Vlan and internet access



  • Having upgraded a previously working 1.2.3 setup to 2.0.1 I've gotten completely stuck on the vlan config for a guest wi-fi setup.

    Equipment is a netgear POE Wifi AP (supports multiple ssid and vlan) and a netgear POE "Smart" switch with vlan support.

    Previously in 1.2.3 I was able to mix tagged/untagged traffic on a single (physical) interface, and I do understand that this is no longer an option, so I've added a nic. The problem is that I'm seeing the same issue I had before I added the nic. Can we not mix tagged/untagged at all now?

    Essentially, when I connect to the guest wifi, I am getting a correct IP from the OPT1 dhcp server, however I cannot get to the internet. I've turned off the captive portal for troubleshooting, and for now the only firewall rule I have is a default "allow access to all"… identical to the default LAN rule except with the source as the OPT1 network. I'm using automatic outbound NAT, and aside from the vlan interface the config is basically stock. What am I missing here?

    WAN -> re0 pppoe
    LAN -> em0 192.168.50.x
    OPT1 -> vlan5 on vr0 192.168.55.x

    Additionally the wifi ssid that uses the default vlan is working fine.

    Any help would be greatly appreciated.



  • @00goat:

    Can we not mix tagged/untagged at all now?

    Not on the same interface.

    I have vlans working on my setup without issues.



  • Yeah, I knew not on the same interface, which is why I added a nic, but I wanted to clarify whether tagged on one physical interface and untagged on another would work.



  • Anyone have an opinion here?

    I haven't been back to that network to fiddle with it, but I was hoping for a little more info. I think I was fairly clear that I understand that tagged/untagged on the same interface is not possible, which is why I added an interface. I'd like to know if "on the same interface" is failing to understand the limitation. Beyond that, I don't know why I'd be having this problem, so if there's any info out there I'd appreciate hearing about it.



  • @00goat:

    Yeah, I knew not on the same interface, which is why I added a nic, but I wanted to clarify whether tagged on one physical interface and untagged on another would work.

    You've always been able to do so, including tagged+untagged on the same NIC, it's never not been an option. It's generally not a recommended practice by switch vendors for security reasons primarily, but it works fine, lots of people do so.



  • Well then if that's not it, then any thoughts on why I can't get internet on the vlan? Like I said, I've got one simple rule that should allow it, and nothing else going on, I'm getting an IP on the vlan, so I'm getting through the switch to pfsense, so what am I missing?

    Not trying to be a jerk or a noob, I had it working before; if I need to provide more info I'd be happy to. Many thanks for looking over my situation.



  • First guess, missing a firewall rule allowing needed traffic on that VLAN.



  • I have a near copy of the default lan rule allowing traffic out, with the change of allowing it from the opt1 subnet, that should do it, yes?



  • Have you "over configured" dhcp-server on that vlan?
    What do your clients see? And what happens if you use static IPs on clients?



  • @00goat:

    I have a near copy of the default lan rule allowing traffic out, with the change of allowing it from the opt1 subnet, that should do it, yes?

    Sounds like it should. Check the firewall logs to see if you're blocking anything.
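    One way to act on the advice above (check the firewall logs for blocks from the OPT1 subnet) is to run a quick triage script over an export of the logs. The script below is an added example, not part of the thread or of pfSense itself. It uses the subnets the poster gave (LAN 192.168.50.0/24, OPT1 192.168.55.0/24 on vlan5) but the log lines are constructed, and the comma-separated field layout is an assumption for this example rather than pfSense's real filterlog format; adapt `parse_log` to whatever your export looks like. It reports blocked flows sourced from OPT1, flags clients that appear on vlan5 with an address outside the OPT1 subnet (wrong DHCP scope or wrong tag from the switch), and lists blocks that the single "allow all from OPT1 net" rule described in the thread should have passed, which points at the rule not being applied on the interface you think it is.

```python
"""Added example: triage constructed firewall-log lines for a VLAN that gets
DHCP but no internet. Not pfSense code; field layout is an assumption."""
import ipaddress
from collections import Counter

# Subnets exactly as described in the thread.
LAN_NET = ipaddress.ip_network("192.168.50.0/24")
OPT1_NET = ipaddress.ip_network("192.168.55.0/24")
OPT1_IFACE = "vlan5"

# Constructed sample lines. Assumed layout per line:
# interface,action,direction,protocol,src,sport,dst,dport
SAMPLE_LOG = """\
vlan5,pass,in,udp,192.168.55.20,68,192.168.55.1,67
vlan5,block,in,udp,192.168.55.20,51234,8.8.8.8,53
vlan5,block,in,tcp,192.168.55.20,49152,93.184.216.34,80
vlan5,block,in,tcp,192.168.50.33,49153,93.184.216.34,443
em0,pass,in,tcp,192.168.50.10,49154,93.184.216.34,443
vlan5,block,in,udp,192.168.55.21,51235,192.168.55.1,53
"""


def parse_log(text):
    """Parse the assumed CSV layout into dicts with real IP objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, action, direction, proto, src, sport, dst, dport = line.split(",")
        records.append({
            "iface": iface, "action": action, "dir": direction, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
        })
    return records


def blocked_from(records, net, iface):
    """Count blocked inbound flows on `iface` sourced from `net`, keyed by
    (protocol, destination, port). DNS and port 80/443 showing up here is
    the classic 'got an IP but no internet' signature."""
    counts = Counter()
    for r in records:
        if (r["iface"] == iface and r["action"] == "block"
                and r["dir"] == "in" and r["src"] in net):
            counts[(r["proto"], str(r["dst"]), r["dport"])] += 1
    return counts


def wrong_subnet_sources(records, net, iface):
    """Sources seen on `iface` that are outside its subnet: a client that got
    an address from another DHCP scope, or frames arriving with the wrong
    tag from the switch."""
    return sorted({str(r["src"]) for r in records
                   if r["iface"] == iface and r["src"] not in net})


def would_pass(record, allow_net):
    """Model of the one rule the poster describes: pass any inbound traffic
    whose source is inside the OPT1 network, any destination, any protocol."""
    return record["dir"] == "in" and record["src"] in allow_net


def blocked_despite_rule(records, iface, allow_net):
    """Blocks that the described rule should have allowed. If this is
    non-empty the rule is not actually in effect on that interface."""
    return [r for r in records
            if r["iface"] == iface and r["action"] == "block"
            and would_pass(r, allow_net)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in blocked_from(recs, OPT1_NET, OPT1_IFACE).items():
        print("blocked from OPT1:", key, "x", n)
    print("sources on vlan5 outside OPT1 net:",
          wrong_subnet_sources(recs, OPT1_NET, OPT1_IFACE))
    print("blocks the OPT1 rule should have passed:",
          len(blocked_despite_rule(recs, OPT1_IFACE, OPT1_NET)))
```

    If the third check returns anything, the rule is on the wrong interface tab, was never applied, or sits below a block rule; if the first check is empty while clients still have no connectivity, the problem is past the filter (outbound NAT not covering 192.168.55.0/24, or the switch not carrying tag 5 to the AP), not a firewall block.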


Locked