Access Points failing to tag traffic for VLAN 43 - VLAN 33 and 113 work correctly

22 hours ago
Model: OC200  
Hardware Version: V1
Firmware Version: 1.40.18 Build 20260506 Rel.74003 (Stable)

Product: Omada Controller + EAP Access Points + TL-SG1218MPE switch

 

Issue Description:

I have a pfSense firewall/router with multiple VLANs configured. The following VLANs are working correctly:

  • VLAN 33 (Staff network) - Works via SSID "KAOWiFi"

  • VLAN 113 (Guest network) - Works via SSID "KAO-Guest" (Guest mode enabled)

However, VLAN 43 (OfficeIoT) does NOT work on ANY SSID I create.

 

What I have verified:

  1. pfSense configuration is correct - VLAN 43 interface is up (192.168.43.1/24), DHCP server is running with pool 192.168.43.150-199, and static reservations exist

  2. Switch configuration is correct (TL-SG1218MPE):

    • Ports 3 & 4 (connected to APs): VLAN 43 = Tagged, PVID = 1

    • Port 10 (wired device): VLAN 43 = Untagged, PVID = 43

    • Port 1 (connected to pfSense): VLAN 43 = Tagged, PVID = 1

  3. Wired device on VLAN 43 works - A fingerprint device (TA500) on port 10 gets IP 192.168.43.3 successfully

  4. Packet capture on pfSense shows VLAN 43 traffic from the wired device, but NO DHCP discover packets from WiFi clients trying to connect to VLAN 43 SSIDs

  5. I have tried:

    • Creating a brand new SSID (TEST-VLAN43) with VLAN 43

    • Enabling Guest mode on the test SSID

    • Adding an "Allow All" firewall rule on pfSense for VLAN 43

    • Rebooting the Access Points

 

Result: When any device (phone, Smart TV) tries to connect to a VLAN 43 SSID, it fails to obtain an IP address. The device connects to the SSID but never receives a DHCP lease. The same devices connect successfully to VLAN 33 and VLAN 113 SSIDs.

 

Question: Why are my Access Points failing to tag client traffic with VLAN 43 when they correctly tag VLAN 33 and VLAN 113? Is there a known limitation or bug with certain VLAN IDs on Omada APs?

 

Environment

  • Omada Controller version: OC200 1.0 1.40.18 Build 20260506 Rel.74003 (Stable)

  • EAP firmware version: EAP670(EU) v2.0 v1.3.7

  • Switch: TL-SG1218MPE 5.0 1.0.0 Build 20230616 Rel.57668

#1
Re:Access Points failing to tag traffic for VLAN 43 - VLAN 33 and 113 work correctly
15 hours ago

Hi  @tmeita 

 

Thanks for posting here.

We don't have a known issue of this type. To find out the reason, please give us the following info:

1. Screenshots of the pfSense firewall VLAN settings;

2. Screenshots of the switch VLAN settings;

3. Screenshots of the EAP VLAN43 SSID config pages;

 

In the meantime, please test the following and let us know the result:

1. Create a new SSID in VLAN43, without a password and any other advanced settings;

2. Change the VLAN43 ID to another number, such as 100, and let us know the result. This change should be done on the firewall, switch, and EAP.

3. If you don't mind, please forget the EAP and re-adopt it, and see if the same situation persists.

 

#2
Re:Access Points failing to tag traffic for VLAN 43 - VLAN 33 and 113 work correctly
7 hours ago - last edited 7 hours ago

  @Vincent-TP

 

Greetings @Vincent-TP.

Please look at the pictures I included. 

 

1. pfSense Interface Assignments (OfficeIoT VLAN43)

 

 

2. OfficeIoT VLAN43 IP

 

 

3. Office IoT DHCP range pg1 - note that Deny Unknown Clients is set to "Allow known clients from only this interface" (page 2 known clients)

 

 

4. Office IoT DHCP range known devices (reserved IPs at the bottom) pg2. Smart TV1, Smart TV2 and the phone are on KAO-IoT WiFi and they don't get an IP. But the TA500, which is connected via Ethernet, got its IP as reserved.

 

 

5. OfficeIoT Alias - Was to apply the firewall rule to this Alias only but currently I've set the firewall to Allow Any to Any for testing (picture 6)

 

 

6. pfSense Firewall on OfficeIoT VLAN43 Allow Any to Any. The same rule applies to VLAN33, which is my KAOWIFI SSID, and this works.

 

 

7. TL-SG1218MPE 802.1Q VLAN config - note that I have two EAP670 Access Points, both connected to the switch ports below, on ports 3 & 4. Tagged port 1 is my pfSense, ports 3 and 4 are my EAP670 Access Points (whose connected clients didn't get their IPs), and untagged port 10 is my TA500, connected via Ethernet, which got its IP and is working fine.

 

 

8. TL-SG1218MPE 802.1Q PVID Setting - ports 3-4 are the Access Points for both the KAOWIFI SSID on VLAN33, which is working fine, and the KAO-IoT SSID on VLAN43, which doesn't work.

 

 

9. Omada SSID KAO-IoT SSID Setting pg1 - pretty much the same configs as KAOWIFI SSID for VLAN33.

 

 

10. Omada SSID KAO-IoT Setting pg2 - KAO-IoT VLAN ID set to 43.

 

 

Please check my setup/configs above before I test the new suggestion to re-create the SSID in VLAN43 without a password and other Advanced Settings, and then try changing VLAN43 to another number such as 100.

#3
Re:Access Points failing to tag traffic for VLAN 43 - VLAN 33 and 113 work correctly
5 hours ago

  @tmeita 

 

In looking at the 802.1Q VLAN screenshot of your switch configuration, only one VLAN should be untagged on any given port.  The VLAN 1 untagged ports should be 1-6, 9, 11-17.  

1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop 1x EAP772-Outdoor
#4
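
The last reply's rule (a port should be untagged in only one VLAN) can be checked mechanically against an exported 802.1Q table. The sketch below is an added example, not from any poster or from TP-Link: the VLAN 43 memberships and PVIDs are the ones listed in the first post, while the VLAN 1, 33 and 113 rows, the 18-port range and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample table. VLAN 43 rows follow the first post; the
# VLAN 1/33/113 rows and the 18-port range are assumptions for illustration.
VLANS = {
    1:   {"tagged": set(),      "untagged": set(range(1, 19))},
    33:  {"tagged": {1, 3, 4},  "untagged": set()},
    43:  {"tagged": {1, 3, 4},  "untagged": {10}},
    113: {"tagged": {1, 3, 4},  "untagged": set()},
}
PVIDS = {port: 1 for port in range(1, 19)}
PVIDS[10] = 43  # from the first post: port 10 untagged in VLAN 43, PVID 43

def lint(vlans, pvids):
    """Return (port, message) findings for inconsistent 802.1Q membership."""
    untagged = defaultdict(set)  # port -> VLANs where it is untagged
    member = defaultdict(set)    # port -> every VLAN it belongs to
    findings = []
    for vid, m in sorted(vlans.items()):
        for p in sorted(m["tagged"] & m["untagged"]):
            findings.append((p, f"both tagged and untagged in VLAN {vid}"))
        for p in m["untagged"]:
            untagged[p].add(vid)
        for p in m["tagged"] | m["untagged"]:
            member[p].add(vid)
    for p, pvid in sorted(pvids.items()):
        if len(untagged[p]) > 1:
            findings.append((p, f"untagged in multiple VLANs {sorted(untagged[p])}"))
        if pvid not in member[p]:
            findings.append((p, f"PVID {pvid} is a VLAN the port is not a member of"))
        elif untagged[p] and pvid not in untagged[p]:
            findings.append((p, f"PVID {pvid} differs from untagged VLAN {sorted(untagged[p])}"))
    return findings

def keep_pvid_untagged_only(vlans, pvids):
    """Copy of the table where each port stays untagged only in its PVID VLAN."""
    return {vid: {"tagged": set(m["tagged"]),
                  "untagged": {p for p in m["untagged"] if pvids[p] == vid}}
            for vid, m in vlans.items()}

if __name__ == "__main__":
    for port, msg in lint(VLANS, PVIDS):
        print(f"port {port}: {msg}")
    fixed = keep_pvid_untagged_only(VLANS, PVIDS)
    print("after cleanup:", lint(fixed, PVIDS) or "no findings")
```

Stale untagged memberships let a port receive frames from a VLAN it is not meant to be in, so the check doubles as a segmentation audit for the IoT VLAN.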