TP-Link T1600G-28PS with TP-Link EAP225 WAP and 3 SSIDs each using their own VLAN - 1 works 2 don't

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-05-18 22:01:00 - last edited 2019-05-18 22:22:10
Hardware Version: V1
Firmware Version: V. 1.0.1 Build 20160411 Rel.34676(s)

Equipment:

TP-Link T1600G-28PS Switch
  • Version 1
  • Firmware V. 1.0.1 Build 20160411 Rel.34676(s)
  • IP 10.10.0.40

TP-Link EAP225 WAP
  • Version 3.1
  • Firmware EAP225(US)_V3_2.5.0 Build 20190404
  • IP 10.10.0.50

pfSense Router/Firewall
  • Version 2.4.4 running on bare metal
  • IP 10.10.0.1
  • This is wired to port 1 on the switch

 

What I am trying to achieve:

  1. 1 WAP with 3 SSIDs
    • SSID for family access (separate VLAN) 2.4GHz only
    • SSID for Guests (separate VLAN) 2.4GHz only
    • SSID for IoT devices (separate VLAN) 2.4GHz only
  2. Family needs to be able to access entire LAN
  3. Guests will have their own printer to access on their own VLAN

 

Since I only have 1 EAP225 WAP, I have it plugged into port 6 of the T1600G-28PS Switch.

 

Currently I can access the internet wirelessly using 2 of the SSIDs on the WAP (the existing one, which has been set up for some time, and the new one I created for IoT). I am baffled as to why I cannot access the Internet on VLAN 30 or 40, but have no problem on 50.

My plan was to set up the VLANs as follows:

 

  • SSID of Family to use VLAN 30
    • IP 10.10.30.1
      • DHCP Range: 10.10.30.100 - 10.10.30.200
    • VLAN Config:
      • Port 6 is untagged
      • Port 1 is tagged
         
  • SSID of Guest to use VLAN 40
    • IP 10.10.40.1
      • DHCP Range: 10.10.40.100 - 10.10.40.200
    • VLAN Config:
      • Port 6 is untagged
      • Port 1 is tagged
         
  • SSID of IoT to use VLAN 50
    • IP 10.10.50.1
      • DHCP Range: 10.10.50.100 - 10.10.50.200
    • VLAN Config:
      • Port 6 is untagged
      • Port 1 is tagged

 

 

 

I then went into the web portal for the WAP and added a new SSID of Family and told it to use VLAN 30. I went into the switch and also created VLAN 30 and set port 6 as UNTAGGED and set port 1 as TAGGED. I also went into pfSense and set up the firewall to allow any protocol. At that point I didn't set up any blocks in the firewall. VLAN 30 was wide open on the LAN. When I connected my laptop to use the Family SSID, I was assigned an IP from the 10.10.30.0/24 subnet of 10.10.30.100; however, I couldn't ping google.com or visit any websites.

I then went through the same process for the Guest network as I did above in the screenshots by going into the web portal for the WAP and added a new SSID of Guest and told it to use VLAN 40. I went into the switch and also created VLAN 40 and set port 6 as UNTAGGED and set port 1 as TAGGED. I also went into pfSense and set up the firewall to allow any protocol. At that point I didn't set up any blocks in the firewall. VLAN 40 was wide open on the LAN. When I connected my laptop to use the Guest SSID, I was assigned an IP from the 10.10.40.0/24 subnet of 10.10.40.100; however, I couldn't ping google.com or visit any websites.

Lastly I then went into the web portal for the WAP and added a new SSID of IoT and told it to use VLAN 50. I went into the switch and also created VLAN 50 and set port 6 as UNTAGGED and set port 1 as TAGGED. I also went into pfSense and set up the firewall to allow any protocol. At that point I didn't set up any blocks in the firewall. VLAN 50 was wide open on the LAN. When I connected my laptop to use the Guest SSID, I was assigned an IP from the 10.10.50.0/24 subnet of 10.10.50.100 AND THIS TIME I COULD PING GOOGLE.COM AND WAS ABLE TO ACCESS THE INTERNET.

 

I'm completely confused as to why the IoT SSID on VLAN 50 works when the other 2 do not. All 3 are configured the same. The only difference between them is the VLAN number and the DHCP IP address range. All 3 have the same rules in pfSense where they are wide open. I can't see how pfSense is stopping it.

I also went into pfSense to confirm that I can ping google from the VLAN30_Family interface and it works just fine, but if I ping from my laptop it will not work. It just times out.

 

1 Accepted Solution
Re:TP-Link T1600G-28PS with TP-Link EAP225 WAP and 3 SSIDs each using their own VLAN - 1 works 2 don't-Solution
2019-05-18 22:21:57 - last edited 2019-05-18 22:22:10

Solved

 

For anyone who stumbles upon this, it seems I did have everything in the switch and WAP configured correctly. It was a slight oversight within pfSense. I had my VLAN 30 and 40 settings for their SOURCE misconfigured.

 

If you look in my screenshots of the OP you'll see that the Source for VLAN 30_Family is VLAN30_FAMILY address and it should be VLAN30_FAMILY NET.

 

I did the same thing on VLAN40_Guest except I had it set to VLAN30_FAMILY net. This wasn't even the correct VLAN. It should have been set to VLAN40_FAMILY net.

 

I hope this serves as a reminder to carefully review your firewall rules!!!

 

“Failure is instructive. The person who really thinks learns quite as much from his failures as from his successes.” 
― John Dewey
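
The mistake described in the solution above (a pass rule whose source is the interface "address", or another interface's "net", instead of the interface's own "net") can be checked mechanically. This is an added example, not part of the original post: the config fragment and interface names are constructed, and it assumes the pfSense config.xml convention in which `<network>opt1</network>` stands for "OPT1 net" and `<network>opt1ip</network>` for "OPT1 address".

```python
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml fragment (not the poster's real config).
# Assumed convention: <network>opt1</network> = "OPT1 net",
# <network>opt1ip</network> = "OPT1 address".
SAMPLE_CONFIG = """
<pfsense>
  <interfaces>
    <opt1><descr>VLAN30_FAMILY</descr></opt1>
    <opt2><descr>VLAN40_GUEST</descr></opt2>
    <opt3><descr>VLAN50_IOT</descr></opt3>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>opt1</interface>
      <source><network>opt1ip</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>opt2</interface>
      <source><network>opt1</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>opt3</interface>
      <source><network>opt3</network></source><destination><any/></destination></rule>
  </filter>
</pfsense>
"""

def audit_rule_sources(config_xml):
    """Return (interface name, problem) for pass rules whose source cannot
    match clients on the interface the rule is attached to."""
    root = ET.fromstring(config_xml)
    names = {i.tag: i.findtext("descr", i.tag) for i in root.find("interfaces")}
    findings = []
    for rule in root.iterfind("./filter/rule"):
        iface = rule.findtext("interface")
        src = rule.findtext("source/network")
        # Skip non-pass rules, unknown interfaces, "any"/literal sources,
        # and the correct case where the source is "<iface> net".
        if rule.findtext("type") != "pass" or iface not in names or src in (None, iface):
            continue
        base = src[:-2] if src.endswith("ip") else src
        if src == iface + "ip":
            problem = "source is the firewall's own address, not the subnet"
        elif base in names:
            problem = f"source refers to {names[base]}, a different interface"
        else:
            continue  # other macros (e.g. aliases) are out of scope here
        findings.append((names[iface], problem))
    return findings

if __name__ == "__main__":
    for name, problem in audit_rule_sources(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```

On the constructed sample, the VLAN 30 and VLAN 40 rules are flagged and the VLAN 50 rule is not, matching the symptom in the thread where clients got an address but only VLAN 50 traffic passed.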
