Need help setting up guest VLAN with AP on Cisco SG300 switch
First of all, I'm a networking beginner. I am not the type that likes to ask for help, and prefer to read and research and "learn by doing". I know how to set up home and office networks using consumer devices, but beyond that I am now finding myself proper stuck. I have been struggling with this for many weeks now, and I am very frustrated and near to giving up and just going back to using my Asus router again, and retiring the pfSense box to be a tv media player instead. I really don't know the proper terminology, which makes it problematic to search for information. I've read and re-read tons of guide and tutorials, I've tested a lot of different setups, and nothing works. So I've resorted to trial and error, and now it works… somewhat. I hope someone has the time to help me out with this, or even recommend an alternative working setup.
What I want to do:
- my home office LAN doesn't need do be on a separate VLAN. All devices are trusted, and need to be able to communicate with each other.
- one wireless AP for personal use, needs to be able to communicate with all LAN devices
- another wireless AP for guests, with internet access only. Block all guest access to LAN devices, and block all LAN access to guests.
I have two access points at my disposal:
- Asus RT-AC66U (Asuswrt-Merlin, in AP mode, guest mode doesn't work, doesn't support VLANs). I want to use this for personal use, with access to the LAN.
- D-Link DAP-1353 (this supports multi-SSID and VLANs). As this has VLAN support, I want to just use the primary SSID, for guests.
- Shuttle DS67U with two LAN ports
- Cisco SG300-10 (I have two of these, but the stuff I want done is all connected to the same switch)
What I have tried, and managed to get working (sort of):
- Switch port1 = pfSense LAN (192.168.1.1)
- Switch port2 = Asus RT-AC66U in AP mode (192.168.1.249)
- Switch port3 = DAP-1353 (192.168.1.248). DHCP disabled. Primary SSID set to VLAN 40.
DAP-1353 (guest AP) config:
Cisco SG300 config:
pfSense DHCP for LAN giving out 192.168.1.x addresses.
pfSense DHCP for VL40_GUEST giving out 192.168.40.x addresses.
Results (what I can observe):
- my personal Asus AP works fine and dandy, and I have full access to internet and my LAN. All ok there.
- this setup gives guest clients (addresses 192.168.40.x) access to the internet, and apparently no access to my LAN (at least I cannot ping any LAN devices).
- my LAN devices cannot ping guest clients either, so I am assuming the guest network is properly segregated.
- Problem 1: I am unable to reach the DAP-1353 web interface (192.168.1.248) for configuration/monitoring/statistics. I need access to the interface so I can see if guests are connected, plus I want to retrieve SNMP data from the device.
- Problem 2: some guest devices are getting very slow download speeds. They are getting 0.5Mbit/s DL and 40Mbit/s UL. I am unsure if this is a problem in my pfSense/switch config, and don't really know how to troubleshoot. There is no wireless congestion, and noise is no issue, as the Asus AP has excellent 2.4GHz performance.
So what I need help with:
- How can I get access to the DAP-1353 (guest AP) web interface and SNMP from my LAN?
- do the pfSense firewall rules make any sense? Should I do it any differently?
As a quick final note, I have tested the setup shown below as well, but this allows guest clients access to my LAN. I don't understand why, though.
your sending 40 untagged.. I would need to be tagged if your setting up vlan on pfsense and want pfsense to see that traffic as vlan 40.
If I set the switch port 3 to General and VLAN 40 tagged, no clients can use the guest AP. I don't know what's happening, but they refuse to connect. I enter the passphrase, but it's not successful. Ive tried on Android (no error, just tries to connect and gives up after a couple of seconds) and Windows 7 ("Unable to connect" after a couple of seconds). It's not like it's waiting and then failing to receiving an IP address from the DHCP. It fails a long time before it even has a chance to wait for a DHCP response, it seems.
But, my assumption is that I would want to have VLAN1 untagged on port1 and port3, and VLAN40 tagged on port1 and port3, right? The switch refuses to let me do that, though. It just falls back to setting VLAN1 as excluded on port3. No error, nothing. When I hit apply, and the page refreshes, it's back to "Excluded".
That's why my current configuration has to have port3 as VLAN40 untagged. Or else the client's can't connect. And I don't understand why :(
EDIT: if I try to set port 3 as Trunk, with VLAN1 untagged, and VLAN40 tagged, the guest clients receive an address from the LAN DHCP instead (192.168.1.x), and end up on my LAN (with full access to all devices there). Which is not what I want.
