VLANs with multiple switches not working

Started by strangerinusall, March 22, 2026, 09:15:39 PM

March 22, 2026, 09:15:39 PM Last Edit: March 22, 2026, 09:36:15 PM by strangerinusall
Hi everyone! I am attempting to make a setup with LAN and 4 VLANs.

In the first room I have a Cisco SG250 switch (Switch A) with the following desired config:

- Port 1 - connects to another Cisco SG250 switch which is located in a closet (Switch B).
- Port 2 - Grandstream WIFI AP connects here and should land on MGMT VLAN 10. The AP will have 2 SSIDs - one for TRUSTED VLAN 20 and one for GUEST VLAN 40.
- Ports 3-7 - IOT VLAN 30 for IOT devices.

Closet switch desired config (Switch B):
- Port 1 - connects to OPNsense/Protectli on igc1 port (LAN interface)
- Ports 2-6 - other non-VLAN-aware devices (these land on the 192.168.2.1/24 network)
- Port 7 - another Grandstream WIFI AP connects here which is on MGMT VLAN 10. This will be the slave AP for a first one and will have same 2 SSIDs, one for TRUSTED VLAN 20 and one for GUEST VLAN 40.
- Port 8 - here connects the Switch A

Right now, when all is connected, I see that the AP is giving the SSID on the network, but if I connect I don't get an IP address (I had the SSIDs configured previously). However, most of the IOT devices don't get an IP and I can't reach the APs either (not from OPNsense itself either).

All the devices on the LAN network work fine. When I connect manually to an IOT port on switch A and request DHCP, I do not get an IP.

There are separate Dnsmasq DHCP assignments running for each VLAN - 192.168.<VLAN_ID>.1/24 subnet.

Would appreciate any tips or hints on where I am going wrong with this.

OPNsense assignments: [screenshot not captured in this copy of the post]

Switch A: https://i.ibb.co/cXK0Gvvc/SCR-20260322-pudb-2.png

Switch B: https://i.ibb.co/996vyH4W/SCR-20260322-rooy-2.png

You're missing the PVID on the untagged switch ports.

For the wifi, what if you configure a static IP and gateway on a device? Can you access the gateway and other devices, presuming there are firewall rules allowing it?

March 22, 2026, 11:49:06 PM #2 Last Edit: March 23, 2026, 12:27:24 AM by strangerinusall
Quote from: viragomann on March 22, 2026, 09:58:53 PM
You're missing the PVID on the untagged switch ports.

For the wifi, what if you configure a static IP and gateway on a device? Can you access the gateway and other devices, presuming there are firewall rules allowing it?

Thanks! So I added PVID 30 on IOT access ports. Do I also add PVID 10 on Trunk ports where APs connect?? This didn't help with IOT devices auto-obtaining IPs.

Regarding your other suggestion, I set my static IP within the VLAN 10's range, and set the gateway, but I still can't reach anything on that subnet.

Also, I don't know if that matters, but my switches by default operate on layer 2 (it's possible to make them layer 3, I believe). But I would expect that OPNsense takes care of the layer 3 stuff.

Quote from: strangerinusall on March 22, 2026, 09:15:39 PM
Switch A:
https://i.ibb.co/cXK0Gvvc/SCR-20260322-pudb-2.png

Switch B:
https://i.ibb.co/996vyH4W/SCR-20260322-rooy-2.png
Administrative and Operational VLANs ?! What's in a name ?!

Never heard of it before...

It's really simple IMHO in general :

- Decide which Main Interface in OPNsense is going to carry the Tagged VLANS.
- Create VLAN Interfaces and Assign them to that Main Interface.
- On your Switch the Switchport you connect the OPNsense Main Interface's Port should be Tagging all the VLANs.
- The Switchports you use to connect Switch A to Switch B should be Tagging all the VLANs too.
- Any Clients should be connected to an Untagged Switchport.
- For the Access Point you probably need the Switchport to be Untagged and Tagged too.
You then use the Untagged VLAN for Management and the Tagged VLANs for the SSIDs :)

And real CISCO Switches also use the whole VLAN Trunk Database thing to allow/accept VLANs but I think that does not apply here ??
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: strangerinusall on March 22, 2026, 11:49:06 PM
Do I also add PVID 10 on Trunk ports where APs connect??
This depends on your APs. Since you mentioned that you have multiple SSIDs on them, I assume that each has a VLAN assigned on the AP. In this case, the switch port has to be assigned as tagged to the VLAN and no PVID set.

The PVID is responsible for tagging incoming packets on the respective port. So you only need it to connect non-VLAN-aware devices to a VLAN.
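
The two replies above (nero355's tagged/untagged checklist and viragomann's point that the PVID only matters for non-VLAN-aware hosts) can be checked against a small model of the topology from the first post. The simulator below is an added example written for this thread; it is not code from Cisco, Grandstream or OPNsense, and the port layout (Switch A ports 1-3, Switch B ports 1, 2, 7, 8, OPNsense on igc1 behind Switch B port 1) is taken from the posts. It assumes the standard 802.1Q rules: an untagged frame entering a port is classified into that port's PVID, a tagged frame is accepted only if the port is a member of that VLAN, and a frame leaves a port untagged, tagged or not at all depending on the port's membership. It simulates an IoT host's untagged DHCP exchange with the IoT port's PVID left at the default 1 versus set to 30, and shows how the hybrid AP port (10 untagged, 20/40 tagged) splits management and SSID traffic.

```python
"""Tiny 802.1Q membership simulator for the Switch A / Switch B layout in this
thread (constructed example, not code from Cisco, Grandstream or OPNsense)."""

from dataclasses import dataclass, field

ROUTER = ("opnsense", "igc1")   # the OPNsense LAN port named in the first post


@dataclass
class Port:
    untagged: set = field(default_factory=set)  # VLANs that leave this port without a tag
    tagged: set = field(default_factory=set)    # VLANs that leave this port with an 802.1Q tag
    pvid: int = 1                               # VLAN given to untagged *incoming* frames (default 1)

    def ingress(self, tag):
        """Classify an incoming frame; tag=None means it arrived untagged.
        Simplification: the PVID is applied regardless of membership."""
        if tag is None:
            return self.pvid
        return tag if (tag in self.tagged or tag in self.untagged) else None

    def egress(self, vlan):
        """(True, tag-on-the-wire) if the port forwards this VLAN (None = untagged),
        (False, None) if the port is not a member and the frame is dropped."""
        if vlan in self.untagged:
            return True, None
        if vlan in self.tagged:
            return True, vlan
        return False, None


class Network:
    def __init__(self):
        self.switches = {}   # switch name -> {port number: Port}
        self.links = {}      # (node, port) -> (node, port), stored both ways

    def add_switch(self, name, ports):
        self.switches[name] = ports

    def link(self, a, b):
        self.links[a] = b
        self.links[b] = a

    def flood(self, node, port, tag):
        """Inject one frame arriving at (node, port) and return {(node, port): tag}
        for every edge port or non-switch endpoint it exits (tag None = untagged)."""
        reached = {}
        self._flood(node, port, tag, reached, set())
        return reached

    def _flood(self, node, port, tag, reached, seen):
        ports = self.switches.get(node)
        if ports is None:                       # non-switch endpoint such as OPNsense
            reached[(node, port)] = tag
            return
        vlan = ports[port].ingress(tag)
        if vlan is None or (node, vlan) in seen:
            return
        seen.add((node, vlan))                  # one pass per switch and VLAN
        for p, prt in ports.items():
            if p == port:
                continue
            ok, out_tag = prt.egress(vlan)
            if not ok:
                continue
            peer = self.links.get((node, p))
            if peer is None:
                reached[(node, p)] = out_tag    # edge port: this is what a host sees
            else:
                self._flood(peer[0], peer[1], out_tag, reached, seen)


def trunk():
    """Switch-to-switch and firewall port: all VLANs tagged, LAN (VLAN 1) untagged."""
    return Port(untagged={1}, tagged={10, 20, 30, 40}, pvid=1)


def ap_port():
    """AP port as tried in the thread: MGMT 10 untagged with PVID 10, SSIDs 20/40 tagged."""
    return Port(untagged={10}, tagged={20, 40}, pvid=10)


def build(iot_pvid):
    """Switch A / Switch B from the first post; iot_pvid is the PVID on A's IoT port 3."""
    net = Network()
    net.add_switch("A", {1: trunk(), 2: ap_port(), 3: Port(untagged={30}, pvid=iot_pvid)})
    net.add_switch("B", {1: trunk(), 2: Port(untagged={1}, pvid=1), 7: ap_port(), 8: trunk()})
    net.link(("A", 1), ("B", 8))     # inter-switch trunk
    net.link(("B", 1), ROUTER)       # Switch B port 1 -> OPNsense igc1
    return net


def dhcp_round_trip(net, client):
    """Untagged DHCP DISCOVER from a non-VLAN-aware host at `client`, then the
    OFFER sent back by OPNsense on the interface that received the DISCOVER.
    Returns ("lease", vlan), ("lost_discover", None) or ("lost_offer", vlan);
    vlan None means the DISCOVER reached OPNsense untagged, i.e. on the LAN."""
    out = net.flood(client[0], client[1], None)
    if ROUTER not in out:
        return ("lost_discover", None)
    vlan = out[ROUTER]
    back_node, back_port = net.links[ROUTER]
    back = net.flood(back_node, back_port, vlan)
    return ("lease", vlan) if client in back else ("lost_offer", vlan)


if __name__ == "__main__":
    print("IoT port, PVID left at 1:", dhcp_round_trip(build(iot_pvid=1), ("A", 3)))
    print("IoT port, PVID 30       :", dhcp_round_trip(build(iot_pvid=30), ("A", 3)))
    print("VLAN 10 from OPNsense   :", build(30).flood("B", 1, 10))
    print("VLAN 20 from OPNsense   :", build(30).flood("B", 1, 20))
    print("AP management, untagged :", build(30).flood("A", 2, None))
```

With the PVID left at 1 the IoT host's DISCOVER is classified into VLAN 1, reaches OPNsense untagged on the LAN, and the OFFER (which would come from the LAN scope, not 192.168.30.1) is dropped at port 3 because that port is not a member of VLAN 1, which is the "no IP at all" symptom from the first post. With PVID 30 the same frame reaches the firewall tagged 30 and the reply comes back. The last three lines show the hybrid AP port: VLAN 10 leaves both AP ports untagged, VLAN 20 leaves them tagged, and an untagged frame from the AP lands in VLAN 10. The model says nothing about what the AP itself does with the tags, so it cannot by itself explain the AP problem described later in the thread.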

March 23, 2026, 11:24:49 PM #5 Last Edit: March 23, 2026, 11:39:43 PM by strangerinusall
Quote from: nero355 on March 23, 2026, 12:34:02 AM
Administrative and Operational VLANs ?! What's in a name ?!
This is what Cisco says:
• Administrative VLANs-Port is configured for these VLANs.
• Operational VLANs-Port is currently a member of these VLANs.

Quote from: nero355 on March 23, 2026, 12:34:02 AM
And real CISCO Switches also use the whole VLAN Trunk Database thing to allow/accept VLANs but I think that does not apply here ??
Indeed, I believe these are their simple small business switches.

I can't seem to get it to work even on a single switch. The IOT devices connect if I set VLAN 30 untagged, but I can't seem to configure the AP port (2nd port) properly.

Quote from: viragomann on March 23, 2026, 11:36:37 AM
Quote from: strangerinusall on March 22, 2026, 11:49:06 PM
Do I also add PVID 10 on Trunk ports where APs connect??
This depends on your APs. Since you mentioned that you have multiple SSIDs on them, I assume that each has a VLAN assigned on the AP. In this case, the switch port has to be assigned as tagged to the VLAN and no PVID set.

The PVID is responsible for tagging incoming packets on the respective port. So you only need it to connect non-VLAN-aware devices to a VLAN.

So on trunk port #2 I set 20 and 40 as tagged and 10 as untagged, but it's not working. Perhaps I am not setting this properly in the interface.