VLAN Configuration works on managed switch, but not on Access Point

Started by GWarrior5595, January 06, 2025, 04:14:40 PM

Hello,

I have been setting up my new OPNsense setup and I have been running into issues with my Access Point not being able to pass the DHCP server down to the SSIDs. I have been following multiple guides and the VLAN setup seems standard within OPNsense, so I don't think I am missing any settings there... I am able to get the expected IP addresses on my MikroTik switch, but when I connect my UniFi Access Point I am not able to get an IP address for any of my other SSIDs other than the one assigned to the default (1).

I have the check box ticked for "Enable DHCP server on the UNTRUSTED/GUEST interface" and separate IP ranges for each network... I can verify these settings work through the physical ports on my MikroTik

Here's my setup:

ATT Gateway (IP Passthrough) -> MikroTik managed switch -> Unifi Access Point


Should be simple, right? But the access point has been frustrating me. I even bought a new one and I am still running into this issue...


Here's my MikroTik /export:

/interface bridge
add admin-mac=xxxxxxxxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=bridge comment=defconf interface=ether5
/interface bridge vlan
add bridge=bridge comment=UNTRUSTED tagged=ether1,ether2,bridge vlan-ids=20
add bridge=bridge comment=GUEST tagged=ether1,ether2,bridge vlan-ids=10
/ip dhcp-client
add interface=bridge
/ip route
add distance=1 gateway=192.168.2.1 #OPNSense IP
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no

I have attached screenshots of my Access Point settings for VLAN as well.

Is there anything else that needs to be set on the MikroTik or on OPNSense itself? I am able to attach to the correct VLANs physically on my MikroTik... Just not through the Access Point...

My MikroTik switch is running SwitchOS so I can't comment on the config, but if I read it correctly, you are mixing tagged and untagged traffic on the same interfaces, right? If such mixed traffic arrives at OPN then it could be the problem. FreeBSD is not a happy camper with that traffic.

I wish I could use SwitchOS. I spent a lot of time trying to get the RouterOS settings working, but I have a CRS304-4XG which doesn't support SwitchOS yet... I am going to try and play around with the MikroTik settings some more, which is really frustrating, being a newbie to this whole world.

So I tried following the MikroTik guide doing the Router on a Stick configuration: https://forum.mikrotik.com/viewtopic.php?t=143620#p706997

but I run into the same issues, plus once I set the port that's connected to OPNsense to `admit-only-vlan-tagged`, I completely lose connection to the internet, even on the physical ports and on the wifi for the default that currently works. I tried asking for help on the MikroTik forum but they have not been as helpful as here.

So I just plugged the AP into the feed that normally feeds the MikroTik and all my SSIDs are working now. Seems the issue is on the MikroTik switch specifically. Guessing it may have to do with that VLAN untagged stuff then... Been stuck on this for a few days now. Going to try and mess around with it more. If anyone has any more suggestions, I'd greatly appreciate that.

My MikroTik is a CRS304-4XG and it's on RouterOS 7.16.2

The only soft requirement is to remember that for FreeBSD, which OPN is based on, it is strongly recommended to avoid mixing tagged and untagged traffic on the same interface. Soft because the weird behaviours might not get exposed depending on the setup.
I'd like to swap them :) my switch for yours :) --joking--. I wanted to play with L3 stuff where my setup is limited.
Just see if you can find a way to have one port as trunk with all traffic tagged to OPN and the access ports on the switch as untagged. That is what the switchOS gives and how it will work with OPN without weirdness.

Quote from: cookiemonster on January 06, 2025, 05:31:54 PM
The only soft requirement is to remember that for FreeBSD, which OPN is based on, it is strongly recommended to avoid mixing tagged and untagged traffic on the same interface. Soft because the weird behaviours might not get exposed depending on the setup.
I'd like to swap them :) my switch for yours :) --joking--. I wanted to play with L3 stuff where my setup is limited.
Just see if you can find a way to have one port as trunk with all traffic tagged to OPN and the access ports on the switch as untagged. That is what the switchOS gives and how it will work with OPN without weirdness.

I appreciate the help! Thank you!

I thought this newer MikroTik would be fun to play with and a way of making sure I don't need to buy another managed switch in the future, but seems hard :) .

I am attempting to do what you're describing, and every time I try to set the trunk port to admit-only-vlan-tagged, I lose all connections to OPN. Going to keep trying to play around with it and will report here what config ends up working. Here is what I have right now:

/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface list
add name=BASE
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 #adding frame-types=admit-only-vlan-tagged cuts connection to OPN
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5
/interface bridge vlan
add bridge=bridge comment=UNTRUSTED tagged=ether1,ether2,bridge vlan-ids=20
add bridge=bridge comment=GUEST tagged=ether1,ether2,bridge vlan-ids=10
/ip dhcp-client
add interface=bridge
/ip route
add distance=1 gateway=192.168.2.1 # my OPN IP
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no

You need to create a tagged VLAN for LAN and assign it in OPNsense before you change the switch side to tagged only.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 06, 2025, 05:58:32 PM
You need to create a tagged VLAN for LAN and assign it in OPNsense before you change the switch side to tagged only.

Hmm, other guides I've seen online haven't talked about that before. Do I just set the parent of that VLAN (id 1) to WAN then? Like in this screenshot?

No, you set it to the same parent you are using for the other VLANs, then switch the assignment of LAN from e.g. igc0 to e.g. vlan01. You will lose connectivity in that moment. Then reconfigure the switch and connectivity should return.

Quote from: Patrick M. Hausen on January 06, 2025, 06:24:44 PM
No, you set it to the same parent you are using for the other VLANs, then switch the assignment of LAN from e.g. igc0 to e.g. vlan01. You will lose connectivity in that moment. Then reconfigure the switch and connectivity should return.

Ahh dang, I just tried doing that and now I can't connect back, even after reconfiguring the switch to send vlan tagged only to ether1 or to admit all

Need to get access back to OPN and try again

Quote from: Patrick M. Hausen on January 06, 2025, 06:24:44 PM
No, you set it to the same parent you are using for the other VLANs, then switch the assignment of LAN from e.g. igc0 to e.g. vlan01. You will lose connectivity in that moment. Then reconfigure the switch and connectivity should return.

So after locking myself out of my OPN device trying to mess around with VLAN settings to get this to work, and needing to factory reset OPN, I just want to confirm that this is what I need?

And then on the switch, I just need to make ether1 (which is what is connected to OPN) set to admit-only-vlan-tagged?

I didn't think RouterOS would be this difficult to work with. Seems like other managed switches are a lot easier to set up

Quote from: GWarrior5595 on January 07, 2025, 02:46:34 AM
And then on the switch, I just need to make ether1 (which is what is connected to OPN) set to admit-only-vlan-tagged?
On a MikroTik switch running RouterOS you need to create VLAN 1 in the bridge submenu, assign ether1 tagged, and in ports > ether1 set the PVID to something that is not used, like 99. Then it should work.
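
Pulling Patrick's and cookiemonster's advice together, here is what the switch side could look like as one complete RouterOS export: every VLAN, including 1, tagged on the OPNsense trunk; access ports untagged only; the trunk's PVID parked on an unused ID. This is an added example, not a config posted in the thread. It assumes ether1 is the uplink to OPNsense, ether2 feeds the UniFi AP (AP management on untagged VLAN 1, SSIDs on tagged 10 and 20), ether3 and ether5 are plain LAN ports, ether4 stays on UNTRUSTED as in the posted export, and that LAN on the OPNsense side has already been moved from the physical parent to a vlan01 (tag 1) child of the same parent as the other VLAN interfaces.

```routeros
# Added example for this thread, not GWarrior5595's export. Port roles (ether2 = AP uplink,
# ether3/ether5 = plain LAN ports) are assumptions; ether1 (to OPNsense) and ether4 (UNTRUSTED)
# follow the posted config.
/interface bridge
add admin-mac=xxxxxxxxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# bridge pvid stays at the default 1, so the switch CPU (management, DHCP client) lives untagged on VLAN 1

/interface bridge port
# ether1 -> OPNsense trunk: tagged frames only. pvid=99 is an unused VLAN, so a stray untagged
# frame can never be mapped onto a real network (Patrick's suggestion above).
add bridge=bridge comment="trunk to OPNsense" frame-types=admit-only-vlan-tagged interface=ether1 pvid=99
# ether2 -> UniFi AP: tagged 10/20 for the SSIDs, untagged VLAN 1 for the AP's own management.
# Mixed tagged/untagged is fine here; the FreeBSD caveat applies to the OPNsense port only.
add bridge=bridge comment="trunk to AP" interface=ether2 pvid=1
# access ports: untagged only, exactly one VLAN each
add bridge=bridge comment="LAN access" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=1
add bridge=bridge comment="UNTRUSTED access" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment="LAN access" frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=1

/interface bridge vlan
# VLAN 1 is now an explicit member: tagged on the OPNsense trunk (vlan01 on the OPNsense side),
# untagged on the AP uplink, the LAN access ports and the bridge (CPU) itself.
add bridge=bridge comment=LAN tagged=ether1 untagged=ether2,ether3,ether5,bridge vlan-ids=1
# GUEST and UNTRUSTED: tagged to OPNsense and to the AP only. The bridge is deliberately not a
# member, so nothing on those VLANs can reach the switch's own management.
add bridge=bridge comment=GUEST tagged=ether1,ether2 vlan-ids=10
add bridge=bridge comment=UNTRUSTED tagged=ether1,ether2 untagged=ether4 vlan-ids=20

/ip dhcp-client
add interface=bridge
/ip route
add distance=1 gateway=192.168.2.1
```

Because ether1 stops accepting untagged frames the moment this is applied, do it from a session on one of the access ports and in RouterOS Safe Mode (Ctrl+X in the terminal): if the session drops before Safe Mode is left, RouterOS rolls the change back instead of leaving you locked out as in the post above. Two deliberate differences from the posted export: the bridge interface is no longer a tagged member of GUEST and UNTRUSTED, so the switch CPU is only reachable from VLAN 1, and ether4's untagged membership in VLAN 20 is written out rather than left to the dynamic entry RouterOS derives from the PVID.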

Thanks for the aid Patrick. Sorry Gwarrior, I have switchOS only devices, can't tell how the config should be, but you shall get help here.