
Create VLAN for WiFi Access Points

Hi everyone, 

I'm trying to create a VLAN for some Ubiquiti UniFi access points and I just can't seem to get it working correctly. 

In my interface for the access points I assigned them a VLAN ID of 2, as shown here: http://screencast.com/t/s8VuPEud7

In my Cisco SG-500 switch I created a VLAN as shown here: http://screencast.com/t/wcAMNUwJ 

I set all the ports to Trunk and accept all frames as shown here: http://screencast.com/t/TO0EcTH6iY 

Since the AP that is plugged into the port of the switch will be passing frames with the default VLAN of 1, and also a VLAN of 2, I left the port untagged for VLAN 1, as shown here: http://screencast.com/t/fjVBw9gcal and then VLAN ID 2 is tagged on the port the AP is connected to as well as the port the machine running Sophos XG is connected to, as shown here: http://screencast.com/t/MdJhozsoI 

Here you can see those ports and the VLAN memberships: http://screencast.com/t/b9P8sWJ1m 

In Sophos I then created a new Zone for the guests as shown here: http://screencast.com/t/IRTPRWYrsG 

I then created a new VLAN interface and assigned it an ID of 2, then assigned it to the zone I created in the previous step, as shown here: http://screencast.com/t/tA77JnCRdFDt

Finally, I created a DHCP service and selected the VLAN interface that I created from the previous step, as shown here: http://screencast.com/t/IA5yZnYtwP 

I thought that's all I needed, but it doesn't appear to be working. My devices are unable to obtain an IP address when they connect to the AP. I'm sure I've missed a step or done something incorrectly. Any assistance would be greatly appreciated. 

Thanks,
Christopher

  • I have the exact setup with the same switch and WiFi AP and have the exact same problem. I recently moved from pfSense, where this was working. When I moved to Sophos XG, I didn't change any of the switch or AP configurations, so I suspect Sophos does not like how our switch tags traffic, however odd that is. If I go back to pfSense or Untangle, it works fine. If you made any further progress, I'd appreciate any feedback.

  • Similar boat here. I'm a pfSense convert (or attempting to be, at least until I hit this) having an issue with the VLAN setup functioning properly. The difference here is that I'm using Tomato Shibby firmware on an Asus RT-N66u in AP-only mode.

    Currently I have my Asus connected between the rest of the network and the XG, and it is also handling WiFi with 2 different split networks for LAN/Guest access. My XG/pfSense are both running virtualized. Yes, Trunk passthrough is enabled and configured properly on ESXi. Currently this is configured and working perfectly fine with pfSense, but when I switch the connections over to the XG VM, connectivity suddenly fails miserably. Nothing is working once switched: DHCP, DNS, Internet, ICMP. I can't ping the XG interface, only other devices on my current LAN network (behind XG) if I set my IP manually. 

    Setup DHCP

    Setup DNS

    Configured VLAN 10/12 on Port 2 (LAN)

    Setup Static IPs, enabled Interface IP as Gateway

  • I have the exact same problem and behavior using Sophos XG, a Unifi AP and a Netgear managed switch.

    Has anyone been able to get this configuration to work?

  • I still haven't solved this, though I have changed hardware slightly from a TP-Link switch to a Netgear switch. I'm also going to be removing the Asus completely from the equation as I've picked up 2 Unifi UAP-ACs. I'm planning to set up and prepare this for my new house, which we're moving to in the next month. Hopefully I'll get to actually start playing around and testing this out. I was out at BlackHat this year and met some of the senior guys who told me there were some issues they've seen/experienced with the VLAN functionalities in XG. Supposedly a new beta was going to solve some of those issues. So maybe look for the current beta to test out instead? 

  • Thanks Shawn - I'll keep an eye out for the beta.

    In the meantime, I am thinking that maybe the problem lies in the fact that I'm trying to run my LAN port as (not sure if the terminology is correct here) a Physical Port + VLAN on the same "port" in the Interfaces page on XG. Maybe both network segments must be explicitly configured as VLANs?

    I think that perhaps both networks need to be assigned as VLANs; 2 and 3 as an example. I've been trying to have the main port use VLAN 1 on my switch, but the minute I enable the VLAN tagging on the switch, everything effectively stops working! I'll give this a try and update the thread if that works.

  • Hello -

    Anyone still interested in this thread, I've found the workaround -

    The XG box does not support VLAN 1; if your switch is set up to use a default VLAN of 1, XG will not recognize it. I'm using a Netgear switch, and my VLANs are configured as 802.1Q.

    I configured 2 VLANs for my physical port; VLAN 2 for my main network, and VLAN 3 for the guest wireless network.

    On my switch, I set all ports to a PVID of 2.

    My switch is connected to my AP on port 5, and to my XG on port 8; so port 8 is set to trunk for VLAN 2, and ports 5 and 8 trunk for VLAN 3.

    Both VLANs have their own unique subnets, and the Ubiquiti controller allows you to isolate subnets. Both VLANs have their own DHCP within Sophos.

    All seems to work fine now; just have an 'unused' subnet on the physical port.

    Hope this helps someone in some way.

  • Hi All,

    I am using XG with 3 VLANs at home and I am not experiencing this issue. I have a Cisco switch configured with 3 VLANs (1, 100, 200). The Cisco port connected to XG is configured as shown:

    interface FastEthernet0/11
     description XG_LAN
     switchport trunk allowed vlan 1,100,200
     switchport mode trunk
     duplex full
     speed 100
     spanning-tree portfast

    On XG I have 3 zones and 3 interfaces on one physical port.

    See the screenshot:

    Then I have all the needed policy rules configured. On VLANs 100 and 200 I have VMs running on ESXi.

    Hope this helps!

  • Also:

    XG supports only VLAN 1 on the physical port and you cannot change it. Hope they will remove this limitation. If you need another VLAN on the physical port, you have to create a VLAN.
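    The original post's port layout (VLAN 1 untagged plus VLAN 2 tagged on both the AP and XG ports), the PVID 2 workaround above, and the Cisco trunk config above can all be checked against the same small 802.1Q forwarding model. The following is an added example written for this thread, not code from any of the posters, Sophos or Cisco. It models only tag and membership consistency: does a frame leaving the AP arrive at the XG port carrying a tag that XG is listening on, under the assumption stated in the posts above that the physical port answers untagged traffic (its fixed VLAN 1) and every tagged VID needs its own VLAN interface. It says nothing about how a particular XG build actually behaves. The port names "ap"/"xg", the Cisco access port Fa0/1 in VLAN 100, and the XG interface names Port1, Port1.2 and so on are constructed for the example.

```python
"""Toy 802.1Q forwarding model for the switch/XG setups in this thread.

A switch port has a PVID (the VLAN untagged ingress frames are classified
into) and, per VLAN, an egress behaviour: send untagged, send tagged, or
not a member.  The firewall side follows the posts above: XG's physical
port sees only untagged traffic (its fixed VLAN 1) and every tagged VID
needs its own VLAN interface.  Port names, VIDs and XG interface names
are taken from the posts or are constructed for the example.
"""
from dataclasses import dataclass

DROP = "drop"


@dataclass(frozen=True)
class Port:
    pvid: int
    untagged: frozenset = frozenset()   # VLANs that leave this port without a tag
    tagged: frozenset = frozenset()     # VLANs that leave this port with a tag

    def members(self):
        return self.untagged | self.tagged

    def ingress(self, wire_vid):
        """VLAN a frame is classified into on arrival, or DROP.  None = untagged."""
        vid = self.pvid if wire_vid is None else wire_vid
        return vid if vid in self.members() else DROP

    def egress(self, vid):
        """Tag the frame carries when it leaves this port (None = untagged), or DROP."""
        if vid in self.untagged:
            return None
        if vid in self.tagged:
            return vid
        return DROP


def switch_forward(ports, in_port, out_port, wire_vid):
    """Classify on in_port, then apply out_port's egress rule for that VLAN."""
    vid = ports[in_port].ingress(wire_vid)
    return DROP if vid == DROP else ports[out_port].egress(vid)


def xg_listener(wire_vid, vlan_ifaces):
    """XG interface that receives a frame arriving with wire_vid, or None.
    Assumption taken from the thread: untagged -> physical port (VLAN 1, fixed);
    tagged -> only a VLAN interface with exactly that ID."""
    if wire_vid == DROP:
        return None
    if wire_vid is None:
        return "Port1"
    return vlan_ifaces.get(wire_vid)


def trace(ports, ap_port, fw_port, ap_wire_vid, vlan_ifaces):
    """Frame leaves the AP carrying ap_wire_vid; which XG interface gets it?"""
    return xg_listener(switch_forward(ports, ap_port, fw_port, ap_wire_vid), vlan_ifaces)


# Original post: VLAN 1 untagged and VLAN 2 tagged on both the AP port and the XG
# port; XG has one VLAN interface (ID 2) in the guest zone.  Port names constructed.
ORIGINAL = {
    "ap": Port(pvid=1, untagged=frozenset({1}), tagged=frozenset({2})),
    "xg": Port(pvid=1, untagged=frozenset({1}), tagged=frozenset({2})),
}
ORIGINAL_XG = {2: "Port1.2"}

# Workaround post: every port PVID 2; port 8 (XG) trunks VLANs 2 and 3,
# port 5 (AP) trunks VLAN 3 and carries VLAN 2 untagged.
WORKAROUND = {
    5: Port(pvid=2, untagged=frozenset({2}), tagged=frozenset({3})),
    8: Port(pvid=2, tagged=frozenset({2, 3})),
}
WORKAROUND_XG = {2: "Port1.2", 3: "Port1.3"}

# Cisco post: Fa0/11 trunks 1,100,200 with the default native VLAN 1 untagged.
# The access port Fa0/1 in VLAN 100 is constructed; the post only mentions ESXi VMs.
CISCO = {
    "fa0/1": Port(pvid=100, untagged=frozenset({100})),
    "fa0/11": Port(pvid=1, untagged=frozenset({1}), tagged=frozenset({100, 200})),
}
CISCO_XG = {100: "Port1.100", 200: "Port1.200"}


if __name__ == "__main__":
    print("original, guest SSID (tag 2):  ", trace(ORIGINAL, "ap", "xg", 2, ORIGINAL_XG))
    print("original, untagged:            ", trace(ORIGINAL, "ap", "xg", None, ORIGINAL_XG))
    print("workaround, untagged (PVID 2): ", trace(WORKAROUND, 5, 8, None, WORKAROUND_XG))
    print("workaround, guest (tag 3):     ", trace(WORKAROUND, 5, 8, 3, WORKAROUND_XG))
    print("workaround, stray tag 1:       ", trace(WORKAROUND, 5, 8, 1, WORKAROUND_XG))
    print("cisco, access VLAN 100:        ", trace(CISCO, "fa0/1", "fa0/11", None, CISCO_XG))
```

    The "stray tag 1" trace is the reason the workaround leaves the physical port's subnet unused: with every port on PVID 2 and no port a member of VLAN 1, nothing on the switch ever classifies a frame into VLAN 1, so the untagged leg to Port1 carries no traffic. The original post's layout comes out consistent in this model (tag 2 reaches Port1.2, untagged reaches Port1), which is the kind of switch-side mismatch the model can rule out; it cannot tell you anything about XG's own handling of the tagged frames.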

  • That's an interesting point. Perhaps I wasn't setting this up in the "expected" fashion, and this is why I was no longer able to communicate on that port. I was leaving it on a virtual NIC that was in a port group with NO VLAN. So once I flipped the VLAN setups on and switched the connections to the appropriate VLANs, I couldn't communicate on the non-VLAN virtual NIC I had connected. I did notice I could reach the IP from the VLAN side, though, it seemed. That would also explain why I'm in need of an IP on the physical port when I'm only planning to use VLANs, as it is expecting that I'm going to have management on VLAN 1. In my case that is not true, as I'm not using a mgmt VLAN since all other traffic is running either on the VLAN it should, or is managed through the virtual setup, aka the only place I NEED the mgmt VLAN is inside the virtual infrastructure. 

    I think this might put me in the right direction to better configure and set this up as planned originally. I just need to account for a mgmt VLAN network that I might not actually be using, and once I do, I can hopefully get connected. 

  • ShawnMix,

    VLAN 1 is something needed on XG at the moment. In fact, when you configure the physical port, it requires an IP address and the VLAN ID cannot be changed. Hope to see improvements in v17. I have a customer that does not use VLAN 1 at all, and leaving an interface with an IP on VLAN 1 is not secure (it must be disabled in some environments).

    Let's see!

  • Hi lferrara,

    if I understood you right, then Port 1 (LAN - Physical) is VLAN 1 by default.

    Can I also use it tagged by default (configure my switch port to VLAN 1 tagged and everything keeps working as before, while the other ports of the switch are VLAN 1 untagged)?

    Thanks for your help in advance,

    Markus

    PS.: This way I could configure the switch port connected to the firewall as tagged and add the other VLANs later :-P