Cannot access internet from secondary LAN…help please!



  • Hey Guys, so I've setup a VLAN on my LAN interface to handle a separate wireless network. The first physical network I have is 192.168.88.1, the second virtual VLAN is 192.168.33.1. I've enabled the interface under interfaces and also enabled DHCP on this VLAN. The VLAN is "400". On my switch I've added the tagged VLAN of 400 on the LAN and Access Point Ports. On the access point, I've setup a secondary SSID, mapped to VLAN 400. The good news is that I'm successfully pulling an IP from 192.168.33.1 (VLAN 400), but for some reason I'm not able to access the internet. I'm tried switching NAT to manual and configuring one for 192.168.88.0, and 192.168.33.0 networks…this has been unsuccessful. I've also created a rule for the secondary LAN to access everything (*). I'm sure there is something really simple that I'm missing, but what can it be?

    Thank you in advance!



  • The last time I tries to have a physical and VLAN it didn't work until both were VLANs. Could be just me though. I have only done one VLAN test deployment.
    If you have NAT (I am guess both to WAN address) and firewall rules setup for both networks, then you should not have a problem getting out.



  • Thanks for the reply podilarius. Yes, I'm using NAT for this configuration. Obviously this is working 99% as the IPs and such are getting dished out so we know the access point, switch and router are on the same page…just can't get out to the internet...ie google.com...

    Any other ideas guys?



  • Figured out my issue! Everything is working correctly now. Thanks!

    The only issue I need to resolve now is the fact that people on 192.168.33.1 can access the 192.168.88.1 network…big no no...what's the best way to allow the traffic straight out to the internet? I tried specifying the WAN Subnet but them I'm again not able to browse the internet...probably because DNS or something is blocked? Thoughts on the best way to do this?



  • On the OPT inferface (192.168.33.0/24) put a block rule to 192.168.88.0/24 network. This must go above the allow any rule. If you want to have fun. Create an alias for each network. Then create a rule in each one that allow not (192.168.88.0/24) to the internet. Then everything but that address will be allowed to pass.


Log in to reply