OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: speedfreak on August 08, 2021, 03:01:16 pm

Title: Bridge of VLANs, no internet
Post by: speedfreak on August 08, 2021, 03:01:16 pm
Hello
I have OPNsense installed on a box with an Intel 4-port NIC. I have multiple access points connected directly to ports of this NIC. I want to create VLANs which are available to all access points connected to these 4 NIC ports. I do this so I can create WiFi networks for guests and for IoT, available on every access point.

So far I have created 4 VLAN interfaces, each with their own assignment, and then bridged them together (I had to do this in order to make DHCP work; I first tried making a VLAN directly on the LAN bridge (which bridges the NIC's 4 ports), but DHCP didn't work that way). On my access points (OpenWRT), I configured the right WiFi networks. My devices can connect and get an IP in the right DHCP range, so this is working. However, none of these devices can connect to the internet (or ping the router). My bridged VLAN has a pass-all rule in the firewall, so I don't know why it's not working.

I found this post of someone having the exact same issue, but no solution is provided: https://forum.opnsense.org/index.php?topic=7359.0

What am I doing wrong? I also don't understand why I don't find more information about this as this seems like something a lot of people would do.
Title: Re: Bridge of VLANs, no internet
Post by: errored out on August 09, 2021, 04:18:10 am
What does your FW live view show?

When you are on one of the VLANs, what is the ipconfig for that computer? I.e. if on IoT, what is the DHCP server configured for and what is listed in the client's IP config info; is everything matching? Each VLAN should have a different IP for the FW.

Also if you want more help, you need to give more info on your setup.
Title: Re: Bridge of VLANs, no internet
Post by: speedfreak on August 12, 2021, 12:39:41 pm
Some more info:

- I have all 4 ports of my Intel NIC bridged as "LAN". LAN has a DHCP server running and gives leases under 192.168.2.x
- for LAN, there is no VLAN configured

- for every port of the NIC, I have also configured a VLAN with VLAN tag 20.
- these 4 VLANs are bridged as "VLAN20"
- for VLAN20, there is a DHCP server running giving leases in 192.168.20.x

In my access points (connected directly to the Intel NIC, no switch in between), there is a WiFi network without VLAN tag. Devices connected to this get an IP in the 192.168.2.x range and can connect properly. There is also a WiFi network with VLAN tag 20 on the same APs which broadcasts my IoT network. Devices connected to this get an IP in the 192.168.20.x range. For example, an ipconfig on a client on this network gives me:
IP: 192.168.20.101
Subnet: 255.255.255.0
gateway: 192.168.20.1 (DHCP server of VLAN20).

When I go to "leases" under the DHCPv4 service in OPNsense, I see the device with IP 192.168.20.101 listed under interface VLAN20.

In the firewall I have a pass-all rule for VLAN20 net.

So the problem is that the devices on the VLAN20 net cannot connect to the internet, nor ping a device on my network (even the default gateway is not accessible).

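The consistency checks errored out is asking for (same tag on every bridge member, one physical port per member, and the client's gateway and subnet matching the bridge address) can be scripted against `ifconfig` output. This is an added example, not code from the thread or from OPNsense; the `ifconfig` text, interface names and MAC-less flags are constructed, and the 192.168.20.1 gateway and 192.168.20.101 client come from the post above.

```python
import ipaddress
import re
# Constructed FreeBSD-style `ifconfig` output modelling the thread's setup: a VLAN 20
# sub-interface per igb port, bridged as one interface that holds the 192.168.20.1 gateway.
SAMPLE_IFCONFIG = """\
vlan0.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb0
vlan1.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
    member: vlan0.20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: vlan1.20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

def parse_ifconfig(text):
    """Map each interface to its 802.1q tag and parent, IPv4 address, and bridge members."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\S+): flags=", line):          # interface header line
            cur = ifaces.setdefault(m.group(1), {"members": []})
        elif m := re.search(r"vlan: (\d+) .*parent interface: (\S+)", line):
            cur["vlan"], cur["parent"] = int(m.group(1)), m.group(2)
        elif m := re.search(r"inet (\S+) netmask 0x([0-9a-f]+)", line):
            mask = ipaddress.IPv4Address(int(m.group(2), 16))  # hex mask -> dotted quad
            cur["inet"] = ipaddress.ip_interface(f"{m.group(1)}/{mask}")
        elif m := re.search(r"member: (\S+)", line):
            cur["members"].append(m.group(1))
    return ifaces

def check_vlan_bridge(ifaces, bridge, tag, client_ip, client_mask, client_gw):
    """Return findings (empty list = consistent) for a bridge of tagged sub-interfaces."""
    br, problems = ifaces.get(bridge), []
    if br is None:
        return [f"{bridge}: interface not found"]
    parents = []
    for member in br["members"]:
        info = ifaces.get(member, {})
        parents.append(info.get("parent"))
        if info.get("vlan") != tag:  # an untagged or wrongly tagged member leaks frames
            problems.append(f"{member}: expected 802.1q tag {tag}, got {info.get('vlan')}")
    if len(set(parents)) != len(parents):
        problems.append(f"{bridge}: two members ride on the same physical port")
    if "inet" not in br:
        return problems + [f"{bridge}: no IPv4 address, so clients have no gateway"]
    client = ipaddress.ip_interface(f"{client_ip}/{client_mask}")
    if br["inet"].ip != ipaddress.ip_address(client_gw):
        problems.append(f"client gateway {client_gw} is not the bridge address {br['inet'].ip}")
    if client.network != br["inet"].network:
        problems.append(f"client {client} is outside bridge subnet {br['inet'].network}")
    return problems
```

On a real box, feed it the output of `ifconfig` and the values from the client's ipconfig; an empty list means the layer-3 side matches and the fault is elsewhere (firewall state, tagging on the AP side).
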
Title: Re: Bridge of VLANs, no internet
Post by: lilsense on August 12, 2021, 01:19:49 pm
So, based on your information, I'd be shocked if anything works. There are a lot of concepts you are trying to implement that are not done properly here.

I would recommend drawing this up on a piece of paper, then working your way through VLAN and IP. None of this is done right.

Also, I am not sure if you understand VLAN tagging... Just because a device is one vlan does not mean the interface is tagging.
Title: Re: Bridge of VLANs, no internet
Post by: speedfreak on August 12, 2021, 01:25:14 pm
I want to make multiple VLANs available on all ports of my 4-port NIC, so my access points can each broadcast multiple SSIDs (each on their own VLAN). From what I've read, the easy way would be to add a switch in between my OPNsense box and my APs, but I don't have a switch and have enough ports with the 4-port NIC. The setup I'm describing is what I've come up with from reading other kinda (but not really) related topics.

I'm very willing to just start over, so could you maybe point me in the right direction on how to do this properly?
Title: Re: Bridge of VLANs, no internet
Post by: lilsense on August 12, 2021, 01:34:35 pm
There are 100s of possible ways to set this up; however, I am not sure if all your devices would be able to handle what you are attempting to do...

Can your APs support multiple SSIDs, multiple DHCP, and dot1q?
Title: Re: Bridge of VLANs, no internet
Post by: speedfreak on August 12, 2021, 01:42:05 pm
Thanks for the quick reply.

It's a combination of OpenWRT APs and a TP-Link EAP 245, so they can both do multiple SSIDs, multiple DHCP and VLAN tagging.

Currently, these are configured as (dumb) access points (so they don't have their own DHCP server running).
Title: Re: Bridge of VLANs, no internet
Post by: lilsense on August 12, 2021, 03:33:03 pm
As a dumb AP, what can they support?

You need to plan on setting up multiple DHCP networks on the OPNsense.
You need to plan on setting up multiple VLANs on the interfaces (i.e. tagging/dot1q).
You need to plan on setting up dot1q on the APs.

At this point you need to have an IP addy for the APs from the VLANs and need to be able to ping those from both directions.

Then,
you need to plan on setting up your APs with SSIDs and VLANs and test.
Title: Re: Bridge of VLANs, no internet
Post by: errored out on August 12, 2021, 08:58:50 pm
I agree with lilsense, try to draw out what you are trying to accomplish. This will help more than you know. Second, when reviewing the technical specifications of your hardware, focus on capabilities / compatibilities. The largest issue I have found in my experience is when purchasing hardware the assumption is that it will work, but when actually trying to configure it, it only offers partial support.

A basic example: you have a Gigabit network, but your computer only handles 10/100. The fastest transmission would be 100 using that computer.

You actually do not have 4 VLANs, rather only 1. When counting VLANs, you count the actual #s you created, not the ports assigned to that VLAN.

Also, are you using crossover cables?  That may be an issue depending on your hardware (unlikely, but something to verify).