PLZ HELP with setup - multiple VLANs to one port (Unifi AP)

Been banging my head against the wall for this setup. Your assistance is appreciated.

So I have a virtualized OPNsense setup; the router's LAN port only carries tagged VLAN traffic for now. I configured VLAN IDs 10 and 20, each with its own IP and DHCP. The LAN port is connected to the combo1 port of a MikroTik switch (CRS312).

I followed this video (https://m.youtube.com/watch?v=4Z32oOPqCqc) to set up VLAN filtering. Basically, I added combo1 and ether1/2/3 to a bridge, with ether1/2/3's PVIDs being 10, 20 and 1. For VLANs I created two instances with VLAN IDs 10/20 and had combo1 tagged and ether1/2 untagged respectively (left ether3 alone).

Then I turned on VLAN filtering. I can confirm that by connecting a device to ether1/2, it gets assigned to the subnet belonging to VLAN ID 10/20, with no problems with DHCP assignment or internet access.

Now I wanted to add my Unifi AP into the mix. Since the controller was on VLAN 10's subnet, I set it up while connected to ether1. It got adopted and initialized OK. I set up two networks on it with VLANs 10/20 and assigned one SSID to each (main = 10, guest = 20).

Now the tricky part comes: the AP should receive traffic with both VLAN tags to differentiate between the two networks. How could I achieve that? I've tried the following:

Plug it into ether3: it won't reach the controller (understandably; if I plug any other device into ether3 it receives no IP either).

Leave it plugged into ether1: it talks to the controller fine, and the SSIDs are discoverable. I tried to connect a device to the main SSID and it received NO IP.

I tried adding ether1 under both VLANs, untagged: no change. Tried adding the bridge / ether1 as a tagged interface under both VLANs: no change.

Very interesting thing: while it is connected to ether1, if I TURN OFF VLAN FILTERING, all of a sudden traffic starts flowing to and from the AP, and clients on both SSIDs start receiving IPs and gain internet access, however only for a short while. After that, all ports cease to function as expected.

Has anyone tried a similar setup with success? Thank you very much in advance for your assistance.

I ended up figuring it out.

With the AP connected to ether1, I tried adding ether1 under VLAN 20 as tagged (on top of combo1), and suddenly the Guest SSID started working!

Which made me think: could it have to do with the config on the AP side? I then stripped the VLAN designation from the Main SSID's network so that it now sits on the default network (VLAN ID = 1). It almost instantly started working as well.

Lesson learned: I guess that once the VLAN was untagged on the access port, that VLAN's subnet became the AP's de facto "default network", i.e. VLAN ID 1. No point in further trying to track VLAN ID 10. However, other VLAN IDs would need to be tagged for the AP to pick up their packets?

So the end setup looks like this:

Bridge with VLAN filtering on, without further customization.
Bridge ports: set the PVID to the VLAN ID that you want to land on each port.
Bridge VLAN interfaces: set up the ones you desire. Trunk port = always tagged. Untag per the port specifications in the previous step. E.g. if a port has PVID 10 and you want the network device connected to it to further pick up PVID 20, 30, 40…, tag that port under VLAN 20, 30, 40…
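The end setup above, turned into a small model of a RouterOS bridge with VLAN filtering so the forwarding decisions can be checked port by port. This is an added example, not the poster's or MikroTik's own code. Port names and VLAN IDs are the ones from the post; the bridge name "bridge1", PVID 1 on combo1 and ether3, and ingress filtering being enabled on every port are assumptions. The frames pushed through the model are constructed sample traffic, not captures.

```python
# Added example (not the poster's or MikroTik's code): a model of a RouterOS
# bridge with VLAN filtering, loaded with the end setup from the post.
# Assumptions: bridge name "bridge1", PVID 1 on combo1/ether3, and ingress
# filtering active on every port (frames tagged with a VLAN the port is not a
# member of are dropped). All frames below are constructed sample traffic.

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class VlanBridge:
    name: str
    pvid: Dict[str, int]            # port -> PVID given to untagged ingress
    tagged: Dict[int, Set[str]]     # vlan id -> ports that carry it tagged
    untagged: Dict[int, Set[str]]   # vlan id -> ports that carry it untagged

    def members(self, vid: int) -> Set[str]:
        return self.tagged.get(vid, set()) | self.untagged.get(vid, set())

    def forward(self, in_port: str, vid: Optional[int]) -> Dict[str, Optional[int]]:
        """Classify one frame arriving on in_port (vid=None means it arrived
        untagged) and return {out_port: egress_vid} for every port the bridge
        may flood it to; egress_vid None means the tag is stripped.
        An empty dict means ingress filtering dropped the frame.
        Simplification: a VLAN with no table entry has no members at all."""
        if vid is None:
            vid = self.pvid[in_port]          # untagged ingress takes the PVID
        if in_port not in self.members(vid):
            return {}                         # port is not a member of this VLAN
        out: Dict[str, Optional[int]] = {}
        for port in sorted(self.members(vid)):
            if port != in_port:
                out[port] = vid if port in self.tagged.get(vid, set()) else None
        return out

    def routeros_commands(self) -> List[str]:
        """Render the table as RouterOS CLI lines. vlan-filtering is switched
        on last so the management path stays up while the table is built."""
        cmds = [f"/interface bridge add name={self.name}"]
        for port, pvid in sorted(self.pvid.items()):
            cmds.append(f"/interface bridge port add bridge={self.name} "
                        f"interface={port} pvid={pvid}")
        for vid in sorted(set(self.tagged) | set(self.untagged)):
            parts = [f"/interface bridge vlan add bridge={self.name} vlan-ids={vid}"]
            if self.tagged.get(vid):
                parts.append("tagged=" + ",".join(sorted(self.tagged[vid])))
            if self.untagged.get(vid):
                parts.append("untagged=" + ",".join(sorted(self.untagged[vid])))
            cmds.append(" ".join(parts))
        cmds.append(f"/interface bridge set {self.name} vlan-filtering=yes")
        return cmds


# End setup from the post: combo1 = trunk to the router, ether1 = AP (native
# VLAN 10 via PVID, VLAN 20 tagged), ether2 = VLAN 20 access port, ether3 = PVID 1.
final_setup = VlanBridge(
    name="bridge1",
    pvid={"combo1": 1, "ether1": 10, "ether2": 20, "ether3": 1},
    tagged={10: {"combo1"}, 20: {"combo1", "ether1"}},
    untagged={10: {"ether1"}, 20: {"ether2"}},
)


def check_final_setup() -> Dict[str, Dict[str, Optional[int]]]:
    """Push the traffic patterns discussed in the post through the model."""
    return {
        "ap main (untagged on ether1)":       final_setup.forward("ether1", None),
        "ap guest (tag 20 on ether1)":        final_setup.forward("ether1", 20),
        "router to main (tag 10 on combo1)":  final_setup.forward("combo1", 10),
        "router to guest (tag 20 on combo1)": final_setup.forward("combo1", 20),
        "guest port injects tag 10":          final_setup.forward("ether2", 10),
        "ap sends unknown tag 30":            final_setup.forward("ether1", 30),
        "device on ether3":                   final_setup.forward("ether3", None),
    }


if __name__ == "__main__":
    for label, result in check_final_setup().items():
        print(f"{label:38} -> {result or 'dropped'}")
    print()
    print("\n".join(final_setup.routeros_commands()))
```

Two results are worth reading off the model. The AP's untagged frames leave combo1 tagged 10 and its tag-20 frames reach both the trunk and ether2, which is the behaviour the post ends up with. The "guest port injects tag 10" case comes back empty: because ether2 is only a member of VLAN 20, a tagged frame for VLAN 10 from that port is dropped, which is what keeps the guest network out of the main one. That last result depends on the assumption that ingress filtering is active; on a real switch, check the bridge port's `ingress-filtering` and `frame-types` settings rather than relying on the model.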