× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Reply

WAX214 VLAN set up Correctly?

fattom23
Aspirant

WAX214 VLAN set up Correctly?

I'm trying to set VLANs on my network based on SSID and can't seem to find out where things are going wrong. I have an SSID set on my WAX214 with VLAN Isolation activated and the VLAN ID set to 20. When I connect to that Wi-Fi network, I can't get an IP address from the DHCP server, although the SSID that I have set up as untagged functions properly (devices can connect and get IPs from the DHCP server normally).

 

The frames go through two switches to a Mikrotik routerboard (which all seem to be set up correctly); is there any way to test that the frames are at least being tagged on the AP before they're sent through to the router (so that I can verify that the problem isn't with the AP)?

Message 1 of 16
microchip8
Master

Re: WAX214 VLAN set up Correctly?

VLANs on NETGEAR consumer devices are very limited and there for only one purpose; ISP configuration needs. They are not full blown VLANs you will come across the upper level of devices.
Message 2 of 16
fattom23
Aspirant

Re: WAX214 VLAN set up Correctly?

So I shouldn't expect that it will tag VLAN 20 and pass that information on? The VLANs are defined on the switches and router; all I'm relying on the AP to do is tagging based on SSID (which appears to be an option in the settings).

 

I don't know if this matters, but the Access Points are also pretty prominently stamped "Business" on the front, so it seems they should have this capability.

Message 3 of 16
schumaku
Guru

Re: WAX214 VLAN set up Correctly?


@fattom23 wrote:

The frames go through two switches to a Mikrotik routerboard (which all seem to be set up correctly); is there any way to test that the frames are at least being tagged on the AP before they're sent through to the router (so that I can verify that the problem isn't with the AP)?


And the two switches in the data path are configured for handling the VLAN in question as tagged along the complete data path - from the router to the WAX214?

 

A good starting point for testing might be defining an access port for that specific VLAN on the switch (and only for this VLAN), and connect a computer there, the PC should get an IP address for that specific subnet.

Message 4 of 16
fattom23
Aspirant

Re: WAX214 VLAN set up Correctly?

I've tried that; a computer plugged straight into and Access port for that VLAN *does* get an IP in the expected range. I would normally plug the AP into that port and see what happens, but the router is not POE, so that's not really an option.

I'm guessing that there's not any way to view the data being sent from the AP into the network so I can diagnose?
Message 5 of 16
schumaku
Guru

Re: WAX214 VLAN set up Correctly?

So make this former access port a tagged trunk port, and connect the WAX214 with the SSID configured for that VLAN in question.

 

Are we facing a WAX214 or WAX214v2 here? Reason asking: On the WAX214v2 I see some oddities (at least, nicely saying):

 

WAX214v2 VLAN oddity v1.0.2.3.PNG

Message 6 of 16
fattom23
Aspirant

Re: WAX214 VLAN set up Correctly?

I don't have the v2, but I should be able to borrow a POE injector to try and plug directly into an access port straight on the router.
Message 7 of 16
schumaku
Guru

Re: WAX214 VLAN set up Correctly?


@fattom23 wrote:
I don't have the v2, but I should be able to borrow a POE injector to try and plug directly into an access port straight on the router.

What should this test be good for? You want to test a specific SSID mapping into a certain (tagged) VLAN.

 

Tell us more about the config of your router, and he switches along of the data path.

Message 8 of 16
fattom23
Aspirant

Re: WAX214 VLAN set up Correctly?

I have a Mikrotik routerboard with Port 2 going to Port 1 on a Zyxel switch (its a GS1900-24). Port 7 on that switch goes to Port 5 on a Netgear switch (it's a Netgear GS308EPP). I use this switch because it's POE (which neither the switch or router are).

 

The APs (2 WAX214s) are plugged into Ports 3 and 4 of the Netgear switch. Both switches (for testing purposes) have all ports listed as Trunk (tagged) ports for VLAN 20. The SSID LaPortaPile-Test is mapped to VLAN 20 on the AP.

 

I've attached screenshots of the relevant screens from the AP, and have the config from the router and additional screenshots from the switches if it becomes helpful.

Message 9 of 16
fattom23
Aspirant

Re: WAX214 VLAN set up Correctly?

This is the router config:

 

