GS1900-24 and VLAN

srebhan (Posts: 5, Freshman Member)

Hey everyone!

When configuring my VLANs I've got an issue with a VLAN aware device (WIFI access point) which cannot talk to its DHCP servers…

Setup

My switch is a GS1900-24 with the latest firmware and the following connections:

Port 1: DHCP server and jumping point for management network (not VLAN aware)

Port 22: DHCP server for WIFI clients (not VLAN aware)

Port 23: Unifi WIFI access point (VLAN aware)

My management network is in VLAN 10 while the WIFI clients should live in VLAN 99. The configuration looks as follows:

Port 1:
- PVID=10, Ingress check enabled, VLAN trunk disabled
- VLAN 10 untagged
- VLAN 99 excluded

Port 22:
- PVID=99, Ingress check enabled, VLAN trunk disabled
- VLAN 10 excluded
- VLAN 99 untagged

Port 23:
- PVID=10, Ingress check enabled, VLAN trunk disabled
- VLAN 10 untagged
- VLAN 99 tagged

Working

The access-point on Port 23 can talk to the management machine on Port 1 receiving an IP address and also exposing the management webpage so it appears VLAN 10 is working fine.

Problem

The access-point on Port 23 cannot talk to the DHCP server on Port 22 and as a consequence my WIFI clients are unable to get an IP via DHCP, so it appears VLAN 99 is not working.

With tcpdump on the WIFI access-point I can see that IP packets tagged with VLAN 99 are sent towards the switch:

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:50:15.949934 28:ee:52:0d:d1:0d (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 24: vlan 99, p 0, 802.3LLC, dsap Null (0x00) Individual, ssap Null (0x00) Response, ctrl 0xaf: Unnumbered, xid, Flags [Response], length 6: 01 00
11:50:15.991878 28:ee:52:0d:d1:0d (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 335: vlan 99, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 28:ee:52:0d:d1:0d (oui Unknown), length 289


but on the DHCP server nothing arrives.

It's probably some misconfiguration but I'm really out of ideas… Anyone got any idea on what is wrong here?

Thanks in advance!

Sven

All Replies

  • PeterUK (Posts: 4,272, Guru Member)

    Ingress check can be set to default disabled

    Most wifi devices are not VLAN aware; it's the AP that then tags them to a VLAN, by a switch if needed, then to a router VLAN, or the switch untags to the router.

    What router do you have? You likely need to setup a VLAN subnet for it.

  • srebhan (Posts: 5, Freshman Member)

    Tried both enabling and disabling the ingress check but no success.

    My router is an OPNsense machine on another port of the switch, being in all VLANs that should be routed. This works for the other VLANs configured on the same switch. However, for testing I stripped down the setup to what is shown above. The goal is to set up two separate WIFIs (by VLAN) with the AP.

    The AP is a Unifi U7 Pro and the AP correctly tags the VLAN to 99 (as shown in my tcpdump), it's just that the traffic does not arrive on port 22 of the switch. I.e. there is no packet at all on port 22…

  • PeterUK (Posts: 4,272, Guru Member)
    edited December 8

    If it's VLAN 99 you need the port the AP is on to be tagged and the port the OPNsense is on to be tagged.

    I take it you setup a VLAN 99 interface on the OPNsense with its own subnet?

  • srebhan (Posts: 5, Freshman Member)

    Sorry I think we are mixing up things. I don't have OPNsense in the test here (see my first post). I do have the AP on port 23 with PVID 10 (management net) and in VLAN 10 as untagged. VLAN 10 is for getting an IP on the AP for management (192.168.x.y/24 subnet). Additionally the AP has VLAN 99 as tagged for the WIFI VLAN.

    Then I do have a Linux machine with DHCP server (nothing else) on port 22 with PVID 99 untagged for assigning IP addresses to the WIFI clients of the AP.

    Currently there is no router in the setup, I only want WIFI clients to connect to VLAN 99, get an IP and talk to each other, no routing! And this is where things go wrong… I cannot get a DHCP request on the Linux machine (port 22) even though I see the AP sends a DHCP request with VLAN 99 tag…

  • PeterUK (Posts: 4,272, Guru Member)
    edited December 8

    You need to add a VLAN to the untag NIC for VLAN99 on Linux with its own subnet.

    Then again, what you're saying is AP to port 23 tagged for VLAN 99, then untagged on port 22 with PVID 99. I guess that should work…

    Can you run Wireshark on Linux with the filter

    port 67 or port 68 or arp

  • Zyxel_Tina (Posts: 471, Zyxel Employee)

    Hi @srebhan,

    Welcome to the Zyxel Community!

    Based on your configuration, it appears to be set up correctly. Since the issue persists even after following PeterUK's suggestion to disable Ingress Check, we recommend enabling port mirroring on the switch to capture network traffic for further analysis. This approach will help determine whether the problem originates from the switch itself or from the client-side configurations.

    Zyxel Tina

  • srebhan (Posts: 5, Freshman Member)

    Sorry everyone, the configuration above is correct and works as expected!

    Note to myself: bring up the interface on the Linux machine before expecting traffic… :facepalm:

    So the issue was between chair and keyboard…
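To see why the port table in the first post is correct (as the thread concludes), here is a small added model of 802.1Q port-based VLAN forwarding; it is not code from the thread or from Zyxel, and it assumes the usual PVID / ingress-check / untagged-egress semantics, simplified to broadcast flooding with no MAC learning. It shows the AP's VLAN 99 DHCP discover leaving port 22 untagged (so the Linux NIC sees plain, untagged frames), and why ingress check on a port that is not a member of a VLAN stops tagged frames from entering that VLAN.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Port:
    """One switch port: PVID, ingress check and per-VLAN untagged/tagged membership."""
    pvid: int
    ingress_check: bool = True
    untagged: Set[int] = field(default_factory=set)
    tagged: Set[int] = field(default_factory=set)

    def member(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged

def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """Classify an incoming frame (vid=None means untagged on the wire) to a VLAN;
    return None if ingress filtering drops it."""
    vid = port.pvid if vid is None else vid        # untagged frames take the PVID
    if port.ingress_check and not port.member(vid):
        return None                                # not a member of that VLAN: dropped
    return vid

def forward(switch: Dict[int, Port], src_port: int, vid: Optional[int] = None) -> Dict[int, Optional[int]]:
    """Flood a broadcast frame entering src_port; map each egress port to the
    802.1Q tag it carries on the wire (None = sent untagged)."""
    vlan = ingress(switch[src_port], vid)
    if vlan is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for pnum, port in switch.items():
        if pnum == src_port:
            continue
        if vlan in port.tagged:
            out[pnum] = vlan      # leaves with the tag intact
        elif vlan in port.untagged:
            out[pnum] = None      # tag stripped on egress
    return out

# Port table constructed from the first post (ingress check enabled everywhere).
SWITCH = {
    1: Port(pvid=10, untagged={10}),
    22: Port(pvid=99, untagged={99}),
    23: Port(pvid=10, untagged={10}, tagged={99}),
}

if __name__ == "__main__":
    print(forward(SWITCH, 23, 99))    # AP's tagged DHCP discover -> {22: None}
    print(forward(SWITCH, 23))        # untagged from AP takes PVID 10 -> {1: None}
    print(forward(SWITCH, 1, 99))     # tag injected on a non-member port -> {}
```

The model also shows the reverse path: the untagged DHCP offer from the Linux host on port 22 takes PVID 99 and leaves port 23 tagged 99, which is what the AP expects.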