Access point with VLAN - no LAN connection
-
Hello.
I have VLAN capable AP (TL-WA1201) on which I have main vlan 1 and additional 10 and 20.
It is connected to VLAN capable switch (TL-SG1016DE) on port 3.
pfsense box is connected to the same switch on port 1.
With switch configured like this:
Devices connected to the VLAN'ed (20) SSID are getting an IP from the proper range (192.168.20.0) - so far so good. The problem is that those devices can't connect to the DNS server, which sits on VLAN 1 (192.168.0.10, switch port 8).
In fact, I can't connect to any IP from LAN (192.168.0.0). pfsense config for vlan20:
System log seems to say, that pfsense is allowing traffic to LAN:
What could be the problem here? Did I miss something obvious?
-
First off, it sounds like you're using TP-Link gear. Some TP-Link models don't do VLANs properly. That aside, can you ping between VLANs? If not, you will have to add a rule that allows you to get to one VLAN from another.
-
As JKnott mentioned, there are numerous posts about TP-Link gear not functioning as expected with regards to VLANs. First order of business for me would be moving away from that TP-Link switch.
Either way, moving forward I would leave the parent adapter unassigned, remove VLAN 1 from the tagged list on your switch, and use VLANs for all your subnets.
-
Hello.
Thank you guys for answers.
I think I've isolated the issue.
When connected to the VLAN'ed SSID, I'm losing a lot of packets in general, both to WAN and LAN.
When I open the monitoring page on the switch console, I can see lots of RxBadPkt:
@marvosa thanks for the suggestion. For me to understand: your idea is to use VLAN IDs > 1 for all SSIDs and effectively use VLANs instead of LAN in pfsense. Is that right?
-
@sirkorro
The short answer is yes. Assign your SSIDs... and all your subnets for that matter... to VLANs > 1. VLAN 1 is the default native VLAN and is used for untagged traffic. If you use VLAN 1 at all, it should be for management purposes only. However, best practice is not to use VLAN 1, which is why it was suggested to leave the parent adapter unassigned.
Regarding the incrementing RxBadPkt and packet loss issue, outside of failing hardware or a cabling issue, I genuinely believe moving off that TP-Link will resolve most (if not all) of your problems. Not only has it been discussed in these forums, but a quick search shows various posts on the TP-Link forums also when it comes to VLANs.
If you go forward with the existing switch, your only resolution may be hoping TP-Link addresses their VLAN issues with an upcoming firmware update.
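Added example for this thread (not code from any poster, nor from TP-Link or pfSense): a small Python model of 802.1Q forwarding on a managed switch, with PVID, tagged/untagged membership, ingress filtering and MAC learning. The port layout is an assumption taken from the thread (port 1 = pfSense, port 3 = the AP, port 8 = the DNS host on the LAN subnet); the MAC addresses and payload are constructed. It traces a frame from a client on the VLAN 20 SSID to the pfSense VLAN 20 gateway, the routed reply leaving untagged on the LAN, and shows that the same client frame has nowhere to go when the pfSense port is not a tagged member of VLAN 20. The `audit` function implements the "remove VLAN 1 from the tagged list" advice given above.

```python
"""802.1Q forwarding model: PVID, tagged/untagged membership, ingress filtering.

Added example, not code from any poster, TP-Link or pfSense. Port numbers
below are an assumption based on the thread; MACs and payload are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Raw Ethernet bytes; an 802.1Q tag (TPID + TCI) is inserted when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload). No padding/FCS modelled."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype, = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:            # tagged: 4 extra bytes before the real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, frame[off:]


class Port:
    def __init__(self, pvid, tagged=(), untagged=None):
        self.pvid = pvid                   # VLAN assigned to frames that arrive untagged
        self.tagged = set(tagged)          # VLANs sent with a tag on egress
        self.untagged = set(untagged) if untagged is not None else {pvid}

    def members(self):
        return self.tagged | self.untagged


class Switch:
    def __init__(self, ports):
        self.ports = ports                 # {port_no: Port}
        self.fdb = {}                      # (vid, mac) -> port_no, learned on ingress

    def forward(self, in_port, frame):
        """Apply ingress rules, then return {out_port: frame} after egress rules."""
        p = self.ports[in_port]
        dst, src, vid, et, payload = parse_frame(frame)
        if vid is None:
            vid = p.pvid                   # untagged frame takes the port's PVID
        if vid not in p.members():
            return {}                      # ingress filtering: port not in that VLAN
        self.fdb[(vid, src)] = in_port
        known = self.fdb.get((vid, dst))
        targets = [known] if known is not None else list(self.ports)   # unknown dst: flood
        out = {}
        for n in targets:
            q = self.ports[n]
            if n == in_port or vid not in q.members():
                continue
            # tag is kept only on ports where this VLAN is a tagged member
            out[n] = build_frame(dst, src, et, payload, vid=vid if vid in q.tagged else None)
        return out


def lan_switch(pfsense_vlans=(10, 20)):
    """Assumed layout from the thread: 1 = pfSense, 3 = AP, 8 = DNS host."""
    return Switch({
        1: Port(pvid=1, tagged=pfsense_vlans),  # LAN untagged + VLAN trunks to pfSense
        3: Port(pvid=1, tagged=(10, 20)),       # AP trunk carrying the SSID VLANs
        8: Port(pvid=1),                        # access port on the LAN subnet
    })


# constructed addresses and payload (not captured traffic)
CLIENT, GW_VLAN20 = "02:00:00:00:20:01", "02:00:00:00:20:fe"
GW_LAN, DNS = "02:00:00:00:01:fe", "02:00:00:00:01:0a"
PAYLOAD = b"constructed dns query"


def wifi_client_to_gateway(sw):
    """Client on the VLAN 20 SSID -> AP emits it tagged 20 on port 3. {port: vid}"""
    f = build_frame(GW_VLAN20, CLIENT, ETH_IPV4, PAYLOAD, vid=20)
    return {n: parse_frame(x)[2] for n, x in sw.forward(3, f).items()}


def gateway_reply_to_client(sw):
    """pfSense answers on its VLAN 20 interface; the FDB already knows the client."""
    f = build_frame(CLIENT, GW_VLAN20, ETH_IPV4, PAYLOAD, vid=20)
    return {n: parse_frame(x)[2] for n, x in sw.forward(1, f).items()}


def gateway_to_dns(sw):
    """After routing, pfSense sends on its LAN (parent) interface: untagged, VLAN 1."""
    f = build_frame(DNS, GW_LAN, ETH_IPV4, PAYLOAD)
    return {n: parse_frame(x)[2] for n, x in sw.forward(1, f).items()}


def audit(sw):
    """Ports carrying VLAN 1 tagged, i.e. VLAN 1 used as a data VLAN on a trunk."""
    return sorted(n for n, p in sw.ports.items() if 1 in p.tagged)


if __name__ == "__main__":
    sw = lan_switch()
    print("client -> gateway:", wifi_client_to_gateway(sw))     # {1: 20}
    print("gateway -> client:", gateway_reply_to_client(sw))    # {3: 20}
    print("gateway -> dns   :", gateway_to_dns(sw))             # {3: None, 8: None}
    print("pfSense port lacks VLAN 20:", wifi_client_to_gateway(lan_switch((10,))))  # {}
    print("ports with VLAN 1 tagged:", audit(Switch({3: Port(1, tagged=(1, 10, 20))})))
```

The model is deliberately the textbook behaviour, so a real switch that behaves differently (a trunk port that will not carry the PVID untagged, or that counts every tagged frame as an error) is exactly the gap to look for when the expected and observed paths differ.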
-
Thank you @marvosa
I'm on the market for Cisco SG200-X. High RxBadPkt is only happening with VLAN enabled, so it is not a hardware issue.
I've read somewhere that this is how TP-Link reports tagged traffic, but in my case I'm really losing packets so I don't know.
Thanks anyways.
-
@sirkorro I don't necessarily disagree. There's a chance the hardware isn't technically failing, however, their implementation of VLANs appears to be suspect at best.
After reading some of the comments, apparently, TP-Link has been telling people the RxBadPkt's stat is a statistical mechanism of chipset and not to worry. So...they're marking tagged frames as RxBadPkt's? Why would you do that??!?! Like I said... suspect... LoL!
Regardless, that kind of packet loss is unusable. I'd go get that Cisco asap.
-
@marvosa said in Access point with VLAN - no LAN connection:
RxBadPkt's? Why would you do that??!?! Like I said... suspect... LoL!
Good question - like every tagged packet is marked as bad - I do recall that when I was testing their - what's the right word?? Oh yeah, JUNK!
Do yourself a favor and use something other than TP-Link for switches and AP. As dumb products they might be fine - but if you're wanting to do VLANs, they don't understand them.