
Forum Discussion

tchubaba
Sep 26, 2023
Solved

Inter-VLAN routing issue only via Wi-Fi

Recently I purchased the AP WAX630E and switch MS108EUP for my network in order to be able to create VLANs and isolate certain types of devices in the network. I am using these two products along with an OPNsense router. This is my setup:

In the OPNsense router, I have created 2 VLANs:

USER:
Device: vlan01[USER]
Parent: igc2 (64:62:66:21:a9:a5) [OPT1]
Tag: 2
PCP: Best Effort (0, default)
Description: USER

IOT:
Device: vlan02[IOT]
Parent: igc2 (64:62:66:21:a9:a5) [OPT1]
Tag: 3
PCP: Best Effort (0, default)
Description: IOT

The idea is for PCs and Phones to be on the USER VLAN and IoT devices on the IOT VLAN. DHCP is enabled in the LAN and both VLANs:

LAN:
Subnet: 192.168.1.0
Gateway: 192.168.1.1
Subnet mask: 255.255.255.0
Range: 192.168.1.100 - 192.168.1.254

USER:
Subnet: 192.168.2.0
Gateway: 192.168.2.1
Subnet mask: 255.255.255.0
Range: 192.168.2.100 - 192.168.2.254

IOT:
Subnet: 192.168.3.0
Gateway: 192.168.3.1
Subnet mask: 255.255.255.0
Range: 192.168.3.100 - 192.168.3.254

In the switch, I have ports connected like this:
Port 1: Connected to the WAX630E AP
Port 2: Connected to OPNsense OPT1
Port 3: Connected to OPNsense LAN
Port 4: Connected to a Windows desktop PC
Port 5: Connected to an IP camera

I have enabled Advanced 802.1Q VLAN. And the configuration is like this:

VLAN ID 1:
Name: Default
Port Members: 1 2 3 4 5 6 7 8
(All ports untagged)

VLAN ID 2:
Name: USER
Port Members: 1 2
Ports 1 and 2 are tagged, all others excluded

VLAN ID 3:
Name: IOT
Port Members: 1 2 5
Ports 1 and 2 are tagged, port 5 untagged, all others excluded

And in the PVID table, all ports are using 1 - Default, except for port 5, which uses 3 - IOT.

And finally in my AP, I have set up 3 SSIDs:

SSID1:
Name: home-admin
VLAN ID: 1

SSID2:
Name: home-user
VLAN ID: 2

SSID3:
Name: home-iot
VLAN ID: 3

Back in OPNsense, I have created firewall rules that allow:
LAN: Access to internet and all VLANs
USER: Access to internet and IOT VLAN
IOT: Access to internet only

So the issue I'm having is that there appear to be routing issues when devices connected to different VLANs talk via Wi-Fi. It does not happen if one of the devices is wired. For example, consider these 4 devices:

Device 1:
Wired Windows desktop connected to switch port 4
IP address: 192.168.1.100 (LAN)

Device 2:
Wireless Windows laptop connected to Wi-Fi SSID2
IP address: 192.168.2.100 (USER VLAN)

Device 3:
Wired IP camera connected to switch port 5
IP address: 192.168.3.100 (IOT VLAN)

Device 4:
Wireless IP camera connected to Wi-Fi SSID3
IP address: 192.168.3.101 (IOT VLAN)

Device 1 (the desktop) is able to access both wired and wireless cameras, no issues there. However, Device 2 (the laptop) can only access the wired camera on the switch port 5. It is unable to connect to the wireless camera on SSID3.

In order to try and troubleshoot the issue, I connected a second laptop running Linux and an Nginx webserver to SSID 3 (IOT VLAN). This laptop got IP address 192.168.3.102. I then tried to access the webserver on this laptop from the Windows laptop on the USER VLAN. The webpage never loaded. Running tcpstat on the Linux laptop, I can see the incoming request from the Windows laptop, however it never gets ESTABLISHED. It remains stuck on SYN_RECV. When I try to access this webpage from the desktop (which is wired), the webpage loads normally.

So all this leads me to believe that there may be something misconfigured with my WAX630E Access Point since inter-VLAN connections work fine when at least one of the devices is wired, but it doesn't when both devices are wireless.

Hopefully someone may be able to shed some light into this issue. Any insight is appreciated!

PS: These are the firmware versions (both claim to be the latest):
MS108EUP switch: 1.0.1.9
WAX630E AP: V10.6.0.7
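As an added check (my own code, not from this thread, NETGEAR or OPNsense), here is a small model of the posted MS108EUP membership table that lists which VLANs each port carries and flags an access port that is untagged in more than one VLAN. Port 5 is such a port here: it is untagged in both Default and IOT, so the camera also receives VLAN 1 broadcast traffic, which weakens the isolation the setup is meant to provide. The model covers the switch only, so it says nothing about the Wi-Fi to Wi-Fi symptom.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """802.1Q membership of one switch port."""
    pvid: int = 1
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

# Constructed from the membership table in the post (MS108EUP, 8 ports).
POSTED_VLANS = {
    1: {p: "U" for p in range(1, 9)},   # Default: all ports untagged
    2: {1: "T", 2: "T"},                # USER: AP and OPT1 trunk ports, tagged
    3: {1: "T", 2: "T", 5: "U"},        # IOT: trunk tagged, camera port untagged
}
POSTED_PVIDS = {p: 1 for p in range(1, 9)}
POSTED_PVIDS[5] = 3                     # untagged ingress on port 5 goes to IOT

def build_switch(vlans, pvids):
    """vlans: {vid: {port: 'T'|'U'}}, pvids: {port: vid} -> {port: Port}."""
    ports = {p: Port(pvid=v) for p, v in pvids.items()}
    for vid, members in vlans.items():
        for p, mode in members.items():
            (ports[p].tagged if mode == "T" else ports[p].untagged).add(vid)
    return ports

def vlans_on_port(ports, p):
    """Every VLAN whose frames can enter or leave port p."""
    return sorted(ports[p].tagged | ports[p].untagged)

def check_switch(ports):
    """Return findings; an access port should be untagged in exactly one VLAN."""
    findings = []
    for p, port in sorted(ports.items()):
        if len(port.untagged) > 1:
            findings.append(f"port {p}: untagged in several VLANs {sorted(port.untagged)}; "
                            "a device there receives broadcast traffic from all of them")
        if port.pvid not in port.tagged | port.untagged:
            findings.append(f"port {p}: PVID {port.pvid} is not a member VLAN, ingress is dropped")
        elif port.pvid not in port.untagged:
            findings.append(f"port {p}: PVID {port.pvid} is tagged-only, replies leave tagged")
    return findings

if __name__ == "__main__":
    sw = build_switch(POSTED_VLANS, POSTED_PVIDS)
    for p in (1, 2, 5):
        print(f"port {p} carries VLANs {vlans_on_port(sw, p)}")
    print("\n".join(check_switch(sw)))
```

Removing port 5 from VLAN 1 (so it is untagged in IOT only) clears the finding.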

  • Hi ToniRod . I heard back from Netgear support. They confirmed that the issue is indeed with the WAX630E AP - it does not support Inter-VLAN communications when the devices are connected to the same AP, and they have no plans to add support for it. Apparently the only use case supported for this AP for inter-VLAN wi-fi communications is to use 2 different APs, which kinda doesn't make much sense in my head, but OK I guess. At least now I have confirmation that the issue is indeed where I suspected it was and can move on from here.

11 Replies

  • schumaku
    Guru - Experienced User

    Routing issue? There is no Netgear router involved here.

    Inter-VLAN routing issue only via Wi-Fi? Nothing like this: neither the switch nor the WAX630E has such a capability (which you don't need here at all!).

    What you need is some motivation to figure out how to bring the three VLANs you have onto dedicated ports (from what I understand), and one trunk port for the WAX630E.

    For each of the three VLAN ports, you need one access port each:

    > Port 1: Connected to the WAX630E AP
    > Port 2: Connected to OPNsense OPT1
    > Port 3: Connected to OPNsense LAN
    > Port 4: Connected to a Windows desktop PC ... which VLAN is undefined
    > Port 5: Connected to an IP camera ... which VLAN is again undefined

    Have you defined the three VLANs you want on the switch?

    • VLAN 1, Untagged, PVID 1 ... to connect the port you expect to have VLAN 1 only, and no other VLAN - I guess this is LAN on the firewall.
    • VLAN 3, Untagged, PVID 3 ... to connect the port you expect to have VLAN 2 only, and no other VLAN - I guess this is USER on the firewall.
    • VLAN 2, Untagged, PVID 2 ... to connect the port you expect to have VLAN 2 only, and no other VLAN - I guess this is OPT1 on the firewall.
    • VLAN 3? Afraid I don't see where you want your IoT network connected to the switch, so the port you intend to bring the router VLAN 3 in on is missing.

    Similarly, for the ports you would like to be used as untagged access ports.

    For the WAX630E and three SSIDs, you need the three tagged VLANs on this port, creating a VLAN trunk.

    VLANs are no rocket science; the design and config just require systematic work.

    Does this help?

    • tchubaba
      Guide

      Thank you for taking the time to read my post and provide your insight. Please keep in mind that I'm new to VLANs and I am indeed trying to take the time to learn and get better at it. I am also trying to understand what the source of my problem is - whether it is the firewall, the switch, the AP, or something misconfigured: thus why I am posting here. So please bear with me as I work through this - I do appreciate your patience.

      My intended purpose with this setup, as mentioned, is to segregate devices, and I do have:
      LAN (ID tag 1, Management)
      VLAN2 USER (ID tag 2, for PCs and Phones)
      VLAN3 IOT (ID tag 3, for IoT devices)

      In the firewall, LAN has a dedicated port, which is connected to port 3 of the switch. VLAN2 and VLAN3 are both assigned to physical port OPT1 of the firewall, which is connected to port 2 of the switch.

      The switch port 4 is connected to the Windows PC, which is supposed to be on the LAN - and it is: it's getting IP 192.168.1.100.
      The switch port 5 is connected to the IP camera, which is supposed to be on VLAN3 (IOT) - and it is: it's getting IP 192.168.3.100.

      VLAN2 (USER) is only ever going to be used by Wi-Fi devices - it doesn't need a dedicated port on the switch.
      VLAN3 (IOT) is mostly going to be used by Wi-Fi devices, except for the wired IP camera on switch port 5.

      So with the setup I described in the original post, everything is mostly working as intended. The only issue is that when I have 2 Wi-Fi devices on separate VLANs they can't communicate properly. Wired to Wi-Fi communication does work (as long as the firewall rules allow). So:

      - Wired LAN PC to Wired VLAN3 camera: OK
      - Wired LAN PC to Wi-Fi VLAN3 camera: OK
      - Wi-Fi VLAN2 PC to Wired VLAN3 camera: OK
      - Wi-Fi VLAN2 PC to Wi-Fi VLAN3 camera: Cannot connect
      - Wi-Fi VLAN2 PC to Wi-Fi VLAN3 Linux laptop: Cannot connect
      - Wi-Fi VLAN2 PC to Wired VLAN3 Linux laptop: OK

      And as previously stated, the scenario where I have the Linux laptop on Wi-Fi VLAN3 was an attempt to troubleshoot - tcpstat indicated there were incoming requests from the Wi-Fi VLAN2 PC, only they would stay stuck on SYN_RECV and never reach ESTABLISHED. If I move the Linux laptop to Wired VLAN3, the connection works (the webpage loads on the Wi-Fi VLAN2 PC). This is what led me to believe there was a routing issue somewhere in inter-VLAN Wi-Fi to Wi-Fi connections.

      • schumaku
        Guru - Experienced User

        Currently, there are no uplinks configured for VLAN 2 and VLAN 3 (readily available as dedicated ports, in VLAN and switch terms as access ports). How would you expect these VLANs to become available on the switch, and finally on the WAX? I attempted to explain this briefly in my previous reply, but it was ignored, probably because you found the VLAN 1 (default on the switch) seemed to work for you, so why bother?
