VLAN AP Assignment

Hi Joe,

you do not need to configure the AP to use a VLAN because you are connecting it as a ordinary network device. The assumption being you have connected the AP to a untagged port in the VLAN 22 group.

Ian

The AP I am using allows for this... wondering if that's the issue?

Hi Joe,

you should be able to access the XG GUI from any of your networks, through untagged ports on your switch and they can be on VLAN 1 which is the default XG VLAN.

Ian

So I just changed Port 1 to 10.10.0.0/24 leaving the VLANs on 10.0.0.0./24 and 10.0.11.00/24.  As soon as I did that, all of the devices on my network lose connection to the internet and they fail to get a valid IP on the VLAN from DHCP.

Basically it means your devices were picking up IP addresses from your port 1 DHCP server not their VLAN servers. Your firewall rules are only allowing port 1 out. You need a firewall rule for each of your VLANs

When using VLANs you do not normally want traffic of the physical port leaving the internal network.

Ian

rfcat_vk said:

Basically it means your devices were picking up IP addresses from your port 1 DHCP server not their VLAN servers. Your firewall rules are only allowing port 1 out. You need a firewall rule for each of your VLANs

When using VLANs you do not normally want traffic of the physical port leaving the internal network.

Ian

 

So you're saying if I get port1 on the 10.10.0.0/24 subnet, then all I need is a new firewall rule?  Can you tell me what rule I need?  I thought the default rule would allow traffic from the VLAN out but I guess I was wrong!  Not looking for you to code it for me - am trying to understand the logic behind this, beyond solving the issue.

Not sure what you mean by traffic of physical port leaving the internal network though.

Hi Joe,

From what you have said you want to manage the traffic on each VLAN so you need a rue for each VLAN network, now you also want traffic to use the physical port 1 so you would have a rule

source LAN -> port 1 network address range - Destination WAN -> any -> services of choice - Allow -> log then you setup proxy or not.

Then you create rules for each VLAN similar to network port 1.

Assumes you have added the VLANs to the LAN type?

You will need a NAT (MASQ) for each firewall rule (assuming you are using v17.5.x)

Ian

Starting to make more sense...

But wouldn't this default rule already take care of all of that, give that it's LAN/Any?

If not... you are saying something like this?


And for MASQ, you mean, something like this:

Hi Joe,

you are correct the default rule should apply. In general it is a good starter rule but should not be used if you want real security.

Your firewall rule would be good but seems to defeat the splitting of devices into VLANs.

Ian

My point with that default rule is that the VLANs should already have access to the WAN, right?  If so, the my original setup should have been working in the first place.

Yes, I agree with your last point - I was just trying to get it all working and then go back and split it up.  I've gone ahead and done that already.

So I did this:

Do I need a rule for vlan11 to talk to port 1 or is that already handled?  Because I still don't get an IP for new devices.

Here's where I'm at:

I plug in a device to VLAN11 and I am getting an IP on the Port1 range (10.10.0.0/24) rather than the VLAN11 range of (10.0.0.0/24).

Thoughts?

I think I finally have it, thanks to you!

Now that it's working, I wonder if these rules can get modified or if all 4 are necessary...

I think I finally have it, thanks to you!

Now that it's working, I wonder if these rules can get modified or if all 4 are necessary...

Hi Joe,

you have setup VLANs for a reason, if the reason does not hold any more you can merge the rules into 1, but then why have the VANs?

Ian

Oh, I was referring the the rule above the 3 VLAN rules.

Hi Joe,

if they are specific devices that you wan to block, you can leave the rule there or you can implement clientless users with static addresses and not add those devices to any rule that would allow internet access.

I have many rules as I try ti refined the sites my various devices talk to, some I have realised can be consolidated because what I wanted to achieve didn't happen. I am waiting until v18 MR-1 is released though before making any changes to see if some fixes have been made that affectt my setup.

Ian