vLan for IoT stuff(s) - no DHCP
-
I'm most likely doing something wrong... I have an SG-3100 I just had to rebuild due to a corrupted pfSense upgrade that forced me to re-install the entire 3100 OS, so I figured I'd go ahead and bite the proverbial bullet and add an IoT vlan while I was re-creating everything to get my network back up.
I'm using the default "untagged" network for local computers and such plus a tagged vlan for work-from-home equipment that's working just fine. While setting up a new IoT VLAN, I'm not getting any DHCP assigned addresses on any devices connected to that VLAN.
Here's what I have:
IoT VLAN is set up on two Netgear WAX Access points (one WAX610 and a larger WAX630) via 2 different SSIDs. The default SSID is untagged, the new SSID is tagged with VLAN 10. Since both APs are PoE through a managed Unifi switch and serving both tagged and untagged traffic each, I left the Unifi switch to "ALL" (instead of binding a port to a specific internal Unifi defined network). Untagged traffic is passing through the Unifi switch just fine. But, as mentioned, the TAGGED traffic isn't getting a DHCP issued IP address, so I'm not even sure it's getting through the switch to pfSense to get an IP. My work vlan, as mentioned, is doing something similar, only its port is tagged with another appropriate tagged trunk port set up in a 2nd managed switch and does work just fine; so... I did what I thought was right and basically duplicated that effort in pfSense thinking it should work similarly... NOPE!
Here's a screenshot of how my vlans are defined in pfSense:
-
vlan 20 is connected to a switch on physical port 3 on the back of the Netgate. Reiterating: This one works as expected.
-
vlan 10 is the IoT vlan that is connected to a separate (also managed) switch on physical port 1 on the back of the Netgate, and DOESN'T work; but only for tagged traffic; untagged traffic works fine.
The only real difference is the APs are both using the same managed Unifi switch on 2 different Unifi ports and connected to Netgate port 1, vs. vlan 20 on a smaller Netgear managed switch using port tagging instead (802.1q).
Here are the interface assignments:
As are Interface VLANs:
DHCP is set accordingly and identically on both vlans in pfSense with the only difference being the IP range (I didn't think you'd want me to paste 3 additional printscreens of the same data w/ different IP ranges).
Firewall rules are basic at this point, but only differ slightly between the working (workvlan):
...and the not working (iotvlan):
(aside from a rule allowing LAN traffic to hit IoT devices and IoT devices only access to my HomeAssistant instance on LAN). All I get on any of the IoT devices is a log message:
Event: Disconnected ssid="iotssid" bssid="<obfuscated>" reason="4-Way Handshake Timeout"
I'm at a loss as to where to look... any suggestions from all of you more experienced with this than I am?
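The disconnect event quoted above is the most useful clue in the post, because a "4-Way Handshake Timeout" happens at the WPA layer, before the client has a link at all, so no DHCP Discover is ever sent and the VLAN and DHCP configuration cannot be the cause yet (the thread's own follow-up confirms this). As an added illustration that is not part of the original post, the script below parses log lines in the same `Event: ... ssid= bssid= reason=` shape, classifies per SSID which stage clients are stuck at, and reports which layer to check next. The sample log lines, the SSID and BSSID values, and the helper names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, in the same shape as the line quoted in the post.
# SSIDs/BSSIDs are placeholders (documentation MAC range), not real devices.
SAMPLE_LOG = """\
Event: Connected ssid="workssid" bssid="00:00:5e:00:53:01"
Event: Disconnected ssid="iotssid" bssid="00:00:5e:00:53:02" reason="4-Way Handshake Timeout"
Event: Disconnected ssid="iotssid" bssid="00:00:5e:00:53:02" reason="4-Way Handshake Timeout"
Event: Disconnected ssid="guestssid" bssid="00:00:5e:00:53:03" reason="Deauthenticated"
"""

EVENT_RE = re.compile(
    r'Event:\s+(?P<event>\w+)\s+ssid="(?P<ssid>[^"]*)"\s+bssid="(?P<bssid>[^"]*)"'
    r'(?:\s+reason="(?P<reason>[^"]*)")?'
)

# Disconnect reasons mapped to the layer they point at. Only the reason that
# appears in the post is mapped here; anything else is reported as unknown.
REASON_LAYER = {
    # Client never finished the WPA 4-way handshake: typically a PSK or
    # security-mode mismatch. No IP traffic has been attempted at this point.
    "4-way handshake timeout": "wpa_handshake",
}

# What to look at next for each stage (defender-side triage order).
NEXT_CHECK = {
    "wpa_handshake": "Verify the PSK and security mode on the SSID and the client; "
                     "the client has no link yet, so VLAN/DHCP settings are not in play.",
    "associated": "Client has a link: capture on the pfSense VLAN interface for "
                  "DHCP Discover (UDP 67/68) to see whether tagged frames arrive.",
    "unknown": "Unmapped disconnect reason: read the AP log for the reason text.",
    "no_events": "No events for this SSID: confirm the client is trying that SSID at all.",
}


@dataclass
class WifiEvent:
    event: str
    ssid: str
    bssid: str
    reason: Optional[str]


def parse_events(text: str) -> List[WifiEvent]:
    """Parse every recognised Event line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(WifiEvent(m["event"], m["ssid"], m["bssid"], m["reason"]))
    return events


def stage_for_ssid(events: List[WifiEvent], ssid: str) -> str:
    """Classify the most recent event for an SSID into a troubleshooting stage."""
    mine = [e for e in events if e.ssid == ssid]
    if not mine:
        return "no_events"
    last = mine[-1]
    if last.event == "Connected":
        return "associated"
    if last.event == "Disconnected":
        reason = (last.reason or "").strip().lower()
        return REASON_LAYER.get(reason, "unknown")
    return "unknown"


def triage(text: str) -> dict:
    """Return {ssid: (stage, next check)} for every SSID seen in the log."""
    events = parse_events(text)
    ssids = sorted({e.ssid for e in events})
    return {s: (stage_for_ssid(events, s), NEXT_CHECK[stage_for_ssid(events, s)])
            for s in ssids}


if __name__ == "__main__":
    for ssid, (stage, advice) in triage(SAMPLE_LOG).items():
        print(f"{ssid:12} {stage:14} {advice}")
```

Run it as-is to see the constructed log classified; pointing `triage` at a real AP or client log of the same shape gives the same per-SSID stage, and a client that shows as `associated` but still gets no lease is the case where the 802.1Q tagging and pfSense DHCP scope are worth looking at next.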
-
-
My apologies... disregard this entire thread... I'm such a dumbass!!! I had a typo in my PSK that was preventing anything from associating with the APs!