OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: jimjohn on May 14, 2024, 04:05:22 PM

Title: No DHCPREQUEST on VLAN
Post by: jimjohn on May 14, 2024, 04:05:22 PM
Hello,

I have the following topology: OPNsense -(cable)-> Fritz!Box as WiFi AP -(WiFi)-> Fritz!Box Repeater -(cable)-> Unifi AP -(WiFi)-> Clients

The Unifi AP spans 3 WiFi networks:

1) Standard
2) Guest (VLAN 110)
3) IoT (VLAN 120)

In OPNsense, I created the VLANs, the interfaces and enabled DHCPv4 on the interfaces. I also added firewall rules.

If I connect to the standard WiFi (no VLAN), all is fine.

If I connect to either the Guest or the IoT network, I see at the OPNsense a DHCPDISCOVER and a DHCPOFFER from the respective VLAN in the logging; so I conclude that VLAN tagging is fine and the traffic comes (at least) to the OPNsense.

However I do not see a DHCPREQUEST nor a DHCPACK by the client on the VLAN. What I DO see is a ping from the client with the non-DHCP-given address (169.X.X.X) which is blocked and logged by my "block all" rule at the end of the firewall rule set. What I expect is a 10.0.110.X or a 10.0.120.X client IP address provided via DHCP based on the respective WiFi net / VLAN (110 or 120).

Any ideas what I am doing wrong?

P.S. Fritz!Box is planned to be replaced but this is my current test setup.
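The symptom described in this post (DHCPDISCOVER and DHCPOFFER logged on the VLAN, but no DHCPREQUEST or DHCPACK) can be picked out of a DHCP server log automatically. The following is an added example, not part of the original post; it assumes ISC dhcpd style log lines, and the sample lines, MAC addresses, host names and interface names are constructed:

```python
import re
from collections import defaultdict

# Constructed sample in ISC dhcpd log style; MACs, addresses and the
# interface names (igb1, vlan0.110) are made up for this example.
SAMPLE_LOG = """\
May 14 16:01:10 fw dhcpd[4711]: DHCPDISCOVER from 02:00:00:aa:00:01 via igb1
May 14 16:01:11 fw dhcpd[4711]: DHCPOFFER on 10.0.1.101 to 02:00:00:aa:00:01 via igb1
May 14 16:01:11 fw dhcpd[4711]: DHCPREQUEST for 10.0.1.101 (10.0.1.1) from 02:00:00:aa:00:01 via igb1
May 14 16:01:11 fw dhcpd[4711]: DHCPACK on 10.0.1.101 to 02:00:00:aa:00:01 via igb1
May 14 16:02:00 fw dhcpd[4711]: DHCPDISCOVER from 02:00:00:bb:00:02 (phone) via vlan0.110
May 14 16:02:01 fw dhcpd[4711]: DHCPOFFER on 10.0.110.50 to 02:00:00:bb:00:02 (phone) via vlan0.110
May 14 16:02:05 fw dhcpd[4711]: DHCPDISCOVER from 02:00:00:bb:00:02 (phone) via vlan0.110
May 14 16:02:06 fw dhcpd[4711]: DHCPOFFER on 10.0.110.50 to 02:00:00:bb:00:02 (phone) via vlan0.110
"""

# Message type, client MAC (after "from"/"to"), optional "(hostname)", interface.
LINE = re.compile(
    r"(DHCP(?:DISCOVER|OFFER|REQUEST|ACK))\b.*?"
    r"(?:from|to) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \([^)]*\))? via (\S+)", re.I)

def stalled_handshakes(log_text):
    """Return {(iface, mac): verdict} for clients that never got a DHCPACK."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            msg, mac, iface = m.groups()
            seen[(iface, mac.lower())].add(msg.upper())
    verdicts = {}
    for key, msgs in seen.items():
        if "DHCPACK" in msgs:
            continue  # handshake completed at least once
        if "DHCPOFFER" in msgs and "DHCPREQUEST" not in msgs:
            verdicts[key] = "OFFER sent but no REQUEST seen"
        elif "DHCPREQUEST" in msgs:
            verdicts[key] = "REQUEST seen but no ACK sent"
        else:
            verdicts[key] = "DISCOVER only, server did not answer"
    return verdicts

if __name__ == "__main__":
    for (iface, mac), verdict in stalled_handshakes(SAMPLE_LOG).items():
        print(f"{iface} {mac}: {verdict}")
```

A client that only ever reaches the OFFER stage on a tagged interface, while the untagged interface completes normally, points at the path between server and client rather than at the DHCP server configuration.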
Title: Re: No DHCPREQUEST on VLAN
Post by: jimjohn on May 14, 2024, 05:41:42 PM
BTW: if I give a manual address and DNS on the client, all works on the VLAN interfaces. It's really just DHCP.

I also rebooted - same behavior before and after.
Title: Re: No DHCPREQUEST on VLAN
Post by: jimjohn on May 15, 2024, 12:47:52 PM
No idea? Anyone? I am desperate ...
Title: Re: No DHCPREQUEST on VLAN
Post by: jimjohn on May 15, 2024, 02:28:03 PM
I switched to KEA, same behavior.
Title: Re: No DHCPREQUEST on VLAN
Post by: Saarbremer on May 15, 2024, 02:39:24 PM
Could you elaborate more on your network setup, please?

From your description we have:


opnsense <-> fritz (wifi) -> repeater (connected to ???) -> unifi ap (wifi, connected to fritz?) -> clients


And then I wonder how you create vlans in your fritz box. On the other hand, maybe your unifi is directly connected to the opnsense. Then the behaviour could come from the fact that a switch in between has an invalid untagged/tagged configuration for your setup. But again, you never mentioned a switch, so I guess there is none.

Title: Re: No DHCPREQUEST on VLAN
Post by: jimjohn on May 15, 2024, 05:16:44 PM
QuoteCould you elaborate more on your network setup, please?

Of course.

I have a Fritz!Box acting as a cable modem (10.0.0.1). The WAN interface of the OPNsense connects to it physically (10.0.0.2).

Then the OPNsense has a physical LAN interface (10.0.1.1) to another Fritz!Box (10.0.1.2), that I am using as an intermediate WiFi AP. Part of this WiFi network (DHCP 10.0.1.100 - 10.0.1.200) is a Fritz!Repeater, to whose physical port the UniFi AP is connected.

I also have a Proxmox host running, among others, the Unifi Controller (10.0.3.X) that I use to configure the Hotspot.

QuoteAnd then I wonder how you create vlans in your fritz box.
Not at all, but it seems to work since if I give a manual IP, I see all the right rules applied to the Guest VLAN and I have perfect access as intended. All traffic comes to the OPNsense on the VLAN interface.

QuoteOn the other hand, maybe your unifi is directly connected to the opnsense.
No, this is not the case, see above.
QuoteThen the behaviour could come from the fact that a switch in between has an invalid untagged/tagged configuration for your setup. But again, you never mentioned a switch, so I guess there is none.
No, there is no dedicated switch, but the Fritz!Box acting as AP could be considered one.

What is strange to me is that only DHCP does not work. If something with the VLAN configuration / tagged / untagged would be wrong, I would expect nothing at all to work.
Title: Re: No DHCPREQUEST on VLAN
Post by: Saarbremer on May 15, 2024, 06:35:31 PM
It's still searching for needles in a haystack. Your information reveals a bit but not really all.

The WLAN AP fritz box is connected to OPNsense how? Via the fritz box's LAN or WAN port? If WAN: DHCP cannot be provided by OPNsense just as is. You'd need some kind of forwarding.

Your unifi could also provide DHCP but within one logical segment (all clients using fritzbox, fritzrepeater and unifi as OSI2 access) you don't want that.

I think your dhcp allocation is incorrect and hence stuff gets filtered. I am also still confused by the term VLAN because all I read was physical connections of devices not capable of VLANs (except unifi). And now there's also a unifi controller on some proxmox somewhere?

Can't you draw a complete picture of your routers, network segments, their network addresses and an indicator where DHCP services are enabled?
Title: Re: No DHCPREQUEST on VLAN
Post by: jimjohn on May 15, 2024, 08:47:17 PM
So forget about the AVM / Fritz! components. I connected the AP directly to the LAN of the OPNsense and all worked as expected.

To be honest, I have no clue what happened inside the Fritz! hardware and honestly I do not care, since I assume that there are not enough settings to play with to make it work. However, it seems I did everything correctly besides mixing different vendors. It seems like the AVM hardware did all the routing correctly but maybe filtered out DHCP traffic on VLANs (other ICMP / UDP / TCP went through).

Whatever, I close that chapter for me now. Thank you anyway for trying to help.
Title: Re: No DHCPREQUEST on VLAN
Post by: Saarbremer on May 16, 2024, 12:03:10 PM
Removing a misconfigured firewall from a route is always like breaking chains. I never understood what your fritz box was good for. You tried to misuse it as a switch, which it isn't.
Title: Re: No DHCPREQUEST on VLAN
Post by: jimjohn on May 16, 2024, 05:04:14 PM
I do not get your first sentence. However, I "misused" it as a WiFi AP and extended its range by a repeater.
Title: Re: No DHCPREQUEST on VLAN
Post by: axsdenied on May 16, 2024, 07:07:56 PM
Fritzbox is a gateway as I understand it. The more proper way would be to turn off the fritzbox wifi, get a separate AP and link it off the opnsense box and not the fritzbox. Configure the VLANs in Opnsense and Unifi and you're good to go.
Title: Re: No DHCPREQUEST on VLAN
Post by: Patrick M. Hausen on May 16, 2024, 07:44:04 PM
Fritzbox as a "lan client" as they call it makes a perfectly fine AP. Plus if needed it can do your SIP telephony, build a mesh with other AVM products, smart home ...

@jimjohn's only "mistake" if one wants to call it that was to use the builtin switch. Which also works - but is just dumb and unmanaged. And passing tagged frames across an unmanaged switch is always a gamble with any product.
Title: Re: No DHCPREQUEST on VLAN
Post by: axsdenied on May 17, 2024, 03:01:51 AM
Quote from: Patrick M. Hausen on May 16, 2024, 07:44:04 PM
Fritzbox as a "lan client" as they call it makes a perfectly fine AP. Plus if needed it can do your SIP telephony, build a mesh with other AVM products, smart home ...

@jimjohn's only "mistake" if one wants to call it that was to use the builtin switch. Which also works - but is just dumb and unmanaged. And passing tagged frames across an unmanaged switch is always a gamble with any product.

A gateway box that doesn't support vlans? That's....lame.
Title: Re: No DHCPREQUEST on VLAN
Post by: Saarbremer on May 17, 2024, 09:52:06 AM
QuoteFritzbox as a "lan client" as they call it makes a perfectly fine AP

Unfortunately, we will never know whether OP really connected to LAN1 or to some other LAN port and in which mode the "internet access" was configured.