Need help setting up guest VLAN with AP on Cisco SG300 switch
-
Hi there,
If I set the switch port 3 to General and VLAN 40 tagged, no clients can use the guest AP. I don't know what's happening, but they refuse to connect. I enter the passphrase, but it's not successful. I've tried on Android (no error, just tries to connect and gives up after a couple of seconds) and Windows 7 ("Unable to connect" after a couple of seconds). It's not like it's waiting and then failing to receive an IP address from the DHCP. It fails a long time before it even has a chance to wait for a DHCP response, it seems.
But, my assumption is that I would want to have VLAN1 untagged on port1 and port3, and VLAN40 tagged on port1 and port3, right? The switch refuses to let me do that, though. It just falls back to setting VLAN1 as excluded on port3. No error, nothing. When I hit apply, and the page refreshes, it's back to "Excluded".
That's why my current configuration has to have port3 as VLAN40 untagged. Or else the clients can't connect. And I don't understand why :(
EDIT: if I try to set port 3 as Trunk, with VLAN1 untagged, and VLAN40 tagged, the guest clients receive an address from the LAN DHCP instead (192.168.1.x), and end up on my LAN (with full access to all devices there). Which is not what I want.
-
You sure your AP is even tagging the traffic correctly?
If your vlan is 40 and tagged and your clients are getting IP on lan from dhcp, then they are not on vlan 40..
-
Oh man, I've had the same thought myself, though. It was sort of hurting my brain here, being sure that I've got the correct config, but still not working as expected.
Any ideas on how I would go about figuring that out? Are there any tools to test a port on a switch (or AP) in that particular manner? Could I use a regular NIC on a Windows machine that supports VLAN?
-
Sorry, no exp with that AP… But it's pretty hard to F up this config..
client --- SSID -- AP -- trunk tag 40 -- switch -- trunk tag 40 -- vlan 40 pfsense
If your client is getting IP from the native untagged network on that interface pfsense vlan 40 sits on, then it's not being tagged, would seem obvious..
You can do a simple tcpdump on the physical interface on pfsense; do you see the tags when you use -e? See attached example, see the vlans 200, 600 traffic.
-
At least now I know I need to investigate what's going on in the AP end, as opposed to looking at the pfsense/switch config.
cheers, thanks for your time anyway :)
-
There was some thread a while back where the person's AP would not allow you to remove vlan 1 or always sent something untagged.. It was something really stupid that pretty much made the thing useless for any sort of different networks, even though they said it supported vlans, etc..
Let me see if I can dig up that thread - maybe it's the same AP as you're dealing with..
-
https://forum.pfsense.org/index.php?topic=139807.0
Is that what you are looking for, johnpoz?
-
Irios, you did not provide your full VLAN configuration on the AP side, but I think you need to at least check the PVID setting for the DAP-1353; it should be set manually (look at http://ftp.dlink.ru/pub/Wireless/DAP-1353/Description/DAP-1353_B1_Manual_3.00.pdf, PVID setting) and the traffic must be tagged on the Cisco.
-
Wow, that was a good thread and somewhat related, sure… But no, that's not the one I was talking about.. The one I was talking about was some specific brand of AP that didn't tag traffic or always had traffic in vlan 1 or something.. It was a crap AP that really could not do vlans at all even though it stated it could..
I had posted info right out of their manual in the thread that stated the problem with the vlans he was having...
The thread you linked to was the same sort of problem - tagged vs untagged.. Arrrggh, I can not seem to find that thread now... But you need to validate that traffic is being tagged, or pfsense is not going to see it on the vlan interface.. It would see it on the naked/native interface network.
-
Hi there, w0w and johnpoz
Unfortunately the linked PDF is for the wrong model (B1 with 3.xx firmware). I have the A1 model, which can only run 2.xx firmware.
------------
I've done a hard reset (factory defaults) of the DAP-1353, re-applied the firmware again, reconfigured it a little different, and gave it another shot.
This time I've set up the DAP-1353 with two VLANs:
- primary SSID as VLAN 1 (just a dummy VLAN, to see what happens really)
- added a secondary SSID as VLAN 40 (the guest network)
The switch:
- port1 trunk, PVID 1.
- port3 trunk, PVID 1.
Result:
It seems like the Primary SSID might be ignoring its VLAN value if you don't actually have a secondary SSID enabled (bug? flaw? feature? who knows).
The guest devices are now receiving proper guest IP addresses 192.168.40.x, and cannot ping LAN devices. But… LAN devices can still ping guests hm (I guess this is a firewall rule I need to set up?).
New problem:
If I run speedtest.net (Ookla) on my laptops (on wireless guest network), it works fine. I get decent DL and UL speeds.
But all Android devices (tested 3 phones) cannot upload (at all) using the Ookla Speedtest app (or any other speedtest app). Seems like they are not able to send traffic. Browsing the web seems to work fine, though. So some data might trickle through, hmmm.
"tcpdump -i em0 -e" on pfSense shows this when running Ookla Speedtest (while downloading) on an Android device:
I wish I could show a similar tcpdump when Speedtest is uploading, but there's really nothing going on, except a few VLAN 40 packets here and there.
Can the tcpdump only show stuff related to a particular android device? Would make it easier to troubleshoot, as the screen is flooded with regular non-related network traffic.
-
Yes, tcpdump can be filtered down to a specific machine.. But since you see your tags now, you could just use the gui to capture and not have to use tcpdump at the prompt - the only reason to use the prompt is the gui does not have a way to show the layer 2 info that the -e does…
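To make the two checks johnpoz describes concrete (are the AP's frames actually carrying an 802.1Q tag, and how do you narrow a capture to one client), here is an added example that is not part of this thread. It is a small Python decoder for raw Ethernet frames: it reads the 802.1Q tag the way `tcpdump -e` displays it, reports which source MACs sent untagged frames (those are the ones that would land on the switch port's PVID/native network, which is the 192.168.1.x symptom from the first post), and can restrict the summary to a single client MAC. The sample frames and MAC addresses are constructed for the example; they are not from the original capture.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and an optional 802.1Q tag.

    Returns src/dst MAC, the VLAN ID (None when the frame is untagged),
    the inner ethertype and the payload. Raises ValueError on truncation.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": etype, "payload": frame[offset:]}


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build a test frame, tagged when vlan is given (only used to fabricate samples)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def summarize(frames, src_filter=None):
    """Count frames per (source MAC, VLAN). src_filter narrows to one client,
    the same thing 'ether src <mac>' does in a tcpdump expression."""
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        if src_filter and p["src"] != src_filter.lower():
            continue
        counts[(p["src"], p["vlan"])] += 1
    return counts


def untagged_sources(frames):
    """Sources that sent at least one untagged frame. On a trunk/general port such
    frames are placed in the port's PVID (native) VLAN, not the guest VLAN."""
    return sorted({parse_frame(f)["src"] for f in frames if parse_frame(f)["vlan"] is None})


def tcpdump_filter(vlan_id, src_mac):
    """The equivalent capture expression for tcpdump -e on the physical interface."""
    return f"vlan {vlan_id} and ether src {src_mac.lower()}"


# Constructed sample traffic (locally administered MACs, not real devices).
PHONE = "02:00:00:00:00:01"
LAPTOP = "02:00:00:00:00:02"
GATEWAY = "02:00:00:00:00:ff"
IPV4_STUB = b"\x45" + b"\x00" * 19  # minimal IPv4 header placeholder

SAMPLE_FRAMES = [
    build_frame(GATEWAY, PHONE, ETHERTYPE_IPV4, IPV4_STUB, vlan=40),
    build_frame(GATEWAY, PHONE, ETHERTYPE_IPV4, IPV4_STUB, vlan=40),
    build_frame("ff:ff:ff:ff:ff:ff", LAPTOP, ETHERTYPE_ARP, b"\x00" * 28),  # untagged ARP
    build_frame(GATEWAY, LAPTOP, ETHERTYPE_IPV4, IPV4_STUB, vlan=40),
]

if __name__ == "__main__":
    for (src, vlan), n in sorted(summarize(SAMPLE_FRAMES).items()):
        print(f"{src}  vlan={'untagged' if vlan is None else vlan}  frames={n}")
    print("sources leaking untagged frames:", untagged_sources(SAMPLE_FRAMES))
    print("tcpdump expression:", tcpdump_filter(40, PHONE))
```

Feeding the decoder real frames means reading them from a pcap (for instance with the standard `struct`-based pcap record parsing or a library such as scapy); the parser itself only cares about the first 18 bytes of each frame. A client that shows up only under `untagged` in the summary is the AP's fault, not the switch's or pfSense's, which is the split this thread spends most of its time establishing.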
-
For troubleshooting, I've plugged a windows computer directly into the switch port3 (guest) and set the NIC drivers to VLAN40. This confirms that pfSense/switch is setup correctly, so I don't have to worry about that end at least.
I had another go at tcpdump and put it into notepad++ to filter away unrelated entries, but I'm still not sure what I'm looking at. There's definitely some outgoing traffic in VLAN40 from my Android devices, but it's just very little of it. Some of it is directed at the server used for bandwidth testing, but not much traffic at all. It seems like the AP is "throttling"/discarding/dropping traffic, resulting in a very slow (none) upload speed. As mentioned, web surfing works fine.
I'm starting to think there may be an issue with the radio firmware on the DAP-1353, making it unsuitable/incompatible with these Android devices. Let's just face it: it's perhaps just a shit AP. It's old. And was inexpensive at the time.
I'm not going to spend a single second troubleshooting this anymore without an alternative AP that can do VLAN, though. I've probably spent over 100 hours so far, and I'm getting really fed up. I'm just gonna order another AP. My WAP121 should arrive tomorrow. If this AP behaves differently (better), at least I know it's the DAP-1353 at fault. I'll post the outcome in this thread for future reference in case someone else has the same issue with the DAP-1353.
Thanks for the halp so far. It's very much appreciated :)
-
Not the AP I would have ordered.. It's only 2.4 and only has a 10/100 interface… Why would you not have gone with a unifi UAP-AC-Lite? It's dual, gig, comes with your poe injector, all for $80... Looks like about the same price as that 121 at amazon with the addition of the poe injector..
That for sure I can promise you works with vlans, shoot you can even setup dynamic assigned vlans with radius server that is part of pfsense. They are working on MAB, but still seems to be a work in progress.
-
Thanks for the feedback. I'll probably go for a UniFi for the main AP here if I decide to get rid of my Asus RT-AC66U at some point (might donate it to someone in the family). I picked this Cisco AP because it was on sale at a local shop here, at roughly 40USD. And because I have some experience with my Cisco switches, I figured it would be good to see how some of their other products work as well.
The guest AP only needs to be 2.4GHz anyway. It's for AirBNB tenants, and throughout the years I have been providing both 2.4GHz and 5GHz, and they hardly ever use the 5GHz anyway (maybe one or two tenants have used 5GHz). Even though there are two SSIDs, they always end up using the 2.4GHz SSID. Dunno why they all go for 2.4GHz really, but it's probably because it's printed first in the how-to on the wall in the AirBNB apartment.
-
"Even though there are two SSIDs"
"Dunno why they all go for 2.4GHz really"
Users are stupid ;) is why hehehehe. Just give them the one ssid and let the client do 2.4 or 5 on its own, or with unifi you can do band steering to get the client over to 5 ;) If you really want to be nice about it, post up the common one and then put say _24 and _5 on the end for anyone that has some crappy ass client that has problems with the combo ssid..
If you're only going to run 1 SSID, or even multiple SSIDs that connect to the same network, you really don't even need an AP that does vlans… Just let the switch do all traffic on that port on whatever vlan you want to use on pfsense.. The AP only needs to be vlan capable when you want to run different SSIDs on different vlans.. If all your wifi clients are going to be on the same network it doesn't matter if the AP can tag or not - you can just set the switch to tag it for you to pfsense so pfsense can put that on a different network than other networks.
You could do it old school/Jury Rig, MacGyver way with AP 1 on vlan X, and AP 2 on vlan Y, etc..
-
DAP-1353 a1 sets PVID automatically to 1, as I understand from some old FAQ for some similar models. They suggest using VLAN1 as the management untagged VLAN, but any other you create should be tagged. Anyway, I also think that it's better to buy something better than that old DLINK AP that has the VLAN feature just for marketing purposes ;D it does not have to work properly in this case.
-
Ok, I just got my Cisco WAP121… and everything is running super smooth. When you fire up the AP the first time, you are presented with a config wizard; I simply entered VLAN 40 when it asks for the wireless VLAN. Didn't have to touch anything else. And now everything works perfectly. This makes me positive the D-Link DAP-1353 is either broken, bugged, or doesn't comply with the networking standards.
At least the time spent on this "project" wasn't entirely wasted. I've honed my VLAN'ing skills, and learned a couple of new tricks :)
"AP only needs to be vlan capable when you want to run different SSIDs on different vlans"
I figured I'd need VLAN to separate the web interface from the guests, so I'd be able to config/snmp without having to access their network directly. Could this be done differently, even without VLANs?