
I'm trying to setup a guest wireless network in an environment that has been humming along nicely for quite some time. The wireless runs on Ubiquiti UniFi APs.

I hope this is clear. If it's not, feel free to ask questions. I have a feeling this could be confusing.

The Cisco switch in question is a SG 200 series, and the firewall is pfSense. Ubiquiti UniFi APs are configured with 2 SSIDs ("NNH" and "NNH Guest")

Before I describe more of the topology, here's the situation:

  • Employees receive DHCP just fine from the proper DHCP server
  • Computers connected physically to VLAN 200 receive DHCP just fine from pfSense (which is that VLAN's correct DHCP server).
  • Wireless clients on NNH receive DHCP fine
  • Wireless clients on "NNH Guest" do NOT get a DHCP address, and can't connect

More Details

pfSense is running as the firewall and the DHCP server for the Guest network only (the employee / primary network has a Synology NAS as the DHCP server).

The network has these two subnets

  • 10.1.10.0/24 = Employees
  • 10.1.200.0/24 = Guests (tagged VLAN 200)

pfSense is configured as follows:

  • 3 Interfaces (WAN on interface bce0, LAN on bce1, OPT1 on VLAN 200)
  • VLAN 200 is set up to run on top of LAN


There is a computer lab which is physically connected to VLAN 200. The port on the Cisco switch that connects to the lab (which has its own switch) is set up as an Access Port on VLAN 200 (untagged).

All PCs in the computer lab (physically connected) get their correct DHCP address from pfSense (10.1.200.0/24).

I've configured the ports on the Cisco switch that connect directly to the Ubiquiti UniFi APs to be in "General" mode, with VLAN 200 as a tagged member.

Additionally, the switch's Trunk port that is connected to pfSense is a member of VLAN 200:


Ubiquiti UniFi APs are configured as follows:

  • 2 SSIDs
  • "NNH Guest" is set up to "use VLAN 200"

To Summarize...

Wireless clients connecting to "NNH Guest" aren't receiving a DHCP address (10.1.200.0/24) when "NNH Guest" is configured on the Ubiquiti UniFi APs to use VLAN 200.

When I take VLAN 200 out of the equation (remove VLAN 200 from the SSID in the Ubiquiti settings), clients are able to connect to the Guest network, but they get an IP address from the Employee subnet, which is obviously what I'm trying to avoid.

How can I fix this?

David W
  • "When I take VLAN 200 out of the equation"...do you mean removing it on the SSID or on the Cisco switch or both? – TheCleaner Dec 30 '14 at 16:32
  • When I remove VLAN 200 from the Ubiquiti settings / SSID. NOT when I remove it from the Cisco Switch. – David W Dec 30 '14 at 16:35
  • So the switch is still sending the untagged packets ok, just not the tagged ones. Do you have another port on the switch acting as a trunk port that's a member of VLAN 200 and connected up to the pfsense firewall that I'm missing from your post? If not, you'd need one to send that tagged packet up from the switch port to the pfsense firewall, otherwise the tagging would get dropped. – TheCleaner Dec 30 '14 at 16:58
  • Oh, actually, I do have a Trunk port that's a member of that VLAN. I'll update the question. – David W Dec 30 '14 at 17:44
  • I had *exactly* the same problem, only with a Netgear "Smart" Switch instead of a Cisco Switch. The problem is almost certainly the VLAN / Trunk settings on the switch itself. – Moshe Katz Jan 01 '15 at 20:32

1 Answer


My initial assumption would be that the AP does not have access to VLAN 200.

To verify: connect a computer to GE16 in place of the AP. Run Wireshark. Look for broadcast traffic on VLAN 200. Alternatively, use a Hyper-V virtual switch to add a virtual NIC on VLAN 200 and ping hosts (use a static IP for testing). Here is an article on how that may be done: https://blogs.msdn.microsoft.com/virtual_pc_guy/2015/02/09/adding-a-second-and-third-management-os-adapter-to-a-virtual-switch/

If the port has access to VLAN 200 look at the AP config. If not, look at the switchport configuration.

This answer is likely no longer relevant to the OP but may help others.

TS79
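The check the answer describes (capture on the AP's switch port and look for traffic on VLAN 200) can be automated so the capture tells you two things at once: which VLAN tags actually arrive at that port, and on which VLANs DHCP Discovers go unanswered, which is exactly the symptom in the question. The following is an added example, not code from the original post or from any of the vendors named in it; it builds a few constructed 802.1Q frames in place of a real capture (the MAC addresses and the 10.1.200.1 server address are made up), parses the VLAN tag and the DHCP message type, and reports per-VLAN counts.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER = 1, 2  # values of DHCP option 53


def build_dhcp_frame(msg_type, vlan, mac):
    """Construct a minimal broadcast DHCP frame (constructed test data, not a real capture).
    vlan=None produces an untagged frame; otherwise an 802.1Q tag with that VID is inserted.
    'mac' is the source MAC (client for a Discover, server for an Offer)."""
    if msg_type == DISCOVER:
        op, sport, dport, src_ip = 1, 68, 67, b"\0\0\0\0"
    else:
        op, sport, dport, src_ip = 2, 67, 68, bytes([10, 1, 200, 1])  # assumed pfSense address
    # Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags(broadcast),
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dhcp = bootp + DHCP_MAGIC + bytes([53, 1, msg_type, 255])  # option 53 then END
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, b"\xff\xff\xff\xff") + udp
    eth = BROADCAST_MAC + mac
    if vlan is None:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, ETHERTYPE_IPV4)
    return eth + ip


def dhcp_message_type(dhcp):
    """Return the value of DHCP option 53, or None if the payload is not DHCP or lacks it."""
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(dhcp):
        code = dhcp[i]
        if code == 255:   # END
            break
        if code == 0:     # PAD
            i += 1
            continue
        length = dhcp[i + 1]
        if code == 53 and length == 1:
            return dhcp[i + 2]
        i += 2 + length
    return None


def parse_frame(frame):
    """Return the 802.1Q VLAN id (None = untagged) and the DHCP message type, if any."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VID
    msg = None
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[offset:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] == 17:   # UDP
            udp = ip[ihl:]
            if struct.unpack("!HH", udp[:4]) in ((68, 67), (67, 68)):
                msg = dhcp_message_type(udp[8:])
    return {"vlan": vlan, "dhcp": msg}


def dhcp_per_vlan(frames):
    """Count DHCP Discover and Offer messages per VLAN seen in the capture."""
    stats = {}
    for frame in frames:
        p = parse_frame(frame)
        if p["dhcp"] in (DISCOVER, OFFER):
            entry = stats.setdefault(p["vlan"], {"discover": 0, "offer": 0})
            entry["discover" if p["dhcp"] == DISCOVER else "offer"] += 1
    return stats


def unanswered_vlans(frames):
    """VLANs on which clients send Discovers but no server ever answers with an Offer."""
    return sorted((v for v, s in dhcp_per_vlan(frames).items()
                   if s["discover"] and not s["offer"]),
                  key=lambda v: -1 if v is None else v)


# Constructed stand-in for a capture taken on the AP's switch port: the untagged
# (employee) VLAN gets an answer, the tagged guest VLAN 200 never does.
CLIENT_MAC = bytes.fromhex("02aabbccdd01")   # made-up locally administered address
SERVER_MAC = bytes.fromhex("02aabbccdd02")
SAMPLE_CAPTURE = [
    build_dhcp_frame(DISCOVER, None, CLIENT_MAC),
    build_dhcp_frame(OFFER, None, SERVER_MAC),
    build_dhcp_frame(DISCOVER, 200, CLIENT_MAC),
    build_dhcp_frame(DISCOVER, 200, CLIENT_MAC),
]

if __name__ == "__main__":
    print(dhcp_per_vlan(SAMPLE_CAPTURE))
    print("VLANs with unanswered DHCP:", unanswered_vlans(SAMPLE_CAPTURE))
```

To run this against a real capture from the AP port, feed it the raw Ethernet bytes of each packet from a pcap (for example `bytes(pkt)` for each packet returned by scapy's `rdpcap`). One caveat that matters for this exact test: many NIC drivers, Windows ones in particular, strip the 802.1Q tag before the capture library sees the frame, so every frame then appears untagged and VLAN 200 looks absent even when the switch is delivering it. If the output shows Discovers on VLAN 200 but no Offers, the tagged frames are reaching the port and the problem is upstream of it (the trunk towards pfSense or the pfSense VLAN interface); if VLAN 200 never appears at all, the switch port configuration is the first place to look, which is the split the answer describes.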