    NG-2100 Trunks VLAN blocked

Froginou14 wrote:

      Hello,

I have an issue with a Netgate 2100 and a VLAN on the same interface.

The configuration is as follows.
On the Switch VLANs page (802.1Q enabled) I have two VLANs:
VLAN tag 1 with members 1, 2, 3, 4, 5
VLAN tag 2 with members 2t, 5t
PVID is 1 for all ports

Under Interface Assignments -> VLANs:
a VLAN with tag 2 was created on interface mvneta1 (LAN)

The interface is assigned an IPv4 address (192.168.150.0/24) and enabled.
DHCP is enabled for this interface.

The interface is connected to an L2 switch, and a WLAN AP is connected to the same switch as well.
Two SSIDs: one untagged, the other with VLAN tag 2.
The L2 switch is configured with VLAN 1 untagged and the extra VLAN 2 tagged on the AP port and the NG-2100 ports.

Firewall rules allow all traffic on both the default LAN interface and the VLAN 2 interface.

The Static route filtering option is enabled under System > Advanced > Firewall.


Now the issue:
Clients connecting to the SSID with VLAN 2 get a DHCP lease, and I can ping those clients from the SG-2100 without any issue. However, when the clients try to go to the internet, it just fails, and I can see in the firewall syslogs that traffic is blocked on the LAN interface, with a destination in 192.168.150.0/24.

I'll share some screenshots:
- Interface assignment: Capture d'écran 2024-05-15 170707.png
- Firewall syslogs: Capture d'écran 2024-05-15 170525.png
- Switch VLAN table: Capture d'écran 2024-05-15 170405.png

I can't find why the traffic is blocked when coming from the internet via the LAN interface.
Any help is welcome; I can provide more information if needed.

Froginou14 replied:

OK, so I got it sorted.

TL;DR: A captive portal was enabled and behaved strangely on the SSID it was enabled on; it wasn't showing when connecting, and it caused the NG-2100 to drop packets.

I first tried with a new NG-2100 in a lab, same configuration, and everything worked perfectly, so I suspected an issue with the LAN in production.
I tried multiple things, got some packet captures, and saw that UDP was working fine, everything local was working fine, and TCP SYN packets were going out, but the SA packets were blocked coming back.
I tried making an untagged port on the L2 switch (VLAN 2 as 2U) to test without WLAN, and everything worked fine.

I then tried switching the VLAN on the SSID that was not working from 2T to 1U and figured out that there was a captive portal enabled on this SSID, probably from an old config that wasn't causing issues with the old router. For whatever reason, the captive portal wasn't showing on this SSID when VLAN tagging was enabled, but was acting weird with TCP requests, I guess.

Removed the captive portal, and everything worked fine.

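The symptom the poster ended up isolating, SYNs leaving but the SYN/ACKs being blocked on the way back, is worth turning into a check you can run over the raw filter log before digging into switch or AP configuration. The script below is an added example, not code from the poster or from Netgate. It parses pfSense's raw filterlog CSV layout (common header, IPv4 header, TCP fields), pairs every blocked SYN/ACK destined to the LAN/VLAN subnet with the SYN that provoked it, and reports which interface saw the SYN versus which one blocked the reply. pf keeps state per flow, so a blocked SYN/ACK for a flow whose SYN was passed is not a missing allow rule; it means the reply arrived somewhere the state does not cover (a different interface, untagged instead of tagged) or a device in the path answered the handshake itself, which is exactly what a misbehaving captive portal would do. The log lines are constructed for the example; the interface name mvneta1.2 for the VLAN 2 interface on top of mvneta1, and mvneta0 for WAN, are assumptions, and the remote addresses are RFC 5737 documentation ranges.

```python
"""Triage pfSense filterlog lines for blocked TCP return traffic.

Added example, not from the forum post or from Netgate. Parses raw
filterlog CSV records and pairs blocked SYN/ACKs with the SYNs that
provoked them, so out-of-state replies stand out from ordinary
default-deny hits on unsolicited inbound SYNs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# filterlog field positions (0-based) for IPv4/TCP records:
# common: 0 rule,1 subrule,2 anchor,3 tracker,4 iface,5 reason,6 action,7 dir,8 ipver
# ipv4:   9 tos,10 ecn,11 ttl,12 id,13 offset,14 flags,15 proto_id,16 proto,17 len,18 src,19 dst
# tcp:    20 sport,21 dport,22 datalen,23 tcpflags,24 seq,25 ack,26 win,27 urg,28 options
IFACE, ACTION, DIR, IPVER, PROTO, SRC, DST, SPORT, DPORT, TCPFLAGS = 4, 6, 7, 8, 16, 18, 19, 20, 21, 23


@dataclass(frozen=True)
class Entry:
    iface: str
    action: str
    direction: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # single-letter pf TCP flags, e.g. {"S", "A"} for SA


def parse_filterlog(line: str) -> Entry | None:
    """Parse one IPv4 TCP filterlog record; anything else returns None."""
    f = line.strip().split(",")
    if len(f) <= TCPFLAGS or f[IPVER] != "4" or f[PROTO] != "tcp":
        return None
    return Entry(
        iface=f[IFACE], action=f[ACTION], direction=f[DIR],
        src=f[SRC], dst=f[DST], sport=int(f[SPORT]), dport=int(f[DPORT]),
        flags=frozenset(f[TCPFLAGS]),
    )


def blocked_replies(lines, lan_net: str) -> list[dict]:
    """Find blocked SYN/ACKs destined to lan_net and pair each with its SYN.

    Returns one dict per blocked reply: client and server endpoints, the
    interface that passed the client's SYN (None if no SYN was logged),
    the interface that blocked the reply, and whether the reply belongs
    to a flow whose SYN pf did pass (i.e. a state-matching failure).
    """
    net = ipaddress.ip_network(lan_net)
    entries = [e for e in map(parse_filterlog, lines) if e]
    # Index passed SYNs by the 4-tuple the reply will carry (reversed).
    syn_iface: dict[tuple, str] = {}
    for e in entries:
        if e.flags == {"S"} and e.action == "pass":
            syn_iface[(e.dst, e.dport, e.src, e.sport)] = e.iface
    findings = []
    for e in entries:
        if e.action != "block" or e.flags != {"S", "A"}:
            continue  # only blocked SYN/ACKs are interesting here
        if ipaddress.ip_address(e.dst) not in net:
            continue  # reply is not headed for the subnet under investigation
        key = (e.src, e.sport, e.dst, e.dport)
        findings.append({
            "client": f"{e.dst}:{e.dport}",
            "server": f"{e.src}:{e.sport}",
            "syn_seen_on": syn_iface.get(key),
            "synack_blocked_on": e.iface,
            "out_of_state": key in syn_iface,  # SYN passed, reply still blocked
        })
    return findings


# Constructed sample records (not the poster's logs). mvneta1.2 is assumed
# to be the VLAN 2 interface on mvneta1 (LAN); mvneta0 is assumed to be WAN.
SAMPLE_LINES = [
    # VLAN 2 client opens a connection: the SYN passes in on the VLAN interface
    "5,,,1000000103,mvneta1.2,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "192.168.150.20,192.0.2.10,51234,443,0,S,2542716878,,65535,,mss;nop;wscale;sackOK;TS",
    # the SYN/ACK shows up untagged on the LAN parent, where no state exists: blocked
    "12,,,1000000105,mvneta1,match,block,in,4,0x0,,63,0,0,DF,6,tcp,60,"
    "192.0.2.10,192.168.150.20,443,51234,0,SA,88,2542716879,65535,,mss;nop;wscale;sackOK",
    # a UDP record (DNS); ignored by the TCP triage
    "5,,,1000000103,mvneta1.2,match,pass,in,4,0x0,,64,0,0,DF,17,udp,73,"
    "192.168.150.20,192.168.150.1,54000,53,53",
    # unsolicited inbound SYN on WAN: a normal default-deny hit, not a reply
    "12,,,1000000105,mvneta0,match,block,in,4,0x0,,54,0,0,none,6,tcp,60,"
    "198.51.100.7,203.0.113.5,40000,22,0,S,1,,1024,,",
]

if __name__ == "__main__":
    for finding in blocked_replies(SAMPLE_LINES, "192.168.150.0/24"):
        print(finding)
```

Run it against `clog /var/log/filter.log` output (or a copy of the log pulled off the box) with the subnet of the VLAN interface; a finding with `out_of_state` set and two different interface names is the signature to chase on the switch and AP side, whereas blocked SYNs with no matching reply are just the default deny doing its job.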
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.