kiekar wrote

Hello,

I recently bought a TL-SG105E switch for my home/business setup to segregate my wifi network to a secure, guest and eventually an IoT network using VLANs.

My current setup is as follows. One cable from pfSense igb2 port to port one on the switch then port 2 from switch to a cisco wap125 AP.

I have both VLAN interfaces setup on pfSense VL10_wifi (192.168.10.0/24) and VL20_guest (192.168.20.0/24)

Switch is setup as:

VLAN ID 10 has port 1 tagged and port 2 untagged. PVID has port 1 set to id 10 and port 2 set to id 10

VLAN ID 20 has port 1 tagged and port 2 untagged. Note. PVID has nothing set?

On VLAN 10 I have no issues to access the internet. All devices receive an IP address from the DHCP server on the pfSense box. For VLAN 20 I’m unable to access the internet however the device does get an IP address.

So is my switch setup correctly or do I need to look at my AP setup? Any help would be much appreciated.

 

Thanks,

Hi kiekar

If you AP support VLAN and send the tagged data, you need to set port 2 as tagged. 

Hello Anderson,

Thanks for your reply. I switched the configuration on VLAN 20 to port 1 and 2 as tagged but unfortuneately I'm still unable to access the internet. My AP does support VLANs. I will have a look there.

Thanks,

kiekar wrote

Hello Anderson,

 

Thanks for your reply. I switched the configuration on VLAN 20 to port 1 and 2 as tagged but unfortuneately I'm still unable to access the internet. My AP does support VLANs. I will have a look there.

 

Thanks,

Hi Kiekar

I think that your topology is as follows.

Router-----(port 1)TL-SG108E(port 2)-----AP

If your router and AP both support VLAN, then port 1 and port 2 should be tagged. 

You said that your have two subnet for VLAN10 and VLAN20. I think maybe your router has two DHCP servers to assign the IP address of two subnet. 

Please note that the gateway of the clients should be the router and your router should support multi-nets NAT(let the data from different subnets can pass NAT).

When your wireless clients get the IP address, please try to ping the router. If they can ping the router, then TL-SG108E hasn't problem. You should focus on the router.

Anderson wrote

kiekar wrote

Hello Anderson,

 

Thanks for your reply. I switched the configuration on VLAN 20 to port 1 and 2 as tagged but unfortuneately I'm still unable to access the internet. My AP does support VLANs. I will have a look there.

 

Thanks,

 

Hi Kiekar

 

I think that your topology is as follows.

Router-----(port 1)TL-SG108E(port 2)-----AP

 

If your router and AP both support VLAN, then port 1 and port 2 should be tagged. 

You said that your have two subnet for VLAN10 and VLAN20. I think maybe your router has two DHCP servers to assign the IP address of two subnet. 

Please note that the gateway of the clients should be the router and your router should support multi-nets NAT(let the data from different subnets can pass NAT).

When your wireless clients get the IP address, please try to ping the router. If they can ping the router, then TL-SG108E hasn't problem. You should focus on the router.

Hi Anderson and thank you for all your help so far.

Yes the toplogy is correct but I decided to remove the AP from the equation to try and pin point the issue.

Yes I do have two DHCP servers setup for each of the VLAN interfaces.

Yes I do have outbound NAT setup for for both interfaces.

As I mentioned, I removed the AP off port 2 and connected my PC to port two. Just to be sure my setup on the switch is as follows. 

I then manually set the ip on the pc to 192.168.10.200, 255.255.255.0, gateway to 192.168.10.1 and DNS to 192.168.10.1 for vlan 10 where I was able to access the internet.

I then changed the ip address on the pc to 192.168.20.200, 255.255.255.0, gateway to 192.168.20.1 and DNS to 192.168.20.1 but as before i was not able to access the internet. 

Pinging both gateway interfaces from the pc to 192.168.10.1 and 192.168.20.1 resulted in no packet losses using clinet ip 192.168.10.200 but for client ip 192.168.20.200 100% packet loss for gateways 192.168.10.1 and 192.168.20.1

I played with the PVID for port 2 by changing the id to 20 instead of 10. This resulted in accessing the internet for vlan 20 but vlan 10 did not work.

Is this still a switch configuration issue?

kiekar wrote

I may have solved my issue. It seems that one of my rules on the vlan_10 interface was causing the problem. I'm using a vpn service and as soon i closed the service i was able to access the internet from vlan_20. Will test further and reply back if further issues come up.

Hi Kiekar

If your AP is able to send the tagged data, I think you should set the port 2 as tagged for VLAN 10 and VLAN 20. I saw that port 2 is untagged for VLAN 20 in your picture.

If your AP cannot send the tagged data, then its data can only belong to one VLAN. And it will belong to the VLAN of PVID.