Netgate Discussion Forum

Need help to configure VLAN on my second AP

L2/Switching/VLANs
9 Posts 3 Posters 1.1k Views
    bthoven
    last edited by Aug 12, 2019, 4:14 AM

    I have Intel 4-port gigabit on my T620 Plus pfSense box. I just want to do VLAN for the first time by creating a second SSID for guest on my second AP. But can't obtain IP from pfSense.

    My set up:
    Port 1: WAN
    Port 2: LAN (connect to my TPLink Archer C9 working as AP, no problem here)
    Port 3: Openwrt AP, the main wifi SSID works fine, and I try to add another SSID for guest without success, i.e., can't obtain IP from pfSense DHCP. I followed steps in this link https://frdmtoplay.com/configuring-a-vlan-per-ssid-with-openwrt-and-pfsense/

    Anyone who has done the same on an OpenWrt AP with pfSense?

    Thank you.

      marvosa
      last edited by Aug 12, 2019, 6:40 AM

      The first question for you is what AP are you running OpenWRT on and does it support VLANs? If not, then you have your answer as to why your setup is not working.

      In the article you posted, that TL-WA801ND supports VLANs natively, so the OpenWRT works. If your AP doesn't support VLANs natively, then running custom firmware isn't going to magically enable a feature that doesn't exist.

      Once you've validated that you have an AP that supports VLANs, I would start with double-checking that you have an any/any rule on each VLAN in pfSense as well as verifying you have a DHCP scope enabled on each VLAN on pfSense.

        bthoven
        last edited by Aug 12, 2019, 7:43 AM

        Thanks. It is an Asus RT-N18U, which has VLAN support built in based on port assignment. Is that OK?

        I had DHCP enabled on pfSense for the vlan (DNS resolver too).

          JKnott @bthoven
          last edited by Aug 12, 2019, 10:44 AM

          @bthoven said in Need help to configure VLAN on my second AP:

          Is that OK?

          No. You need to use VLAN tags. Otherwise, there's no way to separate the traffic between devices. Port based VLANs do not extend to other devices.

          Here's some info:
          Virtual LAN

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...
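
The point about VLAN tags above, as an added example that is not part of the original post: a tagged frame carries a 4-byte 802.1Q header whose 12-bit VLAN ID travels with it between devices, while an untagged frame has nothing for the next device to sort on. The MAC addresses, the sample frames and the native VLAN of 1 are assumptions made for the illustration; VLAN 10 is the guest VLAN mentioned later in the thread.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def build_frame(dst, src, ethertype, payload=b"", vid=None, pcp=0):
    """Build a constructed Ethernet frame, optionally with an 802.1Q tag."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return tag details for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vid": None, "pcp": None, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "vid": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner}

def classify(frame, native_vlan=1):
    """VLAN a tag-aware port files the frame under.

    Untagged and priority-tagged (VID 0) frames fall into the port's native
    VLAN; native_vlan=1 is an assumption, not a value confirmed in the thread.
    """
    info = parse_vlan(frame)
    return info["vid"] if info["tagged"] and info["vid"] != 0 else native_vlan

# Constructed sample frames (made-up MAC addresses, dummy payload).
ROUTER = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
MAIN_FRAME = build_frame(ROUTER, CLIENT, 0x0800, b"\x00" * 46)
GUEST_FRAME = build_frame(ROUTER, CLIENT, 0x0800, b"\x00" * 46, vid=10)
PRIO_FRAME = build_frame(ROUTER, CLIENT, 0x0800, b"\x00" * 46, vid=0, pcp=5)

if __name__ == "__main__":
    for name, f in [("main", MAIN_FRAME), ("guest", GUEST_FRAME), ("prio", PRIO_FRAME)]:
        print(name, parse_vlan(f), "-> VLAN", classify(f))
```

The same parser can be pointed at the raw bytes of frames captured on the link between the AP and the firewall to confirm whether guest traffic actually leaves the AP tagged.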

            bthoven @JKnott
            last edited by bthoven Aug 13, 2019, 4:27 AM Aug 13, 2019, 4:25 AM

            @JKnott Thanks. My bad that I didn't check whether my AP supports tagged VLAN. My question, maybe a dumb one, is, with such a limitation, can I have DHCP on the AP itself (not using DHCP and DNS on pfSense)? I don't need the stronger security of pfSense because only IoT devices and guests will be on this AP, with separate subnets.

              JKnott
              last edited by Aug 13, 2019, 10:45 AM

              @bthoven said in Need help to configure VLAN on my second AP:

              can I have DHCP on the AP itself

              Only if it supports it. However, there's still the issue of separating the traffic. If the port based LAN can be used with multiple SSIDs, then perhaps you can work around it with a managed switch that separates the tagged VLANs and passes them separately to the AP. Are you sure that AP doesn't support VLAN tags?

                bthoven
                last edited by Aug 13, 2019, 11:15 AM

                I think it supports VLAN tagging. Here is the VLAN setting. Not sure it is correct.
                With this setting, I plug a cable from port 2 of the AP to pfSense (pfSense has VLAN 10 defined with DHCP and DNS resolver association, firewall rules defined too). My AP wireless associated with VLAN ID 10 can obtain the correct subnet IP from pfSense, but has no internet access. My AP main wireless (associated with VLAN ID 1??) has no problem accessing the internet.

                d14da158-085b-4379-a5e5-2309312f9c0a-image.png

                  JKnott
                  last edited by Aug 13, 2019, 1:13 PM

                  That looks more like a router than an AP. Does it support multiple SSIDs? If so, you'd configure a port to support tagged VLAN and then assign the SSIDs to the appropriate VLAN or native LAN. Some routers support guest WiFi, which allows access to the Internet, but I'm not sure that's what you want.

                    bthoven
                    last edited by bthoven Aug 15, 2019, 11:10 AM Aug 15, 2019, 11:04 AM

                    Thanks. I got it working now.
