Netgate Discussion Forum
    Tagged traffic on SG-2100 802.1q port

    • DerelictD
      Derelict LAYER 8 Netgate @smk
      last edited by

      @smk

      Firewall rules passing traffic on GuestWifiNetwork?

      Outbound NAT for GuestWifiNetwork sources?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • S
        smk
        last edited by smk

        Hi @Derelict

        Yes, the firewall rule is permissive:
        d7352b5b-44cc-4cb9-af8d-9247f18406ba-image.png

        And Firewall NAT settings are auto:
        ebd94812-f8d9-4606-9c9f-f7d69ea0e36a-image.png

        Is that right?

        • DerelictD
          Derelict LAYER 8 Netgate @smk
          last edited by

          @smk WAN net is not the internet. any is the internet.

          • DerelictD
            Derelict LAYER 8 Netgate @smk
            last edited by Derelict

            @smk And those are not automatic NAT rules. Those are manual NAT rules. They will reflect the configuration at the time you set manual NAT mode, not anything that has been added since.

            10.0.1.0/24 is not listed as a source there so that is missing too.

            • S
              smk
              last edited by smk

              That did it! You are awesome @Derelict . I cannot thank you enough - I spent a lot of time trying to figure this out by myself.

              Folks like @Derelict are what make Netgate an awesome company!

              • S
                smk @smk
                last edited by

                @Derelict: Everything works with 1 exception: clients on the AP are not able to talk to one another.

                Firewall allows traffic to the internet:
                1c659a19-95f7-4fd1-bf21-bd17bbaa4a7b-image.png

                NAT rules are set up:
                eff514f6-2c1e-45a5-abe2-219ab87cfbda-image.png

                Am I missing anything that would allow clients on the 10.0.1/24 network to talk to one another?

                • S
                  SteveITS Galactic Empire @smk
                  last edited by

                  @smk said in Tagged traffic on SG-2100 802.1q port:

                  clients on the AP are not able to talk to one another

                  That would normally not go through the router, but from one device to the other. Some APs have a "guest mode" or similar option to prevent wireless clients from talking to each other (only to the Internet).

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  • S
                    smk @SteveITS
                    last edited by

                    Thank you @teamits

                    Guest mode was already disabled on the AP:
                    bce37f0b-5206-4bc5-8ac8-b5b034def40c-image.png
                    3c35dc0c-53d3-45f7-a9b4-a97d5392609b-image.png

                    Am I missing any configuration that would prevent members from communicating with each other?

                    • DerelictD
                      Derelict LAYER 8 Netgate @smk
                      last edited by

                      @smk I don't know what it looks like or where it is on Ubiquiti. This is what it looks like on Ruckus Unleashed:

                      b276e792-9143-4d0c-a99f-53d37ea53a1d-image.png

                      • S
                        smk
                        last edited by

                        @Derelict & @teamits: you were both right. Sorry, my bad: it was bad Ubiquiti configuration.

                        If anyone falls in the same trap, the solution is to set "Corporate" + "VLAN". Not "VLAN Only" + "VLAN":

                        98a25145-0f81-4440-85e0-ab5af871da71-image.png

                        Thank you both very much!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.