Sunday, December 31, 2017

Trouble with simple VLAN on Watchguard Firebox+AP and HP switch.

I'm a system admin with some network experience and recently became the top/main tech at my small MSP so now I'll need to know and do it all, and VLANs have been a weak area for me since we have so few clients that require them. Trying to VLAN the guest wireless straight out to the internet but it's not passing traffic to the router/firewall and not getting DHCP. Everything else on the main network works fine so far. This is about as simple as it should get as far as VLANs go, but it has me stumped and I couldn't even get a resolution from my thread over on Spiceworks.


This client is set up with a Watchguard M200 router/firewall, Watchguard AP300 access point, and an HPE 1920-48G-PoE+ switch. The goal here was to have the default VLAN1 = corp/lan, and VLAN10 = guest wifi. The AP is plugged in to port 45 of the switch, and port 1 of the switch is plugged in to the Watchguard.


On the Watchguard I have VLAN1 set as trusted and untagged on interfaces 1-7 and DHCP Server enabled, VLAN10 set as optional and tagged on interfaces 1-7 and DHCP server enabled, Any-Optional removed from all firewall policies except Outbound and Gateway Wireless Controller, Corp SSID VLAN Tagging not enabled (should use VLAN1 by default), Guest SSID VLAN Tagging enabled for VLAN10.


On the switch I have Port 1 set as 1U/10T/PVID1/Trunk and Port 45 set as 1U/10T/PVID1/Hybrid. I have also tried Port 1 as hybrid, and Port 45 untagged for 10, same issue of no traffic or DHCP on guest wireless. Can't get a valid IP configuration when connected to guest SSID and no traffic gets back to the M200. Also noticed that if you're connected to Corp SSID you don't see the guest SSID until you disconnect from corp first or you disable VLAN tagging on guest SSID... not really a problem, but found it odd.


I've searched Google, asked on Spiceworks, etc. and don't have any solution yet. I've even had several of the higher level engineers at Watchguard look over the M200 and AP300 settings and they say it must be the switch. Unfortunately they don't know switches so they had little advice for me there.


Any ideas? I'd very much like to better understand what's happening here and why so I can learn from it.
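The port settings from the post, traced through a minimal model of 802.1Q ingress and egress rules, as an added example that is not part of the original post. It assumes the AP sends guest-SSID frames tagged VLAN 10 and corp frames untagged, and reads "1U/10T/PVID1" as VLAN 1 untagged, VLAN 10 tagged, PVID 1.

```python
# Added example: generic 802.1Q port model, not vendor code. Port memberships
# below are the ones the post describes (assumptions noted in the lead-in).
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int
    tagged: frozenset = field(default_factory=frozenset)
    untagged: frozenset = field(default_factory=frozenset)

    def ingress(self, vid):
        """VLAN a received frame is classified into, or None if dropped.
        vid=None means the frame arrived untagged (classified by PVID)."""
        if vid is None:
            return self.pvid
        return vid if vid in self.tagged | self.untagged else None

    def egress(self, vlan):
        """How a frame in `vlan` leaves this port: 'tagged', 'untagged',
        or None when the port is not a member of that VLAN."""
        if vlan in self.tagged:
            return "tagged"
        if vlan in self.untagged:
            return "untagged"
        return None


def trace(src, dst, vid):
    """Follow one frame from src to dst; returns (result, vlan)."""
    vlan = src.ingress(vid)
    if vlan is None:
        return ("dropped on ingress", None)
    how = dst.egress(vlan)
    return (how or "no egress in VLAN %d" % vlan, vlan)


# As described: port 1 trunk 1U/10T/PVID1, port 45 hybrid 1U/10T/PVID1
port1 = Port("1", pvid=1, tagged=frozenset({10}), untagged=frozenset({1}))
port45 = Port("45", pvid=1, tagged=frozenset({10}), untagged=frozenset({1}))
# Variant also tried: port 45 untagged for VLAN 10 (PVID still 1)
port45_alt = Port("45", pvid=1, untagged=frozenset({1, 10}))


def guest_path(ap_port):
    """Guest DHCP discover (tagged 10) from the AP toward port 1, and the
    reply coming back; the AP only maps a *tagged* 10 reply to the guest SSID."""
    return trace(ap_port, port1, 10), trace(port1, ap_port, 10)
```

With the described config both directions stay tagged 10 at the switch, so the model alone does not explain the failure; with VLAN 10 untagged on port 45 the reply leaves untagged, which an AP expecting a tagged guest VLAN would not hand to the guest SSID.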
