Two VLANs set up alike, one does not get Internet

DominikHoffmann

I would appreciate anyone who could go through my configuration with me to help me figure out, where I am having a problem.

I have two VLANs (ID 39 for guests and ID 41 for employees’ personal devices). Both groups of users connect through Wi-Fi. For some reason I don’t comprehend, the Wi-Fi network with ID 41 works, but the one with ID 39 does not. When connected to VLAN ID 39, the host does not get assigned an IP through DHCP.

The Wi-Fi access points are configured through a Ubiquiti Cloud Key Gen 2 Plus. The WiFi pane looks like this:

The Networks pane looks like this:

Traffic coming from devices connecting to the APs on SSID “#####Guests” and “############ Personal Devices” are tagged with VLAN ID 39 and 41, respectively.

The network switch has tagged traffic on Ports 1, 23, 40 and 48 with those VLAN IDs. The APs are plugged into Port 23 and 48, and Port 1 is connected to LAN Port 2 of a Netgate 2100.

On the Netgate the interface assignments are

The VLAN tags of the interfaces are configured like this:

The port VLAN tagging is identical between the two, as well:

This is the configuration of the two interfaces:

DHCP for the two interfaces is very similar, as well:

Users have to go through a captive portal to be connected. Both captive portals at this point are using the same HTML code.

The other captive portal tabs are configured exactly the same between the two of them.

The firewall rules are the same, too:

Both sets of rules share these aliases:

I am obviously missing something. I am completely stumped.

viragomann

@DominikHoffmann said in Two VLANs set up alike, one does not get Internet:

When connected to VLAN ID 39, the host does not get assigned an IP through DHCP.

So does it work, if you state a static IP and gateway?

If yes, sniff the DHCP traffic, while connecting a device to the wifi.

Did you try different devices?

RodSlinger

I'm getting an odd situation almost exactly the same. Setup two VLANs and they work perfectly. Created a third with the same setting profiles and no internet on it.

The client does get an IP on the third VLAN and I can browse the gateway. I just can't get traffic through it. Logs aren't showing anything being blocked. It will not ping an IP beyond the gateway. Haven't pulled out Wireshark yet to see if this is a rejection or no response yet.

viragomann

@RodSlinger
Has pfSense created an outbound NAT rule for the new subnet, in case it's in automatic or hybrid mode? If it's in manual you have to add the rule by yourself of course.

RodSlinger

@RodSlinger said in Two VLANs set up alike, one does not get Internet:

I'm getting an odd situation almost exactly the same. Setup two VLANs and they work perfectly. Created a third with the same setting profiles and no internet on it.

The client does get an IP on the third VLAN and I can browse the gateway. I just can't get traffic through it. Logs aren't showing anything being blocked. It will not ping an IP beyond the gateway. Haven't pulled out Wireshark yet to see if this is a rejection or no response yet.

Disregard my issue. While similar, not really related. A reboot of pfSense fixed me. Just not sure what the hangup was. Created first VLAN and it was fine. Second one wouldn't pass traffic. After reboot the second one came right up and worked normally.

DominikHoffmann

@viragomann: So, I was mistaken. Hosts on the guest network do get IP addresses. DHCP is not the problem. Still, I cannot ping 192.168.39.1. It’s so weird!

Access points are Ubiquiti managed by a CloudKey Gen 2 Plus. It has DHCP guarding enabled, and the registered DHCP server is configured correctly. In that it is no different from the other VLANs using those access points.

Still feels like I am grasping at straws.

marvosa

@DominikHoffmann The fact that there are no hits on any of the firewall rules on the GUESTWIFILAN interface suggests either switching or the traffic is being dropped off on the wrong VLAN.

DominikHoffmann

@marvosa: Yes, you have a point. My problem is that it looks like I have checked everywhere that could be occurring and have found nothing. Obviously I am missing something.

I ran another test. I set my Ethernet-to-USB-C adapter to untag VLAN-ID 39 and plugged it directly into the Netgate-2100’s configured LAN port. Same behavior. I have the screenshots to demonstrate it:

The DHCP server assigns an IP and provides all the necessary information about the subnet:

And, yet, I cannot ping the router address of 192.168.39.1:

This clearly eliminates the smart switch and the Ubiquiti Wi-Fi controller as possible culprits. It’s all in the 2100. I will look into this further.

marvosa

@DominikHoffmann Can you post what's shown on Interfaces -> Switch -> Ports?

patient0

@DominikHoffmann on a unrelated note: in an early screenshot, in the alias 'InternalNetworks', two networks - 192.168.40.x and 192.168.41.x - have a subnet mask of /32.

Is that still the case and is that what you want?

And I'm pretty sure your "Interface / Switch / VLANs" is not setup as it should.

All ports are still part of the VLAN group 0/VLAN tag 1. But one port should only be in one VLAN group untagged, check Netgate doc: Configuring the Switch Ports.

DominikHoffmann

@marvosa said in Two VLANs set up alike, one does not get Internet:

@DominikHoffmann Can you post what's shown on Interfaces -> Switch -> Ports?

@patient0 said in Two VLANs set up alike, one does not get Internet:

@DominikHoffmann
And I'm pretty sure your "Interface / Switch / VLANs" is not setup as it should.

I am showing the corresponding configuration screens:

@patient0 said in Two VLANs set up alike, one does not get Internet:

on a unrelated note: in an early screenshot, in the alias 'InternalNetworks', two networks - 192.168.40.x and 192.168.41.x - have a subnet mask of /32.

I have corrected that:

It made no difference.

DominikHoffmann

This post is deleted!

patient0

@DominikHoffmann I'm afraid you have not setup the VLANs correctly on the 2100. They can't be all in Port VID 1. Have a look at the documentation I linked.

The example is for port 4, VLAN 4084 and shows what you have to set. E.g. set Port VID to 4084 in Interfaces / Switch / Ports, remove port 4 from VLAN group 0. That is exactly how you have to do for all the ports since you created VLANs for each switch port.

On the 2100 port 1 to 4 are on a hardware switch and the way you separate them into single ports is by assign them to VLANs.

marvosa

@DominikHoffmann, it looks like multiple things may need to be addressed.

• As @patient0 mentioned, it appears the VLAN table on Interfaces -> Switch -> VLANs needs to be adjusted. You'll want to remove members 1-4 from group 0, e.g similar to this.:
  

• It looks like the switchports on the Netgate are misconfigured. From the vids and articles I've seen, your Interfaces -> Switch -> Ports section should look something like this:
  

• Another discrepancy I noticed, unless done by design for your use case, is on the Interfaces -> VLANs section. VLAN 4084 was created on the WAN interface instead of the LAN:
  

• This is unrelated to the main issue, but regarding your "InternalNetworks" alias, I would modify the line items for Guest, IOT, and OpenVPN to reflect the actual network addresses. It's possible that what's listed may be accomplishing the same thing, depending on how the alias interprets it, but ideally, you'd want to list the network address if the intent is to block the network. I.e.:
  192.168.39.0/24 - Guest Wi-Fi LAN
  192.168.40.0/24 - IoT Wi-Fi LAN
  192.168.41.0/24 - OpenVPN network

• I also have a curious streamlining question for your firewall rules... at a glance, it would appear blocking management ports on the first line is redundant:
  
  If we're already blocking all traffic to the firewall here:
  
  You likely have your reasons, just curious about your thoughts.