VLAN Not Working on GS1900-24 between NWA130BE and Flex 200
tl;dr
I'm trying to set up a guest WiFi network that has zero access to the FLEX 200's normal LAN.
When I connect the NWA130BE's LAN1 port directly to port P5 on the FLEX 200, the guest network works.
When I connect the NWA130BE's LAN1 port to port 24 on the GS1900-24 switch (which is connected to port P4 on the FLEX 200), I can't get the guest network to work.
I've tried ZyXEL's suggestions & many web posts, clearly I'm missing something…
Quick diagram:
NWA130BE Guest Setup:
Network > VLAN: Added
Name: vlan123
VID = 123
Member of lan1 (lan1(T))
SSID Profile:
SSID: different than main SSID
VLAN ID: 123
Enable Intra-BSS Traffic blocking
FLEX 200 Setup:
VLAN:
Interface Type: Internal
Not working config:
Zone: LAN1
Base Port: lan1
Working config:
Zone: LAN2
Base Port: lan2
IP Address: 10.0.1.1, Subnet Mask: 255.255.255.0
DHCP: DHCP Server
IP Pool Start Address: 10.0.1.100, Pool Size:100
Policy Control for working config required 2 new rules:
LAN2-ZyWALL LAN2 ZyWALL any any any any any none allow no
LANZ-Any_Except_ZyWALL LAN2 any (Excluding ZyWALL) any any any any any none allow no
(I'll add rules to block LAN1 <> LAN2 traffic.)
GS1900-24 Setup:
Configuration: VLAN: VLAN: Added:
Name: vlan123
VLAN ID: 123
Configuration: VLAN: VLAN Port:
VLAN ID 1: all Untagged except 24 which is Forbidden
VLAN ID 123: all Forbidden except 24 which is Tagged
Configuration: VLAN: Port: 24:
PVID: 123
Accepted Type: Tag Only
Ingress Filtering: Disable
VLAN Trunk: Enable (I also tried Disable, also did not work).
All Replies
Hi @CyborgSam,
There are some misconfigurations. Please reference the below suggestion to configure:
- (Firewall) Please create a VLAN 123 interface under LAN 1.
- (Switch) Please let port 1 also be a VLAN 123 member (tagged).
- (Switch) Port 24 doesn't need to change the PVID. You can leave it as VLAN 1.
- (AP) LAN 1 doesn't need to set a VLAN if your guest only connects to your network via Wi-Fi.
Hope it helps.
Zyxel Melen
Melen, thanks for your help.
My iPad now connects to the guest network, but DHCP isn't working (I get a self-assigned IP). Guests only connect to WiFi, not Ethernet.
Here's what I did in my words:
- (Firewall) Configuration: Network: Interface: VLAN: I created a Virtual Interface for VLAN 123 (vlan123:1) and assigned the static address 10.0.1.2.
- (Switch) Configuration: VLAN: VLAN Port: for VLAN 123 I changed port 1 to Tagged.
- (Switch) Configuration: VLAN: Port: 24: I changed the VLAN to 1.
- (AP) Network > VLAN: I removed VLAN 123.
What are the next steps?
TIA,
Sam
Hi @CyborgSam,
Sorry, I forgot the AP uplink connects to the GS1900 port 20. Could you help configure port 20 as a VLAN 123 member (tagged)?
If the issue remains, please help collect the configuration file from these devices and share it with me via private message. I will help check the whole configuration.
Zyxel Melen
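The switch-side membership changes discussed in this thread, as an added example that is not part of any post and is not Zyxel code: a simplified 802.1Q model that reports why frames tagged 123 cannot cross the GS1900-24, and which extra ports still carry the guest VLAN. Port 1 as the uplink toward the FLEX 200 is an assumption taken from the reply's suggestion, the AP port is a parameter because the thread mentions both port 24 and port 20, and the three configurations are constructed from the settings quoted above.

```python
# Added example: a simplified 802.1Q membership model, not Zyxel firmware or CLI.
FORBIDDEN, UNTAGGED, TAGGED = "forbidden", "untagged", "tagged"
NUM_PORTS = 24
UPLINK = 1  # assumption: switch port facing the FLEX 200 (inferred from the reply)


def vlan_row(default, overrides):
    """Per-port membership for one VLAN: a default mode plus overrides."""
    row = {port: default for port in range(1, NUM_PORTS + 1)}
    row.update(overrides)
    return row


def trunk_problems(vlans, vid, ap_port, uplink_port=UPLINK):
    """Reasons frames tagged `vid` cannot cross from the AP port to the uplink."""
    row = vlans.get(vid)
    if row is None:
        return [f"VLAN {vid} does not exist on the switch"]
    problems = []
    for role, port in (("AP", ap_port), ("uplink", uplink_port)):
        if row[port] == FORBIDDEN:
            problems.append(f"port {port} ({role}) is forbidden in VLAN {vid}")
        elif row[port] == UNTAGGED:
            problems.append(f"port {port} ({role}) strips the VLAN {vid} tag on egress")
    return problems


def unexpected_members(vlans, vid, expected_ports):
    """Ports that carry `vid` but are not part of the intended guest path."""
    return sorted(port for port, mode in vlans[vid].items()
                  if mode != FORBIDDEN and port not in expected_ports)


# Constructed from the VLAN 123 settings quoted in the thread.
ORIGINAL = {123: vlan_row(FORBIDDEN, {24: TAGGED})}
AFTER_FIRST_REPLY = {123: vlan_row(FORBIDDEN, {1: TAGGED, 24: TAGGED})}
AFTER_SECOND_REPLY = {123: vlan_row(FORBIDDEN, {1: TAGGED, 20: TAGGED, 24: TAGGED})}

if __name__ == "__main__":
    for name, cfg, ap in (("original", ORIGINAL, 24),
                          ("after first reply", AFTER_FIRST_REPLY, 20),
                          ("after second reply", AFTER_SECOND_REPLY, 20)):
        print(name, trunk_problems(cfg, 123, ap),
              unexpected_members(cfg, 123, {UPLINK, ap}))
```

A non-empty result from `unexpected_members` marks ports where guest traffic is reachable outside the AP-to-firewall path, which is worth closing when the goal is a guest network with no access to the normal LAN.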