Port tagging on APU2?

orangehand

That is already set up - Guest SSID with a VLAN tag of 20. A device connected to that SSID gets an IP from the right DHCP pool, but the traffic doesn't get out of the LAN, hence it's useless!

bingo600

@orangehand said in Port tagging on APU2?:

That is already set up - Guest SSID with a VLAN tag of 20. A device connected to that SSID gets an IP from the right DHCP pool, but the traffic doesn't get out of the LAN, hence it's useless!

I suppose you mean WAN ??

Can you ping the pfSense Guest interface from a Wifi client ?
Can you ping 8.8.8.8

JKnott

@orangehand said in Port tagging on APU2?:

That is already set up - Guest SSID with a VLAN tag of 20. A device connected to that SSID gets an IP from the right DHCP pool, but the traffic doesn't get out of the LAN, hence it's useless!

Here's what I have for my rules:

These work well. They block the guest from accessing anything on my network, other than pinging the VLAN3 interface.

orangehand

@bingo600 Yes, I meant out from the LAN to the WAN

bingo600

@orangehand

We are talking about the WiFi clients , that cant access the internet ??
Or did you mean LAN ?

orangehand

@JKnott I'm pretty sure it isn't rules that is the issue. Yours are simply rather more elegant versions of mine! I still cannot get onto the Internet from the guest vlan

bingo600

@orangehand
And you're sure it's not an DNS issue ?

can you ping : dns.google.com
does it resolve ?

Can you ping : 8.8.4.4

orangehand

@bingo600 Yes, Wifi clients. (sorry for delay - it's not letting me post more than once every 2 mins)

orangehand

@bingo600 DNS from DHCP is 1.1.1.1 and 9.9.9.9 and I cannot ping 8.8.8.8 from the Guest SSID, but can from the untagged SSID

bingo600

@orangehand

Can you ping the wifi def-gw (the pfSense Guest interface) from a wifi device ?

If you disable the "bloc access to lan" rule on your wifi nterface , can you ping lan devices ?

bingo600

@orangehand said in Port tagging on APU2?:

@bingo600 Yes, Wifi clients. (sorry for delay - it's not letting me post more than once every 2 mins)

Just gave you 3 likes ... Think your (now) 5 , makes that limit go away

JKnott

@orangehand said in Port tagging on APU2?:

@bingo600 DNS from DHCP is 1.1.1.1 and 9.9.9.9 and I cannot ping 8.8.8.8 from the Guest SSID, but can from the untagged SSID

Take things one step at a time. Can you ping your VLAN interface by IP address, not host name? The WAN port? The ISP's gateway? If those work then your routing is set up correctly. If you then try something like google.com, and it works, then your DNS is OK. This is how you troubleshoot a problem. Otherwise, we have to guess and make suggestions.

bingo600

I suppose JKnott is taking over here
He's repeating most of what i suggested

JKnott

@bingo600

No, just making sure he's not missing anything.

bingo600

@orangehand

Since you don't get the pfSense box as DNS servers on your WiFi clients , you must have changed the default DHCP Server settings.

You haven't changed the DHCP Server Gateway option , have you ?

orangehand

@bingo600 No -

And to follow your checklist, I can ping the VLAN gateway when on the VLAN SSID. I cannot get any further than that.

bingo600

Did you try to remove/disable the LAN block rule on the Guest Vlan ?
Can you then ping the Lan IF , and/or a Lan device ?

Something is fishy ....
Smells of missing or wrong def-gw.

But if you havent touched Anything besides what you have posted in the dhcp screenshot. PfSense should hand out the interface address as def-gw.

And that you can ping.

Hey ...

That screenshot is not DHCP Server , that's the IF
You haven't set any upstream gw on the if ... have you
Dooh missed it was set to none

orangehand

@bingo600 I removed the custom DNS addresses from the DHCP server and that made no difference. What I am wondering is why the SG-1100 has a switch submenu in Interfaces to enable port tagging, and this APU2 does not. Might that be the crux of this?

bingo600

@orangehand said in Port tagging on APU2?:

@bingo600 I removed the custom DNS addresses from the DHCP server and that made no difference.

I expected that , as your DNS servers are on the INET , and INET can't be reached.

What I am wondering is why the SG-1100 has a switch submenu in Interfaces to enable port tagging, and this APU2 does not. Might that be the crux of this?

Nope .. I'm running a Unifi on a pfSense wo. switch menu , and JKnott does the same (see further up).

Your tagging is working , since you get a Guest Ip address (in Vlan 20)

Post a picture of your DHCP Server settings for Guest

You don't have any group or floating rules , do you ?

orangehand

@bingo600 Anything not shown is default