VLAN Tag from wifi gets right ip address but appears on wrong interface

Started by Mr. Happy, August 03, 2020, 12:30:00 AM

I have recently made a fresh install of the most recent OPNsense on ESXi.
On my OpenWrt router I have three SSIDs (30, 70 & 90), each with a different VLAN (two SSIDs are disabled at the moment: 70 & 90).
On my OPNsense I have 2 physical NICs, 1 connected to my WAN and 1 connected to a virtual switch on a port group with VLAN 4095.
I also created different VLANs (10, 20, 30, 70 & 90) in OPNsense and assigned interfaces to them.
When I connect my phone to the SSID it gets an IP address from the DHCP range configured for VLAN 30, but it cannot access anything local. Internet works fine.
My phone's IP address appears in the firewall logging as a client of VLAN 20.
When I disable VLAN 20 my phone can access local stuff...

I've searched several places and for a long time, but have not found anything remotely helpful.

What can cause this and how to resolve this?
Where can I

I somehow suspect that the config you describe adds multiple VLAN tags or just replaces them with 4095.

In general I would recommend to do the VLAN tagging on the vSwitch and use separate vNICs to the VM, see Virtual Switch Tagging (VST) [1]. It has the benefit that you explicitly assign a VLAN to a VM and you don't have to configure anything VLAN related in the VM itself.

Did you configure a trunk port (multiple VLANs on one port) between ESXi and OpenWRT? Do you have any switches in between?

Please also add a diagram of your network (at least physical).

[1] https://kb.vmware.com/s/article/1003806#vstPoints

Removed the VLAN configs from OPNsense and created several vNICs and port groups on ESXi, and everything seems to be working now.
Thanks!

Sent from my HD1903 using Tapatalk


Quote from: Mr. Happy on August 03, 2020, 12:30:00 AM
When I connect my phone to the SSID it gets an IP address from the DHCP range configured for VLAN 30, but it cannot access anything local. Internet works fine.
My phone's IP address appears in the firewall logging as a client of VLAN 20.
[...]
What can cause this and how to resolve this?

I've had exactly the same issue, but I'm using an Asus router (with Merlin firmware) as the Wi-Fi access point and OPNsense on an APU board. I've enabled a packet monitoring feature to investigate and suddenly the problem was gone. The issue was caused by "NAT acceleration" on the AP's side, so maybe it is the same for your OpenWrt based device. I've noticed that after rebooting, the first device that connected to a Wi-Fi was working, while all further devices on other VLANs were just getting the correct IP address and using the VLAN from the first connected device. I'm not a network expert so I'm not 100% certain, but I think that this NAT acceleration optimizes the packets in a way that it just looks at the very first packet and caches some "header information" that it then applies to all further packets. So whatever is sent via the trunk port will get the same VLAN tag instead of the individual one for the specific SSID. Disabling this feature resolved the issue for me.


Thanks for this. I was tearing my hair out trying to figure out why traffic kept showing up on the wrong VLANs. My Asus-Merlin access points had hardware acceleration turned on, and turning it off resolved things. Note to anyone reading this thread in the future: the hardware acceleration option is not accessible when your access point is in AP-only mode. You have to switch it to router mode, turn off hardware acceleration, and switch back to AP-only mode.
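A quick way to confirm the symptom described in this thread (a client holding a lease from one VLAN's DHCP range while its frames arrive on the trunk carrying another VLAN's tag) is to capture tagged frames on the firewall's trunk-facing interface with tcpdump -e -nn and compare each frame's 802.1Q tag against the VLAN that owns the source IP's subnet. The script below is an added example, not code from the thread or from OPNsense; the addressing plan (VLAN N owns 10.0.N.0/24), the MAC addresses and the capture lines are constructed for illustration, and the parsing follows the general shape of tcpdump -e -nn output rather than any specific capture from the posters.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing plan (not stated in the thread): the firewall's VLAN
# interface for VLAN N serves 10.0.N.0/24 from its DHCP range.
VLAN_SUBNETS = {
    20: ipaddress.ip_network("10.0.20.0/24"),
    30: ipaddress.ip_network("10.0.30.0/24"),
    70: ipaddress.ip_network("10.0.70.0/24"),
    90: ipaddress.ip_network("10.0.90.0/24"),
}

# Constructed sample in the shape of `tcpdump -e -nn` on the trunk-facing
# interface.  aa:bb:cc:dd:ee:20 is a VLAN 20 client behaving normally.
# aa:bb:cc:dd:ee:30 is the "phone": its DHCP request went out tagged 30 and it
# holds 10.0.30.15, but its data frames arrive tagged 20 (the thread's symptom).
SAMPLE_CAPTURE = """\
12:00:01.000001 aa:bb:cc:dd:ee:20 > 00:50:56:00:00:01, ethertype 802.1Q (0x8100), length 98: vlan 20, p 0, ethertype IPv4 (0x0800), 10.0.20.7 > 10.0.20.1: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 aa:bb:cc:dd:ee:30 > 00:50:56:00:00:01, ethertype 802.1Q (0x8100), length 342: vlan 30, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:30, length 300
12:00:03.000001 aa:bb:cc:dd:ee:30 > 00:50:56:00:00:01, ethertype 802.1Q (0x8100), length 98: vlan 20, p 0, ethertype IPv4 (0x0800), 10.0.30.15 > 10.0.30.1: ICMP echo request, id 2, seq 1, length 64
12:00:04.000001 aa:bb:cc:dd:ee:30 > 00:50:56:00:00:01, ethertype 802.1Q (0x8100), length 74: vlan 20, p 0, ethertype IPv4 (0x0800), 10.0.30.15.49152 > 10.0.30.20.445: Flags [S], seq 1, win 65535, length 0
"""

# One 802.1Q-tagged IPv4 frame as printed by tcpdump -e -nn.  Ports, when
# present, are a trailing ".NNN" on the address and are discarded.
FRAME_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, "
    r"ethertype IPv4 \(0x0800\), (?P<src_ip>\d+(?:\.\d+){3})(?:\.\d+)? > "
    r"(?P<dst_ip>\d+(?:\.\d+){3})(?:\.\d+)?:"
)


def parse_frames(capture):
    """Yield (src_mac, vlan_tag, src_ip) for each tagged IPv4 frame in the text."""
    frames = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m["src_mac"], int(m["vlan"]),
                           ipaddress.ip_address(m["src_ip"])))
    return frames


def expected_vlan(ip):
    """VLAN ID whose subnet contains ip, or None (e.g. 0.0.0.0 during DHCP)."""
    ip = ipaddress.ip_address(ip)
    for vid, net in VLAN_SUBNETS.items():
        if ip in net:
            return vid
    return None


def find_mismatches(capture):
    """Frames whose 802.1Q tag differs from the VLAN that owns the source subnet.

    Returns a list of (src_mac, src_ip, tag_seen, tag_expected).  A non-empty
    result is the "right IP, wrong interface" condition from the thread.
    """
    out = []
    for src_mac, tag, src_ip in parse_frames(capture):
        exp = expected_vlan(src_ip)
        if exp is not None and exp != tag:
            out.append((src_mac, str(src_ip), tag, exp))
    return out


def tags_by_mac(capture):
    """Sorted list of distinct VLAN tags seen per source MAC.

    A single client MAC appearing with more than one tag (here: 30 for DHCP,
    20 for everything after) points at the access point rewriting tags.
    """
    seen = defaultdict(set)
    for src_mac, tag, _ in parse_frames(capture):
        seen[src_mac].add(tag)
    return {mac: sorted(tags) for mac, tags in seen.items()}


if __name__ == "__main__":
    for mac, ip, seen, exp in find_mismatches(SAMPLE_CAPTURE):
        print(f"{mac} {ip}: tagged vlan {seen}, subnet belongs to vlan {exp}")
    print(tags_by_mac(SAMPLE_CAPTURE))
```

To use it against a live system, replace SAMPLE_CAPTURE with the output of something like `tcpdump -e -nn -i <trunk-interface> vlan` run on the firewall (the interface name depends on your hypervisor and driver) and adjust VLAN_SUBNETS to your own plan. If every client shares the tag of whichever device associated first, the problem is upstream of the firewall, which matches the NAT/hardware acceleration explanation given above.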