FLEX100 + GS1200-5HP v2 and VLAN

jtk
jtk Posts: 10  Freshman Member
First Comment Friend Collector
edited December 9 in USG FLEX H Series

hi,

I have a Flex 100 firewall. On one port, there is a trunk, including VLAN55, going to a GS1200-5HP v2 switch. The switch has two relevant ports for this question: one of them is in trunk mode, where the trunk includes VLAN 55, connected to an NWA1123-AP. The other port is untagged, and set for VLAN55.

Now: traffic flows nicely to the untagged port, and also the client for the AP in VLAN55 works nicely. The problem is that I cannot get the wired client in the untagged switch port to see the wireless client in the same VLAN.

Here is a diagram:

    FLEX100
      ||
    GS1200-5HP v2 --- Wired client
      ||
      ===NWA1123 AP --- Wireless client

where == (and ||) is trunk mode, and --- is untagged.

Any ideas?


All Replies

  • Xydocq
    Xydocq Posts: 22  Freshman Member
    First Comment First Answer Friend Collector

    Hello @jtk

    Is your wireless client a windows laptop?

    If so, you have to allow Network Discovery on the laptop and also make sure the Function Discovery Resource Publication service is running.

    I have a similar setup to yours, just with a GS1915 and an NWA130BE.

  • jtk
    jtk Posts: 10  Freshman Member

    No, it is not. The wireless clients are smart home appliances, such as lightbulbs and power switches. They connect to the cloud nicely, but the controller in the LAN does not see them. And I checked that it is not about OS, as I was able to ping a lightbulb from a different VLAN (with security policy allowing that in place).

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 9

    Does the wired client get an IP by DHCP?

    From what I can tell, you have a VLAN tag for AP to FLEX by the switch, meaning the wired device, being untagged, can't get to the FLEX for an IP?

  • jtk
    jtk Posts: 10  Freshman Member

    Yes, the wired client gets an IP by DHCP, from the correct VLAN, and can connect to the internet, and I can ssh to it from another VLAN. The switch adds the tag for VLAN55 to packets incoming from the wired client.

  • Xydocq
    Xydocq Posts: 22  Freshman Member
    edited December 10

    You could try to switch the port settings for the connection between switch and AP.

    I assume currently you have PVID 1 on that port with tag 55 added to it; the same goes for the AP.

    You could set PVID to 55 and add tag 1 to the ports, starting with the AP. So all traffic on VLAN 55 becomes untagged.

    A word of warning: changing the PVID will disconnect a device until the other end has the same setting. PVID 1 is the "native" VLAN-ID and is also used as default VLAN on such ports.

  • PeterUK
    PeterUK Posts: 3,459  Guru Member

    How about a ping from the wireless client to the wired client, with ICMP inbound allowed? Does that work?

  • jtk
    jtk Posts: 10  Freshman Member

    hi,

    indeed, the port settings for the AP port in the switch are

    PVID 1

    VLAN ID 1 "Untag Egress member"

    VLAN ID 22 "Tag Egress member"

    VLAN ID 55 "Tag Egress member"

    and a couple of other VLANs. The FLEX gives the AP its address on VLAN22, and VLAN1 is nonexistent in the network (there is no such VLAN in the FLEX).

    The port with the wired client has

    PVID 55

    VLAN ID 55 "Untag Egress member"

    and nothing else.
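To check whether the switch side of this configuration can be the cause, here is a small model of 802.1Q ingress classification and egress tagging, applied to the two port configurations quoted in the reply above. This is an added example written for this thread, not Zyxel code; the configuration of the uplink port to the FLEX is not given in the thread and is assumed here to match the AP port (PVID 1, VLAN 1 untagged, VLANs 22 and 55 tagged). Flooding an untagged frame from the wired port (an ARP request, for instance) shows it leaving the AP port tagged 55, and a frame tagged 55 from the AP port leaving the wired port untagged, so by these rules the switch itself puts both clients in the same VLAN 55 broadcast domain. The model also shows what happens to a frame that arrives untagged on the AP port: it lands in VLAN 1, which the thread says does not exist on the FLEX, which is the situation the PVID warning in the earlier reply is about.

```python
"""Model of 802.1Q port handling on a small managed switch.

Added example for the thread above, not vendor code. Port settings for
"ap" and "wired" are the ones quoted in the thread; "uplink" is assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                     # VLAN given to frames that arrive untagged
    untagged: FrozenSet[int]      # VLANs this port is an "Untag Egress member" of
    tagged: FrozenSet[int]        # VLANs this port is a "Tag Egress member" of

    @property
    def members(self) -> FrozenSet[int]:
        return self.untagged | self.tagged


def ingress_vlan(port: Port, wire_vlan: Optional[int]) -> Optional[int]:
    """Classify an arriving frame. wire_vlan=None means no 802.1Q tag on the wire.

    Untagged frames take the port PVID; tagged frames are accepted only if the
    port is a member of that VLAN, otherwise the frame is dropped (None).
    """
    if wire_vlan is None:
        return port.pvid
    return wire_vlan if wire_vlan in port.members else None


def egress_mode(port: Port, vlan: int) -> Optional[str]:
    """How a frame in `vlan` leaves `port`: 'untagged', 'tagged', or None (not sent)."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def flood(switch: Dict[str, Port], in_port: str,
          wire_vlan: Optional[int]) -> Dict[str, str]:
    """Flood a broadcast (e.g. an ARP who-has) arriving on `in_port`.

    Returns {port_name: egress mode} for every other port that forwards it.
    """
    vlan = ingress_vlan(switch[in_port], wire_vlan)
    if vlan is None:
        return {}
    out: Dict[str, str] = {}
    for name, port in switch.items():
        if name == in_port:
            continue
        mode = egress_mode(port, vlan)
        if mode is not None:
            out[name] = mode
    return out


def shared_vlans(switch: Dict[str, Port], a: str, b: str) -> FrozenSet[int]:
    """VLANs in which two ports can exchange frames at all."""
    return switch[a].members & switch[b].members


# Constructed switch table. Only "ap" and "wired" are taken from the thread.
SWITCH: Dict[str, Port] = {
    # Port to the FLEX 100 (ASSUMED to mirror the AP port; not stated in the thread).
    "uplink": Port("uplink", pvid=1, untagged=frozenset({1}), tagged=frozenset({22, 55})),
    # AP port as quoted: PVID 1, VLAN 1 untagged, VLAN 22 and 55 tagged.
    "ap": Port("ap", pvid=1, untagged=frozenset({1}), tagged=frozenset({22, 55})),
    # Wired-client port as quoted: PVID 55, VLAN 55 untagged, nothing else.
    "wired": Port("wired", pvid=55, untagged=frozenset({55}), tagged=frozenset()),
}


if __name__ == "__main__":
    print("wired -> (untagged) :", flood(SWITCH, "wired", None))   # lands in VLAN 55
    print("ap    -> (tag 55)   :", flood(SWITCH, "ap", 55))        # reaches wired untagged
    print("ap    -> (untagged) :", flood(SWITCH, "ap", None))      # VLAN 1: wired never sees it
    print("ap    -> (tag 99)   :", flood(SWITCH, "ap", 99))        # not a member: dropped
    print("VLANs shared by wired and ap:", set(shared_vlans(SWITCH, "wired", "ap")))
```

Because the model forwards VLAN 55 in both directions between these two ports, a "Destination Host Unreachable" on ping (which means ARP never resolved) points past the switch to how the AP places the wireless client into VLAN 55, which is what the later replies in the thread go on to ask about.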

  • jtk
    jtk Posts: 10  Freshman Member

    I hadn't tried, but I tried now. As expected: "Destination Host Unreachable".

  • Xydocq
    Xydocq Posts: 22  Freshman Member

    How many WLANs do you run? Is there a dedicated WLAN with VLAN-ID 55?

  • jtk
    jtk Posts: 10  Freshman Member

    Yes, I have. I have five different SSIDs for different purposes (guest, two for active use, one for a specific legacy device, and this fifth one for building service technology, which connects to VLAN55).