I have a firewall (Pfsense). I have a managed switch (TP-Link TL-SG108E). I have a wireless access point (TP-Link TL-WA801ND).
The firewall (Pfsense) has one Ethernet port with four sub-interfaces:
- em0.10 disabled - will be DHCP client after testing
- em0.20 192.168.0.1/25 (Network 192.168.0.0/25 [126 host addresses])
- em0.30 192.168.0.129/25 (Network 192.168.0.128/25 [126 host addresses])
- em0.40 disabled - will be 10.0.0.1/30 (Network 10.0.0.0/30 [2 host addresses]) after testing
The managed switch (TL-SG108E) is configured to operate on 4 corresponding 802.1Q VLANs:
- VLAN 10 (INTERNET)
- VLAN 20 (PRIVATE)
- VLAN 30 (GUEST)
- VLAN 40 (PUBLIC)
The wireless access point (TL-WA801ND) is set to Multi-SSID mode with VLANs enabled. There are two SSIDs configured:
- SSID-Private - VLAN 20
- SSID-Guest - VLAN 30
Here is a list of hardware plugged into the 8-port managed switch (TL-SG108E):
- unplugged - will plug in modem after testing
- Firewall (Pfsense)
- Wireless access point (TL-WA801ND)
- Router with successful Internet connection
- PRIVATE vlan hosts
- PRIVATE vlan hosts
- PRIVATE vlan hosts
- unplugged - will plug in web server after testing
Here are the VLAN settings for each of the ports on the managed switch (TL-SG108E):
- PVID 10 | VLANs: [10-untagged]
- TRUNK - PVID 1 | VLANs: [10-tagged], [20-tagged], [30-tagged], [40-tagged]
- TRUNK - PVID 1 | VLANs: [20-tagged, 30-tagged]
- PVID 20 | VLANs: [20-untagged]
- PVID 20 | VLANs: [20-untagged]
- PVID 20 | VLANs: [20-untagged]
- PVID 20 | VLANs: [20-untagged]
- PVID 40 | VLANs: [10-untagged]
Firewall rules have been set to allow all traffic among all interfaces for testing. I'll lock it down after I figure out how to enable Internet access to my guest SSID.
The hosts on the private network (VLAN 20, 192.168.0.0/25) have Internet access and hosts on the guest network (VLAN 30, 192.168.0.128/25) do not. The Internet-facing router is providing DHCP addresses ending in 50-99 to the private subnet, and the firewall (Pfsense) is providing DHCP addresses ending in 150-199 to the guest subnet.
I guess it could be NAT, firewall rules, DNS, or something else, but I'm thinking it's probably a misconfiguration on my managed switch. I'm not sure, though.
Are there any experts in the house?
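As an added example (not part of the question above), here is a small Python audit of the switch port table exactly as posted: it flags a port whose PVID is not among its untagged VLANs, a VLAN present on the switch with no enabled pfSense sub-interface, and an SSID VLAN missing from either trunk. Port numbers 1-8 following the order of the two lists is an assumption.

```python
# Added example: consistency audit of the 802.1Q port table described in the question.
# Port/device data is transcribed from the post; numbering ports 1-8 in list order is
# an assumption. pfSense VLANs 10 and 40 are listed as disabled in the post.

PORTS = {  # port: (pvid, tagged VLANs, untagged VLANs, attached device)
    1: (10, set(), {10}, "modem (unplugged)"),
    2: (1, {10, 20, 30, 40}, set(), "pfSense firewall"),
    3: (1, {20, 30}, set(), "TL-WA801ND access point"),
    4: (20, set(), {20}, "Internet router"),
    5: (20, set(), {20}, "private host"),
    6: (20, set(), {20}, "private host"),
    7: (20, set(), {20}, "private host"),
    8: (40, set(), {10}, "web server (unplugged)"),
}
FIREWALL_VLANS = {10: False, 20: True, 30: True, 40: False}  # VLAN -> sub-interface enabled
AP_SSID_VLANS = {"SSID-Private": 20, "SSID-Guest": 30}
AP_PORT, FIREWALL_PORT = 3, 2


def audit(ports=PORTS, fw=FIREWALL_VLANS, ssids=AP_SSID_VLANS):
    """Return a list of findings; an empty list means the table is self-consistent."""
    findings = []
    for port, (pvid, tagged, untagged, device) in ports.items():
        # Untagged ingress frames land in the PVID, so an access port must also be an
        # untagged member of that VLAN. PVID 1 on the trunks is the switch's default
        # VLAN and is left out of this check.
        if pvid != 1 and pvid not in untagged:
            findings.append(f"port {port} ({device}): PVID {pvid} but untagged member of {sorted(untagged)}")
        # Every VLAN reaching the switch needs an enabled routed interface to leave it.
        for vlan in sorted(tagged | untagged):
            if not fw.get(vlan, False):
                findings.append(f"port {port} ({device}): VLAN {vlan} has no enabled firewall interface")
    _, ap_tagged, _, _ = ports[AP_PORT]
    _, fw_tagged, _, _ = ports[FIREWALL_PORT]
    for ssid, vlan in ssids.items():
        # An SSID's VLAN must be tagged on both the AP trunk and the firewall trunk.
        if vlan not in ap_tagged:
            findings.append(f"{ssid}: VLAN {vlan} not tagged on AP port {AP_PORT}")
        if vlan not in fw_tagged:
            findings.append(f"{ssid}: VLAN {vlan} not tagged on firewall port {FIREWALL_PORT}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Run as-is it reports the table's own inconsistencies; pass a corrected table and enabled-interface map to confirm they clear.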