@ErwinvL Assuming the APs are on ports 2 & 3 and the router is on port 17, are the switch PVID of those three ports set to 1?  They should be, to be consistent with VLAN1 being the untagged network.  Also since the Native Network (PVID) for the switch ports to the APs should be VLAN1 (because it is the untagged VLAN), you should have all SSIDs set to have VLAN active.

I think there is a VLAN limit in the APs, but I think it's like 32.

Side note, you probably don't need to transmit an EAP MGMT SSID unless you are using an Omada controller and Omada mesh.

  @ErwinvL 

Maybe it's the switch or the router VLAN settings not match?

Try set up a port on the switch to "Guest" VLAN untag(with PVID 7), and connect PC to this port and test if it can receive correct IP.

JoeSea wrote

  @ErwinvL Assuming the APs are on ports 2 & 3 and the router is on port 17, are the switch PVID of those three ports set to 1?  They should be, to be consistent with VLAN1 being the untagged network.  Also since the Native Network (PVID) for the switch ports to the APs should be VLAN1 (because it is the untagged VLAN), you should have all SSIDs set to have VLAN active.

 

I think there is a VLAN limit in the APs, but I think it's like 32.

 

Side note, you probably don't need to transmit an EAP MGMT SSID unless you are using an Omada controller and Omada mesh.

  @JoeSea 

You are correct. On the switch all ports have the PVID set to 1 so that doesn't seem to be the problem. If I look on the lowest level I can with tcpdump on the router itself I do see vlans 5, 30 packets coming in correctly tagged and these are also come from the EAPs. The other vlans 2, 3, 7 are not. That is what I find weird. The below shows the setup on the AP's. I don't even see dhcp requests coming in from the AP's when I connect a client do I have a feeling these are dropped somewhere in the switch. As the diagnostics capabilities on the switch itself are terrible (ie almost non-existing) there is nothing I can see on that side.

Somnus wrote

  @ErwinvL 

 

Maybe it's the switch or the router VLAN settings not match?

Try set up a port on the switch to "Guest" VLAN untag(with PVID 7), and connect PC to this port and test if it can receive correct IP.

 

 

  @Somnus 

Nah, they so match for sure. The guest vlan is a bit more challenging as it is linked to a radius server and that connection also doesn't work. I really wished that TP-link would've built some better troubleshooting methods in the switch, as this is simply some black box where you just have to hope Ethernet frames make it out the other side. If they don't, you're pretty much in limbo.

  @ErwinvL For trouble shooting, you could try to direct connect one of the APs to the router box, and see if the VLANs carry through that simple config.  You could also try setting an open port on the switch to one of the problem VLANs to be an access port (ex. Port 16, PVID 2, Untagged 2, Tagged None), and connect up a computer to see if you get an IP.  I'm leaning toward thinking the VLAN settings on the computer running Proxmox are not quite right.  Since the switch and AP both are passing VLANs, so it doesn't seem like it would pass some, and not others.  Also check the specs on the computer's hardware NIC, hypervisior can do VLANs but the NIC may not be that capable (along with driver settings).

You can also set up the switch for basic port mirroring, for some packet sniffing, to/from the AP.

  @ErwinvL 

ErwinvL wrote

Somnus wrote

  @ErwinvL 

 

Maybe it's the switch or the router VLAN settings not match?

Try set up a port on the switch to "Guest" VLAN untag(with PVID 7), and connect PC to this port and test if it can receive correct IP.

 

 

  @Somnus 

Nah, they so match for sure. The guest vlan is a bit more challenging as it is linked to a radius server and that connection also doesn't work. I really wished that TP-link would've built some better troubleshooting methods in the switch, as this is simply some black box where you just have to hope Ethernet frames make it out the other side. If they don't, you're pretty much in limbo.

Yehh that's why I always offer a "whole system" to my customers. Whole Unifi, or whole tplink Omada.

When you do the VLANs it is not "one device", but need to check the whole network settings. At this time the UniFi Controller or Omada Controller is very helpful.

JoeSea wrote

  @ErwinvL For trouble shooting, you could try to direct connect one of the APs to the router box, and see if the VLANs carry through that simple config.  You could also try setting an open port on the switch to one of the problem VLANs to be an access port (ex. Port 16, PVID 2, Untagged 2, Tagged None), and connect up a computer to see if you get an IP.  I'm leaning toward thinking the VLAN settings on the computer running Proxmox are not quite right.  Since the switch and AP both are passing VLANs, so it doesn't seem like it would pass some, and not others.  Also check the specs on the computer's hardware NIC, hypervisior can do VLANs but the NIC may not be that capable (along with driver settings).

 

You can also set up the switch for basic port mirroring, for some packet sniffing, to/from the AP.

  @JoeSea 

Issue is solved. I found out by starting to diagnose dhcp request, and I saw that these did arrive at the physical proxmox interface with the correct vlan tag. What was a surprise for me was that these did not propagate onto the proxmox bridge, so there must have been something wrong there. The other VM's and containers use the same bridge and therefore were able to obtain a correct IP address as the OpnSense router is also connected to that same bridge. This threw me off guard. I decided to reboot the Proxmox server after which things started running again. There is nothing in the logs that show anything wrong so I'm still a bit baffled on how this could happen.

The reason I therefore first suspected the EAP's and the switch was that I monitored the bridge on the Proxmox server and saw nothing. As you can see this sometimes leads to false conclusions.

Anyway, your help and suggestions are much appreciated. I hope this also helps others.

Regards

Erwin

  @ErwinvL Good to hear you found the issue and that a simple server reboot has fixed it.  That's some great packet sniffing.