I can't access AP with VLANs



  • Hi,

    I have this setup:

    Pfsense port 3 (192.168.3.1) -> AP (192.168.3.2) -> VLAN 10 (Wifi - 192.168.4.1/24), VLAN 20 (Wifi Guests - 192.168.5.1/24).

    Everything is working well, but I can't access the AP portal (setup wireless, accounts, etc.) when I'm connected to vlan10 or vlan20. What do I have to do?

    Thanks.



  • So pfSense is not involved with the VLANs? Your AP is managing the VLANs?

    ==> check your AP manual on how to allow administrative access on the vlans



  • I did this:
    AP:
    1. Static ip: 192.168.3.2
    2. Gateway: 192.168.3.1
    3. DHCP disabled
    4. VLAN 10 assigned to SSID "Wifi". VLAN 20 assigned to SSID "Wifi Guests".

    Pfsense:
    1. Interface AP (port in pfsense): 192.168.3.1/24. DHCP disabled
    2. Interfaces > Vlans: Add vlans 10 and 20 linked with Interface AP
    3. Assign interfaces "vlan10 to Wifi" and "vlan20 to Wifi guest". DHCP enabled (192.168.4.1/24 - wifi, 192.168.5.1/24 wifi guest).
    4. Firewall: The same rule for 3 interfaces AP, Wifi and Wifi guest -> proto: ipv4; source: interface (ap, wifi, wifi guest) net; destination, port, gateway: *

    I connect to the "Wifi" network, and I get the IP 192.138.4.2 and I have internet. But I want to access the AP portal (192.168.3.2).

    Thanks!


  • Netgate

    Can pfSense ping 192.168.3.2?

    From what I can tell, either the AP only allows access to the config page from 192.168.3.0/24 or the switchport isn't properly dealing with tagged and untagged traffic mixed.



  • This is my setup:

    Modem is in bridge mode.
    PfSense has 4 interfaces: igb0 to 3.
    Interfaces:

    • WAN: PPPOE0(igb0)

    • LAN: igb1. Address: 192.168.2.1/24. DHCP Enabled.

    • AP: igb2. Address: 192.168.3.1/24. DHCP Disabled. Access Point: 192.168.3.2.

    • AP_WiFi: VLAN 10 on igb2 (Wifi). Address: 192.168.4.1/24. DHCP Enabled.

    • AP_Guests: VLAN 20 on igb2 (Wifi_Guests). Address: 192.168.5.1/24. DHCP Enabled.

    • DMZ: igb3. Address: 192.168.6.1/24.  DHCP Enabled.

    Problem: If I'm not in subnet 192.168.3.1/24 I can't access the AP portal (192.168.3.2). What can I do?

    I can't ping from 192.168.2.2 (my laptop) to 192.168.3.2 (ap portal) and I don't know why… I'm checking firewall rules.

    What do you think about the design? Is it correct?



  • Do the wireless SSIDs work? Can the wireless clients connect to LAN devices? Are your firewall rules correct?

    if all above = YES

    ==> did you fill in the gateway IP (192.168.3.1) in the AP webgui/configuration?



  • @heper:

    So pfSense is not involved with the VLANs? Your AP is managing the VLANs?

    ==> check your AP manual on how to allow administrative access on the vlans

    Does the AP support VLANs?


  • Netgate

    I do not like mixing tagged and untagged traffic on a port.

    However I know Ubiquiti's can be easier to manage if you just leave the management interface untagged.  You have not mentioned what AP you are using, I don't think.

    It all looks right.  You should probably post up your firewall rules for AP and Wifi.

    If those are correct, I would look at the AP administration config to see if the AP itself is limiting access to the admin pages from other networks.



  • OK, I'm sorry guys…

    I did everything again and I found this option: "Allow remote access - Remote access allows you to manage the AP from the Internet or from a different LAN. To enable remote access, the gateway device needs to be properly configured, such as opening a port for the corresponding IP address of the AP."

    I didn't check that option the first time. Now it's running well ;)

    Thanks! At least, I checked my design with you. I hope this will be useful for other users. Now I have to focus on rules ;)