Cannot get Wifi/DHCP on VLAN
-
Hi,
I need to setup a guest network with no access to the internal network.
My setup is:
Internal network: 192.168.1.0/24, gw:192.168.1.1
VLAN 102: (Unifi Network) 192.168.4.1, gw: 192.168.4.1
(switch is VLAN aware)
On the Unifi Controller I turned on Network Isolation for the Wifi, and set the gw to 192.168.4.1/24.
On Netgate: created a new interface OP4, static ip: 192.168.4.1
Created a DHCP and enabled it on OPT2, 192.168.4.2->.10
DNS: 1.1.1.1
Created a Firewall rule on OPT2, allow everything on IPv4 (until I get the connectivity working).
I can connect to the SSID, however I get a "no internet connection" from iOS. Checking the connection I have a 169.254.26.137 IP address, which usually means DHCP failed to get an IP.
(Cellular is turned off) However using Net Analyzer app I can ping 192.168.4.1 and 1.1.1.1 but cannot resolve any IPs.
Any thoughts on what could be going on?
-
Update:
I tried this on a RedHat 8 laptop and could not ping anything, so I'm assuming it's a funky iOS thing that lets me ping around.
-
@aram535 said in Cannot get Wifi/DHCP on VLAN:
I need to setup a guest network with no access to the internal network.
Hi,
I see you have been left "hanging" for a long time, so I can help you with this:
-
https://www.youtube.com/watch?v=LNAAfja_ZOY
-
https://community.ui.com/questions/Guest-wifi-with-VLAN-isolation-using-Unifi-AP-and-pfSense-without-a-switch/b2a73a6b-a508-49f2-bd95-d6423dd0f7d9
These are not problematic settings, but if someone guides you and you learn this way, all the knowledge will be yours....
-
@aram535 said in Cannot get Wifi/DHCP on VLAN:
On Netgate: created a new interface OP4, static ip: 192.168.4.1
Created a DHCP and enabled it on OPT2, 192.168.4.2->.10
DNS: 1.1.1.1
Created a Firewall rule on OPT2, allow everything on IPv4 (until I get the connectivity working).
It would appear that you've configured services and created rules on the wrong interface (OPT2 vs OPT4). Or am I missing something?
I would also re-verify the VLAN you have assigned to your SSID.
(switch is VLAN aware)
This statement raises suspicion for me. What model switch are you using? You really should be using a managed switch that supports VLAN tagging. Also, the switchports connected to your APs should be trunked (or tagged with the appropriate VLANs)... has this been done?
-
@marvosa said in Cannot get Wifi/DHCP on VLAN:
What model switch are you using?
To the best of my knowledge this is not relevant info, because all switches should work like this:
https://en.wikipedia.org/wiki/Virtual_LAN
-
@jknott What is the "Private" and "Prefix" destinations you have defined?
-
It would appear that you've configured services and created rules on the wrong interface (OPT2 vs OPT4). Or am I missing something?
I would also re-verify the VLAN you have assigned to your SSID.
My apologies, that's a typo, it's just OPT2 (new guest vlan/net)
(switch is VLAN aware)
This statement raises suspicion for me. What model switch are you using? You really should be using a managed switch that supports VLAN tagging. Also, the switchports connected to your APs should be trunked (or tagged with the appropriate VLANs)... has this been done?
T1600G-28TS 3.0, it is VLAN aware, the port is auto-tagged as VLAN 1 which is everything I believe. The Ubiquiti network that is the guest network on that AP is also tagged, and the network is 192.168.4.0/24 (OPT2 Static-IP: 192.168.4.1).
-
@aram535 said in Cannot get Wifi/DHCP on VLAN:
auto-tagged as VLAN 1 which is everything I believe
No.. That is not what it means..
You need to correctly configure your switch..
-
They are described in the rule comments. However, "Private" is an alias for all RFC1918 addresses on IPv4 and all Unique Local Addresses on IPv6. "Prefix" refers to my entire /56 prefix on IPv6. So, anything in those two ranges is rejected.
-
@johnpoz said in Cannot get Wifi/DHCP on VLAN:
No.. That is not what it means..
You need to correctly configure your switch..
Adding VLAN 102 to the port on the switch did not change anything.
-
Just to sum the final results.
For VLANs to work on an AP, the AP must be attached to a UniFi switch, USG, or UDM (or Pro). From the sound of it, it needs to be a Unifi layer 3 device too, a switch that is VLAN aware is not enough.
-
@aram535 said in Cannot get Wifi/DHCP on VLAN:
the AP must be attached to a UniFi switch, USG, or UDM (or Pro)
NO - not true at all... While you do need a vlan capable switch, and it has to be correctly configured for your vlans. It sure and the hell does not need to be unifi anything.
basic setup steps
Pfsense has lan interface
Create vlan on lan interface, tag it lets say 102 (setup network for vlan 102, enable dhcpd on vlan 102, etc.)
switch - create vlan 102, default vlan would normally be 1 (untagged native vlan)
(pfsense) lan port -- vlan1 U, vlan 102 Tagged -- port X (switch)
port Y -- vlan 1 U, vlan 102 T -- AP
There you go.. Done.
wifi
SSIDX = untagged
SSIDY = vlan ID 102
client
Connect to ssidY be on vlan 102
Connect to ssidX be on lan network.
-
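An added example (not johnpoz's or pfSense's code) that checks the path just described hop by hop: pfSense VLAN interface with DHCP, switch port X facing pfSense, switch port Y facing the AP, and the SSID's VLAN id. The port names, the `check_ssid` helper and both scenarios are constructed; the first scenario reproduces the "port only has VLAN 1" state reported earlier in the thread.

```python
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    name: str
    untagged: int                              # native / PVID VLAN
    tagged: set = field(default_factory=set)   # VLANs carried with 802.1Q tags

    def carries(self, vlan: int, tagged: bool) -> bool:
        return vlan in self.tagged if tagged else vlan == self.untagged


def check_ssid(ssid_vlan, pfsense_vlans, native_vlan, port_x, port_y, dhcp_on):
    """Return a list of problems; an empty list means the VLAN is consistent.
    ssid_vlan: None for an untagged SSID, else the 802.1Q id set on the AP.
    pfsense_vlans: VLAN ids that exist as interfaces on the pfSense LAN parent.
    dhcp_on: mapping of VLAN id -> whether its DHCP server is enabled.
    """
    problems = []
    if ssid_vlan is None:
        # An untagged SSID rides the native VLAN; both ports must agree on it.
        for port in (port_x, port_y):
            if port.untagged != native_vlan:
                problems.append(f"{port.name} native VLAN is not {native_vlan}")
        return problems
    if ssid_vlan not in pfsense_vlans:
        problems.append(f"pfSense has no VLAN {ssid_vlan} interface on LAN")
    elif not dhcp_on.get(ssid_vlan, False):
        problems.append(f"DHCP server not enabled on VLAN {ssid_vlan}")
    for port in (port_x, port_y):   # every hop must carry the id *tagged*
        if not port.carries(ssid_vlan, tagged=True):
            problems.append(f"{port.name} does not carry VLAN {ssid_vlan} tagged")
    return problems


def broken_scenario():
    # Constructed: AP-facing port left at VLAN 1 only, nothing tagged.
    x = SwitchPort("port X (pfSense)", untagged=1, tagged={102})
    y = SwitchPort("port Y (AP)", untagged=1)
    return check_ssid(102, {102}, 1, x, y, {102: True})


def fixed_scenario():
    # Constructed: VLAN 102 tagged on both ports, DHCP enabled on the VLAN.
    x = SwitchPort("port X (pfSense)", untagged=1, tagged={102})
    y = SwitchPort("port Y (AP)", untagged=1, tagged={102})
    return check_ssid(102, {102}, 1, x, y, {102: True})
```

Run `broken_scenario()` and `fixed_scenario()` to see the difference between the reported state and the working one; a DHCP client on the SSID only gets a lease when the list is empty.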
Mine works fine with a VLAN through a Cisco switch.
-
@jknott I removed my switch from the solution completely and plugged the UniFi AP directly into OPT1. It still didn't work, could not get an IP address from the DHCP server on the NetGate.
I then disabled the DHCP server on the NetGate and added it to the Unifi's AP directly (or controller really) and still can't get an IP address so that's a fully internal UniFi issue it seems, maybe the AP-Lite is the issue.
-
@johnpoz I'm just repeating what the support tech posted in the chat, I agree that it doesn't make any sense.
-
@aram535
Your immediate issue is infrastructure related. First, you need a switch that supports tagged VLANs. I'm not sure who mentioned it, but no... it does not have to be UniFI... it can be any brand that supports tagged VLANs (e.g. Cisco, UniFi, HP, etc)... just stay AWAY from TP-Link! LoL!
Second, everything needs to be configured correctly from end to end... much like @johnpoz described
To the best of my knowledge this is not relevant info, because all switches should work like this:
https://en.wikipedia.org/wiki/Virtual_LAN
The functionality of the switch being used is completely relevant. You may want to do some more research on switching and VLANs.
-
I use the DHCP server on pfsense. When you're using VLANs, you have to ensure the VLAN IDs match in every device. For example, my guest WiFi is on VLAN3. I have my AP, pfsense and the switch ports connected to pfsense and my AP configured for VLAN 3. The VLAN interface, in pfsense, also has a DHCP server configured.
-
@marvosa said in Cannot get Wifi/DHCP on VLAN:
First, you need a switch that supports tagged VLANs.
Actually, no. An unmanaged switch will pass VLAN tags, but managed is recommended.
-
@aram535 said in Cannot get Wifi/DHCP on VLAN:
I removed my switch from the solution completely and plugged the UniFi AP directly into OPT1. It still didn't work, could not get an IP address from the DHCP server on the NetGate.
Because (one of) your SSID's was still tagging ?
You should also 'reset' the AP, or redo the SSID without any 'VLAN' options.
If it still doesn't work, waste-bucket the AP.
This :
@aram535 said in Cannot get Wifi/DHCP on VLAN:
Created a Firewall rule on OPT2, allow everything on IPv4 (until I get the connectivity working).
is the good approach.
But this :
DNS: 1.1.1.1
is a bad one.
First, you set up a working network without ever entering any DNS related information.
pfSense, out of the box, handles DNS perfectly well without info from you, your ISP, some Youtube video or whatever other source, it always works without any needed initial DNS settings (addresses).
Then, when you're good, and you really have a lot of free time to lose, you start fiddling with "DNS" ;)