[SOLVED] Guest VLAN Network Help


Jeff

New Around Here
Hi, I'm hoping someone can help me figure out what I'm doing wrong in regards to my VLAN. I have a network with 1 wireless access point (Linksys LAPAC1200), 1 managed D-Link DES-1228 switch, and 1 pfSense box as my router. What I'm trying to do is create a VLAN for guests having their own separate SSID with a printer on the VLAN for them to use. The pfSense box has 2 ports: 1 for WAN and 1 for LAN.

On the pfSense box I have created a VLAN under the interfaces called guest wireless and set the VLAN tag to 2, and it is assigned the LAN interface. I created a new interface called GuestVLAN and enabled it. I enabled DHCP on that GuestVLAN and assigned it the 192.168.1.1 IP address. I set the DHCP server to hand out 192.168.1.100-200. I also have the DHCP server enabled on the LAN port handing out 172.20.3.100-200 for my non-VLAN network. I have an Outbound NAT rule that NATs 192.168.1.0/24 network traffic to my 172.20.3.0/24 network. That allows me to get internet on the devices on my VLAN. In the firewall settings I had to create rules on the GuestVLAN to allow things like port 53 for DNS, port 80 for HTTP, etc. Once I did that, internet worked on devices on the GuestVLAN.

Next, on the D-Link switch there is a VLAN called default with a VID of 1. All ports are set to untagged. I created a VLAN called GuestVLAN and set its VID to 2. I then set port 1 (the port that goes to my wireless access point) and port 25 (the port that goes to the LAN port on my pfSense box) to tagged in the GuestVLAN on the switch. So port 1 and port 25 on the switch are both in the default VID 1 set as untagged and in the GuestVLAN VID 2 set as tagged. All other ports are in the default VID 1 untagged.

Finally, I created two SSIDs on the access point, one called Guest and one called Home. The one called Home is assigned VLAN ID 1 and the one called Guest is assigned VLAN ID 2. VLAN is enabled, untagged VLAN is enabled, and the untagged VLAN is assigned ID 1. Isolation between the SSIDs is enabled, but isolation between the devices on a single SSID is not enabled.

So I can join my Guest network and I get a 192.168.1.0/24 IP address. I can get online and everything works, but I can not connect to the wireless printer, which is also joined to the Guest network and has a 192.168.1.0/24 IP address. Now, I can also connect to the Home network and get a 172.20.3.0/24 IP address, and I can connect and print to a different wireless printer that is connected to the Home network and gets a 172.20.3.0/24 IP address.

So why can't I see other computers or printers when I'm on the Guest network but can on the Home network? I'm guessing it has something to do with the fact that the Guest network devices get tagged? But I'm not sure how I would go about creating a separate VLAN network if I don't tag them. Any help is greatly appreciated.

Thanks
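An added example, not part of the original post: the wiring described above modeled in Python, checking that both ends of each trunk link agree on tagging and that two guest clients share one subnet. Using port 2 as a stand-in for every other switch port, mapping the untagged pfSense LAN to VID 1, and the two client addresses are assumptions.

```python
import ipaddress

# Constructed model of the first post: each port maps VLAN ID -> tagging mode.
SWITCH = {
    1: {1: "untagged", 2: "tagged"},   # uplink to the LAPAC1200 access point
    25: {1: "untagged", 2: "tagged"},  # uplink to the pfSense LAN port
    2: {1: "untagged"},                # representative of every other port
}
AP_UPLINK = {1: "untagged", 2: "tagged"}    # Home SSID = VLAN 1, Guest SSID = VLAN 2
PFSENSE_LAN = {1: "untagged", 2: "tagged"}  # assumption: untagged LAN maps to VID 1
HOME = ipaddress.ip_network("172.20.3.0/24")
GUEST = ipaddress.ip_network("192.168.1.0/24")


def link_mismatches(end_a, end_b):
    """Return VLAN IDs whose tagging differs between the two ends of a link."""
    return sorted(v for v in set(end_a) | set(end_b) if end_a.get(v) != end_b.get(v))


def ports_carrying(switch, vid):
    """Return the switch ports that are members of the given VLAN."""
    return sorted(port for port, vlans in switch.items() if vid in vlans)


def stays_on_segment(network, *hosts):
    """True when all hosts sit in one subnet, so traffic is bridged, not routed."""
    return all(ipaddress.ip_address(h) in network for h in hosts)


def audit(switch, laptop, printer):
    """Collect the checks that decide where guest-to-guest traffic can break."""
    return {
        "ap_link": link_mismatches(switch[1], AP_UPLINK),
        "router_link": link_mismatches(switch[25], PFSENSE_LAN),
        "guest_ports": ports_carrying(switch, 2),
        "subnets_overlap": HOME.overlaps(GUEST),
        "bridged_not_routed": stays_on_segment(GUEST, laptop, printer),
    }


if __name__ == "__main__":
    # Constructed client addresses from the guest DHCP range in the post.
    for check, result in audit(SWITCH, "192.168.1.101", "192.168.1.102").items():
        print(f"{check}: {result}")
```

When every check comes back clean, laptop-to-printer traffic on the guest SSID is bridged inside the access point and never reaches the switch trunk or the pfSense rules, so the access point's own isolation settings are the next thing to inspect.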
 

degrub

Very Senior Member
Here's why you cannot - different subnet.
"So I can join my Guest network and I get a 192.168.1.0/24 IP address I can get online and everything works but I can not connect to the wireless printer which is also joined the Guest network and has a 192.168.0/24 IP address"
 

Jeff

New Around Here
Here's why you cannot - different subnet.
"So I can join my Guest network and I get a 192.168.1.0/24 IP address I can get online and everything works but I can not connect to the wireless printer which is also joined the Guest network and has a 192.168.0/24 IP address"

Sorry, that's a typo. They're both on the 192.168.1.0/24 subnet.
 

coxhaus

Part of the Furniture
You need to make the pfSense LAN a trunked port for multiple network VLANs. Make sure you assign a network to the guest VLAN. Plug into the switch with the switch port also trunked for multiple VLANs. Then you can assign individual ports to each VLAN. If you are using a wireless then it will need to be a trunked port also to support your regular VLAN and your guest VLAN.
 

Jeff

New Around Here
Hi everyone, I just wanted to let you know I solved this issue. It was caused by a setting on the wireless access point. I had to disable isolation between SSIDs for it to work. I did not try disabling this setting right away because there is another setting, isolation between clients on an SSID, that is already disabled. So technically the isolation between SSIDs, in my opinion, shouldn't matter because I want the laptop to talk to the printer, which is on the same SSID, but sure enough, when I disabled it everything started working.

Thanks,
 
