Netgate Discussion Forum
    Cannot get Wifi/DHCP on VLAN

    L2/Switching/VLANs
    31 Posts 6 Posters 3.6k Views
      aram535 @aram535

      Just to sum the final results.

      For VLANs to work on an AP, the AP must be attached to a UniFi switch, USG, or UDM (or Pro). From the sound of it, it needs to be a Unifi layer 3 device too, a switch that is VLAN aware is not enough.

        johnpoz LAYER 8 Global Moderator @aram535

        @aram535 said in Cannot get Wifi/DHCP on VLAN:

        the AP must be attached to a UniFi switch, USG, or UDM (or Pro)

        NO - not true at all... While you do need a vlan capable switch, and it has to be correctly configured for your vlans, it sure as hell does not need to be unifi anything.

        basic setup steps
        Pfsense has lan interface
        Create vlan on lan interface, tag it let's say 102 (setup network for vlan 102, enable dhcpd on vlan 102, etc.)
        switch - create vlan 102, default vlan would normally be 1 (untagged native vlan)

        (pfsense) lan port -- vlan1 U, vlan 102 Tagged -- port X (switch) port Y -- vlan 1 U, vlan 102 T -- AP

        There you go.. Done.

        wifi
        SSIDX = untagged
        SSIDY = vlan ID 102

        client
        Connect to ssidY be on vlan 102
        Connect to ssidX be on lan network.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          JKnott @aram535

          @aram535

          Mine works fine with a VLAN through a Cisco switch.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            aram535 @JKnott

            @jknott I removed my switch from the solution completely and plugged the UniFi AP directly into OPT1. It still didn't work, could not get an IP address from the DHCP server on the NetGate.

            I then disabled the DHCP server on the NetGate and added it to the Unifi's AP directly (or controller really) and still can't get an IP address so that's a fully internal UniFi issue it seems, maybe the AP-Lite is the issue.

              aram535 @johnpoz

              @johnpoz I'm just repeating what the support tech posted in the chat, I agree that it doesn't make any sense.

                marvosa @aram535

                @aram535
                Your immediate issue is infrastructure related. First, you need a switch that supports tagged VLANs. I'm not sure who mentioned it, but no... it does not have to be UniFi... it can be any brand that supports tagged VLANs (e.g. Cisco, UniFi, HP, etc)... just stay AWAY from TP-Link! LoL!

                Second, everything needs to be configured correctly from end to end... much like @johnpoz described

                @DaddyGo:

                To the best of my knowledge this is not relevant info, because all switches should work like this:

                https://en.wikipedia.org/wiki/Virtual_LAN

                The functionality of the switch being used is completely relevant. You may want to do some more research on switching and VLANs.

                  JKnott @aram535

                  @aram535

                  I use the DHCP server on pfsense. When you're using VLANs, you have to ensure the VLAN IDs match in every device. For example, my guest WiFi is on VLAN3. I have my AP, pfsense and the switch ports connected to pfsense and my AP configured for VLAN 3. The VLAN interface, in pfsense, also has a DHCP server configured.

                    JKnott @marvosa

                    @marvosa said in Cannot get Wifi/DHCP on VLAN:

                    First, you need a switch that supports tagged VLANs.

                    Actually, no. An unmanaged switch will pass VLAN tags, but managed is recommended.

                      Gertjan @aram535

                      @aram535 said in Cannot get Wifi/DHCP on VLAN:

                      I removed my switch from the solution completely and plugged the UniFi AP directly into OPT1. It still didn't work, could not get an IP address from the DHCP server on the NetGate.

                      Because (one of) your SSIDs was still tagging?
                      You should also 'reset' the AP, or redo the SSID without any 'VLAN' options.
                      If it still doesn't work, waste-bucket the AP.

                      This :
                      @aram535 said in Cannot get Wifi/DHCP on VLAN:

                      Created a Firewall rule on OPT2, allow everything on IPv4 (until I get the connectivity working).

                      is the good approach.
                      But this :

                      DNS: 1.1.1.1

                      is a bad one.

                      First, you set up a working network without ever entering any DNS related information.
                      pfSense, out of the box, handles DNS perfectly well without info from you, your ISP, some Youtube video or whatever other source; it always works without any needed initial DNS settings (addresses).
                      Then, when you're good, and you really have a lot of free time to lose, you start fiddling with "DNS" ;)

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        marvosa @JKnott

                        @jknott said in Cannot get Wifi/DHCP on VLAN:

                        @marvosa said in Cannot get Wifi/DHCP on VLAN:

                        First, you need a switch that supports tagged VLANs.

                        Actually, no. An unmanaged switch will pass VLAN tags, but managed is recommended.

                        Are there some scenarios when deploying some backyard boogie hardware may allow some frames to get to where they need to be... I guess anything's possible... but it's not where I would start.

                        I would also ask this... on a typical unmanaged switch, all of the ports are in the same broadcast domain (i.e. VLAN 1 untagged), so if you have multiple VLANs (e.g. 5) configured on PFsense, and the LAN interface is then plugged into an unmanaged switch, and then you have multiple endpoint devices (e.g. 5) plugged into that unmanaged switch... all which are configured on different subnets and supposed to be on different VLANs... how is the switch going to know which broadcast domain to send the frames to when you can't change the PVID on the ports?

                          JKnott @marvosa

                          @marvosa

                          All VLANs that are present will be passed to all switch ports and devices connected to the network have to be able to connect to the desired VLAN. For example, I could configure an interface with a VLAN and then configure that VLAN for IP address etc., but not the native LAN. While computers can generally do that, many other devices can't. It's not recommended, but it is possible.

                          When planning a network, you should know what devices can do, so you're not surprised.

                            marvosa @JKnott

                            @jknott said in Cannot get Wifi/DHCP on VLAN:

                            All VLANs that are present will be passed to all switch ports

                            That's not entirely accurate. It depends on the switch. Some unmanaged switches drop the tagged frames while others strip the tag. Some pass the frame unchanged, yes, but you'll just create a troubleshooting nightmare for yourself trying to use an unmanaged switch as a workaround for best practices.

                              johnpoz LAYER 8 Global Moderator @marvosa

                              Don't get him started ;)

                              I don't have a clue as to why he insists on bringing it up every single time vlans are mentioned... How you can call yourself a networking professional and even hint or even mention that someone should use a dumb switch when doing vlans.

                              If you're going to do vlans - your switch needs to understand them - PERIOD!! If you want to leverage dumb switches downstream where all the traffic is untagged that is fine.. But you shouldn't be passing tags across something that doesn't understand them.. Be it going to strip them or not.. Clearly it doesn't understand them and broadcast traffic is going to go places it shouldn't..

                                JKnott @johnpoz

                                @johnpoz

                                I don't advocate for using an unmanaged switch, I just get annoyed when someone claims it won't work. In order for a dumb switch to interfere with VLAN frames, it would have to read the Ethertype/Length value and decide it doesn't want to pass it, a bit much to ask of a dumb switch, especially when switches are supposed to pass all values in that field. The only significant difference between VLAN frames and any other is the Ethertype. Only managed switches, configured for VLANs, should be even looking at that field. Every other switch, managed or not, should just pass it otherwise. Look at the history of Ethernet. Back in the days of coax networks there was nothing that would block VLANs, same with hubs. Switches are supposed to be similarly transparent. Managed switches, configured for VLANs, are the only exception to that.

                                If I were to do an archaeological dig in my junk closet, I'd likely find a 10 Mb hub with a coax connection. I'd be very surprised if it wouldn't pass VLAN frames, bearing in mind any MTU issues.

                                BTW, in reading some of the posts on this board, it's obvious some people don't understand what VLANs are and how they work.


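As an added example (not code from anyone in this thread), a small Python model of the two things under discussion: the VLAN-aware switch port johnpoz configures as 'vlan1 U, vlan 102 T', and JKnott's point that an 802.1Q frame differs from a plain one only by the 0x8100 Ethertype and the 4-byte tag that follows it. The frames, port names and the `Port`/`forward` helpers are constructed for illustration.

```python
# Added example (not from the thread): a VLAN-aware switch port modelled as
# 'vlan1 U, vlan 102 T', plus an 802.1Q tag parser. Frames are constructed samples.
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

TPID_8021Q = 0x8100   # the Ethertype/TPID that marks a tagged frame
ETH_HDR = 14          # dst MAC (6) + src MAC (6) + Ethertype (2)


def parse_vid(frame: bytes) -> Optional[int]:
    """Return the 12-bit VLAN ID if the frame carries an 802.1Q tag, else None."""
    if len(frame) < ETH_HDR:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None                      # plain frame: nothing to classify
    if len(frame) < ETH_HDR + 4:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF                  # low 12 bits = VID; top 4 = PCP/DEI


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q tag (PCP 0, DEI 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, giving back a plain Ethernet frame."""
    return frame[:12] + frame[16:]


@dataclass(frozen=True)
class Port:
    """A switch port: its untagged/native VLAN (PVID) and the VLANs carried tagged."""
    pvid: int
    tagged: frozenset = field(default_factory=frozenset)


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify an arriving frame into a VLAN; None means the port drops it."""
    vid = parse_vid(frame)
    if vid is None:
        return port.pvid, frame          # untagged -> native VLAN (PVID)
    if vid in port.tagged:
        return vid, strip_tag(frame)     # member VLAN: carry the bare frame
    return None                          # tagged for a VLAN this port is not in


def egress(port: Port, vid: int, frame: bytes) -> Optional[bytes]:
    """Send the frame out untagged on the PVID, re-tagged on a member VLAN, else drop."""
    if vid == port.pvid:
        return frame
    if vid in port.tagged:
        return add_tag(frame, vid)
    return None


def forward(port_in: Port, port_out: Port, frame: bytes) -> Optional[bytes]:
    """One hop through a managed switch: classify on ingress, rewrite on egress."""
    classified = ingress(port_in, frame)
    if classified is None:
        return None
    vid, bare = classified
    return egress(port_out, vid, bare)


# Constructed sample frame: broadcast dst, made-up src, IPv4 Ethertype, dummy payload.
PLAIN = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"DHCPDISCOVER"
# johnpoz's trunk ports: port X (to pfSense) and port Y (to the AP), both 'vlan1 U, vlan 102 T'.
PORT_X = Port(pvid=1, tagged=frozenset({102}))
PORT_Y = Port(pvid=1, tagged=frozenset({102}))
```

A frame tagged 102 crosses X to Y still tagged, an untagged frame stays on VLAN 1, and a frame tagged for a VLAN neither port is a member of is dropped; an unmanaged switch has no such table, which is why the thread's "it passes the tags" and "broadcasts go where they shouldn't" are both true.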
                                  johnpoz LAYER 8 Global Moderator @JKnott

                                  @jknott said in Cannot get Wifi/DHCP on VLAN:

                                  it's obvious some people don't understand what VLANs are and how they work.

                                  Concur ;) Which is why it would just be simpler and easier to just say WON'T WORK... No need to go into the technical aspects of a frame, etc.

                                  Vlans dumb switch BAD! Smart/Managed switch GOOD ;)

                                    JKnott @johnpoz

                                    @johnpoz said in Cannot get Wifi/DHCP on VLAN:

                                    No need to go into the technical aspects of a frame, etc.

                                    Here you go. This is the Ethernet Blue Book, which describes the original DIX, pre 802.3 Ethernet. 😉

                                      aram535

                                      So a final post to say this was solved.

                                      The "final" solution was to remove the AP from controller, add it back in, upgrade to 5.4.37 (just released) and it started to work.

                                      I'm making this generic, for this and other forums I had posted in so please don't take it personally:

                                      • A Unifi switch is required, no it isn't I have an AP plugged into a managed TP-link switch, from there to the OPT port of Netgate SG-1100.
                                      • A USG is required, no it isn't (Guest Network works without it) [ WEP 2/3, not using a client portal ].
                                      • CloudKey is required, no it isn't.
                                      • VLAN must be tagged on every port that the data travels through, doesn't seem like. (Maybe if you're offloading to another switch?)
                                      • You cannot use the DHCP server on the AP, you have to offload to another DHCP server on the same VLAN.
                                        johnpoz LAYER 8 Global Moderator @aram535

                                        @aram535 said in Cannot get Wifi/DHCP on VLAN:

                                        DHCP server on the AP

                                        There is no dhcp server on AP.. You can run dhcp on the controller - but dhcp doesn't run on actual AP.

                                        VLAN must be tagged on every port that the data travels through, doesn't seem like. (Maybe if you're offloading to another switch?)

                                        No it doesn't and has never had to.. Where a vlan has to be tagged is when you're going to carry multiple vlans over the same wire.

                                        As to your AP firmware.. There is newer firmware than that - I am running 5.63.0.12975, unifi does a really horrible job on what firmware lines are what, etc. etc. bet stable, beta, alpha, etc. etc.

                                          aram535 @johnpoz

                                          @johnpoz said in Cannot get Wifi/DHCP on VLAN:

                                          @aram535 said in Cannot get Wifi/DHCP on VLAN:

                                          DHCP server on the AP

                                          There is no dhcp server on AP.. You can run dhcp on the controller - but dhcp doesn't run on actual AP.

                                          This is probably incomplete information. Now the DHCP server itself may or may not run on the AP (I do see the dhcpd binary on there, but that's anecdotal); the reason I'm saying it's probably wrong or incomplete is that the VLAN that I'm using cannot reach the controller, so there is no way for a client to get an address. Now it's possible that the AP does just a relay to the controller, but I think that would break all sorts of assumptions about why have VLANs in the first place.

                                          VLAN must be tagged on every port that the data travels through, doesn't seem like. (Maybe if you're offloading to another switch?)

                                          No it doesn't and has never had to.. Where a vlan has to be tagged is when you're going to carry multiple vlans over the same wire.

                                          You're misreading the post - we agree on the statement. The post is saying these "incorrect facts" are what I found because of posts here and other forums and that it was incorrect information.

                                          As to your AP firmware.. There is newer firmware than that - I am running 5.63.0.12975, unifi does a really horrible job on what firmware lines are what, etc. etc. bet stable, beta, alpha, etc. etc.

                                          The version is very dependent on the type of AP; they don't seem to use a unified code. I have verified the release versions and what they sent me to see about my issue (or maybe it's out (and just not in the general release) and they're just testing it themselves on a beta channel or something).

                                            johnpoz LAYER 8 Global Moderator @aram535

                                            The version of their code is pretty universal... The latest I am running runs on..

                                            UAP-AC-Lite/LR/Pro/M/M-PRO/IW
                                            UAP-HD/SHD/XG/BaseStationXG
                                            UAP-nanoHD/IW-HD/FlexHD/BeaconHD
                                            U6-Lite
                                            U6-LR
                                            U6-Pro
                                            U-LTE/U-LTE-Pro
                                            US-8/16/24/48/###W
                                            US-L2-POE
                                            US-16-XG
                                            US-XG-6POE/USW-Pro/USW-Pro-POE/USW-Enterprise-24-PoE
                                            USW-Pro-Aggregation/USW-Enterprise-48-PoE/USW-EnterpriseXG-24
                                            USW-Aggregation
                                            USW-Flex-XG
                                            USW-Industrial/USC-8
                                            USW-Flex/USP-RPS
                                            USP-PDU-Pro
                                            USW-16/24/48-POE/USW-24-48/USW-Lite-8/16-POE/USW-Mission-Critical
                                            USW-Multi

                                            They have some newer versions that just run on the new U6 APs, but it's really still the same code; they released newer versions just for them. Like I said, they are pretty bad at release numbers.

                                            Now it's possible that the AP does just a relay to the controller,

                                            Huh... Dude I think you really have some misconceptions about a lot of stuff.. And I have no idea what AP you're looking at but there is no dhcpd binary..

                                            There are some config - because the AP can get its own IP via dhcp client

                                            Hallway-BZ.5.63.0# find / -name dhcp
                                            /etc/hotplug.d/dhcp
                                            /etc/config/dhcp
                                            Hallway-BZ.5.63.0# find / -name dhcpd
                                            Hallway-BZ.5.63.0# 
                                            

                                            You can run the dhcpd on the same hardware you run your controller if you want.. Stuff like their USG or the UDM could provide..

                                            The AP bridge all data from the wifi to the wire, be it dhcp or any other traffic..

                                            As to the vlan tags, guess I should have quoted your whole statement

                                            doesn't seem like. (Maybe if you're offloading to another switch?)

                                            Is not a maybe.. If you're going to carry more than 1 vlan over the same wire then they NEED to be tagged.. They would need to be tagged on the port going to your AP, if you're going to run more than one SSID with different vlans.. Because the traffic coming out of the AP to the wire would be tagged with the vlan that client's traffic is on based upon the SSID they joined.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.