Can't get VLANs to work

Started by sfox4159, June 25, 2025, 12:38:44 AM

Hi,

Objective
To configure a multi-SSID setup where:

Default SSID operates on native VLAN 1 (untagged) for management

Guest SSID operates on VLAN 3 (tagged) for client isolation

OPNsense firewall handles routing/DHCP for both VLANs


Diagram: https://ibb.co/ymD8wd8p

Devices:

Switch: TL-SG108E

AP: TL-WA1201

Firewall: OPNsense (25.1.9)

Symptoms:

Clients on Guest SSID (VLAN 3) fail to obtain IP address (stuck "obtaining IP")

Manual IP assignment (192.168.3.20) cannot ping gateway (192.168.3.1)

VLAN 1 clients can ping 192.168.3.1, but not the other way around

Default SSID (VLAN 1) works normally

No VLAN 3 traffic detected in packet captures


Troubleshooting Performed

1. Switch Configuration
VLAN ID   VLAN Name   Tagged Ports   Untagged Ports
1         Default     None           1-8
3         Guest       1, 8           None
PVID: All ports set to 1

VLAN setup from OPNsense: https://ibb.co/p6KG55kn
Firewall rule: https://ibb.co/wXgpyNn
DHCP from OPNsense: https://ibb.co/LzbcGpXy

Please assist.



June 25, 2025, 04:36:39 PM #1 Last Edit: Today at 01:55:48 AM by julsssark
I am not familiar with your switch but looking at the configuration, I think vlan 1 should include ports 1 and 8 with tagged traffic. The devices on port 1 and 8 speak vlan and therefore their traffic is being tagged. Since you've set port 8 in your switch as untagged for vlan 1 and the PVID of port 8 is 1, the traffic from port 8 is likely being tagged as vlan 1 even though some of it is vlan 3.

Mixing tagged and untagged traffic on the trunk to OPNsense is not recommended. See here https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Consider creating another VLAN for management. You will need to configure your switches and AP to use this VLAN.

I would expect to see the interface for VLAN3 look something like: "vlan01.3"

Also, are you configuring the VLAN on the AP? The doco says you can.

Can you share a screenshot of the INTERFACES: DEVICES: VLAN page, please.
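
The first post reports that no VLAN 3 traffic shows up in packet captures. The following is an added example, not code from either poster: it parses the 802.1Q tag out of raw Ethernet frames and counts frames per VLAN, so a capture can be checked for VLAN 3 tags. The sample frames and the helper names (`parse_vlan`, `vlan_summary`, `build_frame`) are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan(frame: bytes):
    """Return (vlan_id or None, ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype      # untagged: a switch maps it to the port PVID
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner      # low 12 bits of the TCI are the VLAN ID

def vlan_summary(frames):
    """Count frames per VLAN; frames without a tag are counted as 'untagged'."""
    counts = Counter()
    for frame in frames:
        vid, _ = parse_vlan(frame)
        counts["untagged" if vid is None else vid] += 1
    return dict(counts)

def build_frame(vlan_id=None, ethertype=0x0800, pcp=0):
    """Constructed sample frame: broadcast dst, made-up src MAC, dummy payload."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")
    if vlan_id is not None:
        # TCI layout: 3 bits priority, 1 bit DEI, 12 bits VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed sample: two untagged frames and two frames tagged for VLAN 3
SAMPLE = [build_frame(), build_frame(),
          build_frame(vlan_id=3), build_frame(vlan_id=3, pcp=5)]

if __name__ == "__main__":
    print(vlan_summary(SAMPLE))
```

Tags are visible only in a capture taken on the parent (trunk) interface; a capture on the VLAN interface itself shows the frames with the tag already removed.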