Trouble with segregating traffic internal vs guest

  • Hi everyone,

    I have been searching high and low recently, but I can't seem to figure out the solution to my issue. I would really appreciate insight from you guys!

    All devices on the LAN interface are working correctly. However, when I attempt to connect to the guest SSID, my devices (laptop and android phone) cannot obtain an IP address.


    I recently purchased the SG-2220 pfSense Security Gateway Appliance from the pfSense store. The device has since been upgraded to pfSense version 2.3.2.

    There are three interfaces:
    WAN: DHCP from ISP equipment
    WLAN_Guest: –- VLAN 100 on the parent interface (LAN interface).

    There are two DHCP scopes which are enabled:
    LAN: -
    WLAN_Guest: -

    There is one VLAN:
    VLAN Tag: 100, which is assigned to the LAN interface

    Firewall Rules:
    WLAN_Guest: Presently allows all traffic inbound and outbound, for the sake of testing. I will eventually block traffic destined for devices on the LAN interface.
    LAN: Pass any packets from WLAN_Guest net to Any destination.

    There is one managed switch:
    HP Procurve 1800-24G ( I have created LAN 100 on the switch and added the port used for the WAP as a member.
    There are two options in "VLAN Port Config": Packet Type "All" or "Tagged only". I currently have this set to "All". If I set it to "tagged only" then the WAP cannot communicate with the network at all. I have also un-checked the "VLAN Aware Enabled" checkbox, per another forum post. That did not appear to have any impact. Changing the PVID drop-down for this port also seems to disrupt all network connectivity between the WAP and the firewall.

    There is one WAP:
    Ubiquiti Unifi AP-AC PRO (UAP‑AC‑PRO) with an IP of
    Two SSID's: Let's just call them Internal and Guest. The Internal SSID is working correctly. I have configured the WAP to tag traffic on the Guest SSID with tag 100.

    The DHCP logs shows DHCPOFFER and DHCPDISCOVER entries for those devices via igb1_vlan100, but there is no DHCPACK entry like there is for the Internal network. I suspect that the switch is to blame, but I'm not certain. I believe I have the pfSense appliance configured correctly, and the WAP configuration seems pretty straightforward. My research has revealed similar frustrations from other users/administrators regarding VLANs on the Procurve. Does anyone have a suggestion for this? Please let me know if I can provide any further information. I really appreciate any feedback you can offer.

    Thank you all!

  • LAYER 8 Global Moderator

    Since your running an untagged network, ie your "lan" and tagged network.  Your switch needs to know what network is tagged and what is not "native"

    I would assume your just using default of vlan 1 on your switch for untagged traffic.  So port to your AP should be tagged for both vlan 1 or whatever your native vlan is and your vlan 100.  Connection from switch to pfsense lan interface would be set for your native vlan and tagged traffic of this 100.

    Not sure what HP calls them, in cisco these are trunked ports with a native vlan.  With netgear its just tagged and untagged traffic and you set the pvid of the port to whatever you want the native vlan to be, etc.

  • johnpoz, thank you!

    This is one of those "why didn't I think of that" situations, which I'm really excited about! I added port 3 on my switch (Switch to Firewall) to VLAN 100. I also re-checked the VLAN Aware box in VLAN Port Config. My devices are now obtaining IP Addresses on the guest network!

    I'm going to adjust the firewall rules to isolate the traffic, but I think you've gotten me out of the woods. Thank you so much again for your quick response!

  • LAYER 8 Global Moderator

    Happy I could help.. If your new to vlans or don't have experience how the different makers do things or call things then yeah it can be confusing.  Glad you got it sorted!

Log in to reply