Unify WIfi and GuestWifi with two VLANs and management interface

Basic Question is, do you see on tcpdump on Shell any communication?

So advanced Shell (SSH - 5 - 3) 

tcpdump -ni Port4 

There you should see some packets. You should see the VLAN untagged packets as well as the tagged packets (as kinda encrypted packets). 

Thanks for your help. 

I see lots of traffic, but it is hard for me to distinguish the VLAN tagged and untagged traffic, as I am not a network expert. 

What I do see is that the Wifi-WAN traffic is using the firewall rule for wifi, not the firewall rule for LAN, leaving the correct port Por4.121. So my conclusion is that the Wifi traffic is going over that port, but the management traffic is not.

Lets start with the basics.

ifconfig shows you all interfaces (plus vlan interfaces).

So you see Port4 as well as Port4.120 and Port4.121.

So you can basically use tcpdump -ni Port4.120 to see all the tagged traffic going to your interface with VLAN tag on it. 

Also possible is to sniff the traffic without those thing and instead using a little trick.

https://serverfault.com/questions/196250/tcpdump-capture-one-of-several-vlans

tcpdump -vv -i eth1 '( vlan and ( ether[14:2] & 0xfff == 1000 or ether[14:2] & 0xfff == 501 ) ) and ( ip host 10.1.1.98 or ip host 10.1.1.99 )'

Most of the time, those issues are not XG related, instead the Switch has some issues in the config of VLANs. 

Thanks!

Lots of traffic going over Port4. The VLAN's are not the problem, they work fine. The problem is the management of the AP's behind Port4. 

I understand the problem may well be at the switch, but if I ask them, they will tell me to look at the firewall, so I thought I start here to find out if you see anything strange in my configuration. 

I have configured the Port4 as  Zone Wifi, although it has a gateway address in the LAN range, as the AP's have an address in the LAN range. Maybe that is the problem?  How does trafic for 192.168.0.21 know it has to go to Port4 rather than Port1? I can change it to Zone LAN, but won't that have the same problem?

There is a firewall rule allowing all traffic from and to Wifi - LAN.

Thanks!

Lots of traffic going over Port4. The VLAN's are not the problem, they work fine. The problem is the management of the AP's behind Port4. 

I understand the problem may well be at the switch, but if I ask them, they will tell me to look at the firewall, so I thought I start here to find out if you see anything strange in my configuration. 

I have configured the Port4 as  Zone Wifi, although it has a gateway address in the LAN range, as the AP's have an address in the LAN range. Maybe that is the problem?  How does trafic for 192.168.0.21 know it has to go to Port4 rather than Port1? I can change it to Zone LAN, but won't that have the same problem?

There is a firewall rule allowing all traffic from and to Wifi - LAN.

Can you give us some screenshots of the config of your interfaces etc? 

Interfaces:

Zones

DHCP Wifi (WifiGuest is similar)

LAN DHCP Relay (not sure this is needed, I actually don't think so, the AP's have fixed IP addresses

The Unify controller is on the LAN, and needs to access the AP's for them to function. The AP's are connected to a Unify switch to power them

Port 1 of the EdgeSwitch is connected to Port 4 of the Sophos, Port 5 to the LAN Switch. Without Port5 it is not working

VLANs on the EdgeSwitch:

XG and other products cannot handle such configs. 2 Interfaces in the same network is not supposed to work. If you want to have such a config, you need a Layer 2 Bridge. But you cannot place more than 1 VLAN on a bridge. 

So this will not work at all. https://serverfault.com/questions/415304/multiple-physical-interfaces-with-ips-on-the-same-subnet

Would recommend to use another VLAN for Management and spread those VLAN via switch and not using untagged same network on 2 interfaces.

Ow, thanks.

I tried earlier with a bridge and 1 VLAN for the guest network, puting the in house Wifi without a VLAN on the bridge directly. But that did not work either. I understood that the VLAN that you add to the bridge becomes the VLAN interface of the LAN, instead of an extra interface.

Anyway, in that case i keep the current situation, where the management interface goes through Port 5 of the Edgeswitch to the general LAN switch. Thanks for your patience.