Hi, I'm hoping someone can help me figure out what I'm doing wrong in regards to my VLAN. I have a network with 1 wireless access point Linksys LAPAC1200,
1 managed D-Link DES-1228 switch, and 1 pfsense box as my router. What I'm trying to do is create a VLAN for guests having their own separate SSID with a
printer on the VLAN for them to use. The pfsense box has 2 ports 1 for WAN and 1 for LAN.
On the pfsense box I have created a VLAN under the interfaces called guest wireless and set the VLAN tag to 2 and it is assigned the LAN interface. I
created a new interface called GuestVLAN and enabled it. I enabled DHCP on that GuestVLAN and assigned it 192.168.1.1 IP address. I set the DHCP server to
hand out 192.168.1.100-200. I also have the DHCP server enabled on the LAN port handing out 172.20.3.100-200 for my non VLAN network. I have an
Outbound NAT rule that NATs 192.168.1.0/24 network traffic to my 172.20.3.0/24 network. That allows me to get internet on the devices on my VLAN. In the
firewall settings I had to create rules on the GuestVLAN to allow things like port 53 for DNS, port 80 for http, etc... Once I did that then internet
worked on devices on the GuestVLAN.
Next on the DLink switch there is a VLAN called default with VID of 1. All ports are set to untagged. I created a VLAN called GuestVLAN and set its VID to
2. I then set the port 1 (the port that goes to my wireless access point) and port 25 (the port that goes to the LAN port on my pfsense box) to tagged in
the GuestVLAN on the switch. So port 1 and port 25 on the switch are both in the default VID 1 set as untagged and in the GuestVLAN VID 2 set as tagged.
All other ports are in the default VID 1 untagged.
Finally I created two SSIDs on the access point. One called Guest and one called Home. The one called Home is assigned VLAN ID 1 and the one called
Guest is assigned VLAN ID 2. VLAN is enabled, untagged VLAN is enabled and the untagged VLAN is assigned ID 1. Isolation between the SSIDs is enabled but
Isolation between the devices on a single SSID is not enabled.
So I can join my Guest network and I get a 192.168.1.0/24 IP address, I can get online and everything works, but I cannot connect to the wireless printer
which is also joined to the Guest network and has a 192.168.1.0/24 IP address. Now I can also connect to Home network and get a 172.20.3.0/24 IP address and I
can connect and print to a different wireless printer that is connected to the Home network and gets a 172.20.3.0/24 IP address.
So why can't I see other computers or printers when I'm on the Guest network but can on the Home network? I'm guessing it has something to do with the
fact that the Guest network devices get tagged? But I'm not sure how I would go about creating a separate VLAN network if I don't tag them? Any help is
greatly appreciated.
Thanks