Getting VLANS and AP to work with my Netgear GS108Ev3 and Unifi Controller

Started by meddyuk76, March 09, 2025, 08:48:42 PM

My small network setup is my home server, which hosts OPNsense virtually via Proxmox. I've got a Unifi AP running into my Netgear GS108E, which I've configured as a trunk port (port 7), and then port 8 is also a trunk port running into the LAN port on the router (OPNsense).

I set up 3 Wi-Fi networks on the Unifi Controller with VLANs IOT (20), Guest (50) and Personal (10). I set up the same VLANs on the switch and on OPNsense and ensured that DHCP is set up for all VLAN assignments. They are identical other than the change in IP.

I can only get VLAN 10 to work and connect to the internet. The other VLANs will not connect to the internet. I tried connecting several devices to the guest network to try and get connected. These devices get an APIPA address on Unifi. This would suggest that it's a DHCP issue, but the DHCP setup is identical on each.

I reset everything this morning and VLAN 10 lost connection, much to the dismay of everyone in the household, and then only VLAN 50 would connect. I've had to just delete everything and reset, just so that the Wi-Fi is working via the default VLAN 1.

Is the Netgear struggling to pass tagged packets from the Unifi AP? Any ideas?

Do you get DHCP leases? Then I would guess it's a DNS problem. If so, what are your settings there?

You need (in this order):

1. IP address assignments on each VLAN (DHCP) on the clients.
2. A gateway inside the subnet of the VLAN (i.e. the respective OPNsense VLAN interface IP) on the clients.
3. A DNS resolver IP on the clients.
4. An outbound NAT rule for each VLAN to be able to access the internet.

The outbound NAT rule can be created via automatic or hybrid NAT rules, or you can create them manually. Remember that an "allow any" rule exists by default only on the first LAN interface.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

So, I deleted all VLANs and started again from fresh. I am able to set up a default SSID and default VLAN in the Unifi Controller, and this gets access to the internet. I then tried to log in to the second SSID, called 'Guest'; I can connect to it on my phone, but with no internet.

I've looked at the DHCP leases on OPNsense and my phone gets a lease from DHCP.

The firewall rules I've created on each VLAN assignment are 'IN' rules, e.g. ensure that the NET host gets DNS and also that it can connect to Private Networks e.g.

I haven't created any outbound rules.

What would be the DNS issue?

What about allowing outside access from your VLANs with "any"? Allowing only your local RFC1918 networks will not do much. Re-read my last sentence. Also: Can you resolve DNS names from all VLANs? If not, then probably the DNS server IP that is handed out via DHCP is also inaccessible.

Everything that is not allowed explicitly is denied by default on OPNsense. The only exceptions to this rule are some low-level mandatory ICMP messages and the default outbound "allow all" rule for the first LAN.
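Added example, not code from the thread or from OPNsense: a small first-match evaluator that walks the checklist from the earlier reply (gateway inside the VLAN subnet, DNS reachable, internet reachable, outbound NAT covering the subnet) against a default-deny policy, so you can see why a pass rule whose destination is only an RFC1918 alias lets the client resolve names against the OPNsense VLAN interface but never reach the internet. The alias contents, interface name "GUEST", addresses and rule dictionaries are all constructed for illustration and are not OPNsense's real rule format.

```python
import ipaddress

# Assumed contents of the 'Private RFC Networks' alias mentioned in the thread.
PRIVATE_RFC_NETWORKS = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = "any"  # stand-in for a rule's destination or source set to "any"


def _in_set(addr, nets):
    """True if addr is covered by the network list, or the set is 'any'."""
    if nets == ANY:
        return True
    return any(addr in n for n in nets)


def evaluate(rules, iface, src, dst, dport):
    """First matching rule wins; no match means deny (OPNsense default)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["iface"] != iface:
            continue
        if not _in_set(src, r["src"]) or not _in_set(dst, r["dst"]):
            continue
        if r.get("dport") not in (None, dport):  # None = any port
            continue
        return r["action"]
    return "deny"


def client_has_internet(rules, nat_sources, iface, client, gateway, prefix,
                        dns, probe="1.1.1.1"):
    """Check the four requirements from the reply for one VLAN client.

    probe is a constructed public address standing in for 'the internet'.
    """
    net = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
    report = {
        "gateway_in_subnet": ipaddress.ip_address(gateway) in net,
        "dns_allowed": evaluate(rules, iface, client, dns, 53) == "pass",
        "internet_allowed": evaluate(rules, iface, client, probe, 443) == "pass",
        "nat_covers_subnet": any(net.subnet_of(n) for n in nat_sources),
    }
    report["ok"] = all(report.values())
    return report


def demo():
    """Guest VLAN 50 (constructed addressing) under three rule sets."""
    guest_net = [ipaddress.ip_network("192.168.50.0/24")]
    guest = dict(iface="GUEST", client="192.168.50.23", gateway="192.168.50.1",
                 prefix=24, nat_sources=guest_net)
    rfc_only = [{"action": "pass", "iface": "GUEST",
                 "src": guest_net, "dst": PRIVATE_RFC_NETWORKS}]
    allow_any = [{"action": "pass", "iface": "GUEST",
                  "src": guest_net, "dst": ANY}]
    return {
        # DNS served by the OPNsense VLAN IP: names resolve, internet is denied.
        "rfc_only_local_dns": client_has_internet(rfc_only, dns="192.168.50.1", **guest),
        # DHCP hands out a public resolver: even DNS is denied now.
        "rfc_only_public_dns": client_has_internet(rfc_only, dns="8.8.8.8", **guest),
        # Destination 'any': the checklist passes end to end.
        "allow_any": client_has_internet(allow_any, dns="192.168.50.1", **guest),
        # Same rules but no outbound NAT for the subnet: still no internet.
        "allow_any_no_nat": client_has_internet(
            allow_any, dns="192.168.50.1", **{**guest, "nat_sources": []}),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The evaluator only models what the two replies describe (first match, default deny, a per-interface "in" rule); it does not model states, floating rules or the automatic anti-lockout rule, so treat it as a way to reason about a rule set before you test with a real client on each SSID.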

So the default VLAN on the Unifi Controller and AP, VLAN 1, works; we've connected all our devices to this SSID.
The Guest Wi-Fi, VLAN 50, also works.
I've created another VLAN for IoT devices, VLAN 20, with the same rules, and it doesn't work.

It's working!!!! Spent days double-checking everything. Set the firewall rules to 'any' instead of my alias of 'Private RFC Networks'.

Thanks for your help all!