Need Help Setting Up Multiple VLANs - GS1920
Hi all,
I am requesting help from the community to set up multiple VLANs in my house. I have various APs each with multiple SSIDs tied to a specific VLAN ID.
As a test, when I enable the VLAN ID 99 on the Router, I am unable to get DHCP when connecting to the SSID.
My goal is to segment the VLAN (9,11,12,99) based on the SSID. VLAN 1 is the default for hardwired devices.
Appreciate your help and time in advance - Thanks!
Setup:
FIOS → Fortigate 60F → Firewalla (Transparent Bridge) → GS1920 → Various AP, Switches, End Devices
| Endpoint | PORT | PVID | Trunk | VLAN 1 | VLAN 9 | VLAN 11 | VLAN 12 | VLAN 99 |
|---|---|---|---|---|---|---|---|---|
| AP (Multiple SSIDs) | 1 | 1 | Y | Fixed, No tag | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged |
| AP (Multiple SSIDs) | 2 | 1 | Y | Fixed, No tag | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged |
| AP (Multiple SSIDs) | 3 | 1 | Y | Fixed, No tag | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged |
| Ethernet Hub | 4 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| AP (Multiple SSIDs) | 5 | 1 | Y | Fixed, No tag | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged |
| Unused | 6 | 1 | | Fixed, No tag | Normal, No Tag | Normal, No Tag | Normal, No Tag | Normal, No Tag |
| Ethernet Hub to Devices | 7 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Ethernet Hub to Devices | 8 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 9 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 10 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 11 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 12 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 13 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 14 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 15 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 16 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 17 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 18 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 19 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 20 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 21 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Device | 22 | 1 | | Fixed, No tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag | Forbidden, No Tag |
| Router (SSIDs configured with VLAN 9,11,12,99) | 23 | 1 | Y | Fixed, No tag | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged | Fixed, Tagged |
| Unused | 24 | 1 | | Fixed, No tag | Normal, No Tag | Normal, No Tag | Normal, No Tag | Normal, No Tag |
| Ethernet Hub connected to AP(Multiple SSIDs) and Devices | 25 | 1 | Y | Fixed, No tag | Fixed, No tag | Fixed, No tag | Fixed, No tag | Fixed, No tag |
| Unused | 26 | 1 | | Fixed, No tag | Fixed, No tag | Fixed, No tag | Fixed, No tag | Fixed, No tag |
| Unused | 27 | 1 | | Fixed, No tag | Normal, No Tag | Normal, No Tag | Normal, No Tag | Normal, No Tag |
| Unused | 28 | 1 | | Fixed, No tag | Normal, No Tag | Normal, No Tag | Normal, No Tag | Normal, No Tag |
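
An added example, not part of the original post or of any Zyxel tooling: a small audit of the port table above that reports ports whose VLAN membership weakens the intended per-SSID segmentation. The `audit` function and its finding codes are hypothetical names, and "Normal" is assumed to mean dynamic (GVRP) registration.

```python
VLANS = (1, 9, 11, 12, 99)

def row(pvid, vlan1, others):
    """Build one port row: VLAN 1 setting plus one shared setting for 9/11/12/99."""
    return pvid, {1: vlan1, **{v: others for v in VLANS[1:]}}

# Rows transcribed from the table in the post: (registration, egress tagging).
TRUNK  = row(1, ("fixed", "untag"), ("fixed", "tag"))        # ports 1,2,3,5,23
ACCESS = row(1, ("fixed", "untag"), ("forbidden", "untag"))  # hubs and devices
OPEN   = row(1, ("fixed", "untag"), ("normal", "untag"))     # ports 6,24,27,28
FLAT   = row(1, ("fixed", "untag"), ("fixed", "untag"))      # ports 25,26

PORTS = {p: ACCESS for p in range(1, 29)}
PORTS.update({p: TRUNK for p in (1, 2, 3, 5, 23)})
PORTS.update({p: OPEN for p in (6, 24, 27, 28)})
PORTS.update({p: FLAT for p in (25, 26)})

def audit(ports):
    """Return {port: [finding codes]} for ports whose membership weakens segmentation."""
    findings = {}
    for port, (pvid, members) in sorted(ports.items()):
        fixed = {v: tag for v, (reg, tag) in members.items() if reg == "fixed"}
        untagged = sorted(v for v, tag in fixed.items() if tag == "untag")
        codes = []
        # More than one VLAN leaving untagged: the far end cannot tell them apart,
        # and its untagged replies are all classified into the PVID.
        if len(untagged) > 1:
            codes.append("multi-untagged:" + ",".join(map(str, untagged)))
        # Untagged ingress lands in the PVID, so the port must be a member of it.
        if pvid not in fixed:
            codes.append(f"pvid-not-member:{pvid}")
        # "Normal" lets the port join the VLAN dynamically (GVRP) instead of
        # being excluded the way "Forbidden" does.
        dynamic = sorted(v for v, (reg, _) in members.items() if reg == "normal")
        if dynamic:
            codes.append("dynamic-join:" + ",".join(map(str, dynamic)))
        if codes:
            findings[port] = codes
    return findings

if __name__ == "__main__":
    for port, codes in audit(PORTS).items():
        print(f"port {port}: {'; '.join(codes)}")
```

On this table the tagged trunk ports (1, 2, 3, 5, 23) and the Forbidden access ports produce no findings; ports 25 and 26 are reported for sending all five VLANs untagged, and the four unused "Normal" ports for allowing dynamic membership.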
All Replies
-
What AP do you have?
Firewalla would need to have the VLANs set up for Transparent Bridge, along with the VLANs on Fortigate per subnet.
You should test without the Firewalla to rule out problems.
So really it's just a case of: make a VLAN, set fixed port both from Fortigate and to AP, both as tag.
I'm not sure about Firewalla Transparent Bridge support vs how the Zyxel bridge is. I do have one of those Firewallas, but back when I tried it its bridge support was not that good.
On a Zyxel bridge with a WAN side and LAN side you can't have, say, VLAN99 go through it from what I can tell, so you have to do something like VLAN98 on the WAN side and VLAN99 on the LAN side, then bridge them. Not sure if Firewalla is the same or if it can pass VLAN through from the WAN to the LAN side as VLAN99.
0 -
Thanks for the feedback.
I have Fortinet APs along with Fortigate Router. They seem to work nice together :)
The Firewalla is in Transparent bridge mode and is a VLAN aware device. It is able to see traffic on VLAN1. I have only configured VLAN 99 interface on it (as a test) and it has NOT yet picked up any devices. I suspect there is a misconfiguration in my VLAN setup.
My goal is to have VLAN99 (along with 1,9,11,12) accessible from any APs on ports 1,2,3,5,25. As the unit sits between the router and the GS1920, it should be able to pick up any VLAN and devices on the network.
0 -
You seem to have lost me: you say "I have Fortinet APs along with Fortigate Router. They seem to work nice together :)" then you have added Firewalla and a GS1920 switch, but you seem not to be testing without Firewalla.
0 -
Hi @phugo,
Based on the configuration you shared, the VLAN settings on the GS1920 appear to be correct.
To assist you more accurately, could you please confirm whether the DHCP server for VLAN 99 is running on your FortiGate 60F?
If yes, recommend performing the following test:
- Temporarily bypass the Firewalla device.
- Reconnect to the SSID mapped to VLAN 99 and verify whether the client can successfully obtain a DHCP IP address.
- Please also ensure that the FortiGate 60F interface is passing VLAN 99 as tagged on the uplink toward the switch.
If the issue still persists even after removing Firewalla, it is necessary to further verify the FortiGate configuration as well.
Additionally, to help us double-check the GS1920 settings, could you please provide the Tech Support Info file from the switch?
Thank you for your cooperation! Kindly share the test results, and we’ll be happy to assist further.
Zyxel Tina
0 -
Hello,
I did additional testing as suggested.
1. I unplugged Firewalla from network. Physical networking disconnected and powered off.
2. For SSID mapped to VLAN99, I found that if I do not pass the VLAN ID from the router, everything works fine (devices connect, IP received, can reach Internet). As soon as I pass the VLAN ID, that is when no DHCP is served and all connectivity in that VLAN breaks down.
3. I suspect the reason is due to SSID configuration on the Fortinet AP. Fortinet AP allows SSID to be configured in either Tunnel or Bridge Mode (see attached picture). As of now, I have all my SSIDs configured in Tunneled mode and all works fine as long as I do not pass the VLAN ID for each.
4. Tech support file attached. Redacted identifying info.
5. GS1920 probably does not know how to handle Tunneled SSID traffic?
Setup
FIOS → Fortigate 60F → GS1920 → Various AP, Switches, End Devices
0 -
What are the AP make and model?
Does the Fortigate 60F have VLAN interface setup per given VLAN for a given subnet?
0 -
I have several Fortinet APs. For this scenario, I have configured the VLAN 99 along with its SSID to only operate on FAP-221E. FAP-221E is directly connected to Port 2 on GS1920.
I have other models including 224E, 234F, U231F and U431F.
I have attached snippets of the router interface settings. On the second picture, I show the configuration where I set the VLAN 99.
I also noticed a Broadcast Suppression box, where suppression of DHCP uplink is currently enabled. I wonder if this has to do with it (this was the default setting).
0 -
So after my last post, I did a few more tests.
1) I disabled Broadcast Suppression with VLAN ID 99 set on the interface. End device does not receive DHCP.
2) I disabled Broadcast Suppression with VLAN ID 99 set on the interface. I set a static IP on the device. Connectivity works.
3) I re-enabled Broadcast Suppression with VLAN ID 99 set on the interface. I set a static IP on the device. Connectivity works.
This would rule out the broadcast suppression.
0 -
Never seen a Fortigate UI; it seems odd how they lay it out. I don't seem to see the VLAN option for the given interface as a VLAN. Maybe show how you add a VLAN interface and its options?
0 -
All, thank you for your input on my issue. The issue was with the FortiAP configuration.
I reconfigured the WiFi Traffic as a bridge and the VLANs appear to be working properly. I'll let it run for a few days and retry the Firewalla.
@PeterUK - Appreciate your suggestion on the VLAN interface setup. It prompted me to look closer in this area.
0