Cannot get Wifi/DHCP on VLAN

JKnott · Jun 20, 2021, 2:36 PM

Here are my rules for my guest WiFi:

marvosa · Jun 20, 2021, 4:33 PM

@aram535 said in Cannot get Wifi/DHCP on VLAN:

On Netgate: created a new interface OP4, static ip: 192.168.4.1
Created a DHCP and enabled it on OPT2, 192.168.4.2->.10
DNS: 1.1.1.1
Created a Firewall rule on OPT2, allow everything on IPv4 (until I get the connectivity working).

It would appear that you've configured services and created rules on the wrong interface (OPT2 vs OPT4). Or am I missing something?

I would also re-verify the VLAN you have assigned to your SSID.

(switch is VLAN aware)

This statement raises suspicion for me. What model switch are you using? You really should be using a managed switch that supports VLAN tagging. Also, the switchports connected to your AP's should be trunked (or tagged with the appropriate VLANs)... has this been done?

DaddyGo · Jun 20, 2021, 4:41 PM

@marvosa said in Cannot get Wifi/DHCP on VLAN:

What model switch are you using?

To the best of my knowledge this is not relevant info, because all switches should work like this:
https://en.wikipedia.org/wiki/Virtual_LAN

aram535 · Jun 21, 2021, 10:06 AM

@jknott What is the "Private" and "Prefix" destinations you have defined?

aram535 · Jun 21, 2021, 10:14 AM

It would appear that you've configured services and created rules on the wrong interface (OPT2 vs OPT4). Or am I missing something?
I would also re-verify the VLAN you have assigned to your SSID.

My apologies, that's a typo, it's just OPT2 (new guest vlan/net)

(switch is VLAN aware)

This statement raises suspicion for me. What model switch are you using? You really should be using a managed switch that supports VLAN tagging. Also, the switchports connected to your AP's should be trunked (or tagged with the appropriate VLANs)... has this been done?

T1600G-28TS 3.0, it is VLAN aware, the port is auto-tagged as VLAN 1 which is everything I believe. The Ubiquity network that is the guest network on that AP is also tagged, and the network 192.168.4.0/24 (OPT2 Static-IP: 192.168.4.1).

johnpoz · Jun 21, 2021, 2:25 PM

@aram535 said in Cannot get Wifi/DHCP on VLAN:

auto-tagged as VLAN 1 which is everything I believe

No.. That is not what it means..

You need to correctly configure you switch..

JKnott · Jun 21, 2021, 10:54 AM

@aram535

They are described in the rule comments. However, "Private" is an alias for all RFC1918 addresses on IPv4 and all Unique Local Addresses on IPv6. "Prefix" refers to my entire /56 prefix on IPv6. So, anything in those two ranges is rejected.

aram535 · Jun 21, 2021, 2:25 PM

@johnpoz said in Cannot get Wifi/DHCP on VLAN:

No.. That is not what it means..
You need to correctly configure you switch..

Adding VLAN 102 to the port on the switch did not change anything.

aram535 · Jun 24, 2021, 12:32 PM

Just to sum the final results.

For VLANs to work on an AP, the AP must be attached to a UniFi switch, USG, or UDM (or Pro). From the sound of it, it needs to be a Unifi layer 3 device too, a switch that is VLAN aware is not enough.

johnpoz · Jun 24, 2021, 3:44 PM

@aram535 said in Cannot get Wifi/DHCP on VLAN:

the AP must be attached to a UniFi switch, USG, or UDM (or Pro)

NO - not true at all... While you do need a vlan capable switch, and it has to be correctly configured for your vlans. It sure and the hell does not need to be unifi anything.

basic setup steps
Pfsense has lan interface
Create vlan on lan interface, tag it lets say 102 (setup network for vlan 102, enable dhcpd on vlan 102, etc.)
switch - create vlan 102, default vlan would normally be 1 (untagged native vlan)

(pfsense) lan port -- vlan1 U, vlan 102 Tagged -- port X (switch) port Y -- vlan 1 U, vlan 102 T -- AP

There you go.. Done.

wifi
SSIDX = untagged
SSIDY = vlan ID 102

client
Connect to ssidY be on vlan 102
Connect to ssidX be on lan network.

JKnott · Jun 24, 2021, 1:11 PM

@aram535

Mine works fine with a VLAN through a Cisco switch.

aram535 · Jun 24, 2021, 3:20 PM

@jknott I removed my switch from the solution completely and plugged the UniFi AP directly into OPT1. It still didn't work, could not get an IP address from the DHCP server on the NetGate.

