GS1900-24 and VLAN
Hey everyone!
When configuring my VLANs I've got an issue with a VLAN aware device (WIFI access point) which cannot talk to its DHCP servers…
Setup
My switch is a GS1900-24 with the latest firmware and the following connections
Port 1: DHCP server and jumping point for management network (not VLAN aware)
Port 22: DHCP server for WIFI clients (not VLAN aware)
Port 23: Unifi WIFI access point (VLAN aware)
My management network is in VLAN 10 while the WIFI clients should live in VLAN 99. The configuration looks as follows
Port 1:
- PVID=10, Ingress check enabled, VLAN trunk disabled
- VLAN 10 untagged
- VLAN 99 excluded
Port 22:
- PVID=99, Ingress check enabled, VLAN trunk disabled
- VLAN 10 excluded
- VLAN 99 untagged
Port 23:
- PVID=10, Ingress check enabled, VLAN trunk disabled
- VLAN 10 untagged
- VLAN 99 tagged
Working
The access-point on Port 23 can talk to the management machine on Port 1 receiving an IP address and also exposing the management webpage so it appears VLAN 10 is working fine.
Problem
The access-point on Port 23 cannot talk to the DHCP server on Port 22 and as a consequence my WIFI clients are unable to get an IP via DHCP, so it appears VLAN 99 is not working.
With tcpdump on the WIFI access-point I can see IP packets tagged with VLAN 99 are sent towards the switch
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:50:15.949934 28:ee:52:0d:d1:0d (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 24: vlan 99, p 0, 802.3LLC, dsap Null (0x00) Individual, ssap Null (0x00) Response, ctrl 0xaf: Unnumbered, xid, Flags [Response], length 6: 01 00
11:50:15.991878 28:ee:52:0d:d1:0d (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 335: vlan 99, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 28:ee:52:0d:d1:0d (oui Unknown), length 289
but on the DHCP server nothing arrives.
It's probably some misconfiguration but I'm really out-of-ideas… Anyone got any idea on what is wrong here?
Thanks in advance!
Sven
All Replies
Ingress check can be set to default disabled
Most WIFI devices are not VLAN aware; it's the AP that then tags them to a VLAN, by a switch if needed, then to a router VLAN, or the switch untags to the router.
What router do you have? You likely need to set up a VLAN subnet for it.
Tried both enabling and disabling the ingress check but no success.
My router is an OPNsense machine on another port of the switch, in all VLANs that should be routed. This works for the other VLANs configured on the same switch. However, for testing I stripped down the setup to what is shown above. The goal is to set up two separated WIFIs (by VLAN) with the AP.
The AP is a Unifi U7 Pro and the AP correctly tags the VLAN to 99 (as shown in my tcpdump), it's just that the traffic does not arrive on port 22 of the switch. I.e. there is no packet at all on port 22…
If it's VLAN 99, you need the port the AP is on to be tagged and the port the OPNsense is on to be tagged.
I take it you set up a VLAN 99 interface on the OPNsense with its own subnet?
Sorry I think we are mixing up things. I don't have OPNsense in the test here (see my first post). I do have the AP on port 23 with PVID 10 (management net) and in VLAN 10 as untagged. VLAN 10 is for getting an IP on the AP for management (192.168.x.y/24 subnet). Additionally the AP has VLAN 99 as tagged for the WIFI VLAN.
Then I do have a Linux machine with DHCP server (nothing else) on port 22 with PVID 99 untagged for assigning IP addresses to the WIFI clients of the AP.
Currently there is no router in the setup, I only want WIFI clients to connect to VLAN 99, get an IP and talk to each other, no routing! And this is where things go wrong… I cannot get a DHCP request on the Linux machine (port 22) even though I see the AP sends a DHCP request with VLAN 99 tag…
You need to add a VLAN to the untag NIC for VLAN99 on Linux with its own subnet.
Then again, what you're saying is AP to port 23 tagged for VLAN 99, then untagged on port 22 with PVID 99. I guess that should work…
Can you run Wireshark on Linux with the filter
port 67 or port 68 or arp
Hi @srebhan,
Welcome to the Zyxel Community!
Based on your configuration, it appears to be set up correctly. Since the issue persists even after following PeterUK's suggestion to disable Ingress Check, we recommend enabling port mirroring on the switch to capture network traffic for further analysis. This approach will help determine whether the problem originates from the switch itself or from the client-side configurations.
Zyxel Tina
Sorry everyone, the configuration above is correct and works as expected!
Note to myself: bring up the interface on the Linux machine before expecting traffic… :facepalm:
So the issue was between chair and keyboard…
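The whole thread boils down to two checks on the Linux DHCP host behind port 22 (PVID 99, untagged): is the NIC actually up, and does the DHCP request arrive, now without a VLAN tag because the switch strips it on an untagged member port. The script below is an added example, not code from the thread or from Zyxel; the interface name eth0 and the `ip -o link` / `tcpdump -e` sample lines are constructed for illustration, and the capture filter is the one suggested in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Zyxel): sanity checks on the
# Linux DHCP host that sits on switch port 22 (PVID 99, untagged).
# Interface name "eth0" and the sample lines below are constructed.

# Print UP or DOWN for one line of `ip -o link show dev <iface>` output.
# An interface that was never brought up sits in "state DOWN" and delivers
# no frame at all to tcpdump or to the DHCP daemon (the thread's actual cause).
link_state() {
    case "$1" in
        *" state UP "*)   echo UP ;;
        *" state DOWN "*) echo DOWN ;;
        *)                echo UNKNOWN ;;
    esac
}

# Extract the 802.1Q VLAN id from a `tcpdump -e` line, or print "untagged".
# On the AP side (port 23, VLAN 99 tagged) the request carries "vlan 99";
# on a host behind an untagged PVID 99 port the switch has removed the tag,
# so the same request must show up with no "vlan" field and no subinterface.
frame_vlan() {
    id=$(printf '%s\n' "$1" | sed -n 's/.* vlan \([0-9][0-9]*\),.*/\1/p')
    if [ -n "$id" ]; then echo "$id"; else echo untagged; fi
}

# Return 0 when a `tcpdump -e` line is a DHCP exchange (client 68 <-> server 67).
is_dhcp() {
    case "$1" in
        *BOOTP/DHCP*) return 0 ;;
        *) return 1 ;;
    esac
}

# Capture filter from the thread; tcpdump and Wireshark share this BPF syntax.
DHCP_FILTER='port 67 or port 68 or arp'

# Constructed samples (not real captures): the link line before and after
# `ip link set eth0 up`, and the DHCP request as seen on the AP (tagged)
# and as it must look on the host NIC (tag stripped, 4 bytes shorter).
LINK_DOWN='2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000'
LINK_UP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
FRAME_AP='11:50:15.991878 28:ee:52:0d:d1:0d > Broadcast, ethertype 802.1Q (0x8100), length 335: vlan 99, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 28:ee:52:0d:d1:0d, length 289'
FRAME_HOST='11:50:15.991902 28:ee:52:0d:d1:0d > Broadcast, ethertype IPv4 (0x0800), length 331: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 28:ee:52:0d:d1:0d, length 289'

main() {
    echo "link before:  $(link_state "$LINK_DOWN")"
    echo "link after:   $(link_state "$LINK_UP")"
    echo "AP side:      vlan=$(frame_vlan "$FRAME_AP")"
    echo "host side:    vlan=$(frame_vlan "$FRAME_HOST")"
    echo "on the host:  ip link set eth0 up && tcpdump -e -n -i eth0 '$DHCP_FILTER'"
}
main
```

Run the real checks with `ip -o link show dev eth0 | { read -r l; link_state "$l"; }` and `tcpdump -e -n -i eth0 'port 67 or port 68 or arp'`; the `-e` flag is what makes tcpdump print the 802.1Q header, so the tag (or its absence) is visible on either side of the switch.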