Messages - Tobanja

#1
Sorry, I'm too stupid to figure out how to quote you properly here.

But yes, I had a tailnet network that was active on my test device, the phone, and also opnsense. However, on opnsense, I allowed it to "advertise subnet routes" so I basically could use opnsense as a springboard to reach all LAN devices from WAN. I do believe this was the issue, because if I understand Tailscale correctly, it uses the tailnet to connect if the other routes are blocked (like in my case with blocks to 192.168.0.0/16). Also, all pings from the phone - although it was on the correct network - always emanated from the opnsense IP (192.168.1.1) to the ping destination IP. This bugged me for many days since I was pinging from the phone on the 192.168.50.x network.

With this being said, I am still not 100% sure if this was the only issue, since other things have been flaky as well. For instance, I read somewhere that with an Omada switch, you are sometimes required to completely reboot it for some changes to take effect. And also, I had the IoT VLAN configured with a "DHCP Server Device" active, which I have now removed to make sure opnsense is in charge of anything DHCP-related. The VLAN now operates as "a pure Layer 2 switching network", according to Omada. Seriously though, there are many different settings at play; it's easy to mess something up for a beginner, I suppose.

I am way over my head here, but I have learnt so much during my failed attempts.
#2
I feel compelled to just add that with the new UniFi AP, wireless isolation works. But not before disabling the tailnet completely on the test device (the phone). I feel bad making such a mistake, but I believe Tailscale has been sneaking behind my back, creating a backdoor into the LAN without me noticing. Anyway, that wraps up this horror episode, and we can all go back to living happy lives.

The story does not tell if the AP purchase was completely unnecessary. Blaming the synology AP might have been unfair. But I'd rather leave this all behind for now.
#3
Quote from: nero355 on March 02, 2026, 05:34:06 PM
Quote from: Tobanja on March 02, 2026, 05:11:42 PM
I wished there was some kind of rule to "allow all outgoing to WAN". At least I know the FW rules do kick in, just not the way I expect.
You can create Allow Rules with the statement inverted: !LAN or !HOME_NETWORK will make sure to Allow Traffic to whatever ISN'T that specific network :)

You could also check if there is a preconfigured Alias for something like this and if not, then you could create one Alias that contains all your local networks except the Guest Network and then use !<name of your Alias> in one single Allow Rule to only allow traffic to WAN and block the rest.


About the Synology:

I am not very impressed by its webGUI options either after reading the Manual, to be honest...
Maybe it's time to start thinking about a real dedicated Accesspoint instead of it?!

Yes, agreed. Ordered a Ubiquiti UniFi AP which should be easier for my labbing at home. Thanks a lot for trying to help. And who knows, maybe you'll see a new thread with the name "VLAN with UniFi AP" in the near future :)
#4
Gosh.... One week attempting to create a simple VLAN... and counting.

I have started from scratch. This time, I disabled the built in VLAN 1/PVID 1 wireless network as well as the built in guest network on the synology AP. I have created two new networks, set their VLAN to 10 (guest - for isolation, 192.168.10.x) and 20 (trusted, fully open, 192.168.20.x). The 192.168.1.x network will not be used wirelessly at all for better clarity. I think Seimus suggested this?

I have created rules according to what you said @nero355. And yet, I can ping and connect to resources freely from guest to any network... If I remove the final "allow all" rule, I do block ping - as well as everything else. Instead of allowing "all", I wished there was some kind of rule to "allow all outgoing to WAN". At least I know the FW rules do kick in, just not the way I expect.

Instead of using the built in "LAN Net" in opnsense, I have instead blocked guest net -> 192.168.1.0/24 and guest net -> 192.168.20.0/24 for clarity.

The settings the synology manual suggests are nowhere to be found. I'm suspecting they are only available when it's in the standard router mode. In its current AP mode, it's a very simple interface for creating new networks, basically just a name and what VLAN to use. The only thing related to VLAN is the attached image, but I can't change anything there so I guess it's just informative.

In the switch, all VLAN 1 ports are set to untagged, and for VLAN 10 and 20, ports 1 and 3 (AP <-> switch <-> opnsense) are set to tagged.

I will not give up since others have managed to segment using this AP. Just a little briefing of my struggles. Starting to feel like a lost cause here.

I need a break. Next attempt will be to ditch VLAN 1 completely, but I don't see how that logically can help with my isolation problem.

By the way, I have Tailscale active with subnet access on opnsense as well, if that matters. Disabling it didn't change anything though.
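To make the rule discussion in #3 and #4 concrete, and to show why the ping in #1 got past the guest rules, here is an added example (not code from the thread, and not OPNsense's own code) that models first-match rule evaluation with Python's ipaddress module. The subnets are the ones named in the thread; the alias names ("Local_Networks", "FW_SELF"), the interface names ("guest", "lan"), the phone's address, and the firewall's own addresses are assumptions. It compares the two-blocks-plus-"allow all" set from #4 with a single inverted "!Local_Networks" pass rule as nero355 suggests, and it shows that a packet the firewall itself sources onto the LAN (the tailnet subnet-route case from #1) is judged by the LAN-side rules and never by the guest interface's rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnets are the ones named in the thread.  Alias names, interface names and
# the firewall's own addresses are assumptions made for this example.
ALIASES = {
    "GUEST_NET": ["192.168.10.0/24"],
    "Local_Networks": ["192.168.1.0/24", "192.168.20.0/24"],  # every local net except guest
    "FW_SELF": ["192.168.1.1/32", "192.168.10.1/32", "192.168.20.1/32"],
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    interface: str               # ingress interface, or "any" for a floating rule
    src: str = "any"             # alias name or CIDR
    dst: str = "any"
    invert_dst: bool = False     # OPNsense's "!" (not) on the destination field
    dport: Optional[int] = None  # destination port, None = any
    label: str = ""


def _networks(name: str):
    if name == "any":
        return [ip_network("0.0.0.0/0")]
    return [ip_network(n) for n in ALIASES.get(name, [name])]


def _matches(addr: str, name: str, invert: bool = False) -> bool:
    hit = any(ip_address(addr) in net for net in _networks(name))
    return (not hit) if invert else hit


def evaluate(rules, iface, src, dst, dport=None):
    """First-match ("quick") evaluation: floating rules first, then the rules
    bound to the ingress interface.  Returns (action, label); when nothing
    matches, the implicit default deny applies."""
    ordered = [r for r in rules if r.interface == "any"] + \
              [r for r in rules if r.interface == iface]
    for r in ordered:
        if r.dport is not None and r.dport != dport:
            continue
        if _matches(src, r.src) and _matches(dst, r.dst, r.invert_dst):
            return r.action, r.label
    return "block", "default deny"


# Simplification: the automatic "let out anything from firewall host itself"
# rule is modelled as a floating pass for traffic sourced by the firewall.
FLOATING = [
    Rule("pass", "any", "FW_SELF", "any", label="let out anything from firewall host itself"),
]
LAN = [Rule("pass", "lan", "any", "any", label="Default allow LAN to any")]

# Post #4's guest rules: two explicit blocks followed by "allow all".
GUEST_EXPLICIT = [
    Rule("block", "guest", "GUEST_NET", "192.168.1.0/24", label="block guest -> LAN"),
    Rule("block", "guest", "GUEST_NET", "192.168.20.0/24", label="block guest -> trusted"),
    Rule("pass", "guest", "GUEST_NET", "any", label="allow all"),
]

# nero355's alternative: one pass rule whose destination is the inverted alias.
# The firewall's guest-side address is NOT in Local_Networks, so the inverted
# rule would also pass traffic to the firewall itself; allow DNS and block the
# rest explicitly, above it.
GUEST_INVERTED = [
    Rule("pass", "guest", "GUEST_NET", "FW_SELF", dport=53, label="allow DNS to firewall"),
    Rule("block", "guest", "GUEST_NET", "FW_SELF", label="block everything else to firewall"),
    Rule("pass", "guest", "GUEST_NET", "Local_Networks", invert_dst=True,
         label="allow guest -> !Local_Networks"),
]


def scenarios():
    phone, lan_host, internet = "192.168.10.23", "192.168.1.50", "8.8.8.8"  # constructed
    explicit = FLOATING + LAN + GUEST_EXPLICIT
    inverted = FLOATING + LAN + GUEST_INVERTED
    return {
        "explicit guest->lan": evaluate(explicit, "guest", phone, lan_host),
        "explicit guest->wan": evaluate(explicit, "guest", phone, internet),
        "inverted guest->lan": evaluate(inverted, "guest", phone, lan_host),
        "inverted guest->trusted": evaluate(inverted, "guest", phone, "192.168.20.5"),
        "inverted guest->wan": evaluate(inverted, "guest", phone, internet),
        "inverted guest->fw dns": evaluate(inverted, "guest", phone, "192.168.10.1", dport=53),
        "inverted guest->fw gui": evaluate(inverted, "guest", phone, "192.168.10.1", dport=443),
        # Post #1: the ping is sourced by the firewall (192.168.1.1) after the
        # tailnet subnet route, so it ingresses on "lan", not on "guest".
        "via tailnet lan": evaluate(explicit, "lan", "192.168.1.1", lan_host),
    }


if __name__ == "__main__":
    for name, (action, label) in scenarios().items():
        print(f"{name:26} {action:5} ({label})")
```

Both guest rule sets block the phone when its packets actually arrive on the guest interface, which is consistent with the live log in #6 showing blocks. The leak only appears in the last scenario: once the packet is sourced by the firewall itself onto the LAN, the guest interface's rules are never consulted, so no amount of guest rule tuning can stop it; the subnet route has to go. The inverted-alias variant also illustrates the usual caveat: because the firewall's own guest-side address is not part of the "all local nets except guest" alias, put an explicit DNS allow and a block to the firewall above the inverted pass rule.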
#5
Quote from: Seimus on February 28, 2026, 05:56:38 PM
Quote from: nero355 on February 28, 2026, 03:51:29 PM
To be honest: I don't know if ANY Wireless Accesspoint works like that?!

OpenWRT can do that.

But rather than using a Native, I would TAG the traffic into dedicated VLAN and not use VLAN 1 as a PROD carrier.

Regards,
S.

Could you please elaborate a bit for a beginner? I am very close to putting this synology AP in the trashcan and firing up my old Asus AC86U instead with some flashed firmware, maybe Merlin.
#6
@nero355

Ok so you like a challenge, I take it. To be fair, it is very likely the error is on me somewhere since I'm VERY new to networking. Let me tell my story from the start here, lay out the facts:

The Synology AP has two built in networks, the "standard" primary network - this is the one I'm using for wireless access to my LAN and it used to be the network for everything when the RT6600AX was my main router/FW. It also has a default "guest" network, which has a lot more settings than the manually created networks. The AP is connected to the switch, and I have configured this port in the switch with both VLAN 1 (untagged) and 10 (tagged). Massive manual here if you have too much spare time: https://www.manua.ls/synology/rt6600ax/manual

1. On the AP: I create a new network - name it and set VLAN 10. I enable the wireless radio, set an SSID. I use WPA2 security for testing.
2. On the switch: I confirm both the VLAN 1 and 10 are active on the connection from AP -> switch -> opnsense.
3. In opnsense: I create a new "guesttag10" interface, assign it VLAN 10 in VLAN settings, named opt2 in opnsense. I set its IP range to the 192.168.10.x addresses, assign it to parent re0 (LAN).
4. Firewall rules: Well I add a picture for that.
5. For testing: I connect to this 192.168.10.x network from phone, confirm DNS/gateway is correct. Try pinging 192.168.1.x-addresses in Termux, and those pings go through. (To my great annoyance should be added)

The network does work using that IP range, I can surf on the phone, but it isn't isolated one bit from the main LAN. It blatantly ignores my block guest -> LAN net.

I'm not good at troubleshooting, but I activated logging for all FW rules for the guest interface, and the live log spits out a lot of blocked requests. Looks quite alright in fact, blocking to FW and 192.168.1.x. But I can still ping and connect to services on 192.168.1.x. According to the opnsense log, my phone pings arrive from the LAN interface and are allowed through the "let out anything from firewall host itself" rule. But they should come from the guest network on the phone, right? My brain is exploding.


#7
After a few more hours of testing, I'm pretty sure everything inside opnsense is correctly configured. However, the VLAN 10 network still has full access to my primary LAN, since I can ping anything from the phone on this network, so my tests have failed. Anyway, thanks for trying to help me out here.


The RT6600AX as AP doesn't have many settings, just a name and a VLAN, and of course an SSID for the network. And some "advanced settings" as seen in the picture, probably not relevant to my problems.
#8
Quote from: nero355 on February 27, 2026, 07:53:44 PM
Quote from: Tobanja on February 27, 2026, 06:28:52 PM
With the help of AI, I have created a guest VLAN
Next time skip the Machine Learning Chatbot and just read the OPNsense Documentation: https://docs.opnsense.org/manual/how-tos/guestnet.html

I think my Guest VLAN was done in 5 to 10 minutes by just following the steps in the document ;)

You can skip the Guest Portal stuff of course!

I will try it out! I have followed so many guides already, why not one more? Can I just confirm, you made it work with the RT6600AX as AP? From what I can tell in many places, people in general have problems with the VLAN tagging for this AP. And maybe I should add, I only want VLAN for wireless devices, anything wired goes to my main LAN. So I guess I need to tag the VLAN 10 and have VLAN 1 untagged from the AP through the switch to opnsense, according to my logic (so I can use the "standard" LAN wirelessly as well)?
#9
Hey everybody! First post here. So, first of all, I'm pretty new to networking in general, but I fell in love with opnsense and want to learn more. So I quickly converted my old router, the RT6600AX, into an AP and happily started to create a VLAN network tagged 10. I'm using a TP-Link SG2210P switch, and have made sure to set the port from the AP to the switch, and also the one from switch to opnsense, into "tagged".

With the help of AI, I have created a guest VLAN, tagged 10, the same as on the AP and switch, however no matter how I try, I don't seem to be able to create an isolated VLAN in spite of correct rules (I believe). When connecting to the guest network on 192.168.10.x, I can still ping devices on 192.168.1.x although my first rule is to block traffic to 192.168.0.0/16 "in" from the guest interface. Grok suggested floating rules in "out" direction, but I tried that as well.

When checking the opnsense live log, I notice the ping is present from the phone, but coming from the standard LAN interface in spite of all my struggles. Grok's theory is that the synology AP simply doesn't send the tag correctly so it all ends up on the same network in opnsense anyway.

I'm not sure if anyone understands what I'm writing here. I guess I'm interested in knowing if anyone else has had any luck with the synology AP for isolated VLAN, or if it rather belongs in the trash can?