
AP30, 9.400, VLANs, and ESXi - need help

Hi,

For many years I've been using an AP30 with VLANs on my Netgear GS108T 'smart' switch, most recently with UTM 9.355.


I've decided to move the UTM to a new VM server running ESXi 6.0u2, and I've set up a UTM 9.400 system (built from ISO).

Everything is working fine except the AP30... the UTM saw it briefly, but after I configured it, it's listed as 'inactive'.

Configuration:

Netgear:

Port 6: AP30; all VLANs TAGGED (1, 10, 11, 13)

Port 2: ESXi server; all VLANs TAGGED (1, 10, 11, 13)

ESXi: (pic below)

Internet/WAN connection on separate physical NIC3

Each VLAN on separate virtual NIC

I prefer to keep it this way if possible, rather than managing the VLANs in the UTM (that would cause more complications)

UTM:

eth3: VLAN1

eth1: VLAN13 - management network 192.168.11.0/24. The AP30 should get its IP here (192.168.11.211)

Both of these NICs are in the 'allowed interfaces' for Wireless Protection, although I have also tried one at a time.

The settings for the AP are set for it to use VLAN13.

I can see the BOOTP/DHCP requests from the AP on eth3, but the UTM does not respond. I haven't set up a DHCP server on eth3, but there is one on eth1.


Pics to follow.

Anyone know how I can get this working?
I'm not sure if this is related to https://community.sophos.com/products/unified-threat-management/f/52/t/75751

Thanks!
Barry



  • Looks to me like the AP30 is only going to allow traffic on VLAN1. You should move the AP30 into "All VLANs" and that way it can be managed with VLAN1 and accept any other VLAN chucked at it, e.g. VLAN13.

  • Hi, move the AP30 where?

    In ESXi, the switch, or a setting in the UTM?

    Thanks!

  • You will have to place the AP in an "all VLANs" area. This is normally done on the switch in the same way as you set your VLANs. There is a setting in there that does all VLANs (4095).

    Now if you think about it, you would normally put a UTM or any other router etc. into "all VLANs" and then allow the VM to manage the VLANs (as you mentioned in your post).

    Basically a trunk port, in reality. Looking at your screenshots, your AP will only communicate with VLAN1, whereas if you drop it into "all VLANs" (4095), the AP will communicate with VLAN1 and every other VLAN you specify in the AP settings.

    The setting is in the properties of the vSwitch, and you simply set the virtual machine port group just as you have done by setting them into their own VLAN.

  • Hi,

    I was hoping not to have to use trunking in the vSwitch, but it seems I can't avoid it.

    I think I will have to set up another interface first for admin access, and delete and reconfigure the UTM's other interfaces.

    Otherwise, I assume I could do 'Bridge to LAN' for the same LAN the AP is on, but no other LANs, right?


    Thanks,

    Barry

  • With VLANs, you can never truly get away from trunking. If the device is VLAN capable, you will need to use trunking unless you only want to use the one VLAN to it. Otherwise you would have to have multiple physical interfaces on it with one VLAN per physical port.

    Personally, for your setup, I would have let the UTM manage the vlans as well as the AP. Hope this helps.

  • OK...

    I've decided to forget about the VLANs for WiFi for now...

    1. I've removed VLAN1 from VMware ESXi's vSwitches.

    2. I've moved the AP30 to a non-VLAN switch, network .211.

    3. The AP still showed 'inactive' in the UTM, so I removed it and reset the wireless settings.

    The AP is not appearing in the UTM anymore, neither in the WebAdmin nor in the wireless.log, nor am I seeing it on tcpdump:

    # tcpdump -i eth2 ether host 00:1a:8c:29:77:88
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:28:37.583385 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:29:47.035490 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:30:18.345263 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:32:45.297657 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:33:16.657318 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2

    I'm not sure if the mcast packets are from the AP.

    I'm guessing the AP is still trying to use VLANs; is there some way to reset it?
    Edit: yes, the AP is trying to use VLAN1... don't they have a fallback that will work without VLANs?


    Thanks,

    Barry

  • Hi Barry,

    For me it looks like you ran into the VLAN fallback issue we introduced with 9.400. This issue basically leads to a misbehaving AP, and that is the reason why it is not automatically fixed in 9.401 for you.

    The AP tries to connect over a specific VLAN; after it fails, it reboots and tries again over the same VLAN, over and over. So to get it back running you need to know which VLAN it tries to connect over (the last one which was configured in the Access Point configuration before the AP went inactive). Then you need to provide this VLAN to the AP as a tagged VLAN and also make the UTM able to receive packets from this VLAN; configure the interfaces which belong to this VLAN accordingly (DHCP + allowed interfaces in wireless), and then it should come online. Once it gets online, it gets the firmware from 9.401, and then you can make the configuration as used before (with the VLAN on the AP as untagged).


    Regards,
    Emanuel
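A quick way to find the VLAN the AP is stuck on, as an added example that is not part of this thread: parse `tcpdump -e -nn` output (the sample lines below are constructed in the format tcpdump prints 802.1Q-tagged frames, not the thread's own capture) and count the AP's BOOTP/DHCP requests per VLAN tag. The MAC is the one from Barry's tcpdump filter above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -nn -i eth3` output: one untagged IGMP
# query from another host plus three 802.1Q-tagged BOOTP requests from the AP.
SAMPLE_CAPTURE = """\
22:28:37.583385 00:0c:29:aa:bb:cc > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: 0.0.0.0 > 224.0.0.1: igmp query v2
22:28:40.112001 00:1a:8c:29:77:88 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 1, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:8c:29:77:88, length 300
22:28:44.220117 00:1a:8c:29:77:88 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 1, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:8c:29:77:88, length 300
22:29:01.005533 00:1a:8c:29:77:88 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 1, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:8c:29:77:88, length 300
"""

AP_MAC = "00:1a:8c:29:77:88"  # AP30 MAC from the thread's tcpdump filter

# Matches the link-layer header tcpdump -e prints, with an optional 802.1Q part.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[0-9a-f:]{17}) > \S+, ethertype (?P<etype>802\.1Q|IPv4)"
    r"(?: \(0x[0-9a-f]+\))?, length \d+:(?: vlan (?P<vlan>\d+), p \d+, ethertype IPv4,)?"
    r"\s*(?P<rest>.*)$",
    re.IGNORECASE,
)


def dhcp_vlans_from_ap(capture: str, ap_mac: str = AP_MAC) -> Counter:
    """Count BOOTP/DHCP requests from ap_mac per VLAN tag ('untagged' if no 802.1Q header)."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src").lower() != ap_mac.lower():
            continue
        if "BOOTP/DHCP" not in m.group("rest"):
            continue
        counts[m.group("vlan") or "untagged"] += 1
    return counts


def stuck_vlan(capture: str, ap_mac: str = AP_MAC):
    """Return the VLAN id the AP keeps requesting on, or None if only untagged requests were seen."""
    tagged = {v: n for v, n in dhcp_vlans_from_ap(capture, ap_mac).items() if v != "untagged"}
    return max(tagged, key=tagged.get) if tagged else None


if __name__ == "__main__":
    print(dhcp_vlans_from_ap(SAMPLE_CAPTURE))
    print("AP is requesting DHCP on VLAN", stuck_vlan(SAMPLE_CAPTURE))
```

The VLAN id reported is the one to present tagged to the AP and to make the UTM listen on, per Emanuel's steps; if only "untagged" shows up, the AP is not using a VLAN at all.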

  • Hi Emanuel,

    Let me make sure I understand...

    1. I should get the AP30 hooked back to a UTM running 9.401 on VLAN1 or 13 (both were previously used, but the AP is definitely trying to use VLAN1 at the moment) and the firmware will be updated.

    I will probably use a spare machine for this as I don't want to keep messing with my vSwitch.

    2. Once the firmware is updated, can I move the AP30 back to my virtual system and use the AP30 with NO VLANs?

    i.e. I will NOT be passing VLAN tags (trunking) in ESXi on the vSwitch to the UTM; can the AP30 with latest firmware work without VLANs at all?

    I want to use 'Bridge to LAN' and have a couple non-bridged SSIDs, but I don't need to use 'Bridge to VLAN' anymore.

    Thanks,

    Barry

  • Can anyone confirm if my idea above will work?

    Thanks,

    Barry

  • Hi Barry,

    Yes, what you described above will work.

    Regards,
    Emanuel