

                      I did everything again and I found this option: "Allow remote access - Remote access allows you to manage the AP from the Internet or from a different LAN. To enable remote access, the gateway device needs to be properly configured, such as opening a port for the corresponding IP address of the AP."

                      I didn't check that option the first time. Now it's running well ;)

                      Thanks! At least, I checked my design with you. I hope this will be useful for other users. Now I have to focus on rules ;)
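Added example, not part of the thread: with the AP's "Allow remote access" option enabled, the only thing between the guest SSID and the AP admin portal is the pfSense rule set, and the rule posted above (source: interface net, destination: any) passes that traffic. The sketch below models pfSense interface-tab evaluation (first match wins, default deny) over the thread's subnets; the client addresses and the tightened guest rule set are assumptions made for illustration, and it models the firewall decision only, not the AP's own access setting.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
AP_PORTAL = "192.168.3.2"  # AP management address from the thread
# Interface subnets as posted in the thread.
NETS = {
    "AP": ipaddress.ip_network("192.168.3.0/24"),
    "AP_WiFi": ipaddress.ip_network("192.168.4.0/24"),
    "AP_Guests": ipaddress.ip_network("192.168.5.0/24"),
}

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def evaluate(rules, src, dst):
    """Interface-tab semantics: first matching rule wins, no match is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "block"

def posted_rules(iface):
    # The rule described in the thread: source = interface net, destination = any.
    return [Rule("pass", NETS[iface], ANY)]

def tightened_guest_rules():
    # Hypothetical tightening (assumption, not from the thread): deny the AP
    # management subnet first, then allow everything else.
    return [Rule("block", NETS["AP_Guests"], NETS["AP"]),
            Rule("pass", NETS["AP_Guests"], ANY)]

def portal_reachable_from(rulesets, clients):
    """Return the interfaces whose sample client is passed to the AP portal."""
    return sorted(i for i, r in rulesets.items()
                  if evaluate(r, clients[i], AP_PORTAL) == "pass")

# Constructed sample client addresses, one per wireless network.
CLIENTS = {"AP_WiFi": "192.168.4.2", "AP_Guests": "192.168.5.2"}

if __name__ == "__main__":
    before = {i: posted_rules(i) for i in CLIENTS}
    after = dict(before, AP_Guests=tightened_guest_rules())
    print("posted rules:   ", portal_reachable_from(before, CLIENTS))
    print("tightened rules:", portal_reachable_from(after, CLIENTS))
```

Rule order matters here: the block entry has to sit above the pass entry on the guest interface, because evaluation stops at the first match.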
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.