VLAN Wi-Fi AP not getting DHCP addresses
-
My client’s Netgate 1100 is configured for both regular untagged LAN traffic and tagged traffic on the physical LAN port. VLANs 35 and 36 are for the guest and IoT Wi-Fi network, respectively. The access point (AP) is an EnGenius EWS356-FIT, which can configure up to eight SSIDs, each with different VLAN tagging. Apart from having a PoE injector in that Ethernet segment, it is connected to the Netgate 1100 physical LAN port directly. There is an untagged SSID, as well, which allows me to connect to the LAN interface on the Netgate 1100, which is untagged.
The problem is that when connecting to the guest and IoT SSIDs, the client can’t pull an IP address via DHCP. Here are the relevant configuration screens. I must be missing something relatively trivial.
I think the problem may be here, as I don’t fully understand the nomenclature here. Still, here are the other configurations:
And the Guest Wi-Fi interface (the IoT is configured analogously):
I don’t think the Guest Wi-Fi firewall rules are the problem. They have been copied verbatim from my own working configuration.
The AP has this configuration (remember the untagged SSID works):
-
@DominikHoffmann
Your interface assignment shows VLAN IDs 39 and 40 for the guest and IoT, but your switch config shows 35 and 36 for the same.
There is obviously something odd.
-
@viragomann: That may be it! I’ll fix it and then will have my client check it out.
Back a few hours later: correcting the VLAN IDs did not fix the issue. Here is the corrected configuration:
-
@DominikHoffmann You haven't posted the switch config, could it be using the wrong tags as well?
Also, I just returned a 356-FIT AP. If you need mDNS for anything on wifi, you're gonna have problems. Was working with their tech support for over a week and they acknowledged the problem, but didn't really seem into wanting to fix it.
Couldn't deny it with all the tcpdumps I gave them showing no responses, but just kept telling me to try a different setting that we already tried before.
Finally gave up and went with a Unifi AP.
-
@Jarhead: Are you referring to Interfaces → Switch → VLANs? That configuration screen is the first one posted. If you mean something else, what exactly? I am probably missing something, which could be the nexus of the situation.
-
@DominikHoffmann
Sorry, just reread the initial post, you wrote Netgate, I read Netgear.
All vlans are on one physical port, are you plugging the AP directly into that port?
No wired access? Just wifi?
You may want to try a switch to see if you can access the vlans wired first, then try the AP. Like I said, I had issues with that model, who knows what else doesn't work on it?
-
@Jarhead: On my MacBook Pro I can define an Ethernet interface that is tagged with the same VLAN ID. That would be the easiest way to test whether my problem arises from the use of the EWS356-FIT.
On my own network I use a constellation of four EnGenius EWS357AP APs with Ethernet backhauls. They have no problems with either mDNS (ours is a 95% Apple ecosystem household) or VLANs.
And, yes, the AP that is the subject of this thread is connected to the physical LAN port of the Netgate 1100 directly through an Ethernet backhaul, albeit with a PoE injector in between.
-
So I set up my MacBook Pro with an Ethernet interface responding to VLAN ID 35 tagged traffic and connected it to the physical LAN port of the Netgate 1100. It did get an IP address assigned via DHCP. However, it did not have access to the internet. My conclusion is that it’s not the access point but my configuration of the Netgate appliance, probably the firewall rules.
-
@DominikHoffmann But now you're getting an address and you weren't before, so there's something else going on too, right?
Just disable all rules except the last then test.
-
@Jarhead: See my last post in a thread specifically about the firewall rules from this interface. The problem had been in the DNS rules for this interface’s firewall.