I then disabled the DHCP server on the NetGate and added it to the Unifi's AP directly (or controller really) and still can't get an IP address so that's a fully internal UniFi issue it seems, maybe the AP-Lite is the issue.

aram535 · Jun 24, 2021, 3:44 PM

@johnpoz I'm just repeating what the support tech posted in the chat, I agree that it doesn't make any sense.

marvosa · Jun 24, 2021, 4:00 PM

@aram535
Your immediate issue is infrastructure related. First, you need a switch that supports tagged VLANs. I'm not sure who mentioned it, but no... it does not have to be UniFI... it can be any brand that supports tagged VLANs (e.g. Cisco, UniFi, HP, etc)... just stay AWAY from TP-Link! LoL!

Second, everything needs to be configured correctly from end to end... much like @johnpoz described

@DaddyGo:

To the best of my knowledge this is not relevant info, because all switches should work like this:

https://en.wikipedia.org/wiki/Virtual_LAN

The functionality of the switch being used is completely relevant. You may want to do some more research on switching and VLANs.

JKnott · Jun 24, 2021, 4:01 PM

@aram535

I use the DHCP server on pfsense. When you're using VLANs, you have to ensure the VLAN IDs match in every device. For example, my guest WiFi is on VLAN3. I have my AP, pfsense and the switch ports connected to pfsense and my AP configured for VLAN 3. The VLAN interface, in pfsense, also has a DHCP server configured.

JKnott · Jun 24, 2021, 4:02 PM

@marvosa said in Cannot get Wifi/DHCP on VLAN:

First, you need a switch that supports tagged VLANs.

Actually, no. An unmanaged switch will pass VLAN tags, but managed is recommended.

Gertjan · Jun 24, 2021, 4:04 PM

@aram535 said in Cannot get Wifi/DHCP on VLAN:

I removed my switch from the solution completely and plugged the UniFi AP directly into OPT1. It still didn't work, could not get an IP address from the DHCP server on the NetGate.

Because (one of) your SSID's was still tagging ?
You should also 'reset' the AP, or redo the SSID without any 'VLAN' options.
If it still doesn't work, waste-buckeyt the AP.

This :
@aram535 said in Cannot get Wifi/DHCP on VLAN:

Created a Firewall rule on OPT2, allow everything on IPv4 (until I get the connectivity working).

is the good approach.
But this :

DNS: 1.1.1.1

is a bad one.

First, you set up a working network without ever entering any DNS related information.
pfSense, out of the box, handles DNS perfectly well without info from your, your ISP, some Youtube video or whatever other source, it always works without any needed initial DNS settings (addresses).
Then, when you're good, and you really have a lot of free time to lose, you start fiddling with "DNS" ;)

marvosa · Jun 24, 2021, 4:40 PM

@jknott said in Cannot get Wifi/DHCP on VLAN:

@marvosa said in Cannot get Wifi/DHCP on VLAN:

First, you need a switch that supports tagged VLANs.

Actually, no. An unmanaged switch will pass VLAN tags, but managed is recommended.

Are there some scenarios when deploying some backyard boogie hardware may allow some frames to get to where they need to be... I guess anything's possible... but it's not where I would start.

I would also ask this... on a typical unmanaged switch, all of the ports are in the same broadcast domain (i.e. VLAN 1 untagged), so if you have multiple VLANs (e.g. 5) configured on PFsense, and the LAN interface is then plugged into an unmanaged switch, and then you have multiple endpoint devices (e.g. 5) plugged into that unmanaged switch... all which are configured on different subnets and supposed to be on different VLANs... how is the switch going to know which broadcast domain to send the frames to when you can't change the PVID on the ports?

JKnott · Jun 24, 2021, 5:14 PM

@marvosa

All VLANs that are present will be passed to all switch ports and devices connected to the network have to be able to connect to the desired VLAN. For example, I could configure an interface with a VLAN and then configure that VLAN for IP address etc., but not the native LAN. While computers can generally do that, many other devices can't. It's not recommended, but it is possible.

When planning a network, you should know what devices can do, so you're not surprised.

marvosa · Jun 24, 2021, 8:06 PM

@jknott said in Cannot get Wifi/DHCP on VLAN:

All VLANs that are present will be passed to all switch ports

That's not entirely accurate. It depends on the switch. Some unmanaged switches drop the tagged frames while others strip the tag. Some pass the frame unchanged, yes, but you'll just create a troubleshooting nightmare for yourself trying to use an unmanaged switch as a workaround for best practices.