Unable to access Device Interface from the VLAN

Started by shaam, June 28, 2025, 08:22:56 PM

Hello Community,
I am unable to access the switch interface when I am on the VLAN network. My LAN interface IP range is 192.168.1.1/24, and I created three VLANs. One of the VLANs is for Wi-Fi devices, whose IP range is 192.168.40.1/24. I am using an eight-port TP-Link (TL-SG108E) switch. IP 192.168.1.2 is assigned to the switch. Wi-Fi is using port seven of the switch with v-tag 40.
OPNsense firewall rules have a source of 'LAN Net' and 'WiFi Net', a port of any, and a destination of 'any' for both the LAN and WiFi interfaces. I am still unable to access the switch's interface. I can't even ping it when I am connected to the VLAN network; however, I can ping the gateway 192.168.1.1. The only way I can access the switch's interface is by removing the Wi-Fi from the VLAN port and plugging it into a non-VLAN port; that way, both devices are on the same network. Is there a way that I can access my device's interface from a different network, such as from a VLAN network? What can be the solution? Attaching screenshots. Thanks,



https://ibb.co/Q3J4YDWk
https://ibb.co/WrYDhCz
https://ibb.co/CpH20CYL

June 29, 2025, 05:59:24 AM #1 Last Edit: June 29, 2025, 06:09:03 AM by patient0
JFYI: If you don't include/embed the pictures in the post: there are people active in this forum who won't click on links to external image sites. So for the best chance of getting help, include them directly in your post.

Now to the actual issue (or at least, part of it): Your switch configuration is not how it should be. A port on a switch can only carry one untagged VLAN. Right now you have VLAN1 untagged on ports 1-8, VLAN20/IoT untagged on port 8, VLAN40/Wifi untagged on port 7 and VLAN50/Lab untagged on port 6. So you have two untagged VLANs on port 6, two untagged VLANs on port 7 and two untagged VLANs on port 8.

What you should do: Remove ports 6, 7 and 8 from VLAN1 ("Not Member"). And on '802.1Q PVID Setting' make sure that the PVID is set to 50 for port 6, 40 for port 7 and 20 for port 8.

PVID is the VLAN set for a specific port. As an example, (untagged) traffic from IoT devices on port 8 will be tagged with VLAN ID 20 and will leave, still tagged, on port 1 to reach OPNsense.

The trunk port 1 is ok and will carry the tagged VLANs 20, 40 and 50.

Regarding the firewall rules: The rules with the default setting "direction in" apply to traffic coming in from the network the rules apply to, e.g. LAN. As a result the default allow rule on LAN will allow traffic from LAN to reach all destinations, including all VLANs.

You edited the default rule to include 'LAB net' and 'Wifi net' as sources. But on the LAN network there will never be traffic with source 'LAB net' or 'Wifi net', only traffic from 'LAN net'. The same goes for the 'Wifi net': you can safely remove 'LAN net' and 'LAB net' as sources.

If you would want to restrict what a network can reach, you would add that to the 'Destination'. For example 'Source' -> 'IoT net', 'Destination' -> ! (== not) 'LAN net' would allow devices on 'IoT net' to access everything except 'LAN net'.
Deciso DEC740
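Added example, not code from this thread or from TP-Link/OPNsense: a small Python checker for the two rules patient0 applies by hand above (at most one untagged VLAN per port, and the PVID equal to that VLAN). The switch tables are constructed from the description in the reply; the original PVID values are an assumption (the default of 1 on every port).

```python
from dataclasses import dataclass, field

@dataclass
class Vlan:
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

def check_vlans(vlans, pvid):
    """Return a list of problems (empty list == consistent table).
    vlans: VLAN ID -> Vlan; pvid: port -> PVID. Checks one untagged VLAN per
    port, PVID equal to that VLAN, and no VLAN both tagged and untagged."""
    problems = []
    untagged_on = {}  # port -> VLAN IDs carried untagged on that port
    for vid, v in vlans.items():
        for p in sorted(v.tagged & v.untagged):
            problems.append(f"port {p}: VLAN {vid} is both tagged and untagged")
        for p in v.untagged:
            untagged_on.setdefault(p, []).append(vid)
    for p, vids in sorted(untagged_on.items()):
        if len(vids) > 1:
            problems.append(f"port {p}: multiple untagged VLANs {sorted(vids)}")
        elif pvid.get(p) != vids[0]:
            problems.append(f"port {p}: PVID {pvid.get(p)} != untagged VLAN {vids[0]}")
    return problems

# Constructed from the reply: VLAN 1 untagged on every port, VLAN 20/40/50
# untagged on ports 8/7/6 and tagged on trunk port 1. PVID 1 everywhere is
# an assumption (the switch default), not a value read from the screenshots.
def original_config():
    vlans = {
        1: Vlan(untagged=set(range(1, 9))),
        20: Vlan(tagged={1}, untagged={8}),
        40: Vlan(tagged={1}, untagged={7}),
        50: Vlan(tagged={1}, untagged={6}),
    }
    pvid = {p: 1 for p in range(1, 9)}
    return vlans, pvid

# The corrected table: ports 6-8 removed from VLAN 1 and PVIDs set to match.
def fixed_config():
    vlans, pvid = original_config()
    vlans[1].untagged -= {6, 7, 8}
    pvid.update({6: 50, 7: 40, 8: 20})
    return vlans, pvid

if __name__ == "__main__":
    for name, cfg in (("original", original_config()), ("fixed", fixed_config())):
        print(name, check_vlans(*cfg) or "OK")
```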

Hi, I updated VLAN1 and set ports 6, 7 and 8 to not member. I am attaching screenshots. Can you check if the configuration is correct or if I need to change something else? Thank you!


Quote from: shaam on July 02, 2025, 09:32:52 PM
> Can you check if the configuration is correct or if I need to change something else?
That looks correct that way, yes.
Deciso DEC740