Forum Discussion
Jakejdb1999, Aspirant
Jan 26, 2024
Wireless devices not connecting to WAX214 when VLAN isolation enabled
Hello, I have a NETGEAR WAX214 and I've been trying to use the VLAN isolation feature that allows VLAN tagging per SSID. I have a Cisco 2960CG switch, and a pfSense firewall connected to the WAN. So pfSense > Cisco switch > AP.
My Cisco switch was configured with a trunk port to pfsense, and a trunk port to the AP.
Commands were as such from global config:
vlan 2
 name IOT-bitches-here
vlan 3
 name everyone-else
!
interface GigabitEthernet0/3
 ! access point interface
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet0/1
 ! pfSense interface
 switchport mode trunk
 no shutdown
Then I assigned VLAN 2 to SSID "IOT"
and VLAN 3 to SSID "weefee".
When I try connecting my devices to the AP, they attempt to connect but never do. I've tried adding the VLAN interfaces to pfSense as well, but no luck; they only connect after I disable VLAN isolation. Any help is appreciated.
4 Replies
- schumaku, Guru - Experienced User
No magic when it comes to the WAX214/218 or any WAX6xx: SSIDs mapped to a VLAN simply send tagged traffic. Check your switch and port config and security appliance please.
For infrastructure troubleshooting, I strongly suggest configuring access ports on the switch, one per VLAN.
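The reply above tells the poster to check the switch and port configuration. One concrete way to do that from the Cisco side is to read `show interfaces trunk` and confirm, per trunk port, that every SSID VLAN is allowed, is actually present in the VLAN database ("allowed and active"), is forwarding, and that the native (untagged) VLAN is the one the AP's management traffic expects. The script below is an added example for this thread, not code from the poster, NETGEAR or Cisco; the two `show interfaces trunk` dumps inside it are constructed to look like a 2960's output and are not captures from the poster's switch. The port names, the SSID VLAN set {2, 3} and management VLAN 1 mirror the post; everything else is an assumption for illustration.

```python
"""Audit a Cisco IOS 'show interfaces trunk' dump for the VLANs an AP's SSIDs use.

Added example, not from the thread. Sample dumps below are constructed.
"""
from typing import Dict, List, Set

# Constructed sample: both SSID VLANs exist, both trunks carry them, native VLAN 1.
GOOD_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/3       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/3       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-3
Gi0/3       1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-3
Gi0/3       1-3
"""

# Constructed sample of a broken setup: VLAN 3 was never created in the VLAN
# database (allowed but not active), and the AP port's native VLAN was changed
# to 2, so the AP's untagged management traffic would land in the IoT VLAN.
BAD_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/3       on               802.1q         trunking      2

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/3       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-2
Gi0/3       1-2

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-2
Gi0/3       1-2
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1-3,10,20-22' (or 'none') into a set."""
    vlans: Set[int] = set()
    spec = spec.strip()
    if not spec or spec.lower() == "none":
        return vlans
    for part in spec.split(","):
        part = part.strip()
        if not part:  # trailing comma on a wrapped line
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def parse_show_interfaces_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {'native': int, 'allowed': set, 'active': set, 'forwarding': set}}."""
    ports: Dict[str, dict] = {}
    section = None
    last_port = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):  # one of the four table headers
            header = line.lower()
            if "native" in header:
                section = "native"
            elif "allowed and active" in header:
                section = "active"
            elif "allowed on trunk" in header:
                section = "allowed"
            elif "forwarding" in header:
                section = "forwarding"
            else:
                section = None
            continue
        if line[0].isspace():  # IOS wraps long VLAN lists onto indented lines
            if last_port and section in ("allowed", "active", "forwarding"):
                ports[last_port][section] |= expand_vlan_list(line)
            continue
        fields = line.split()
        if section is None:
            continue
        port = fields[0]
        last_port = port
        entry = ports.setdefault(
            port, {"native": None, "allowed": set(), "active": set(), "forwarding": set()}
        )
        if section == "native":  # Port Mode Encapsulation Status Native-vlan
            entry["native"] = int(fields[-1])
        else:
            entry[section] = expand_vlan_list(fields[1]) if len(fields) > 1 else set()
    return ports


def check_trunk(ports: Dict[str, dict], port: str, ssid_vlans: Set[int],
                management_vlan: int = 1) -> List[str]:
    """Return the problems found on one trunk port; an empty list means it looks right."""
    entry = ports.get(port)
    if entry is None:
        return [f"{port}: not trunking (absent from 'show interfaces trunk')"]
    problems: List[str] = []
    if entry["native"] != management_vlan:
        problems.append(f"{port}: native VLAN is {entry['native']}, but the AP's "
                        f"untagged management traffic expects VLAN {management_vlan}")
    for vlan in sorted(ssid_vlans):
        if vlan not in entry["allowed"]:
            problems.append(f"{port}: VLAN {vlan} not allowed on trunk")
        elif vlan not in entry["active"]:
            problems.append(f"{port}: VLAN {vlan} allowed but not in the VLAN database "
                            f"(missing 'vlan {vlan}' in global config)")
        elif vlan not in entry["forwarding"]:
            problems.append(f"{port}: VLAN {vlan} not in STP forwarding state")
    return problems


def audit(text: str, ports_to_check: List[str], ssid_vlans: Set[int],
          management_vlan: int = 1) -> Dict[str, List[str]]:
    """Parse one dump and check every listed trunk port."""
    parsed = parse_show_interfaces_trunk(text)
    return {p: check_trunk(parsed, p, ssid_vlans, management_vlan) for p in ports_to_check}


if __name__ == "__main__":
    for label, dump in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        for port, problems in audit(dump, ["Gi0/1", "Gi0/3"], {2, 3}).items():
            print(label, port, "OK" if not problems else problems)
```

Paste the real `show interfaces trunk` output in place of the constructed dumps; a VLAN that shows as allowed but not "active" means it was never created with `vlan N` in the VLAN database, which is the mistake this check is designed to catch.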
- Jakejdb1999, Aspirant
Thank you for the reply; however, I do not see an issue with my config that I posted. I am not an experienced network engineer so I may be wrong, but on a Cisco switch, would you not configure this as a VLAN trunk port? In addition, if I were to configure this as just an access port, I do not believe there is a way to do this other than trunking. On an Aruba device, I know you would configure this to be an untagged interface with the required VLANs; however, I do not see a path to configure this other than what I already have. If the device is doing what it is supposed to, shouldn't it be sending the traffic over the interface and to the pfSense firewall? In addition, how would this cause my devices to not even connect? My devices aren't just unable to access the internet, but are unable to create a connection and complete a handshake with the WAX214.
- schumaku, Guru - Experienced User
On the WAX214 and similar APs, the default VLAN is untagged. If you have tagged VLANs on your network, you can of course configure an additional SSID and assign it to the VLAN. No rocket science on the WAX214 ... permitting the infrastructure is configured accordingly, the switch has the VLAN assigned to the trunk, and the security appliance is configured as intended, too.
It appears many Netgear customers are struggling with their (too complex) VLAN and network design, I'm afraid. Yes, the code snippet does look like a trunk port, with all VLANs tagged - according to the comment, to connect the security appliance. Zero insight, I'm not a pfSense crack 8-)
In case you are uncertain, configure a dedicated SSID and map it to the (tagged) VLAN in question.
Similarly, for testing the wired infrastructure: define a pure access port mapped to one VLAN as an untagged port, and nothing else.