VLAN with Synology RT6600AX in AP mode

Started by Tobanja, February 27, 2026, 06:28:52 PM

Hey everybody! First post here. So, first of all, I'm pretty new to networking in general, but I fell in love with opnsense and want to learn more. So I quickly converted my old router, the RT6600AX, into an AP and happily started to create a VLAN network tagged 10. I'm using a TP-Link SG2210P switch, and have made sure to set the port from the AP to the switch, and also the one from switch to opnsense, into "tagged".

With the help of AI, I have created a guest VLAN, tagged 10, the same as on the AP and switch, however no matter how I try, I don't seem to be able to create an isolated VLAN in spite of correct rules (I believe). When connecting to the guest network on 192.168.10.x, I can still ping devices on 192.168.1.x although my first rule is to block traffic to 192.168.0.0/16 "in" from the guest interface. Grok suggested floating rules in "out" direction, but I tried that as well.

When checking the opnsense live log, I notice the ping is present from the phone, but coming from the standard LAN interface in spite of all my struggles. Grok's theory is that the synology AP simply doesn't send the tag correctly so it all ends up on the same network in opnsense anyway.

I'm not sure if anyone understands what I'm writing here. I guess I'm interested in knowing if anyone else has had any luck with the synology AP for isolated VLAN, or if it rather belongs in the trash can?

The best practice is to block and permit ingress (IN). But the critical part is what you found yourself.

Quote: When checking the opnsense live log, I notice the ping is present from the phone, but coming from the standard LAN interface in spite of all my struggles.

This basically means that the traffic from devices on the guest SSID is not being forwarded with the guest VLAN ID 10.

You need to bind the SSID to that VLAN if it's possible for the RT6600AX. Usually this is done in a way that you create an interface that has the proper VLAN TAG (unnumbered) and attach the SSID to it. I don't use Synology so I can't be more specific.

Regards
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Tobanja on February 27, 2026, 06:28:52 PMWith the help of AI, I have created a guest VLAN
Next time skip the Machine Learning Chatbot and just read the OPNsense Documentation : https://docs.opnsense.org/manual/how-tos/guestnet.html

I think my Guest VLAN was done in 5 to 10 minutes by just following the steps in the document ;)

You can skip the Guest Portal stuff ofcourse!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

February 28, 2026, 10:39:52 AM #3 Last Edit: February 28, 2026, 10:55:04 AM by Tobanja
Quote from: nero355 on February 27, 2026, 07:53:44 PM
Quote from: Tobanja on February 27, 2026, 06:28:52 PMWith the help of AI, I have created a guest VLAN
Next time skip the Machine Learning Chatbot and just read the OPNsense Documentation : https://docs.opnsense.org/manual/how-tos/guestnet.html

I think my Guest VLAN was done in 5 to 10 minutes by just following the steps in the document ;)

You can skip the Guest Portal stuff ofcourse!

I will try it out! I have followed so many guides already, why not one more? Can I just confirm, you made it work with the RT6600AX as AP? From what I can tell in many places, people in general have problems with the VLAN tagging for this AP. And maybe I should add, I only want VLAN for wireless devices, anything wired goes to my main LAN. So I guess I need to tag the VLAN 10 and have VLAN 1 untagged from the AP through the switch to opnsense, according to my logic (so I can use the "standard" LAN wirelessly as well)?

After a few more hours of testing, I'm pretty sure everything inside opnsense is correctly configured. However, the VLAN 10 network still has full access to my primary LAN, since I can ping anything from the phone on this network, so my tests have failed. Anyway, thanks for trying to help me out here.


The RT6600AX as AP doesn't have much settings, just a name and a VLAN, and of course an SSID for the network. And some "advanced settings" as seen in the picture, probably not relevant to my problems.

Quote from: Tobanja on February 28, 2026, 10:39:52 AMCan I just confirm, you made it work with the RT6600AX as AP?
I made it work for a Wired VLAN but if I would add a SSID to that VLAN then it would work too for sure!

Quote: From what I can tell in many places, people in general have problems with the VLAN tagging for this AP.
What is so special about it ?!

Give me a link to a Manual PDF of the thing and I will take a look for you for fun :)

Quote: And maybe I should add, I only want VLAN for wireless devices, anything wired goes to my main LAN. So I guess I need to tag the VLAN 10 and have VLAN 1 untagged from the AP through the switch to opnsense, according to my logic (so I can use the "standard" LAN wirelessly as well)?
To be honest : I don't know if ANY Wireless Accesspoint works like that ?!
(Excluding those Consumer level Mesh things and such here...)

Usually the Native VLAN (Untagged) is only transported to it so you can Manage the thing either via its webGUI or some kind of Controller, and any SSID on it is done via VLAN Tagging.

Quote from: Tobanja on February 28, 2026, 12:22:31 PMAfter a few more hours of testing, I'm pretty sure everything inside opnsense is correctly configured. However, the VLAN 10 network still has full access to my primary LAN, since I can ping anything from the phone on this network, so my tests have failed. Anyway, thanks for trying to help me out here.
Then your Firewall Rules are not configured properly :)

Quote: The RT6600AX as AP doesn't have much settings, just a name and a VLAN, and of course an SSID for the network.
And some "advanced settings" as seen in the picture, probably not relevant to my problems.
FYI Side note : DTIM for 2.4 GHz should be either 1 or 3 for compatibility so 4 is a weird value IMHO.

Quote from: nero355 on February 28, 2026, 03:51:29 PMTo be honest : I don't know if ANY Wireless Accesspoint works like that ?!

OpenWRT can do that.

But rather than using a Native, I would TAG the traffic into dedicated VLAN and not use VLAN 1 as a PROD carrier.

Regards,
S.

February 28, 2026, 06:40:47 PM #7 Last Edit: February 28, 2026, 06:42:19 PM by Tobanja
@nero355

Ok so you like a challenge, I take it. To be fair, it is very likely the error is on me somewhere since I'm VERY new to networking. Let me tell my story from the start here, lay out the facts:

The Synology AP has two built in networks, the "standard" primary network - this is the one I'm using for wireless access to my LAN and it used to be the network for everything when the RT6600AX was my main router/FW. It also has a default "guest" network, which has a lot more settings than the manually created networks. The AP is connected to the switch, and I have configured this port in the switch with both VLAN 1 (untagged) and 10 (tagged). Massive manual here if you have too much spare time: https://www.manua.ls/synology/rt6600ax/manual

1. On the AP: I create a new network - name it and set VLAN 10. I enable the wireless radio, set an SSID. I use WPA2 security for testing.
2. On the switch: I confirm both the VLAN 1 and 10 are active on the connection from AP -> switch -> opnsense.
3. In opnsense: I create a new "guesttag10" interface, assign it VLAN 10 in VLAN settings, named opt2 in opnsense. I set its IP range to the 192.168.10.x addresses, assign it to parent re0 (LAN).
4. Firewall rules: Well I add a picture for that.
5. For testing: I connect to this 192.168.10.x network from phone, confirm DNS/gateway is correct. Try pinging 192.168.1.x-addresses in Termux, and those pings go through. (To my great annoyance, it should be added)

The network does work using that IP range, I can surf on the phone, but it isn't isolated one bit from the main LAN. It blatantly ignores my block guest -> LAN net.

I'm not good at troubleshooting, but I activated logging for all FW rules for the guest interface, and the live log spits out a lot of blocked requests. Looks quite alright in fact, blocking to FW and 192.168.1.x. But I can still ping and connect to services on 192.168.1.x. According to the opnsense log, my phone pings arrive from the LAN interface and are allowed through the "let out anything from firewall host itself" rule. But they should come from the guest network on the phone, right? My brain is exploding.

Quote from: Seimus on February 28, 2026, 05:56:38 PM
Quote from: nero355 on February 28, 2026, 03:51:29 PMTo be honest : I don't know if ANY Wireless Accesspoint works like that ?!

OpenWRT can do that.

But rather than using a Native, I would TAG the traffic into dedicated VLAN and not use VLAN 1 as a PROD carrier.

Regards,
S.

Could you please elaborate a bit for a beginner? I am very close to putting this Synology AP in the trash can, and firing up my old Asus AC86U instead with some flashed firmware, maybe Merlin.

VLAN1 is used by many vendors for the control and management plane.
This is nowhere written, but it's more or less a rule by now. Usually vendors specify it in their documentation for the platform, such as Cisco or UniFi. By using VLAN1 you are unintentionally mixing the Data plane in where it should not be.

In regards to native VLANs. A native VLAN is just an any/any bucket. Basically, what does not belong anywhere else specifically will end up in Native; it's like a mix. There are deployments and implementations where you need this. The Default VLAN can be VLAN1 (the recommendation is to avoid VLAN1) or any other VLAN you choose.

https://community.cisco.com/t5/switching/why-vlan-1-is-so-insecure/td-p/3851689
https://networkengineering.stackexchange.com/questions/32737/why-should-the-native-vlan-never-be-used/32740

Regards,
S.
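The two mechanisms behind this thread, Seimus's point that a frame arriving without an 802.1Q tag lands in the parent interface's native network rather than in the VLAN child, and the observation in Tobanja's log that the guest-interface rules never fire because the ping is attributed to LAN, can be seen together in a small model. This is an added example, not code from the thread, from OPNsense or from Synology: it assumes the interface names from Tobanja's setup (parent re0, VLAN 10 mapped to opt2), constructs its own Ethernet frames rather than capturing real ones, and uses a simplified first-match pass/block table in place of the real pf ruleset.

```python
"""Added example (not from the thread): why a guest-SSID ping can show up
on the LAN interface and never hit the guest-interface block rule.

Assumed topology, mirroring the thread: parent NIC re0 carries the
untagged LAN plus tagged VLAN 10 (guest); OPNsense maps VID 10 on re0
to the interface 'opt2' (guesttag10). All frames below are constructed."""
import ipaddress
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

# Hypothetical interface map: (parent, vid) -> OPNsense interface name.
# vid None is the untagged/native network of the parent.
VLAN_MAP = {("re0", None): "lan", ("re0", 10): "opt2"}

# Simplified first-match "in" rules per interface (action, src_net, dst_net).
# Guest: block the whole 192.168.0.0/16 first, then allow everything else.
# LAN: allow anything (a stand-in for a permissive LAN policy, an assumption).
RULES = {
    "opt2": [("block", "192.168.10.0/24", "192.168.0.0/16"),
             ("pass", "192.168.10.0/24", "0.0.0.0/0")],
    "lan": [("pass", "0.0.0.0/0", "0.0.0.0/0")],
}


def build_frame(src_ip, dst_ip, vid=None):
    """Build a minimal Ethernet (optionally 802.1Q-tagged) frame carrying
    a bare IPv4 header with protocol ICMP. MACs are constructed."""
    eth = b"\x00" * 6 + b"\x02" * 6
    if vid is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # TPID, TCI
    eth += struct.pack("!H", ETH_P_IP)
    ip = bytearray(20)
    ip[0] = 0x45                      # IPv4, IHL = 5
    ip[9] = 1                         # protocol ICMP
    ip[12:16] = ipaddress.IPv4Address(src_ip).packed
    ip[16:20] = ipaddress.IPv4Address(dst_ip).packed
    return eth + bytes(ip)


def parse_frame(frame):
    """Return (vid, src_ip, dst_ip); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    offset, vid = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP:
        raise ValueError("not IPv4: 0x%04x" % ethertype)
    ip = frame[offset:offset + 20]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    return vid, src, dst


def classify(frame, parent="re0"):
    """Which OPNsense interface receives this frame? An untagged frame
    belongs to the parent's native network; it never reaches a VLAN child."""
    vid, src, dst = parse_frame(frame)
    return VLAN_MAP.get((parent, vid)), src, dst  # None: no matching interface


def evaluate(frame):
    """First-match evaluation of the receiving interface's rules.
    Returns (interface, verdict); an unmapped VID is simply dropped."""
    iface, src, dst = classify(frame)
    if iface is None:
        return None, "drop"
    for action, src_net, dst_net in RULES[iface]:
        if (ipaddress.IPv4Address(src) in ipaddress.IPv4Network(src_net)
                and ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(dst_net)):
            return iface, action
    return iface, "block"  # implicit default deny


if __name__ == "__main__":
    tagged = build_frame("192.168.10.50", "192.168.1.20", vid=10)
    untagged = build_frame("192.168.10.50", "192.168.1.20")
    print("AP tags VID 10    ->", evaluate(tagged))    # ('opt2', 'block')
    print("AP strips the tag ->", evaluate(untagged))  # ('lan', 'pass')
```

Run as-is, the tagged frame is blocked on opt2 while the byte-for-byte identical payload arriving untagged is accepted on lan, which is exactly the pattern in Tobanja's live log: the guest rules are correct but are never consulted because the packet was not attributed to the guest interface. The equivalent check on the firewall itself is `tcpdump -eni re0 vlan 10` on the parent interface while the phone pings; if no tagged frames from the phone appear there, the AP or the switch port is stripping the tag before OPNsense sees it, and no amount of rule editing will help.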