VLANs with multiple switches not working

Started by strangerinusall, March 22, 2026, 09:15:39 PM

March 22, 2026, 09:15:39 PM Last Edit: March 22, 2026, 09:36:15 PM by strangerinusall
Hi everyone! I am attempting to make a setup with a LAN and 4 VLANs.

In the first room I have a Cisco SG250 switch (Switch A) with the following desired config:

- Port 1 - connects to another Cisco SG250 switch which is located in a closet (Switch B).
- Port 2 - a Grandstream WIFI AP connects here and should land on MGMT VLAN 10. The AP will have 2 SSIDs, one for TRUSTED VLAN 20 and one for GUEST VLAN 40.
- Port 3-7 - IOT VLAN 30 for IOT devices.

Closet switch desired config (Switch B):
- Port 1 - connects to OPNsense/Protectli on igc1 port (LAN interface)
- Port 2-6 - other non-VLAN aware devices (these land on 192.168.2.1/24 network)
- Port 7 - another Grandstream WIFI AP connects here, which is on MGMT VLAN 10. This will be the slave AP for the first one and will have the same 2 SSIDs, one for TRUSTED VLAN 20 and one for GUEST VLAN 40.
- Port 8 - Switch A connects here.

Right now, when everything is connected, I see that the AP is broadcasting the SSIDs, but if I connect I don't get an IP address (I had the SSIDs configured previously). However, most of the IOT devices don't get an IP, and I can't reach the APs either (not even from OPNsense itself).

All the devices on the LAN network work fine. When I connect manually to Switch A on an IOT port and request DHCP, I do not get an IP.

There are separate Dnsmasq DHCP assignments running for each VLAN, on a 192.168.<VLAN_ID>.1/24 subnet.

Would appreciate any tips or hints on where I am going wrong with this.

OPNsense assignments:


Switch A:


Switch B:



You're missing the PVID on the untagged switch ports.

For the wifi, what if you configure a static IP and gateway on a device? Can you access the gateway and other devices, presuming there are firewall rules allowing it?

March 22, 2026, 11:49:06 PM #2 Last Edit: Today at 12:27:24 AM by strangerinusall
Quote from: viragomann on March 22, 2026, 09:58:53 PM
You're missing the PVID on the untagged switch ports.

For the wifi, what if you configure a static IP and gateway on a device? Can you access the gateway and other devices, presuming there are firewall rules allowing it?

Thanks! So I added PVID 30 on the IOT access ports. Do I also add PVID 10 on the trunk ports where the APs connect? This didn't help with the IOT devices auto-obtaining IPs.

Regarding your other suggestion, I set a static IP within VLAN 10's range and set the gateway, but I still can't reach anything on that subnet.

Also, I don't know if that matters, but my switches are operating on layer 2 by default (I believe it's possible to make them layer 3). But I would expect OPNsense to take care of the layer 3 stuff.

Quote from: strangerinusall on March 22, 2026, 09:15:39 PM
Switch A:
https://i.ibb.co/cXK0Gvvc/SCR-20260322-pudb-2.png

Switch B:
https://i.ibb.co/996vyH4W/SCR-20260322-rooy-2.png
Administrative and Operational VLANs?! What's in a name?!

Never heard of it before...

It's really simple IMHO in general:

- Decide which Main Interface in OPNsense is going to carry the Tagged VLANS.
- Create VLAN Interfaces and Assign them to that Main Interface.
- On your Switch the Switchport you connect the OPNsense Main Interface's Port should be Tagging all the VLANs.
- The Switchports you use to connect Switch A to Switch B should be Tagging all the VLANs too.
- Any Clients should be connected to an Untagged Switchport.
- For the Accesspoint you probably need the Switchport to be Untagged and Tagged too. You then use the Untagged VLAN for Management and the Tagged VLANs for the SSIDs :)

And real CISCO switches also use the whole VLAN trunk database thing to allow/accept VLANs, but I think that does not apply here?
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
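The two replies above make the same point from different angles: an access port needs a PVID matching its untagged VLAN, and the uplinks between the switches and to OPNsense need to tag every VLAN. The script below is an added example, not code from any participant, Cisco or OPNsense; it is a small model of 802.1Q port behaviour (PVID on ingress, untagged/tagged membership on egress, ingress filtering assumed enabled as on most managed switches) built around the thread's topology. Tracing a client's untagged DHCP Discover from Switch A to igc1 shows that with PVID 30 the frame reaches OPNsense tagged 30, while with the default PVID 1 on a port that is only a member of VLAN 30 the frame is discarded at ingress, which is exactly "no IP at all". Port labels, the `igc1_vlan<N>` interface naming and the `build`/`hop` helpers are this example's own assumptions.

```python
"""Model of 802.1Q port handling (added example; not vendor or OPNsense code)."""
from dataclasses import dataclass


@dataclass
class Port:
    """One switch port: PVID classifies untagged ingress, membership sets drive egress."""
    name: str
    pvid: int = 1
    untagged: frozenset = frozenset({1})   # VLANs sent out without a tag
    tagged: frozenset = frozenset()        # VLANs sent out with an 802.1Q tag

    def members(self):
        return self.untagged | self.tagged

    def ingress(self, tag):
        """Classify an arriving frame (tag=None means untagged) into a VLAN.
        A frame classified into a VLAN the port is not a member of is
        discarded (ingress filtering, assumed enabled); returns None then."""
        vlan = self.pvid if tag is None else tag
        return vlan if vlan in self.members() else None

    def egress(self, vlan):
        """How the frame leaves: int = tagged, None = untagged, 'DROP' = not a member."""
        if vlan in self.tagged:
            return vlan
        if vlan in self.untagged:
            return None
        return "DROP"


def trunk(name, vlans, native=1):
    """Uplink port: all listed VLANs tagged, native VLAN untagged (assumed layout)."""
    return Port(name, pvid=native, untagged=frozenset({native}), tagged=frozenset(vlans))


def access(name, vlan):
    """Client port: one untagged VLAN, PVID set to match it."""
    return Port(name, pvid=vlan, untagged=frozenset({vlan}))


def ap_port(name, mgmt, ssid_vlans):
    """AP port: management untagged on mgmt VLAN, SSID VLANs tagged."""
    return Port(name, pvid=mgmt, untagged=frozenset({mgmt}), tagged=frozenset(ssid_vlans))


def hop(in_port, tag, out_port):
    """Switch one frame from in_port to out_port; returns exit tag or 'DROP'."""
    vlan = in_port.ingress(tag)
    if vlan is None:
        return "DROP"
    return out_port.egress(vlan)


ALL_VLANS = (10, 20, 30, 40)


def build(iot_pvid=30):
    """The thread's topology (assumed port labels). iot_pvid=1 reproduces the
    'forgot to set the PVID' case while leaving VLAN membership untouched."""
    iot = access("A/gi3", 30)
    iot.pvid = iot_pvid
    switch_a = {"uplink": trunk("A/gi1", ALL_VLANS),
                "ap": ap_port("A/gi2", 10, (20, 40)),
                "iot": iot}
    switch_b = {"opnsense": trunk("B/gi1", ALL_VLANS),
                "lan": access("B/gi2", 1),
                "ap": ap_port("B/gi7", 10, (20, 40)),
                "downlink": trunk("B/gi8", ALL_VLANS)}
    return switch_a, switch_b


def to_opnsense(switch_a, switch_b, a_port, tag):
    """Trace a frame entering Switch A on a_port through Switch B to igc1."""
    t = hop(switch_a[a_port], tag, switch_a["uplink"])
    if t == "DROP":
        return "DROP"
    return hop(switch_b["downlink"], t, switch_b["opnsense"])


def opnsense_interface(tag):
    """Map the tag seen on igc1 to the interface/subnet from the thread
    (LAN untagged on 192.168.2.1/24, VLANs on 192.168.<ID>.1/24; the
    igc1_vlan<N> device name is an assumption of this example)."""
    if tag == "DROP":
        return None
    if tag is None:
        return ("igc1", "192.168.2.1/24")
    return (f"igc1_vlan{tag}", f"192.168.{tag}.1/24")


if __name__ == "__main__":
    good_a, good_b = build(30)
    bad_a, bad_b = build(1)
    print("IoT, PVID 30 :", opnsense_interface(to_opnsense(good_a, good_b, "iot", None)))
    print("IoT, PVID 1  :", opnsense_interface(to_opnsense(bad_a, bad_b, "iot", None)))
    print("AP mgmt      :", opnsense_interface(to_opnsense(good_a, good_b, "ap", None)))
    print("AP SSID 20   :", opnsense_interface(to_opnsense(good_a, good_b, "ap", 20)))
    print("LAN client B :", opnsense_interface(hop(good_b["lan"], None, good_b["opnsense"])))
```

The AP case answers the PVID question for trunk-style AP ports as well: the AP's own management traffic is untagged, so that port's PVID must be the management VLAN (10) while the SSID VLANs stay tagged; a frame the AP tags with a VLAN the port is not a member of (for example 30) is dropped at ingress in the same way.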