first VLAN setup - need help

stimpe

Hello pfsense gurus. I'm creating my first VLAN and I am having difficulty getting it to work.

Goal: to have a guest wifi connect to VLAN3
Problem: client connected to guest wifi is not receiving DHCP address

My network:
WAN > pfsense > cisco SG350-10p managed switch > cisco WAP571 Access Point > guest client laptop

Steps I've taken:

1. in pfsense, created VLAN 3

2. in pfsense, assigned VLAN3 to interface OPT1

3. in pfsense, assigned static ip 192.168.3.1 to OPT1

4. in pfsense, enabled DHCP server on OPT1 interface, with a range

5. in SG350, set port 1 (from pfsense baremetal) to Trunk (for VLAN's)

6. in SG350, set port 7 (to WAP571 AP) to Access

7. in SG350, created VLAN3, VLAN Interface State & Link is reporting Enabled

8. in WAP571, created VLAN3 with Tagged

9. in WAP571, created guest SSID on VLAN3

Reddit thread (with configuration photos)
https://www.reddit.com/r/Cisco/comments/184uuva/first_vlan_setup_need_help/
someone there seems to think its a problem with STP (spanning tree protocol), I've never had to deal with STP or VLAN's so I'm really lost here

I'm confused on whether I set up the VLAN correctly because I've had to create a VLAN3 in pfsense, I had to create VLAN3 in the switch, then I created VLAN3 in my AP. Is this right?
I've spent hours trying to figure this out and I feel like its something minor I'm doing wrong but I'm not seeing what.

viragomann

@stimpe said in first VLAN setup - need help:

Goal: to have a guest wifi connect to VLAN3
Problem: client connected to guest wifi is not receiving DHCP address

My network:
WAN > pfsense > cisco SG350-10p managed switch > cisco WAP571 Access Point > guest client laptop

I assume, the AP also provides other SSIDs alongside of the guest-wifi?

in SG350, set port 1 (from pfsense baremetal) to Trunk (for VLAN's)

in SG350, set port 7 (to WAP571 AP) to Access

Not clear, what "access" means here, but you need both port to be tagged for VLAN3.

stimpe

@viragomann

@viragomann said in first VLAN setup - need help:

@stimpe said in first VLAN setup - need help:

Goal: to have a guest wifi connect to VLAN3
Problem: client connected to guest wifi is not receiving DHCP address

My network:
WAN > pfsense > cisco SG350-10p managed switch > cisco WAP571 Access Point > guest client laptop

I assume, the AP also provides other SSIDs alongside of the guest-wifi?

in SG350, set port 1 (from pfsense baremetal) to Trunk (for VLAN's)

in SG350, set port 7 (to WAP571 AP) to Access

Not clear, what "access" means here, but you need both port to be tagged for VLAN3.

Access/Trunk VLAN Membership Table in SG350 managed switch:
https://ibb.co/KNHWtbp

Yes, the AP provides 3 SSID's: 1-(main users), 2-IoT devices, 3-Guest Wifi

viragomann

@stimpe
Looks well to me so far, but I don't know this switch.
However, for clear segmentation I'd recommend to run all SSIDs on the AP over VLANs.

To verify if the switch is configured properly, connect a VLAN capable computer to port 7 instead of the AP, configure its interface for VLAN3 and set an IP outside of the DHCP range.
On pfSense add a rule to OPT1 to allow access and try to ping its interface IP then from the computer.

stimpe

@viragomann said in first VLAN setup - need help:

@stimpe
Looks well to me so far, but I don't know this switch.
However, for clear segmentation I'd recommend to run all SSIDs on the AP over VLANs.

To verify if the switch is configured properly, connect a VLAN capable computer to port 7 instead of the AP, configure its interface for VLAN3 and set an IP outside of the DHCP range.
On pfSense add a rule to OPT1 to allow access and try to ping its interface IP then from the computer.

Thanks for your input. I will definitely try swapping the AP for a computer on port 7 to see if VLAN3 works there.