WAP Wifi VLAN problem



  • Hi all,

    I have managed to set up multiple vlans for my IP cameras, media streaming and other stuff successfully but have run into a problem with the Wifi VLAN. I have run out of ideas so I am hoping someone can advise.

    Wireless devices can connect to the Wifi network but have no internet so I am presuming a FW issue. Phones etc get allocated a correct IP address via DHCP via the VLAN7_WAP interface. Devices are all in the ARP table. I can access the WAPs and all seems OK there. WAPs are Netgear 720 and set to VLAN7.

    VLAN7_WAP is in an interface group so has the same FW rules as the LAN based VLANs which do have Internet access. I also added an any to any under the WAP interface tab to try to get it to work.

    No floating rules.

    Any ideas please? Do my rules look OK?
    Thanks, Ian



  • LAYER 8 Global Moderator

    What exactly is the point of that bottom rule on your wap interface?

    What is in the wap alias, and how would that rule ever be evaluated since you have wap net any any above it?

    Do you have some downstream networks? You didn't put a gateway on your wan interface did you?

    What does your outbound nat tab show?
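
The rule-order question in the post above, as an added example that is not part of the thread or of pfSense itself: interface rules are evaluated top down and the first match decides, so a rule fully covered by an earlier one is never reached. The ruleset is constructed from the thread's description (192.168.7.0/24, WAPs at .40 and .41); the rule names, the bottom rule's action and the any-protocol simplification are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str               # "pass" or "block"
    sources: list             # CIDR strings; an alias expands to several entries
    dest: str = "0.0.0.0/0"
    enabled: bool = True

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def covers(upper, lower):
    """True if every packet 'lower' could match is already matched by 'upper'."""
    src_ok = all(any(s.subnet_of(u) for u in _nets(upper.sources))
                 for s in _nets(lower.sources))
    dst_ok = ipaddress.ip_network(lower.dest).subnet_of(ipaddress.ip_network(upper.dest))
    return src_ok and dst_ok

def shadowed(rules):
    """(rule, shadowing rule) name pairs for enabled rules that can never be evaluated."""
    active = [r for r in rules if r.enabled]
    hits = []
    for i, lower in enumerate(active):
        for upper in active[:i]:
            if covers(upper, lower):
                hits.append((lower.name, upper.name))
                break
    return hits

def first_match(rules, src, dst):
    """Name and action of the rule that decides a packet; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.enabled and any(s in n for n in _nets(r.sources))
                and d in ipaddress.ip_network(r.dest)):
            return r.name, r.action
    return "default deny", "block"

# Constructed ruleset for the WAP interface tab (names and actions are assumptions).
WAP_RULES = [
    Rule("WAP net any any", "pass", ["192.168.7.0/24"]),
    Rule("WAP alias rule", "pass", ["192.168.7.40", "192.168.7.41"]),
]

if __name__ == "__main__":
    print(shadowed(WAP_RULES))
    print(first_match(WAP_RULES, "192.168.7.40", "8.8.8.8"))
```

The same check matters more when the shadowed rule is a block: it looks like a restriction in the rule list but never takes effect.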



  • Hi John, thanks for speedy feedback.

    What exactly is the point of that bottom rule on your wap interface?

    No point at all; just earlier rubbish not yet deleted which is why it is disabled.

    What is in the wap alias, and how would that rule ever be evaluated since you have wap net any any above it?

    The wap alias is WAP. There are two waps in the group, x.x.7.40 and x.x.7.41. Should the vlan gateway be in there also?

    Do you have some downstream networks?

    Not quite sure what you mean, wifi network?

    You didn't put a gateway on your wan interface did you?

    Think I did. I wouldn't get DHCP otherwise? 192.168.7.0/24

    What does your outbound nat tab show?


  • LAYER 8 Global Moderator

    Typo there on my point - I mean the WAP interface.. Doing so would have broken automatic nat since pfsense would have thought your wap interface was a wan.

    So can devices on your wap network - can they ping pfsense IP 192.168.7.X - prob 1 maybe..

    What is in that alias has ZERO to do with anything.. Can your clients resolve stuff on the internet, ie when your client pings say www.google.com it comes back with an IP right.



  • LAN Clients are OK.
    Wifi clients cannot ping 192.168.7.1, or .40 or .41 (waps). Cannot ping Google as no internet over wifi. When a phone or laptop connects to the wifi an IP in correct range is returned immediately.


  • LAYER 8 Global Moderator

    Well if you can not talk to the gateway pfsense - then you're NEVER going to talk to anything past pfsense, ie the internet..

    Why you have the overly complex group of interfaces I have no idea.

    Why don't you pull your wap interface out of that group and just leave any any on your wap interface until you validate it actually works.

    Do you have any floating rules?



  • I found an error in the WAP config so whilst DHCP and NTP were working, UDP/TCP wasn't. I can now ping locally on VLAN7, VLAN1 (MGT), 8.8.8.8 and the pfsense firewall.

    Pulled out VLAN7 and added allow anything rule for the troubleshooting. Access between 192.168.1.7 and 192.168.1.254 appears to be broken.

    The reasoning for the interface groups is so I don't need to repeat rules across the interfaces. Keeps interface rules minimal.

    I don't have any floating rules.


  • LAYER 8 Global Moderator

    @webrat11 said in WAP Wifi VLAN problem:

    I found an error in the WAP config

    Huh?? And what kind of config was that - a captive portal or something... APs don't firewall..



  • There is a second VLAN id field hidden under the advanced option for each Wifi network profile. Correcting that allowed me to ping across the waps to the firewall but still no internet. I need to research more about the Netgear WAPs' tagged/untagged network option and then will retry next year.

    Thanks for the suggestions.