You sure your AP is even tagging the traffic correctly?
If your vlan is 40 and tagged and your clients are getting IP on lan from dhcp, then they are not on vlan 40..
Oh man, I've had the same thought myself, though. It was sort of hurting my brain here, being sure that I've got the correct config, but still not working as expected.
Any ideas on how would I go about figuring out that? Are there any tools to test a port on a switch (or AP) in that particular manner? Could I use a regular NIC on a Windows machine that supports VLAN?
Sorry no exp with that AP… But its pretty hard to F up this config..
client --- SSID -- AP -- trunk tag 40 -- switch -- trunk tag 40 -- vlan 40 pfsense
If your client is getting IP from the native untagged network on that interface pfsense vlan 40 sits on, then its not being tagged would seem obvious..
You can do a simple tcpdump on the physical interface on pfsense do you see the tags when you use -e, see attached example see the vlans 200, 600 traffic
at least now I know I need to investigate what's going on in the AP end, as opposed to looking at the pfsense/switch config.
cheers, thanks for your time anyway :)
There was some thread a while back where the persons AP would not allow you to remove vlan 1 or always sent something untagged.. It was something really stupid that pretty much made the thing useless for any sort of different networks, even though they said it supported vlans, etc..
Let me see if can dig up that thread - maybe its the same AP as your dealing with..
Is that you are looking for, johnpoz?
Irios, you did not provided your full VLAN configuration on AP side, but I think you need at least check PVID Setting for dap-1353, it should be set manually (look at http://ftp.dlink.ru/pub/Wireless/DAP-1353/Description/DAP-1353_B1_Manual_3.00.pdf PVID setting) and the traffic must be tagged on Cisco.
Wow that was a good thread and some what related sure… But no that not the one I was talking about.. The one I was talking about was some specific brand of AP that didn't tag traffic or always had traffic in vlan 1 or something.. It was a crap AP that really could not do vlans at all even though stated they could..
I had posted info right out of their manual in the thread that stated the problem with the vlans he was having...
The thread you linked to was same sort of problem - tagged vs untagged.. Arrrggh I can not seem to find that thread now... But you need to validate that traffic is being tagged, or no pfsense not going to see it on the vlan interface.. It would see it on the naked/native interface network.
Hi there, w0w and johnpoz
Unfortunately the linked PDF is for the wrong model (B1 with 3.xx firmware). I have the A1 model, which can only run 2.xx firmware.
I've done a hard reset (factory defaults) of the DAP-1353, re-applied the firmware again, reconfigured it a little different, and gave it another shot.
This time I've set up the DAP-1353 with two VLANs:
- primary SSID as VLAN 1 (just a dummy VLAN, to see what happens really)
- added a secondary SSID as VLAN 40 (the guest network)
- port1 trunk, PVID 1.
- port3 trunk, PVID 1.
It seems like the Primary SSID might be ignoring it's VLAN value if you don't actually have a secondary SSID enabled (bug? flaw? feature? who knows).
The guest devices are now receiving proper guest IP addresses 192.168.40.x, and cannot ping LAN devices. But… LAN devices can still ping guests hm (I guess this is a firewall rule I need to set up?).
If I run speedtest.net (Ookla) on my laptops (on wireless guest network), it works fine. I get decent DL and UL speeds.
But all Android devices (tested 3 phones) cannot upload (at all) using the Ookla Speedtest app (or any other speedtest app). Seems like they are not able to send traffic. Browsing the web seems to works fine, though. So some data might trickle through, hmmm.
"tcpdump -i em0 -e" on pfSense shows this when running Ookla Speedtest (while downloading) on an Android device:
I wished I could show the a similar tcpdump when Speedtes is uploading, but there's really nothing going on, except a few VLAN 40 packets here and there.
Can the tcpdump only show stuff related to a particular android device? Would make it easier to troubleshoot, as the screen is flooded with regular non-related network traffic.
Yes tcpdump can be filter down to specific machine.. But since you see your tags now, you could just use the gui to capture and not have to use tcpdump at prompt - only reason to use prompt is the gui does not have way to show the layer 2 info that the -e does…
For troubleshooting, I've plugged a windows computer directly into the switch port3 (guest) and set the NIC drivers to VLAN40. This confirms that pfSense/switch is setup correctly, so I don't have to worry about that end at least.
