
VLAN AP Assignment

Running XG85, setup VLANs as such:


I have a wireless AP that assigns VLAN ID of 22, and on my managed switch, I set the port that connects the AP to the XG85 to Tagged (PVID=1).


While I'm able to connect to the AP, I'm not getting the IP set via DHCP on the XG85.


What am I missing?
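The tagged-versus-untagged distinction that this question turns on can be seen directly in the frames. The following is an added example, not code from the thread or from Sophos: it builds and parses 802.1Q-tagged Ethernet frames and models what a switch port does with them on ingress (untagged frames get the port's PVID, tagged frames keep their VID only if the port is a member of that VLAN). The MAC addresses and the port membership set are constructed sample values.

```python
"""Added example: 802.1Q tag build/parse plus switch ingress classification.
The MACs and port settings below are constructed, not taken from the thread."""
import struct
from dataclasses import dataclass
from typing import Optional, Set

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Return raw frame bytes; inserts a TPID 0x8100 + TCI tag when vlan_id is given."""
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = (pcp << 13) | vlan_id          # PCP(3) | DEI(1)=0 | VID(12)
        tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    else:
        tag = b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, pulling the VID out of an 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF               # low 12 bits of the TCI
        offset = 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])


def classify_ingress(frame: Frame, pvid: int, tagged_members: Set[int]) -> Optional[int]:
    """VLAN the switch places the frame in on ingress, or None if the port drops it.
    Untagged frames are assigned the PVID; tagged frames keep their VID only when
    the port is a tagged member of that VLAN."""
    if frame.vlan_id is None:
        return pvid
    if frame.vlan_id in tagged_members:
        return frame.vlan_id
    return None


# Constructed sample addresses (locally administered MACs, not real devices).
AP_MAC = bytes.fromhex("02aa00000001")
XG_MAC = bytes.fromhex("02bb00000001")


def demo():
    """Model the AP port from the post: PVID 1, tagged member of VLAN 22."""
    pvid, members = 1, {22}
    mgmt = parse_frame(build_frame(XG_MAC, AP_MAC, ETHERTYPE_IPV4, b"mgmt"))              # untagged
    ssid = parse_frame(build_frame(XG_MAC, AP_MAC, ETHERTYPE_IPV4, b"dhcp", vlan_id=22))  # SSID traffic
    stray = parse_frame(build_frame(XG_MAC, AP_MAC, ETHERTYPE_IPV4, b"x", vlan_id=33))    # not a member
    return (classify_ingress(mgmt, pvid, members),
            classify_ingress(ssid, pvid, members),
            classify_ingress(stray, pvid, members))


if __name__ == "__main__":
    print(demo())   # (1, 22, None)
```

Running `demo()` shows the AP's untagged management traffic landing in VLAN 1 via the PVID, the SSID traffic staying in VLAN 22, and a VID the port is not a member of being dropped; the same classification has to hold on the XG side of the link for DHCP on VLAN 22 to work.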

  • No reason to apologize!


    So I have the port on the switch set to be Tagged for VLAN22 but for some reason the XG isn't dishing out an IP so the device ends up with a 169.54.... IP.  I'm just trying to figure out if the problem exists on the XG and if so, where.

  • Is the XG end also tagged, but what is the actual management interface on the AP set as? Does the XG actually see the AP?

    Ian

  • On the AP, the mgmt VLAN is set to 1, the SSID is set to VLAN22.

    On the XG:


    The XG does see the AP because if I look in the DHCP lease list, it's there.

  • Joe,

    You need to change the port 1 physical IP address from 10.0.0.x/24 to something like 10.10.0.0/24.

    Ian

  • OK - gimme a sec to do that.


    Dumb question then, to access the XG interface, what do I need to configure to still access the XG from the 10.0.0.0/24 net?

  • Hi Joe,

    You should be able to access the XG GUI from any of your networks, through untagged ports on your switch, and they can be on VLAN 1, which is the default XG VLAN.

    Ian

  • So I just changed Port 1 to 10.10.0.0/24, leaving the VLANs on 10.0.0.0/24 and 10.0.11.0/24.  As soon as I did that, all of the devices on my network lost connection to the internet and they fail to get a valid IP on the VLAN from DHCP.

  • Basically it means your devices were picking up IP addresses from your port 1 DHCP server, not their VLAN servers. Your firewall rules are only allowing port 1 out. You need a firewall rule for each of your VLANs.

    When using VLANs you do not normally want traffic of the physical port leaving the internal network.

    Ian

  • rfcat_vk said:

    Basically it means your devices were picking up IP addresses from your port 1 DHCP server, not their VLAN servers. Your firewall rules are only allowing port 1 out. You need a firewall rule for each of your VLANs.

    When using VLANs you do not normally want traffic of the physical port leaving the internal network.

    Ian


    So you're saying if I get port1 on the 10.10.0.0/24 subnet, then all I need is a new firewall rule?  Can you tell me what rule I need?  I thought the default rule would allow traffic from the VLAN out but I guess I was wrong!  Not looking for you to code it for me - am trying to understand the logic behind this, beyond solving the issue.

     

    Not sure what you mean by traffic of physical port leaving the internal network though.

  • Hi Joe,

    From what you have said, you want to manage the traffic on each VLAN, so you need a rule for each VLAN network. Now, you also want traffic to use the physical port 1, so you would have a rule:

    source LAN -> port 1 network address range - Destination WAN -> any -> services of choice - Allow -> log then you setup proxy or not.

    Then you create rules for each VLAN similar to network port 1.

    This assumes you have added the VLANs to the LAN type?

    You will need a NAT (MASQ) for each firewall rule (assuming you are using v17.5.x)

    Ian
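The reasoning in Ian's reply (one allow rule per VLAN network, each paired with a NAT/MASQ entry, and the VLANs placed in the LAN zone) is easy to check against a small model. The following is an added example, not code from the thread or from Sophos, and it is a generic first-match rule evaluator rather than the XG's own rule engine: the interface names, the 10.10.0.0/24 port 1 subnet, the VLAN subnets from Joe's post, and the TEST-NET-3 destination address are constructed for the demonstration.

```python
"""Added example: a simplified first-match firewall + NAT evaluator showing why a
rule scoped to the port 1 network does not cover clients on the VLAN subnets.
Zone and rule semantics are a generic model, not the Sophos XG rule engine."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Iface:
    name: str
    net: ipaddress.IPv4Network
    zone: str


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_nets: Tuple[ipaddress.IPv4Network, ...]   # empty tuple means any source
    dst_zone: str
    action: str                                    # "allow" or "drop"


@dataclass(frozen=True)
class Nat:
    name: str
    src_nets: Tuple[ipaddress.IPv4Network, ...]   # empty tuple means any source
    out_zone: str


# Constructed topology mirroring the thread: port 1 moved to 10.10.0.0/24,
# the VLAN sub-interfaces keep the original subnets, all placed in the LAN zone.
PORT1 = Iface("port1", Net("10.10.0.0/24"), "LAN")
VLAN11 = Iface("port1.11", Net("10.0.11.0/24"), "LAN")
VLAN22 = Iface("port1.22", Net("10.0.0.0/24"), "LAN")
IFACES = (PORT1, VLAN11, VLAN22)


def zone_of(ip: str) -> str:
    """Zone of an address: the zone of the interface whose subnet contains it, else WAN."""
    addr = ipaddress.ip_address(ip)
    for i in IFACES:
        if addr in i.net:
            return i.zone
    return "WAN"


def first_match(rules, src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Top-down first match on (source zone, destination zone, source network)."""
    src = ipaddress.ip_address(src_ip)
    zones = (zone_of(src_ip), zone_of(dst_ip))
    for r in rules:
        if (r.src_zone, r.dst_zone) != zones:
            continue
        if r.src_nets and not any(src in n for n in r.src_nets):
            continue
        return r
    return None


def evaluate(rules, nats, src_ip: str, dst_ip: str):
    """Return (rule name, NAT name, permitted). Traffic only leaves when an allow
    rule matches AND a NAT entry towards the destination zone covers the source."""
    r = first_match(rules, src_ip, dst_ip)
    if r is None or r.action != "allow":
        return (r.name if r else None, None, False)
    src = ipaddress.ip_address(src_ip)
    for n in nats:
        if n.out_zone == r.dst_zone and (not n.src_nets or any(src in x for x in n.src_nets)):
            return (r.name, n.name, True)
    return (r.name, None, False)


# Rule set 1: only the port 1 network is allowed out (Joe's situation).
PORT1_ONLY = (Rule("port1 out", "LAN", (PORT1.net,), "WAN", "allow"),)
# Rule set 2: one rule per VLAN network, as Ian describes.
PER_VLAN = PORT1_ONLY + (
    Rule("vlan11 out", "LAN", (VLAN11.net,), "WAN", "allow"),
    Rule("vlan22 out", "LAN", (VLAN22.net,), "WAN", "allow"),
)
MASQ = (Nat("masq to WAN", (), "WAN"),)
INTERNET = "203.0.113.10"      # TEST-NET-3 documentation address, constructed


def demo():
    host22 = "10.0.0.50"       # a client on the SSID VLAN, constructed
    return {
        "port1-only rule": evaluate(PORT1_ONLY, MASQ, host22, INTERNET),
        "per-vlan rules": evaluate(PER_VLAN, MASQ, host22, INTERNET),
        "rule but no nat": evaluate(PER_VLAN, (), host22, INTERNET),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} -> {result}")
```

With only the port 1 rule, a client on 10.0.0.0/24 matches nothing and is dropped even though it is in the LAN zone; adding the per-VLAN rule lets it through, and removing the MASQ entry shows the second half of Ian's point, where the rule matches but the traffic still cannot leave without NAT.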

  • Starting to make more sense...

    But wouldn't this default rule already take care of all of that, given that it's LAN/Any?


    If not... you are saying something like this?


    And for MASQ, you mean, something like this: