How to make use of VLANs

kcallis

I am using a Netgate APU with both the LAN and OPT1 interface connected to a Netgear GS108E. Also connected to the switch is connected a TL-Link WA901ND Access Point which I setup with 4 separate SSID and VLAN tagging. For the most part, I use only wireless at the house so I thought I would setup my wireless AP using the layout found at https://nguvu.org/pfsense/pfsense-baseline-setup/, but seemed to be setup with a wired deployment. Reading https://nguvu.org/pfsense/pfsense-router-on-a-stick-with-netgear-gs108/ only added more confusion to the issue.

Under my pfsense configuration, I created 4 VLAN interfaces using the re0 as parent. I have setup DHCP servers for all of the interfaces, and started working for rules, etc. On the TL-Link AP, I have setup 4 SSID and tagged each with a VLAN tag. I have setup under the GS108 I have setup VLANs 1, 20, 50, 100 on port 2 where the AP is connected, with VLAN 1 untagged, and 20, 50, 100 tagged. So do I need to setup port 1 on the switch to also be setup like port 2 (with VLANs 1, 20, 50 and 100) since I have port 1 connected to the OPT1 port or should I just connect the AP to OPT1? But if I plug the AP into the OPT1, would I be able to use the other ports to access the VLANs that I created?

JKnott

You have to set up a trunk port on the switch to connect to the AP and also pfSense. This will allow it to carry all VLANs. You then configure pfSense with VLANs. However, I have that same AP and it doesn't handle VLANs/SSIDs well. TP-Link doesn't seem to understand the concept of VLANs and how they're supposed to be logically separate. As I result, traffic from the native LAN will be mixed in with the VLAN. After much frustration, I gave up on the idea of VLANs & multiple SSIDs on it.

BTW, I had a lot of discussion with first level support about this issue and that person insisted it was normal. It was only the person at 2nd level support who understood the problem, but there was no fix forthcoming.

johnpoz

there is bunch of discussion in another thread heard about the tplink switches and a hack to remove the vlan 1 nonsense.

But I would suggest you get a different switch the dsg1100 from dlink is same price point and handles vlans correctly.

I have lack of confidence that the tp-link AP handles vlans correctly either. I would suggest another AP, the unifi line handles vlans correctly. And very reasonable priced.

JKnott

Another possibility is the D-Link DAP-2660. While I haven't used this AP, I trust D-Link, more than I do TP-Link, to handle VLANs properly.
http://ca.dlink.com/products/access-points/wireless-ac1200-simultaneous-dual-band-poe-access-point/

kcallis

Thanks for the suggestions… I have just did a factory reset and for the time I will just use the TL-Link as a simple AP until I move over to something else.

kcallis

@johnpoz:

there is bunch of discussion in another thread heard about the tplink switches and a hack to remove the vlan 1 nonsense.

But I would suggest you get a different switch the dsg1100 from dlink is same price point and handles vlans correctly.

I have lack of confidence that the tp-link AP handles vlans correctly either. I would suggest another AP, the unifi line handles vlans correctly. And very reasonable priced.

The issue is not with the switch (which is a Netgear GS108E) which working fine, it seems to be an issue with the TL-Link AP and it's poor understanding of VLANS.

JKnott

The issue is not with the switch (which is a Netgear GS108E) which working fine, it seems to be an issue with the TL-Link AP and it's poor understanding of VLANS.

While your issue may be about the AP, the overall point is that TP-Link should be avoided when VLANs are going to be used. As I mentioned, they don't seem to understand them. Regardless, when you get an AP that properly supports VLANs, you will still have to configure the switch with trunk ports for both pfSense and the AP.

kcallis

@JKnott:

You have to set up a trunk port on the switch to connect to the AP and also pfSense. This will allow it to carry all VLANs. You then configure pfSense with VLANs. However, I have that same AP and it doesn't handle VLANs/SSIDs well. TP-Link doesn't seem to understand the concept of VLANs and how they're supposed to be logically separate. As I result, traffic from the native LAN will be mixed in with the VLAN. After much frustration, I gave up on the idea of VLANs & multiple SSIDs on it.

BTW, I had a lot of discussion with first level support about this issue and that person insisted it was normal. It was only the person at 2nd level support who understood the problem, but there was no fix forthcoming.

What I was able to do was to more or less replicated port 1 that is the trunk back to the OPT1 and did the same on port 2 with the TL-Link AP connected. At first, everything was moving along well, VLAN 15 (My wireless access to the net) gave out an address and the same is true with VLAN 50 (which are my streaming devices). I was able to see the SSIDs so it looked like a win. I have been banging around with the firewall rules because not a single rule seems to be working. For instance, I am able to get a receive an address and I am able to ping each of the gateway of each interface, but as for as pinging other devices, it is a no go. I am also not able to route through the WAN, so no internet for me right now.

johnpoz

Lets see your rules..

kcallis

@johnpoz:

Lets see your rules..

I have attached what I am working with…

guest_rules.PNG_thumb

wan_rules.PNG_thumb

Derelict

You are passing all traffic from the Guest network. If your Layer 2 is good, you have good DHCP, good DNS, and have good outbound NAT it should be working.

kcallis

Thanks for all of the pointers from everyone. I decided to forgo the VLAN multi SSID feature of the TL-Link AP and move it over to the LAN. I do have a Ubiquiti NanoStation loco M2 that I thought that I would swap with the TL-Link, but until I can understand the VLAN process, I will save that for another time.