VLAN with Synology RT6600AX in AP mode

Started by Tobanja, Today at 06:28:52 PM

Hey everybody! First post here. So, first of all, I'm pretty new to networking in general, but I fell in love with OPNsense and want to learn more. So I quickly converted my old router, the RT6600AX, into an AP and happily started to create a VLAN network tagged 10. I'm using a TP-Link SG2210P switch, and have made sure to set the port from the AP to the switch, and also the one from switch to OPNsense, into "tagged".

With the help of AI, I have created a guest VLAN, tagged 10, the same as on the AP and switch, however no matter how I try, I don't seem to be able to create an isolated VLAN in spite of correct rules (I believe). When connecting to the guest network on 192.168.10.x, I can still ping devices on 192.168.1.x although my first rule is to block traffic to 192.168.0.0/16 "in" from the guest interface. Grok suggested floating rules in "out" direction, but I tried that as well.

When checking the OPNsense live log, I notice the ping is present from the phone, but coming from the standard LAN interface in spite of all my struggles. Grok's theory is that the Synology AP simply doesn't send the tag correctly so it all ends up on the same network in OPNsense anyway.

I'm not sure if anyone understands what I'm writing here. I guess I'm interested in knowing if anyone else has had any luck with the Synology AP for isolated VLAN, or if it rather belongs in the trash can?

The best practice is to block and permit ingress (IN). But the critical part is what you found yourself.

Quote: When checking the OPNsense live log, I notice the ping is present from the phone, but coming from the standard LAN interface in spite of all my struggles.

This basically means that the traffic from devices on the guest SSID is not being forwarded with the guest VLAN ID 10.

You need to bind the SSID to that VLAN if it's possible for the RT6600AX. Usually this is done in a way that you create an interface that has the proper VLAN tag (unnumbered) and attach the SSID to it. I don't use Synology so I can't be more specific.

Regards
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
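
The diagnosis in the reply above can be confirmed by checking whether frames from the guest client actually carry an 802.1Q tag with VLAN ID 10. The following is an added example, not part of the thread or of any poster's setup; the MAC addresses and frames are constructed, the function names are hypothetical, and it assumes raw Ethernet frames taken from a capture on the trunk (parent) interface.

```python
import struct
from collections import defaultdict

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def parse_vlan(frame: bytes):
    """Return (src_mac, vlan_id or None, inner_ethertype) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return src, None, ethertype      # untagged: handled by the parent (LAN) interface
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return src, tci & 0x0FFF, inner      # low 12 bits of the TCI are the VLAN ID

def tags_by_source(frames):
    """Map each source MAC to the set of VLAN IDs (None = untagged) it was seen with."""
    seen = defaultdict(set)
    for f in frames:
        src, vid, _ = parse_vlan(f)
        seen[src].add(vid)
    return dict(seen)

def mistagged(frames, guest_macs, guest_vlan=10):
    """Guest clients that sent at least one frame without the guest VLAN tag."""
    seen = tags_by_source(frames)
    return sorted(m for m in guest_macs if seen.get(m, set()) - {guest_vlan})

def _frame(src, vlan=None):
    """Build a constructed frame: broadcast dst, IPv4 EtherType, dummy payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed sample: PHONE is on the guest SSID but its frames carry no tag;
# TABLET is on a guest SSID that is correctly bound to VLAN 10.
PHONE, TABLET = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [_frame(PHONE), _frame(PHONE), _frame(TABLET, vlan=10)]

if __name__ == "__main__":
    for mac, vids in tags_by_source(SAMPLE).items():
        print(mac, sorted(vids, key=str))
    print("guest clients not tagged 10:", mistagged(SAMPLE, [PHONE, TABLET]))
```

A guest client that shows up in the `mistagged` result matches the symptom in the live log: its traffic is untagged, so the firewall evaluates it against the LAN rules and the guest interface rules never see it.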

Quote from: Tobanja on Today at 06:28:52 PM
With the help of AI, I have created a guest VLAN
Next time skip the Machine Learning Chatbot and just read the OPNsense Documentation: https://docs.opnsense.org/manual/how-tos/guestnet.html

I think my Guest VLAN was done in 5 to 10 minutes by just following the steps in the document ;)

You can skip the Guest Portal stuff of course!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)