Port tagging on APU2?

bingo600

Do they get an ip belonging to Guest Vlan , or Lan ?

If you have Lan & Guest Vlan on the same IGB1 port , how do you connect both the Lan devices and the Unifi AP ... (To the same port) ??

orangehand

Guest VLAN

bingo600

Don't you have a spare port in the APU , for the Unifi ?
How do you connect that AP

Are you using a switch also ?

Right now you are transporting on (IGB1)
LAN - Untagged
Guest - Tagged Vlan20

It should work for your wifi ...

But how do you connect LAN devices ??

orangehand

I want the untagged normal traffic AND the tagged VLAN traffic to be sent to the switches and the APs, and just the guest access via Wifi by choosing the relevant SSID (if that make sense!)

bingo600

@orangehand

If you have setup a switch correct to receive untagged (lan) and Tagged vlan20,
that would make sense.

Then you have another switch port where the unifi is connected ?

Are you running tagged vlans to the Unifi (ssids)

JKnott

@orangehand said in Port tagging on APU2?:

I just want to get a guest VLAN working. The devices get an IP via the tagged SSID on Unifi, but no traffic passes

I recently set up a Unifi AP with pfsense on an old computer. I had previously set it up for another AP, but it works the same. You add a VLAN to the pfsense interface and use the same VLAN ID at the AP. If you have a managed switch in between, you will also have to configure the same VLAN on the ports connected to pfsense and the AP.

orangehand

That is already set up - Guest SSID with a VLAN tag of 20. A device connected to that SSID gets an IP from the right DHCP pool, but the traffic doesn't get out of the LAN, hence it's useless!

bingo600

@orangehand said in Port tagging on APU2?:

That is already set up - Guest SSID with a VLAN tag of 20. A device connected to that SSID gets an IP from the right DHCP pool, but the traffic doesn't get out of the LAN, hence it's useless!

I suppose you mean WAN ??

Can you ping the pfSense Guest interface from a Wifi client ?
Can you ping 8.8.8.8

JKnott

@orangehand said in Port tagging on APU2?:

That is already set up - Guest SSID with a VLAN tag of 20. A device connected to that SSID gets an IP from the right DHCP pool, but the traffic doesn't get out of the LAN, hence it's useless!

Here's what I have for my rules:

These work well. They block the guest from accessing anything on my network, other than pinging the VLAN3 interface.

orangehand

@bingo600 Yes, I meant out from the LAN to the WAN

bingo600

@orangehand

We are talking about the WiFi clients , that cant access the internet ??
Or did you mean LAN ?

orangehand

@JKnott I'm pretty sure it isn't rules that is the issue. Yours are simply rather more elegant versions of mine! I still cannot get onto the Internet from the guest vlan

bingo600

@orangehand
And you're sure it's not an DNS issue ?

can you ping : dns.google.com
does it resolve ?

Can you ping : 8.8.4.4

orangehand

@bingo600 Yes, Wifi clients. (sorry for delay - it's not letting me post more than once every 2 mins)

orangehand

@bingo600 DNS from DHCP is 1.1.1.1 and 9.9.9.9 and I cannot ping 8.8.8.8 from the Guest SSID, but can from the untagged SSID

bingo600

@orangehand

Can you ping the wifi def-gw (the pfSense Guest interface) from a wifi device ?

If you disable the "bloc access to lan" rule on your wifi nterface , can you ping lan devices ?

bingo600

@orangehand said in Port tagging on APU2?:

@bingo600 Yes, Wifi clients. (sorry for delay - it's not letting me post more than once every 2 mins)

Just gave you 3 likes ... Think your (now) 5 , makes that limit go away

JKnott

@orangehand said in Port tagging on APU2?:

@bingo600 DNS from DHCP is 1.1.1.1 and 9.9.9.9 and I cannot ping 8.8.8.8 from the Guest SSID, but can from the untagged SSID

Take things one step at a time. Can you ping your VLAN interface by IP address, not host name? The WAN port? The ISP's gateway? If those work then your routing is set up correctly. If you then try something like google.com, and it works, then your DNS is OK. This is how you troubleshoot a problem. Otherwise, we have to guess and make suggestions.

bingo600

I suppose JKnott is taking over here
He's repeating most of what i suggested

JKnott

@bingo600

No, just making sure he's not missing anything.