Cannot easily create WiFi SSID with my VLANs config (multiple ports on FWG)
Background:
Just received my Firewalla AP7 (Ceiling model) yesterday. Today I hooked it up to my Linksys/Cisco 26 port POE+ switch, setting the port with the same VLAN settings as my current ancient Cisco Aeronet AP. Basically, port is set to Trunk, and the Management VLAN is Untagged (so untagged traffic is tagged to VLAN10), while other VLANs (Computers, Guest Net, IoT, and TVs) are tagged.
The Firewalla Gold is connected to two ports on the 26-port switch, both ports are set as Trunk, but one port supports tagged traffic for VLANs from Computers and a Guest Net, while the other port supports tagged traffic for VLANs from IoT Devices and TVs. Both ports also have Untagged, and set this to Management VLAN. This was split as I was playing around with an inline firewall for the IoT/TVs checking packets between the switch at the router (that inline firewall was removed when I got the Firewalla Gold last week).
When installing the Firewalla Gold, I created Networks for each VLAN (Computers, Guests, IoT, TVs). For Port 1, this was associated with Computer and Guests, while Port 2 is IoT and TVs. The Management network doesn't have a VLAN as that port is marked untagged on the switch, and I associated this with Ports 1, 2 and 3 (3 as a diagnostic port if I need to hook in a laptop).
The problem:
For the AP7, I cannot create SSIDs on my Computers or Guests network. They are greyed out with a message "Firewalla AP7 WiFi can only be created on networks that use the same ports as the LAN access points are wired to". At first, I could only create SSIDs on the Management network.
A solution?
I temporarily associated the Management network with just Port 1 & 2, and after doing this, I could now create SSIDs on Management, IoT and TV Networks. So I continued and associated all networks to Port 1 on the Firewalla, and the AP was able to create SSIDs on the "Computers" Network.
I then reconfigured Port 2 &3 back to IoT and TVs, and the Management Monitoring Port. This seems to "stick" (i.e. it works)
Cause?
Perhaps something in the app is not properly selecting what port the AP7 traces back to from a switch that has two ports connected to the Firewalla Gold, if two (or more) ports share a Management VLAN that is Untagged from the switch?
-
Can't create Wi-Fi on certain networks
- When creating Wi-Fi, the app will ask you to pick a network. Please note that Firewalla Wi-Fi can only be created on networks using the same ports as the LAN the AP7 is wired to.
- For example, if you have three networks—LAN 1 on Port 1, and LAN 2 and LAN 3 on both Port 2 and Port 3—with the AP7 wired to Port 2 via Ethernet, then Wi-Fi can only be created on LAN 2 and LAN 3, not LAN 1.
- If you want to create Wi-Fi on LAN 1, try editing your network to make LAN 1 use Port 2 and Port 3 as well, with a VLAN ID.
More on this here https://help.firewalla.com/hc/en-us/articles/35673830268691-Firewalla-Access-Point-7-Troubleshooting-Guide#01JKHQBKCTYS00CYGG9MA5ER7D
-
Hello, thank you for your reply!
The issue is that the AP7 is on a network that is associated with two (or more) ports already.
AP7 --> Managed Switch Port 1 (Trunk, VLAN10 Untagged, VLAN11,12,13,14 Tagged)
| |
FWG Port 1 (VLAN10 Untagged, VLAN11,12 Tagged) Firewalla Port 2 (VLAN10 Untagged, VLAN13,14 Tagged)
On network settings, Management Network (no VLAN, it is using Untagged VLAN10) is associate with both Port 1, Port 2, & Port 3. Computers (VLAN11) and Guests (VLAN12) is associate with Port 1, while IoT and TVs associate with Port 2. Port 3 is dark (disconnected Management port for troubleshooting).
As the Trunk Port for the AP7 is associated with all VLANs, technically, it should be compliant with the msg: Please note that Firewalla Wi-Fi can only be created on networks using the same ports (I note the plural, ports as in more than one) as the LAN the AP7 is wired to. As it is connected to Management VLAN under Port 1, Port 2, and Port 3 of FWG, Port 1 of Computers/Guests, and Port 2 of IoT and TVs.
But it seems that the SSID creation rules in the app doesn't detect what Networks it can add to automatically - as mentioned above, first it only allowed SSIDs to be created on the Management Network alone (which is Port 3), then when I removed Management Port from Port 3 (so no network is using Port 3), it allowed SSIDs to be created for Networks on Port 2 (Management, IoT, and TVs Networks). Then when I collapse everything to Port 1 only, it finally allowed SSIDs to be created for Computers and Guests (which is what I wanted to create). Then by changing networks back to the original ports (Port 1 = Computers, Guests, Management; Port 2 = IoT, TVs, Management; Port 3 = Management) the SSIDs created on the AP7 remained associated with the correct Computers and Guests network.
I was guessing this might be a bug in the software code, as the behavior sounds similar to a rule/conditional issue that I created (and fixed) in some code I wrote a while ago on a software project, especially as it only added from the highest number port (Port 3) and worked down to Port 1, as if the code was in "for loop" with the highest value found before breaking out of the loop.
-
Experienced a similar problem after introducing my new AP7s to my network and then setting up VLANs with a managed switch. Gold pro is linked to switch port 1, one AP7 is liked to switch port 2 and the other AP7 is linked to switch port 3, all set as trunk ports. Had same message when trying to associate existing SSIDs with Vlans "Firewalla AP7 WiFi can only be created on networks that use the same ports as the LAN access points are wired to".
Thought it was a problem with the Firewalla switch interfaces, but cause was simpler than that. I previously used all 4 Frewalla gold pro ports, but now port 4 is linked to the WAN and port 1 is linked to the switch. Setting port 2 and port 3 to no longer connect to lan1 solves the problem. i can now associate the SSIDs to the appropriate VLAn.
-
@David, when WiFi is first activated on one LAN, the WiFi interface will be grouped with other Ethernet ports in this LAN network.
If you need to enable WiFi on another network, new network must use the same set of Ethernet ports as the first network.
Another solution for you is to enable ports 2 and 3 in all other VLAN networks. Devices without a VLAN tag behind those two ports won't be divided into VLAN networks.
Please sign in to leave a comment.
Comments
4 comments