Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login
    Introducing Netgate Nexus: Multi-Instance Management at Your Fingertips.

    VLAN support with TP-Link AX1800 Wi-Fi 6 Router

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 4 Posters 5.1k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E Offline
      erichium
      last edited by

      I was hoping to use separate my home network traffic using VLANs. I have the following hardware:

      • pfSense 2100
      • TP-Link AX1800 Wi-Fi 6 Router
      • modem from ISP

      I have spent a few hours at this point trying to get this configured, but I could use some help either configuring it or determining if what I want to do is even possible.

      Can I set up VLAN support in pfSense such that the wifi traffic from the TP-Link router goes through one VLAN and the hard-wired traffic from the TP-Link router goes through another VLAN? I've seen that the router has support for IPTV/VLAN, but I think I'm coming to the conclusion that, that's not really supporting VLAN for pfSense.

      One follow-up question, is it possible to direct traffic from the TP-Link router to a VLAN if the router is configured in AP mode? I could not figure out how to do it if it is possible.

      johnpozJ B 2 Replies Last reply Reply Quote 0
      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator @erichium
        last edited by johnpoz

        @erichium unless that router supports 3rd party firmware it is highly unlikely that it supports vlan tags so no its not going to work how you want. I don't believe any of the AX models from tplink do though??

        You can for sure just use it as an AP and put it on whatever network want connected to pfsense.

        Any wifi router can be used as just an AP.. just turn off its dhcp server and connect one of its lan ports to the network you want it on.

        If you want to run vlans on your wifi - get an actual real AP..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1

        E 1 Reply Last reply Reply Quote 1
        • E Offline
          erichium @johnpoz
          last edited by

          @johnpoz Thanks. I guess I just needed confirmation.

          It should still be possible to direct all traffic on a specific pfSense port to a VLAN though, right?

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Online
            johnpoz LAYER 8 Global Moderator @erichium
            last edited by johnpoz

            @erichium sure.. do you have a vlan capable switch your going to plug it into?

            If your going to plug it into a port on the 2100, it wouldn't really be a "vlan" ie a tagged network.. you would just put that port on the 2100 on a different network.. And there wouldn't be any tagging, it would just be a native network outside of pfsense.

            Yes in the 2100 switch it would be a vlan, but outside pfsense there wouldn't be any tagging.

            https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html#configuring-the-switch-ports

            If your going to plug it into a vlan capable switch, the the port connected to the AP would be not tagged on vlan X in your switch.. Then on the uplink to the pfsense if on the same wire as other networks, then this vlan for your wifi would be tagged.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1

            1 Reply Last reply Reply Quote 1
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              Yes you can certainly separate the ports by VLANs on the 2100. So you can have all traffic from the TP-Link on one interface and all other traffic on a different interface. You just can't separate wired and wireless traffic from the TP-Link or wireless traffic on different SSIDs unless it specifically supports that.

              1 Reply Last reply Reply Quote 1
              • B Offline
                bobpaul @erichium
                last edited by

                Ultimately this is more of a TP-Link question than a pfSense question, but...

                @erichium

                Can I set up VLAN support in pfSense such that the wifi traffic from the TP-Link router goes through one VLAN and the hard-wired traffic from the TP-Link router goes through another VLAN? I've seen that the router has support for IPTV/VLAN, but I think I'm coming to the conclusion that, that's not really supporting VLAN for pfSense.

                IPTV/VLAN should solve this for you.

                On the AX1800, the IPTV/VLAN feature lets you configure up to 3 VLAN tags on the AX1800's WAN port. You can then choose which LAN ports are on which VLAN.

                Limitations

                • You can't name the VLANs. On the tp-link the VLANs are named "Internet", "IPTV", and "VOIP", but they can be for whatever you want.
                • Only the WAN port on the tp-link supports vlan tags. LAN ports have untagged traffic, but you can choose which network each LAN port is connect to.
                • All WiFi traffic goes to the "Internet" vlan on the WAN port, regardless of SSID.

                Steps on the AX1800

                1. Advanced -> Network -> IPTV/VLAN
                2. Enable "IPTV/Vlan"
                3. Mode: Custom
                4. Enable "802.1Q Tag for internet". Set the VLAN ID to some number (ex: 2)
                5. Enable "VOIP VLAN". Set the VLAN ID to some number (ex: 3)
                6. Disable "IPTV VLAN".
                7. Set all 4 LAN ports to VoIP. The WiFi is always on the "Internet"
                8. Save.

                Connecting things
                Connect WAN port of the tp-link to one of the LAN ports on the pf2100. Configure pfsense based on the vlan tags. (ex: vlan id2 = wifi, vlan id3 = wired). the AX1800 supports multiple SSIDs, but they're all be on the same vlan (ex 2). If you have NAT and DHCP enabled on the tp-link, then wifi (and any ethernet ports configured for "internet") will get DHCP from the tp-link and the TP link will perform NAT translation on traffic going to/from WAN port on the vlan id you set (ex 2). You'lll need to set up pfsense to provide DHCP for the other VLANs. If you disable NAT and DHCP on the TP-Link then you can let the pfsense handle DHCP for the tplink's "internet" VLAN as well.

                I think the TP-Link configuration interface is only available on the "Internet" vlan.

                1 Reply Last reply Reply Quote 1
                • First post
                  Last post
                Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.