VLAN with Synology RT600AX in AP mode

[Tobanja]

Hey everybody! First post here. So, first of all, I'm pretty new to networking in general, but I fell in love with opnsense and want to learn more. So I quickly converted my old router, the RT6600AX, into an AP and happily started to create a VLAN network tagged 10. I'm using a TP-Link SG2210P switch, and have made sure to set the port from the AP to the switch, and also the one from switch to opnsense, into "tagged".

With the help of AI, I have created a guest VLAN, tagged 10, the same as on the AP and switch, however no matter how I try, I don't seem to be able to create an isolated VLAN in spite of correct rules (I believe). When connecting to the guest network on 192.168.10.x, I can still ping devices on 192.168.1.x although my first rule is to block traffic to 192.168.0.0/16 "in" from the guest interface. Grok suggested floating rules in "out" direction, but I tried that as well.

When checking the opnsense live log, I notice the ping is present from the phone, but coming from the standard LAN interface in spite of all my struggles. Grok's theory is that the synology AP simply doesn't send the tag correctly so it all ends up on the same network in opnsense anyway.

I'm not sure if anyone understands what I'm writing here. I guess I'm interested in knowing if anyone else has had any luck with the synology AP for isolated VLAN, or if it rather belongs in the trash can?

[Seimus]

The best practice is to block and permit ingress (IN). But the critical part is what you found yourself.

When checking the opnsense live log, I notice the ping is present from the phone, but coming from the standard LAN interface in spite of all my struggles.

This basically means that the traffic, devices from the SSID guest is not beying forwarded with the guest VLAN ID 10.

You need to bind the SSID to that VLAN if its possible for the RT6600AX. Usually this is done in a way that you create an interface that has the proper VLAN TAG (unnumbered) and attach on it the SSID. I don't use synology so I cant be more specific.

Regards
S.

[nero355]

With the help of AI, I have created a guest VLAN

Next time skip the Machine Learning Chatbot and just read the OPNsense Documentation : https://docs.opnsense.org/manual/how-tos/guestnet.html

I think my Guest VLAN was done in 5 to 10 minutes by just following the steps in the document ;)

You can skip the Guest Portal stuff ofcourse!

[Tobanja]

With the help of AI, I have created a guest VLAN

Next time skip the Machine Learning Chatbot and just read the OPNsense Documentation : https://docs.opnsense.org/manual/how-tos/guestnet.html

I think my Guest VLAN was done in 5 to 10 minutes by just following the steps in the document ;)

You can skip the Guest Portal stuff ofcourse!

I will try it out! I have followed so many guides already, why not one more? Can I just confirm, you made it work with the RT6600AX as AP? From what I can tell in many places, people in general have problems with the VLAN tagging for this AP. And maybe I should add, I only want VLAN for wireless devices, anything wired goes to my main LAN. So I guess I need to tag the VLAN 10 and have VLAN 1 untagged from the AP through the switch to opnsense, according to my logic (so I can use the "standard" LAN wirelessly as well)?

[Tobanja]

After a few more hours of testing, I'm pretty sure everything inside opnsense is correctly configured. However, the VLAN 10 network still has full access to my primary LAN, since I can ping anything from the phone on this network, so my tests have failed. Anyway, thanks for trying to help me out here.


The RT6600AX as AP doesn't have much settings, just a name and a VLAN, and of course an SSID for the network. And some "advanced settings" as seen in the picture, probably not relevant to my problems.

[nero355]

Can I just confirm, you made it work with the RT6600AX as AP?

I made it work for a Wired VLAN but if I would add a SSID to that VLAN then it would work too for sure!

From what I can tell in many places, people in general have problems with the VLAN tagging for this AP.

What is so special about it ?!

Give me a link to a Manual PDF of the thing and I will take a look for you for fun :)

And maybe I should add, I only want VLAN for wireless devices, anything wired goes to my main LAN. So I guess I need to tag the VLAN 10 and have VLAN 1 untagged from the AP through the switch to opnsense, according to my logic (so I can use the "standard" LAN wirelessly as well)?

To be honest : I don't know if ANY Wireless Accesspoint works like that ?!
_{(Excluding those Consumer level Mesh things and such here...)}

Usually the Native VLAN (Untagged) is only transported to it so you can Manage the thing either via it's webGUI or some kind of Controller and any SSID on it is done via VLAN Tagging.

After a few more hours of testing, I'm pretty sure everything inside opnsense is correctly configured. However, the VLAN 10 network still has full access to my primary LAN, since I can ping anything from the phone on this network, so my tests have failed. Anyway, thanks for trying to help me out here.

Then your Firewall Rules are not configured properly :)

The RT6600AX as AP doesn't have much settings, just a name and a VLAN, and of course an SSID for the network.
And some "advanced settings" as seen in the picture, probably not relevant to my problems.

FYI Side note : DTIM for 2.4 GHz should be either 1 or 3 for compatibility so 4 is a weird value IMHO.

[Seimus]

To be honest : I don't know if ANY Wireless Accesspoint works like that ?!

OpenWRT can do that.

But rather than using a Native, I would TAG the traffic into dedicated VLAN and not use VLAN 1 as a PROD carrier.

Regards,
S.