tchubaba
Sep 26, 2023 (Guide)
Inter-VLAN routing issue only via Wi-Fi
Recently I purchased the AP WAX630E and switch MS108EUP for my network in order to be able to create VLANs and isolate certain types of devices in the network. I am using these two products along wit...
- Sep 30, 2023
Hi ToniRod . I heard back from Netgear support. They confirmed that the issue is indeed with the WAX630E AP - it does not support Inter-VLAN communications when the devices are connected to the same AP, and they have no plans to add support for it. Apparently the only use case supported for this AP for inter-VLAN wi-fi communications is to use 2 different APs, which kinda doesn't make much sense in my head, but OK I guess. At least now I have confirmation that the issue is indeed where I suspected it was and can move on from here.
schumaku
Sep 26, 2023 (Guru - Experienced User)
Routing issue? There is no Netgear router involved here.
Inter-VLAN routing issue only via Wi-Fi? Nothing like this, neither the switch nor the WAX630E has such a capability (you don't need it here at all!)
What you need is some motivation to figure out how to bring the three VLANs you have on dedicated ports (from what I understand), and one trunk port for the WAX630E.
For each of the three VLAN ports, you need one access port each:
> Port 1: Connected to the WAX630E AP
> Port 2: Connected to OPNsense OPT1
> Port 3: Connected to OPNsense LAN
> Port 4: Connected to a Windows desktop PC ... which VLAN is undefined
> Port 5: Connected to an IP camera ... which VLAN is again undefined
Have you defined the three VLANs you want on the switch?
- VLAN 1, Untagged, PVID 1 ... to connect the port you expect to have the VLAN1, only, and no other VLAN - I guess this is LAN on the firewall.
- VLAN 3, Untagged, PVID 3 ... to connect the port you expect to have the VLAN2, only, and no other VLAN - I guess this is USER on the firewall.
- VLAN 2, Untagged, PVID 2 ... to connect the port you expect to have the VLAN2, only, and no other VLAN - I guess this is OPT1 on the firewall.
- VLAN 3? I'm afraid I don't see where you want your IoT network connected to the switch, so the port you intend to bring the router VLAN 3 in is missing.
Similarly, for the ports you'd like to be used as untagged access ports.
For the WAX630E, and three SSIDs, you need the three tagged VLANs on this port, creating a VLAN trunk.
VLANs are no rocket science, the design and config just requires systematic work.
Does this help?
tchubaba
Sep 26, 2023 (Guide)
Thank you for taking the time to read my post and providing your insight. Please keep in mind that I'm new to VLANs and I am indeed trying to take the time to learn and get better at it. I am also trying to understand what is the source of my problem - whether it is the firewall, the switch, the AP, or something misconfigured: thus why I am posting here. So please bear with me as I work through this - I do appreciate your patience.
My intended purpose with this setup, as mentioned, is to segregate devices, and I do have:
LAN (ID tag 1, Management)
VLAN2 USER (ID tag 2, For PCs and Phones)
VLAN3 IOT (ID tag 3, for IoT devices)
In the firewall, LAN has a dedicated port, which is connected to port 3 of the switch. VLAN2 and VLAN3 are both assigned to physical port OPT1 of the firewall, which is connected to port 2 of the switch.
The switch port 4 is connected to the Windows PC, which is supposed to be on the LAN - and it is: it's getting IP 192.168.1.100.
The switch port 5 is connected to the IP camera, which is supposed to be on VLAN3 (IOT) - and it is: it's getting IP 192.168.3.100.
VLAN2 (USER) is only ever going to be used by Wi-Fi devices - it doesn't need a dedicated port on the switch.
VLAN3 (IOT) is mostly going to be used by Wi-Fi devices, except for the Wired IP camera on switch port 5.
So with the setup I described in the original post, everything is mostly working as intended. The only issue being that when I have 2 Wi-Fi devices on separate VLANs they can't communicate properly. Wired to Wi-Fi communication does work (as long as the firewall rules allow). So:
- Wired LAN PC to Wired VLAN3 camera: OK
- Wired LAN PC to Wi-Fi VLAN3 camera: OK
- Wi-Fi VLAN2 PC to Wired VLAN3 camera: OK
- Wi-Fi VLAN2 PC to Wi-Fi VLAN3 camera: Cannot connect
- Wi-Fi VLAN2 PC to Wi-Fi VLAN3 linux laptop: Cannot connect
- Wi-Fi VLAN 2 PC to Wired VLAN3 linux laptop: OK
And as previously stated, the scenario where I have the linux laptop on Wi-Fi VLAN3 was an attempt to troubleshoot - tcpstat indicated there were incoming requests from Wi-Fi VLAN2 PC, only they would stay stuck on SYN_RECV and never reach ESTABLISHED. If I move the linux laptop to Wired VLAN3, the connection works (the webpage loads in Wi-Fi VLAN2 PC). This is what led me to believe there was a routing issue somewhere in inter-VLAN Wi-fi to Wi-fi connections.
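The SYN_RECV observation in the post above can be checked systematically. The following is an added example, not part of the original post: it parses `ss -tan` output from the VLAN3 host and reports which source VLANs have handshakes that never complete. A socket in SYN-RECV means the SYN arrived and a SYN-ACK was sent, but the final ACK never came back, so the forward path works and the return path does not. The sample output is constructed, and the 192.168.2.0/24 subnet for VLAN2 is an assumption based on the addressing pattern in the post.

```python
import ipaddress
from collections import Counter

# LAN and IOT subnets follow the addresses in the post (192.168.1.100,
# 192.168.3.100); the USER subnet is assumed to follow the same pattern.
VLANS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "USER": ipaddress.ip_network("192.168.2.0/24"),
    "IOT": ipaddress.ip_network("192.168.3.0/24"),
}

# Constructed sample of `ss -tan` output on the Linux laptop in VLAN3.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:80          0.0.0.0:*
SYN-RECV  0      0      192.168.3.50:80     192.168.2.23:51514
SYN-RECV  0      0      192.168.3.50:80     192.168.2.23:51516
ESTAB     0      0      192.168.3.50:80     192.168.1.100:50210
"""

def vlan_of(ip):
    """Map a peer address to a VLAN name, or OTHER if it is outside all subnets."""
    addr = ipaddress.ip_address(ip.strip("[]"))
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "OTHER"

def summarize(ss_output):
    """Count TCP sockets per (peer VLAN, state), skipping header and listeners."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("State", "LISTEN"):
            continue
        state = fields[0].replace("_", "-")       # accept netstat-style SYN_RECV
        peer_ip = fields[4].rsplit(":", 1)[0]     # drop the port
        counts[(vlan_of(peer_ip), state)] += 1
    return counts

def one_way_vlans(counts):
    """VLANs whose clients reach SYN-RECV but never an established state."""
    stuck = {v for (v, s) in counts if s == "SYN-RECV"}
    done = {v for (v, s) in counts if s in ("ESTAB", "ESTABLISHED")}
    return sorted(stuck - done)

if __name__ == "__main__":
    print(one_way_vlans(summarize(SAMPLE_SS)))
```

Running the same check with the host on wired and then on Wi-Fi VLAN3 shows whether the half-open handshakes follow the Wi-Fi path.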
- schumaku, Sep 27, 2023 (Guru - Experienced User)
Currently, there are no uplinks configured for VLAN 2 and VLAN 3 (readily available as dedicated ports, in VLAN and switch terms as access ports). How would you expect these VLANs to become available on the switch, and finally on the WAX? I have attempted to explain this briefly in my previous reply, but was ignored, probably because you found the VLAN 1 (default on the switch) seemed to work for you, so why bother?
- tchubaba, Sep 27, 2023 (Guide)
Don't bother. Thanks mate.
If anyone else has any insights into this issue and would like to provide your feedback I'd highly appreciate it.
- ToniRod, Sep 28, 2023 (Guide)
Hi,
We may be facing the same issue.
Detailed thread here: https://community.netgear.com/t5/Business-Wireless/WAX630E-VLAN-bug/m-p/2325009/highlight/true#M11089
I'm in discussion with Netgear support since late August trying to find a solution.