AP30, 9.400, VLANs, and ESXi - need help

Hi,

For many years I've been using an AP30 with VLANs on my Netgear GS108T 'smart' switch, most recently with UTM 9.355.


I've decided to move the UTM to a new VM server running ESXi 6.0u2, and I've setup a UTM 9.400 system (build from ISO).

Everything is working fine except the AP30... the UTM saw it briefly, but after I configured it, it's listed as 'inactive'.

Configuration:

Netgear:

Port 6: AP30; all VLANs TAGGED (1, 10, 11, 13)

Port 2: ESXi server; all VLANs TAGGED (1, 10, 11, 13)

ESXi: (pic below)

Internet/WAN connection on separate physical NIC3

Each VLAN on separate virtual NIC

I prefer to keep it this way if possible, rather than managing the VLANs in the UTM (that would cause more complications)

UTM:

eth3: VLAN1

eth1: VLAN13 - management network 192.168.11.0/24. AP30 should get its IP here (192.168.11.211)

both of these NICs are in the 'allowed interfaces' for Wireless Protection, although I have also tried one at a time.

The settings for the AP are set for it to use VLAN13.

I can see the BOOTP/DHCP requests from the AP on eth3, but the UTM does not respond. I haven't setup a DHCP server on eth3, but there is one on eth1.


Pics to follow.

Anyone know how I can get this working?
I'm not sure if this is related to https://community.sophos.com/products/unified-threat-management/f/52/t/75751

Thanks!
Barry



  • I'm on 9.401 now; no luck so far.

    I don't think the UTM upgraded the firmware on the AP30; at least I'm not seeing it in wireless.log.

    Barry

  • Looks to me like the AP30 is only going to allow traffic on vlan1. You should move the AP30 into "All vlans" and that way it can be managed with vlan1 and accept any other vlan chucked at it, e.g. vlan13

  • Hi, move the AP30 where?

    In ESXi, the switch, or a setting in the UTM?

    Thanks!

  • You will have to place the AP in an all vlans area. This is normally done on the switch in the same way as you set your vlans. There is a setting in there that does all vlans (4095).

    Now if you think about it, you would normally put a UTM or any other router etc into "all vlans" and then allow the VM to manage the vlans (as you mentioned in your post)

    Basically a trunk port in reality. Looking at your screenshots, your AP will only communicate with vlan1 whereas if you drop it into "all vlans (4095)", the AP will communicate with vlan1 and every other vlan you specify in the AP settings.

    The setting is in the properties of the vswitch and you simply set the virtual machine port group just as you have done by setting them into their own vlan

  • Hi,

    I was hoping not to have to use trunking in the vSwitch, but it seems I can't avoid it.

    I think I will have to setup another interface first for admin access, and delete and reconfigure the UTM's other interfaces.

    Otherwise, I assume I could do 'Bridge to LAN' for the same LAN the AP is on, but no other LANs, right?


    Thanks,

    Barry

  • With vlans, you can never truly get away from trunking. If the device is vlan capable, you will need to use trunking unless you only want to use the one vlan to it. Otherwise you would have to have multiple physical interfaces on it with one vlan per physical port.

    Personally, for your setup, I would have let the UTM manage the vlans as well as the AP. Hope this helps.

  • OK...

    I've decided to forget about the VLANs for WiFi for now...

    1. I've removed VLAN1 from VMware ESXi's vswitches

    2. I've moved the AP30 to a non-VLAN switch, network .211

    3. the AP still showed 'inactive' in the UTM, so I removed it, and reset the wireless settings.

    The AP is not appearing in the UTM anymore, neither in the webadmin, the wireless.log, nor am I seeing it on tcpdump:

    # tcpdump -i eth2 ether host 00:1a:8c:29:77:88
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:28:37.583385 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:29:47.035490 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:30:18.345263 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:32:45.297657 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
    22:33:16.657318 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2

    I'm not sure if the mcast packets are from the AP.

    I'm guessing the AP is still trying to use VLANs; is there some way to reset it?
    edit: yes, the AP is trying to use VLAN1... don't they have a fallback that will work without VLANs?


    Thanks,

    Barry

  • Hi Barry,

    for me it looks like you ran into the vlan fallback issue we introduced with 9.400. This issue basically leads to a misbehaving AP and that is the reason why it is not automatically fixed in 9.401 for you.

    The AP tries to connect over a specific VLAN, after it fails it reboots and tries again over the same VLAN over and over. So to get it back running you need to know which VLAN it tries to connect (the last one which was configured in the Access Point configuration before the AP went inactive). Then you need to provide this VLAN to the AP as a tagged VLAN and also make the UTM able to receive packets from this VLAN, configure the interfaces which belong to this VLAN accordingly (DHCP + allowed interfaces in wireless), then it should come online. After it gets online once it gets the firmware from 9.401 and then you can make the configuration as used before (with the VLAN on the AP as untagged).


    Regards,
    Emanuel

  • Hi Emanuel,

    Let me make sure I understand...

    1. I should get the AP30 hooked back to a UTM running 9.401 on VLAN1 or 13 (both were previously used, but the AP is definitely trying to use VLAN1 at the moment) and the firmware will be updated.

    I will probably use a spare machine for this as I don't want to keep messing with my vSwitch.

    2. Once the firmware is updated, can I move the AP30 back to my virtual system and use the AP30 with NO VLANs?

    i.e. I will NOT be passing VLAN tags (trunking) in ESXi on the vSwitch to the UTM; can the AP30 with latest firmware work without VLANs at all?

    I want to use 'Bridge to LAN' and have a couple non-bridged SSIDs, but I don't need to use 'Bridge to VLAN' anymore.

    Thanks,

    Barry

  • Can anyone confirm if my idea above will work?

    Thanks,

    Barry

  • Hi Barry,

    yes, what you described above will work.

    Regards,
    Emanuel

  • Hi, I setup an old (former UTM) machine as a temp UTM (using the asg-9.401-11.1.ISO) to try to get the AP30 flashed...


    I setup DHCP on the second interface, and plugged the AP30 into a NON-managed/non-VLAN switch with PoE and connected it to the UTM.


    On the UTM, with tcpdump, I can see BOOTP/DHCP packets from the AP30, but I do not see a response from the UTM. Also, nothing shows up in wireless.log other than the startup messages.

    I forgot to check the DHCP log.

    Do I need to RESET the AP30 somehow?


    Thanks,

    Barry

  • Hi Barry,

    on which VLAN do you see the DHCP requests? You can see this by "tcpdump -eni ethX". It is probably 1 or 13, then you need to provide a vlantagged interface on your UTM. This means for example if your AP is plugged into eth4 and the dhcp requests are coming with vlan 13 you need to configure a new vlan interface with hardware eth4 and vlantag 13. For this interface you also need a dhcp server and you need to add it in allowed interfaces under wireless protection.

    Regards,
    Emanuel
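    Working out which VLAN the stuck AP's DHCP requests arrive on (the check Emanuel describes above, and the information needed to recover from the 9.400 fallback issue he explained earlier) can also be done offline on a capture saved with `tcpdump -eni ethX -w`. The following is an added example, not code from this thread or from Sophos: it parses raw Ethernet frames, reads the 802.1Q VID when a tag is present, and counts DHCP client requests per VLAN for the AP's MAC. The frames are constructed samples; the MAC is the one quoted in the thread.

```python
"""Count DHCP client requests per 802.1Q VLAN for one source MAC (added example)."""
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DHCP_SERVER_PORT = 67
AP_MAC = "00:1a:8c:29:77:88"  # AP MAC from the thread


def parse_frame(frame: bytes) -> dict:
    """Return source MAC, VLAN ID (None if untagged) and whether it is a DHCP client request."""
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VID
        offset = 18
    is_dhcp = False
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[offset] & 0x0F) * 4
        if frame[offset + 9] == 17:  # UDP
            _, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
            is_dhcp = dport == DHCP_SERVER_PORT  # client -> server (BOOTP/DHCP request)
    return {"src": src.hex(":"), "vlan": vlan_id, "dhcp": is_dhcp}


def dhcp_vlans_for(frames, mac: str) -> Counter:
    """Map VLAN ID (None = untagged) -> number of DHCP requests seen from `mac`."""
    parsed = (parse_frame(f) for f in frames)
    return Counter(p["vlan"] for p in parsed if p["dhcp"] and p["src"] == mac)


def build_frame(src: str, vlan, dport: int) -> bytes:
    """Construct a minimal broadcast Ethernet/IPv4/UDP frame, optionally 802.1Q tagged."""
    hdr = b"\xff" * 6 + bytes.fromhex(src.replace(":", ""))
    if vlan is None:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, vlan, ETHERTYPE_IPV4)  # priority 0, VID = vlan
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH4s4s", 28, 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    udp = struct.pack("!HHHH", 68, dport, 8, 0)
    return hdr + ip + udp


# Constructed sample capture: two tagged (VLAN 1) and one untagged DHCP request from the AP,
# a DHCP request from another host on VLAN 13, and a non-DHCP packet from the AP.
SAMPLE_FRAMES = [
    build_frame(AP_MAC, 1, 67), build_frame(AP_MAC, 1, 67), build_frame(AP_MAC, None, 67),
    build_frame("aa:bb:cc:dd:ee:ff", 13, 67), build_frame(AP_MAC, 1, 53),
]

if __name__ == "__main__":
    print(dhcp_vlans_for(SAMPLE_FRAMES, AP_MAC))  # Counter({1: 2, None: 1})
```

    A result such as `{1: 2, None: 1}` tells you the AP is still trying VLAN 1, so that is the tag the temporary VLAN interface, DHCP server and wireless "allowed interfaces" entry on the UTM must use.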

  • Hi,

    Previously, I was seeing VLAN tagged packets on VLAN1, and non-tagged BOOTP/DHCP requests as well.

    Last night, I only was looking at untagged packets.

    Are you saying I need to setup the VLANs on the new UTM because I was using VLANs before? 

    Because the docs don't seem to indicate it's necessary for a new setup... which is why I'm asking if I can do a RESET.

    I'm not using a VLAN switch on this temporary UTM, if that matters, and my goal is to get the AP30 to work on my ESXi system with NO VLAN tags needed.

    Thanks!
    Barry

  • BTW, I never had to setup VLAN1 on the UTM previously; the UTM picked up the AP without it.

    Does the 9.400 firmware bug cause it to now be necessary to setup VLAN1 myself?

    Thanks

  • Emanuel, I got it working after adding the VLANs to the temp UTM.

    After the firmware updated, I plugged it into my home network, and (after 4 minutes!) it started appearing in the logs and I was able to get it working with Bridge-to-LAN.

    Do I need to worry about anything else, or will it continue to work without any VLANs from now on?

    Thanks!
    Barry

  • It will continue to run from now on and you don't need to worry about anything else.

    Regards,
    Emanuel