Hi,
Objective
To configure a multi-SSID setup where:
Default SSID operates on native VLAN 1 (untagged) for management
Guest SSID operates on VLAN 3 (tagged) for client isolation
OPNsense firewall handles routing/DHCP for both VLANs
Diagram: https://ibb.co/ymD8wd8p
Devices:
Switch: TL-SG108E
AP: TL-WA1201
Firewall: OPNsense (25.1.9)
Symptoms:
Clients on Guest SSID (VLAN 3) fail to obtain IP address (stuck "obtaining IP")
Manual IP assignment (192.168.3.20) cannot ping gateway (192.168.3.1)
VLAN 1 clients can ping 192.168.3.1, but not the other way around
Default SSID (VLAN 1) works normally
No VLAN 3 traffic detected in packet captures
Troubleshooting Performed
1. Switch Configuration
VLAN ID | VLAN Name | Tagged Ports | Untagged Ports
1 | Default | None | 1-8
3 | Guest | 1, 8 | None
PVID: All ports set to 1
VLAN setup from opnsense: https://ibb.co/p6KG55kn
Firewall rule: https://ibb.co/wXgpyNn
DHCP from opnsense: https://ibb.co/LzbcGpXy
Please assist.
I am not familiar with your switch but looking at the configuration, I think vlan 1 should include ports 1 and 8 with tagged traffic. The devices on port 1 and 8 speak vlan and therefore their traffic is being tagged. Since you've set port 8 in your switch as untagged for vlan 1 and the PVID of port 8 is 1, the traffic from port 8 is likely being tagged as vlan 1 even though some of it is vlan 3.
Mixing tagged and untagged traffic on the trunk to OPNsense is not recommended. See here https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
Consider creating another VLAN for management. You will need to configure your switches and AP to use this VLAN.
I would expect to see the interface for VLAN3 look something like: "vlan01.3"
Also, are you configuring the VLAN on the AP? The doco says you can.
Can you share a screenshot of the INTERFACES: DEVICES: VLAN page, please.
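
The switch table from the first post, run through standard IEEE 802.1Q ingress and egress rules, as an added example that is not part of the thread. It assumes the TL-SG108E applies those rules with ingress filtering enabled; the function names are hypothetical.

```python
"""Added example: standard IEEE 802.1Q port rules applied to the posted table."""

# VLAN membership as posted for the switch: VLAN ID -> tagged / untagged ports
MEMBERSHIP = {
    1: {"tagged": set(), "untagged": set(range(1, 9))},
    3: {"tagged": {1, 8}, "untagged": set()},
}
PVID = {port: 1 for port in range(1, 9)}  # "PVID: All ports set to 1"


def members(table, vid):
    """All ports that carry a VLAN, tagged or untagged."""
    entry = table.get(vid, {"tagged": set(), "untagged": set()})
    return entry["tagged"] | entry["untagged"]


def classify(table, pvid, port, tag):
    """Ingress: a tagged frame keeps its VLAN ID, an untagged one gets the PVID.
    Returns None when the port is not a member of that VLAN (assumed: dropped)."""
    vid = pvid[port] if tag is None else tag
    return vid if port in members(table, vid) else None


def forward(table, pvid, in_port, tag):
    """Return {egress_port: 'tagged' | 'untagged'} for a flooded frame."""
    vid = classify(table, pvid, in_port, tag)
    if vid is None:
        return {}
    out = {}
    for port in sorted(members(table, vid) - {in_port}):
        out[port] = "tagged" if port in table[vid]["tagged"] else "untagged"
    return out


def audit(table, pvid):
    """Ports whose PVID names a VLAN they do not carry untagged."""
    return [p for p, vid in sorted(pvid.items())
            if p not in table.get(vid, {}).get("untagged", set())]


if __name__ == "__main__":
    # Ports 1 and 8 are the two tagged members of VLAN 3 in the posted table.
    print("tag 3 entering port 8:   ", forward(MEMBERSHIP, PVID, 8, 3))
    print("untagged entering port 8:", forward(MEMBERSHIP, PVID, 8, None))
    print("tag 3 entering port 2:   ", forward(MEMBERSHIP, PVID, 2, 3))
    print("PVID mismatches:         ", audit(MEMBERSHIP, PVID))
```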