[solved] VLAN Through a TL-SG108

  • LAN network is

    LAN is on a PIA VPN account.

    A VLAN has been created and labeled as GUEST WIFI and tagged as 30.

    A static IP has been assigned as

    DHCP has been turned on for this interface.

    The DHCP range has been set to -

    A firewall rule for GUEST WIFI has been set for IPv4 any-any-any

    The switch is a TP-Link TL-SG108.  http://www.tp-link.com/us/products/details/cat-42_TL-SG108.html

    The AP is a UniFi AP-AC-Lite.

    The "Use VLAN" option is checked and "30" is entered.

    The client can associate with the AP and automatically receive an IP of; however, no traffic is passing from the client to pfSense.

    A ping test from pfSense to the client is successful.

    The client can access the network, pfSense control panel, NAS, etc.

    The client cannot access the internet.

    All services are running.

    I am using DNS Resolver and DNS Query Forwarding is checked.

    Is this a NAT issue or DNS?

    Any help is appreciated getting clients on the VLAN30 out to the internet.

  • LAYER 8 Global Moderator

    That switch is dumb, it does not understand vlans.

    If you're going to run VLANs through a switch, it should understand what VLANs are, and they need to be set up on the switch, or you could run into problems, be it the switch leaves the tagging on the traffic or not. jknott might tell you that modern switches do not strip the tags. This does not mean it's correct to do so. The switch cannot isolate the traffic if it does not understand the tags.

    The cheaper line of TP-Link switches, the 108E, is supposed to support VLANs, but it does not allow you to remove VLAN 1 from each port.

    I would suggest you get a switch that allows proper use, say the DGS-1100 from D-Link; it's only $35 on Amazon.

  • @johnpoz:

    That switch is dumb, it does not understand vlans.

    …and that was the very thing I was hoping to avoid but I figured was another possible issue. A new switch is six weeks out with the risk that they steal it out of a USPS package. Building networks in the third-world is always interesting.

    Thanks johnpoz for the quick answer!

  • LAYER 8 Global Moderator

    You could connect your AP direct to a pfSense port. Does your pfSense box have more than 1 interface that you can use on the LAN side?

    How do you have it connected?

    So your pfSense LAN port's native network is 192.168.4, and this VLAN 30 is on this physical interface of pfSense?

    So you have:

    pfSense LAN port (em0, let's call it), then VLAN 30 sits on this em0?

    pfsense lan - switch –- AP

    Where the management IP of the AP is on the 192.168.4 network.

    And you created an SSID that you added the VLAN ID 30 to? Are you using the controller software from UniFi running on the 192.168.4 network off the switch, or are you trying to set up the AP with just the smartphone app?

  • @johnpoz:

    You could connect your AP direct to a pfSense port. Does your pfSense box have more than 1 interface that you can use on the LAN side?

    Only 1 physical interface: re1.


    pfsense lan - switch –- AP

    Just like that. LAN port - dumb switch –- AP

    pfSense is
    Unifi AP Management IP is

    I created my SSID "VLAN30 test" and checked "use VLAN" and entered 30.

    I am running UniFi Controller software on a PC, not a phone. Controller software is latest available as of 29/10, Version 5.5.24.

    I think I answered all your questions. Oh, and screens too.

    Does any magic happen on the UniFi "Networks" page?

    ![VLAN30 test.jpg](/public/imported_attachments/1/VLAN30 test.jpg)
    ![Device on LAN.jpg](/public/imported_attachments/1/Device on LAN.jpg)
    ![Interface Assignments.jpg](/public/imported_attachments/1/Interface Assignments.jpg)

  • Banned

    So how do the firewall rules on your GUESTWIFI interface look, and how is outbound NAT configured?

  • GUESTWIFI rules are wide open for testing. I will tighten them down later.

    NAT is an attempt to copy what I set up for the PIA VPN connection and I suspect could be a problem.

    The WAN and OpenVPN entries in the Manual Outbound NAT section are confirmed working settings for the PIA VPN connection. I added the four additional GUESTWIFI entries in an attempt to discover any setting that would send traffic out.

    Thanks for taking a look.

    ![GUESTWIFI rules.jpg](/public/imported_attachments/1/GUESTWIFI rules.jpg)
    ![NAT settings.jpg](/public/imported_attachments/1/NAT settings.jpg)

  • Banned

    Well, the outbound NAT rules are wrong: the Interface and NAT Address for the network should be WAN, and OpenVPN if the guest devices should use the VPN connection too. Currently you're trying to NAT from the network to the GUESTWIFI interface, so in essence back to the network.

    Edit: Also remove the additional rules for the loopback network.
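    The point Grimson makes about the outbound NAT rules, as an added example that is not part of the thread and is not pfSense code: a small simulation of how outbound NAT rules are matched. It keeps only the behaviour that matters here (a rule is evaluated against the interface the packet leaves on, the first match wins, and the match rewrites the source address to the rule's NAT address). The guest subnet 192.168.30.0/24, the interface addresses, the destination, and the rule lists `BROKEN_RULES` and `FIXED_RULES` are constructed for the illustration; which interface a packet egresses on is given as input, because that is decided by routing, not by NAT.

    ```python
    """
    Simulation of outbound NAT rule matching: why rules on the GUESTWIFI
    interface translate nothing that leaves via WAN or OpenVPN.

    Added example written for this thread; not pfSense code. Addresses,
    subnet and rule sets are constructed.
    """
    from dataclasses import dataclass
    import ipaddress


    @dataclass(frozen=True)
    class OutboundNatRule:
        interface: str    # egress interface the rule is evaluated on
        source: str       # source network in CIDR form, or "any"
        nat_address: str  # "interface address" or an explicit address


    @dataclass(frozen=True)
    class Packet:
        src: str
        dst: str
        egress_if: str    # interface routing has chosen for this packet


    # Constructed addresses for the simulation.
    INTERFACE_ADDRESSES = {"WAN": "203.0.113.10", "OpenVPN": "10.8.0.6",
                           "GUESTWIFI": "192.168.30.1"}
    GUEST_NET = "192.168.30.0/24"  # constructed VLAN 30 subnet

    # Rules as first described in the thread: evaluated on GUESTWIFI itself.
    BROKEN_RULES = [
        OutboundNatRule("GUESTWIFI", GUEST_NET, "interface address"),
    ]

    # Rules as suggested: evaluated on WAN and OpenVPN, source = guest net.
    FIXED_RULES = [
        OutboundNatRule("OpenVPN", GUEST_NET, "interface address"),
        OutboundNatRule("WAN", GUEST_NET, "interface address"),
    ]


    def source_matches(rule_source, src):
        if rule_source == "any":
            return True
        return ipaddress.ip_address(src) in ipaddress.ip_network(rule_source)


    def apply_outbound_nat(rules, pkt):
        """Return (translated source, matched rule); rule is None if untranslated."""
        for rule in rules:
            if rule.interface != pkt.egress_if:
                continue  # the rule only applies to packets leaving *this* interface
            if not source_matches(rule.source, pkt.src):
                continue
            new_src = (INTERFACE_ADDRESSES[rule.interface]
                       if rule.nat_address == "interface address" else rule.nat_address)
            return new_src, rule
        return pkt.src, None


    def translated_to_egress_address(rules, pkt):
        """True when the packet leaves carrying the egress interface's own address,
        so the far end (ISP or VPN server) has a source it can reply to."""
        new_src, _ = apply_outbound_nat(rules, pkt)
        return new_src == INTERFACE_ADDRESSES[pkt.egress_if]


    if __name__ == "__main__":
        guest_to_internet = Packet("192.168.30.20", "198.51.100.7", "OpenVPN")
        for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
            src, rule = apply_outbound_nat(rules, guest_to_internet)
            print(f"{label}: leaves {guest_to_internet.egress_if} with source {src}, "
                  f"matched {rule}")
    ```

    With `BROKEN_RULES` the guest packet leaves the OpenVPN interface with its untouched 192.168.30.x source and no rule ever fires, which is exactly the "NAT back to the network" symptom; with `FIXED_RULES` the same packet is rewritten to the tunnel address (or the WAN address when it egresses WAN). The LAN subnet is intentionally not covered by these two rules, so a LAN host stays untranslated in the simulation; on the real box the existing WAN/OpenVPN rules for the LAN cover that.
    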

  • LAYER 8 Global Moderator

    Yeah, as Grimson already pointed out, your outbound NAT is all messed up.

    Not sure why users don't mention that they took outbound NAT out of automatic when they are having problems ;)

    Why would you have not just left it hybrid if you wanted to send some clients out a VPN connection? And created your rules for your VPN users in a hybrid outbound NAT above the automatic?

    Fix your outbound NAT and you should be fine, even if not really correct or getting true VLAN isolation on your dumb switch. As jknott is so fond of mentioning, new dumb switches sometimes do not strip the tags and pass them along. So while you can pass tags across them, it still does not make it a good or supported method. But it can be done in a pinch.

    Really really - let's repeat that for clarity. Really ;) Suggest you get a smart switch that can actually do VLANs if you're wanting to pass VLAN tags across a switch. And I would not suggest the so-called "smart" version of your TP-Link, the 108E or 105E models, because that company has no clue as to what isolation of VLANs actually means, since they do not allow you to remove VLAN 1 from your ports. So any untagged broadcast traffic is going to be broadcast to every single port, since every port is a member of VLAN 1. So when you get around to getting a smart switch that can do VLANs, make sure it can remove VLAN 1 from the ports you're not going to be using in VLAN 1.
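    Two claims in this thread, that an unmanaged switch cannot isolate tagged traffic because it ignores the tag, and that a switch which cannot remove VLAN 1 from a port still floods untagged broadcasts to every port, as an added example that is not code from the forum, pfSense, TP-Link or D-Link. The frame layout is real 802.1Q (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VID, then the original EtherType); `UnmanagedSwitch` and `VlanSwitch` are simplified, hypothetical forwarding simulations, and the port numbers, port-to-VLAN membership and MAC addresses are constructed.

    ```python
    """
    Model of how an unmanaged switch and a VLAN-aware switch treat 802.1Q frames.

    Added example for this thread; not code from any vendor or from pfSense.
    Frame encoding follows 802.1Q; both switch classes are simplified simulations.
    """
    import struct

    TPID_8021Q = 0x8100
    ETHERTYPE_IPV4 = 0x0800
    BROADCAST = bytes.fromhex("ffffffffffff")


    def build_frame(dst, src, ethertype, payload, vid=None):
        """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
        frame = dst + src
        if vid is not None:
            tci = vid & 0x0FFF  # PCP = 0, DEI = 0, VID in the low 12 bits
            frame += struct.pack("!HH", TPID_8021Q, tci)
        return frame + struct.pack("!H", ethertype) + payload


    def parse_frame(frame):
        """Return dst, src, vid (None if untagged), inner ethertype and payload."""
        dst, src = frame[:6], frame[6:12]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        vid, offset = None, 14
        if ethertype == TPID_8021Q:
            tci, ethertype = struct.unpack("!HH", frame[14:18])
            vid, offset = tci & 0x0FFF, 18
        return {"dst": dst, "src": src, "vid": vid,
                "ethertype": ethertype, "payload": frame[offset:]}


    class UnmanagedSwitch:
        """Learns source MAC per port and floods unknown/broadcast destinations to
        every other port. The 802.1Q tag is four opaque bytes to it."""

        def __init__(self, ports):
            self.ports = list(ports)
            self.mac_table = {}  # mac -> port

        def forward(self, in_port, frame):
            f = parse_frame(frame)
            self.mac_table[f["src"]] = in_port
            out = self.mac_table.get(f["dst"])
            if out is not None:
                return [] if out == in_port else [out]
            return [p for p in self.ports if p != in_port]


    class VlanSwitch:
        """Forwards by (VID, MAC) and floods only to ports that are members of the VID."""

        def __init__(self, membership, pvid):
            self.membership = {p: set(v) for p, v in membership.items()}  # port -> VIDs carried
            self.pvid = dict(pvid)  # port -> VID assigned to untagged ingress frames
            self.mac_table = {}     # (vid, mac) -> port

        def forward(self, in_port, frame):
            f = parse_frame(frame)
            vid = f["vid"] if f["vid"] is not None else self.pvid[in_port]
            if vid not in self.membership[in_port]:
                return []  # ingress filtering: this port does not carry that VLAN
            self.mac_table[(vid, f["src"])] = in_port
            out = self.mac_table.get((vid, f["dst"]))
            if out is not None:
                return [] if out == in_port else [out]
            return sorted(p for p, vids in self.membership.items()
                          if p != in_port and vid in vids)


    def demo():
        """Run the scenarios and return which ports each broadcast reached."""
        ap_mac = bytes.fromhex("0211aa000001")       # constructed
        printer_mac = bytes.fromhex("0211bb000002")  # constructed
        guest_bcast = build_frame(BROADCAST, ap_mac, ETHERTYPE_IPV4, b"dhcp-discover", vid=30)
        native_bcast = build_frame(BROADCAST, printer_mac, ETHERTYPE_IPV4, b"arp-who-has")

        # Port 1: uplink to pfSense, port 2: UniFi AP, ports 3-4: plain LAN devices.
        membership = {1: {1, 30}, 2: {1, 30}, 3: {1}, 4: {1}}
        pvid = {1: 1, 2: 1, 3: 1, 4: 1}

        dumb = UnmanagedSwitch([1, 2, 3, 4])
        smart = VlanSwitch(membership, pvid)
        results = {
            "dumb_switch_vlan30_broadcast": dumb.forward(2, guest_bcast),
            "vlan_switch_vlan30_broadcast": smart.forward(2, guest_bcast),
            "vlan_switch_native_broadcast_all_in_vlan1": smart.forward(3, native_bcast),
        }
        # Remove VLAN 1 from the AP port (what the 108E cannot do) and repeat.
        membership[2] = {30}
        fixed = VlanSwitch(membership, pvid)
        results["vlan_switch_native_broadcast_ap_out_of_vlan1"] = fixed.forward(3, native_bcast)
        return results


    if __name__ == "__main__":
        for name, ports in demo().items():
            print(f"{name}: reached ports {ports}")
    ```

    The unmanaged model floods the VLAN 30 broadcast to every port, tag and all, so nothing stops a LAN device from seeing guest traffic; the VLAN-aware model delivers it only to the uplink. The third and fourth results show the VLAN 1 point: as long as the AP port is still a member of VLAN 1, an untagged LAN broadcast reaches it, and only after VLAN 1 is removed from that port does it stop.
    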

  • Thank you both johnpoz and Grimson!

    Once I revised the NAT rules the client can connect to the internet and is even behind the VPN.

    I imagine that if I change the to go out the WAN interface and not the OpenVPN interface the client will kick out the WAN, exposed and all…

    I have already purchased a new switch. Three days shipping to a US address, repackage, then 4-6 weeks to here... A Christmas present.

    I will start revising the firewall rules on VLAN30 to shore things up.

    ![NAT settings updated.jpg](/public/imported_attachments/1/NAT settings updated.jpg)

  • LAYER 8 Global Moderator

    What switch did you get? Just curious. Why would it take 4-6 weeks to get to you? You live like in a hut in the middle of the jungle? An igloo 300 miles from the South Pole or something? ;) Package has to go by pack mule or something through the mountains.

    Having a hard time understanding how anything could take 4-6 weeks to be shipped anywhere on the planet these days. It's not taking a steamboat across the ocean, etc. ;)

    Switch: D-Link DGS-1100-08

    I did live in a rainforest before. Now I live by the coast. Same island. Yes, it takes that long for mail to get here using the USPS. Once a package leaves the US and enters the third world it is fair game. Most packages have made it untouched. One was raided and all the DVDs removed. I sometimes have a hard time understanding how it can take that long too, and I live here.

    I just looked at our last set of packages to come in. They were shipped September 5 and arrived at our local PO on October 18.

  • LAYER 8 Global Moderator

    Dude you live on some remote island somewhere?  Nice!

    So like this is you ;)  One of these dots in the middle of nowhere…

    The DGS-1100-08 arrived about a month ago. It sat in the US for a while, then eventually got grouped with other things and sent over. So it's a late Christmas present. I'm already ordering parts for my next project that I won't see until July. (Not router related, though.)

    I started setting it up today, and after messing with NAT and firewall rules the VLANs are beginning to take shape. I can finally isolate printers that ping Japan all day, a security camera system that pings China, and a VoIP box from the rest of the network.

    Thanks johnpoz and Grimson for your help. Reviewing your notes on NAT was a big help.
