Re: MS510TXUP confused about VLAN for Guest Network

diehardbattery1 · ‎2024-04-18

I have 3 WAX630E AP's connected to this switch, which connects to my firewall appliance. I am trying to setup a VLAN for guest network. I have created VLAN 10 on my firewall. The firewall is connected to Port 7, Ports 1-3 have the AP's and are trunked (marked) with the same VLAN ID (10). Port 8 uplinks to another GS752TPv2 switch on port 48 (not marked, but is an uplink port on the main VLAN 1). Port 48 is currently uplink on VLAN 1 only. To simplify:

MS510TXUP - Dedicated 2.5G switch for AP's (directly connected to firewall appliance)

GS752TPv2 - 1G Switch for all wired connections

Everything seems to work, but the GS752TPv2 no longer connects to Insight. I am very new at VLANS, so I'm not sure if this is setup correctly. If not, what am I missing/doing wrong?

schumaku · ‎2024-04-18

To shorten this question a little bit: It appears like some VLAN configs (access ports and/or tagged trunks) don't allow the GS752TP management VLAN to access the Internet, and so the Insight cloud. Carefully review the connection to the firewall or security appliance (could be untagged [much easier for the management]), where the MS510 TXUP is connected, and then the port and the link where the GS752TPv2 is connected.

Strongly suggested: Keep the management VLAN untagged all over your infrastructure, and just define tagged trunks for the special VLANs and IP subnets where really required. Keep it as simple as possible! Start with a list writing everything down first.

diehardbattery1 · ‎2024-04-18

So the problem seems to have gotten worse. I cannot access the GS752TPv2 at all now (neither local or Insight). I checked the firewall appliance running OPNSense. When creating a VLAN, a tag must be assigned (I assigned 10 for the guest network). I created VLAN 10 on the MS510TXUP, which is physically connected to igc1 on the appliance via port 7 (igc0 is WAN).

On the MS510TXUP, there are 3 WAX630E AP's (connected to ports 1-3) which I need both a normal wifi, and a guest wifi. On VLAN 10, ports 1-3 on the MS510TXUP are assigned trunk. Port 8 connects to a second switch (GS752TPv2, on port 48). This port currently does not have an assignment. Neither ports 7 or 8 are assigned to anything. The GS752TPv2 does not have any AP's connected to it and is only connected to the MS510TXUP because I thought that was the correct way of setting up. This is very confusing to me and I am at a loss on how to proceed (due to lack of knowledge on VLANs). I have no idea if this is setup correctly...

To note, my appliance has a total of 4 ports (igc2 and 3 are not currently used). Should I make each switch have its own physical connection?

schumaku · ‎2024-04-19

How is this igc1 interface configured in relation to the VLANs?

Is there one (the primary LAN) untagged [the easy way for most inexperienced newbies], and just the guest VLAN 10 tagged?

Sure, if you manage to configure an additional port on the security appliance to deal to the same VLANs, this could simplify things.

Yes, networking can easy become difficult, especially when deploying various different equipment.

diehardbattery1 · ‎2024-04-19

igc1 is the main LAN port, no tag. The VLAN is a virtual interface with igc1 as it's parent. I believe that I somehow messed up the GS752TPv2's VLAN assignments I had at the time as I have also been troubleshooting this guest network issue already and was having trouble figuring out why I would lose it intermittently. I ended up factory resetting the GS752TPv2. Doing this eliminated the VLAN on that switch, leaving only the default ones, and everything started working. So now, do not have any VLAN assigned on the GS752TPv2, and have configured the ports on the MS510TXUP acording to the attached screenshot. So far, everything's been working, so I am hoping that I have stumbled on the correct configuration.

schumaku · ‎2024-04-19

The screenshot only shows VLAN 10 - assuming the tagged ports are serving the WAX6xx and/or the security appliance uplink. This does not say anything about the normal LAN resp VLAN (1?), where you might have Internet access as required for the Insight connection.

diehardbattery1 · ‎2024-04-19

I wanted to attach more screenshots, but apparently the limit is only 1, so I am providing a imgur link https://imgur.com/a/ORKfIG6. Hopefully this makes things more clear.

schumaku · ‎2024-04-19

Great, so VLAN 1 is flat and untagged, add-on an additional switch should be straightforward.

Using the Photo icon in the editor (assuming you're on Desktop view) you can upload and insert as many inline images as you need.

diehardbattery1 · ‎2024-04-19

Based on how I have it setup now, is the configuration for VLAN 10 on the MS510TXUP correct? I'll reattach the screenshots per your suggestion if that makes things easier.

schumaku · ‎2024-04-19

@diehardbattery1 wrote:

Based on how I have it setup now, is the configuration for VLAN 10 on the MS510TXUP correct?

Looks ok to me. Now the same config for the GS752TPv2<->MS510TXUP with a link creating a trunk with the untagged VLAN1 and a tagged VLAN 10.

ErwinL · ‎2024-05-28

Hello @diehardbattery1

Upon reading this thread it looks like you just forgot to tag port 48 on GS752TPv2 from your initial message and member port 48 to all VLAN as tag port. Assuming you have set also tag port as well on port 8 on MS510TUP.

Have a lovely day,
Erwin
Netgear Team