Trying to setup Guest VLAN but not working
-
Hi,
I'm hoping you guys can help me. I am trying to setup a WiFi network which has no access to any of my other LAN devices. I just want the network to only be able to get out to the internet and not even communicate with anything else.
I have followed a YouTube video on how to do this here:
https://www.youtube.com/watch?v=hhPGN4UJHAM
I have a Ubiquiti UAP Access point and PfSense installed. I also have a Managed switch which I have assigned the correct ports and VLANs to (I believe). My normal LAN network has a DHCP server running on a Windows Server 2012 OS. However, I want my Guest VLAN Network to use the DHCP on the PfSense router.
Currently I have it all setup like in the video but when connecting to the guest WiFi network or plugging into a port on the switch which is Untagged on VLAN 80, I don't receive an IP address despite the DHCP running on the right interface on PfSense. Also when setting the Static IP I don't have any internet access.
I am happy to provide any logs/screenshots you require as long as you tell me where I need to navigate to to get them.
Thanks in advance!
Edit; The switch I am using is a ZyXel GS1900-24E
-
First off, do you have DHCP running on the VLAN? Also, you say you have an untagged port on VLAN 80, which connects to the AP. this is not the way it's normally done. You use a trunk port to the AP, which would carry both main and VLAN traffic to the AP. The AP is then configured to use VLAN 80 for the guest Wifi.
-
Hi @JKnott
Thanks for getting back to me, I have DHCP setup on the GuestVLAN interface which I have included a screenshot below showing the setup for this.
All other settings are left blank. Also, on the switch I have enabled Port Trunk on Port 22 which is the AP. I have also included screenshots of this. For context I have included a list of the relevant ports.
Port 5 - Apple TV I want on the Guest VLAN
Port 22 - Ubiquiti AP
Port 2 - LAN Port on PfSense
Port 17 - Another port I want on GuestVLAN for testing
If you require any more info just let me know.
-
One thing I like to do is use port mirroring, where you can pass all traffic from 1 port to another, where you connect a computer running Wireshark. This allows you to see exactly what's happening. You should see the DHCP sequence with that. If you don't see it or some portion, that will provided clues as to where the problem is. I expect your switch should support that.
BTW, I have a Cisco switch on my LAN, which I can configure for port mirroring and have done so several times. I also have a 5 port managed switch, configured for mirroring, which I can insert into any Ethernet connection. Works well.
-
Hi @JKnott
, I sent you a private message, it may be best if we get this sorted on chat as it may be quicker. -
I generally don't use chat here. Also, it's better to keep things in the thread so others can help or learn.
-
Ok no problem, I can't see anywhere how to setup port mirroring on my switch. Although I do know that none of my devices are getting a DHCP lease and even when assigning a static IP of 192.168.0.20 I still cannot access the internet.
Therefore I do believe there is an issue with it being able to communicate to the PfSense DHCP Server.
-
Well, it's not that difficult. You enable the DHCP server on the VLAN interface. Then configure the switch to pass the VLAN through a trunk port to the AP, which must be configured for the same VLAN. Generally, you'd have one SSID for the main LAN and another for the VLAN. You can test by configuring a switch port on VLAN 80, plugging in a computer and seeing if it gets DHCP. You might also be able to configure a computer to use a VLAN and use it to check that trunk port.
I'm not familiar with your switch, so I can't advise you on it. Perhaps someone else here can. However, I have never seen a managed switch that didn't support port mirroring. Even my crappy 5 port TP-Link switch does.
-
DHCP is already enabled on the VLAN interface. I have configured port 17 on the switch to VLAN 80 on Untagged and set the VLID to 80. However, the computer does not get a DHCP when plugging into this port. What should I have port 2 set to? Port 2 is my LAN on pfSense. I thought this would be Tagged for both VLAN 80 and VLAN 1, however when doing this it knocks off my entire LAN and cannot access any other devices or the internet. I currently have it set to Tagged on VLAN 80 and Untagged on VLAN 1 and this seems to allow my VLAN 1 to work but nothing on VLAN 80
Hope that makes sense.
-
Have you checked your switch manual? Sections 9.2 & 9.3 seem to cover what you're trying to do.
-
@JKnott Yes I read through the instructions and everything I have done seems to be right. I do feel the issue lies with the PfSense setup.
-
I don't know how, if you've set up DHCP. It just works. Configuring DHCP on a VLAN is no different than on an Ethernet port. Do you have a computer you can configure for VLAN 80? If so, just plug it into the LAN side of the pfSense box and see what happens.