I had another go at tcdump and put it into notepad++ to filter away unrelated entries, but I'm still not sure what I'm looking at. There's definitively some outgoing traffic in VLAN40 from my Android devices, but it's just very little of it. Some of it is directed at the server used for bandwidth testing, but not much traffic at all. It seems like the AP is "throttling"/discarding/dropping traffic, resulting in a very slow (none) upload speed. As mentioned, web surfing works fine.
I'm starting to think there be an issue with the radio firmware on the DAP-1353, making it unsuitable/incompatible with these Android devices. Let's just face it: it's perhaps just a shit AP. It's old. And was inexpensive at them time.
I'm not going to spend a single second troubleshooting this anymore without an alternative AP that can do VLAN, though. I've probably spent over 100 hours so far, and I'm getting really fed up. I'm just gonna order another AP. My WAP121 should arrive tomorrow. If this AP behaves differently (better), at least I know it's the DAP-1353 at fault. I'll post the outcome in this thread for future reference in case someone else has the same issue with the DAP-1353.
Thanks for the halp so far. It's very much appreciated :)
Not the AP I would of ordered.. It's only 2.4 and only has 10/100 interface… Why would not have gone with a unifi UAP-AC-Lite, its dual, gig comes with your poe injector all for $80... Looks like about the same price as that 121 at amazon with the addition of the poe injector..
That for sure I can promise you works with vlans, shoot you can even setup dynamic assigned vlans with radius server that is part of pfsense. They are working on MAB, but still seems to be a work in progress.
Thanks for the feedback. I'll probably go for a UniFi for the main AP here if I decide to get rid of my Asus RT-AC66U at some point (might donate it to someone in the family). I picked this Cisco AP because it was on sale at a local shop here, at roughly 40USD. And because I have some experience with my Cisco switches, I figured it would be good to see how some of their other products work as well.
The guest AP only needs to be 2.4GHz anyway. It's for AirBNB tenants, and throughout the years I have been providing both 2.4GHz and 5GHz, and they hardly ever use the 5GHz anyway (maybe one or two tenants have used 5GHz). Even though there are two SSIDs, they always end up using the 2.4GHz SSID. Dunno why they all go for 2.4GHz really, but it's probably because it's printed first in the how-to on the wall in the AirBNB apartment.
"Even though there are two SSIDs"
"Dunno why they all go for 2.4GHz really"
Users are stupid ;) is Why hehehehe. Just give them the one ssid and let client do 2.4 or 5 on is own or with unifi you can do band steering to get the client over to 5 ;) If you really want be nice about it post up the common one and then put say _24 and _5 on the end for anyone that has some crappy ass client that has problem with the combo ssid..
If your only going to run 1 SSID or even multiple SSID that connect to the same network you really don't even need AP that does vlans… Just let the switch do all traffic on that port on whatever vlan you want to use on pfsense.. AP only needs to be vlan capable when you want to run different SSIDs on different vlans.. If all your wifi clients are going to be on the same network doesn't matter if the AP can tag or not - you can just set the switch to tag it for you to pfsense so pfsense can put that on different network than other networks.
You could do it old school/Jury Rig, MacGyver way with AP 1 on vlan X, and AP 2 on vlan Y, etc..
DAP-1353 a1 sets PVID automatically to 1 as I understand their some old FAQ for some similar models. They suggest to use VLAN1 as management untagged VLAN, but any other you create should be tagged. Anyway I also think that it's better to buy something better than that old DLINK AP that have VLAN feature just for marketing purpose ;D it does not have to work properly in this case.
Ok, I just got my Cisco WAP121… and everything is running super smooth. When you fire up the AP the first time, you are presented with a config wizard; I simply entered VLAN 40 when it asks for the wireless VLAN. Didn't have to touch anything else. And now everything works perfectly. This makes me positive the D-Link DAP-1353 is either broken, bugged, or doesn't comply to the networking standards.
At least the time spent on this "project" wasn't entirely wasted. I've honed my VLAN'ing skills, and learned a couple of new tricks :)
AP only needs to be vlan capable when you want to run different SSIDs on different vlans
I figured I'd need VLAN to separate the web interface from the guests, so I'd be able to config/snmp without having to access their network directly. Could this be done differently, even without VLANs?