# mar/03/2024 20:26:25 by RouterOS 6.49.11
# software id = DD4H-LACA
#
# model = RB3011UiAS
# serial number = HFG097R51BQ
/interface bridge
add admin-mac=78:9A:18:D8:75:F2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether9 ] name="ether9(Management)"
/interface vlan
add interface=bridge name=vlan1 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=98.111.140.2-98.111.140.254
add name=dhcp_pool3 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool13 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=bridge name=dhcp1
add address-pool=dhcp_pool13 disabled=no interface=vlan1 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=20
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="ether9(Management)" list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.100.1/24 interface="ether9(Management)" network=\
192.168.100.0
add address=10.0.0.1/24 interface=vlan1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.246 mac-address=B8:AB:62:2E:A4:BD server=dhcp1
add address=192.168.1.23 mac-address=DC:E5:5B:5F:EC:94 server=dhcp1
add address=192.168.1.128 mac-address=10:BF:48:8D:AA:A0 server=dhcp1
add address=192.168.1.168 client-id=\
ff:f6:86:2c:2f:0:2:0:0:ab:11:67:e9:d2:38:8f:d2:99:5c mac-address=\
54:80:28:4E:FE:E9 server=dhcp1
add address=192.168.1.214 client-id=1:90:6a:eb:bf:b9:61 mac-address=\
90:6A:EB:BF:B9:61 server=dhcp1
add address=192.168.1.241 client-id=\
ff:eb:7c:56:8d:0:1:0:1:2a:34:d6:82:e8:4e:6:9b:1e:1e mac-address=\
B8:27:EB:7C:56:8D server=dhcp1
add address=192.168.1.109 client-id=1:d8:c0:a6:20:3c:91 mac-address=\
D8:C0:A6:20:3C:91 server=dhcp1
add address=192.168.1.146 client-id=1:c4:3c:b0:62:c5:3 mac-address=\
C4:3C:B0:62:C5:03 server=dhcp1
add address=192.168.1.15 client-id=1:e0:46:ee:14:98:92 mac-address=\
E0:46:EE:14:98:92 server=dhcp1
add address=192.168.1.47 client-id=1:d8:ec:e5:d3:bb:5e mac-address=\
D8:EC:E5:D3:BB:5E server=dhcp1
add address=192.168.1.51 mac-address=80:CC:9C:48:D8:20 server=dhcp1
add address=192.168.1.52 mac-address=80:CC:9C:48:FF:29 server=dhcp1
add address=192.168.1.31 client-id=1:8:bf:b8:b8:e:d9 mac-address=\
08:BF:B8:B8:0E:D9 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=10.10.10.0/24 gateway=10.10.10.1
add address=98.111.140.0/24 dns-server=192.168.1.1,129.168.1.1 gateway=\
98.111.140.1
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.1.0/24 gateway=172.16.1.1
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1,129.168.1.1 gateway=\
192.168.1.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=hfg097r51bq.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input src-address=112.227.133.59
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT - Not Working" \
dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=32400 \
protocol=tcp to-addresses=192.168.1.168
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
tcp to-addresses=192.168.1.168
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=192.168.1.168
add action=dst-nat chain=dstnat comment="Needed for Xbox" dst-port=53 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.214 to-ports=53
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.214
add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.214 to-ports=88
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.214 to-ports=3074
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.214 to-ports=500
add action=dst-nat chain=dstnat dst-port=3544 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.214 to-ports=3544
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.214 to-ports=4500
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.214 to-ports=53
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=80
/ip service
set telnet disabled=yes
set ssh address=192.168.1.0/24
/system clock
set time-zone-name=America/New_York
/system package update
set channel=upgrade
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Message 10 of 16
schumaku
Guru

Re: WAX214 VLAN set up Correctly?

Great, and that VLAN 20 is trunked (tagged) throughout the ZyXEL switch on the data path (switch ports) connecting the router and the Netgear Plus switch?

Message 11 of 16
fattom23
Aspirant

Re: WAX214 VLAN set up Correctly?

It seems to be (see attached screenshot). I obviously went wild trunking the ports and don't need all this, but I figured I should reduce the chance of misconfiguration for now.
Message 12 of 16
fattom23
Aspirant

Re: WAX214 VLAN set up Correctly?

Now that I'm looking at it, the ports in question (2 and 7) are Tagged for VLAN 20 and Untagged for VLAN 1 on the Zyxel (which seems like not the correct configuration). I'll bet the problem is with the configuration of the Zyxel, because those should be Tagged for both in order for it to work, correct?
Message 13 of 16
schumaku
Guru

Re: WAX214 VLAN set up Correctly?


@fattom23 wrote:

So I shouldn't expect that it will tag VLAN 20 and pass that information on? The VLANs are defined on the switches and router; all I'm relying on the AP to do is tagging based on SSID (which appears to be an option in the settings).


No problems using the WAX214 over a tagged network connection over a mixed Netgear MS108EUP and ZyXEL  GS1900-24E/-48 infrastructure, all tagged to the router, VLAN ID is 250 in my environment, but that's not relevant- Perfectly fine for a non-exclusively used Internet connection and infrastructure, almost a one GbE link on WiFi (despite heavily used 5 GHz band for WiFi 7 testing, so plenty interference on-air:

 

Screenshot_20240305-132541.png Screenshot_20240305-133821.png

 

GS1900-24E VLAN 24.PNG

 

@fattom23 wrote:

I don't know if this matters, but the Access Points are also pretty prominently stamped "Business" on the front, so it seems they should have this capability.


Yes, it does -  and in general almost everything trouble-free. The special case I've showed before is reported to Netgear for some weeks.

 

 

 

 

Message 14 of 16
schumaku
Guru

Re: WAX214 VLAN set up Correctly?


@microchip8 wrote:
VLANs on NETGEAR consumer devices are very limited and there for only one purpose; ISP configuration needs. 

We're in the Business Wireless section here @microchip8 - all WAX6xx and WAX2xx are dealing with VLANs easily. - nothing t worry here my friend 8-) .. Yes, I know sometimes there are consumers coming to this are, too. And I bought some WAX214/WAX214v2/WAX218/WAX220 with my own hard earned money - these are not Beta samples btw, too.

Message 15 of 16
schumaku
Guru

Re: WAX214 VLAN set up Correctly?


@fattom23 wrote:
Now that I'm looking at it, the ports in question (2 and 7) are Tagged for VLAN 20 and Untagged for VLAN 1 on the Zyxel (which seems like not the correct configuration). I'll bet the problem is with the configuration of the Zyxel, because those should be Tagged for both in order for it to work, correct?

In case 2 and 7 making up the trunk connections, sure, 7 needs to be tagged, too. Unfortunately, the ports are not labeled on the switch, so hard to say what is connected there. So best guess Yes 8-)

Message 16 of 16
Top Contributors
Discussion stats
  • 15 replies
  • 1410 views
  • 2 kudos
  • 3 in conversation
Announcements