I am trying to segregate devices in my home network with 2 different VLANs: HOME and IOT. I have the following network devices:
- 1 cable modem
- 1 OPNsense router with WAN, LAN and OPT1 ports
- 1 Netgear MS108EUP managed switch with 8 ports
- 1 Netgear WAX630E VLAN capable access point
This is how the wired connections are laid out:
- Port WAN of OPNsense is connected to the cable modem.
- Port 1 of the switch is connected to the Netgear AP.
- Port 2 of the switch is connected to OPNsense OPT1 port.
- Port 3 of the switch is connected to OPNsense LAN port.
- Port 4 of the switch is connected to a Windows PC.
- Port 5 of the switch is connected to a wired IP camera.
Here's a diagram I created to help visualize the network layout
In OPNsense, I have created the following VLANs:
- vlan02[HOME], tag 2, assigned to OPT1 port.
- vlan03[IOT], tag 3, assigned to OPT1 port.
DHCP is enabled in the LAN and both VLANS, as follows:
LAN:
- Subnet: 192.168.1.0
- Gateway: 192.168.1.1
- Range: 192.168.1.100 - 192.168.1.254
HOME:
- Subnet: 192.168.2.0
- Gateway: 192.168.2.1
- Range: 192.168.2.100 - 192.168.2.254
IOT:
- Subnet: 192.168.3.0
- Gateway: 192.168.3.1
- Range: 192.168.3.100 - 192.168.3.254
In OPNsense, I have created firewall rules to allow:
- LAN: Access to the internet and all VLANS.
- HOME: Access to the internet and IOT VLAN.
- IOT: Access to the internet only.
In the switch, I have configured VLANs and ports as follows using Advanced 802.1Q VLAN:
- VLAN ID 1 (Default): all ports Untagged.
- VLAN ID 2 (HOME): Ports 1 and 2 are tagged. All others Excluded.
- VLAN ID 3 (IOT): Ports 1 and 2 are tagged. Port 5 untagged. All others excluded.
In the PVID table of the switch, all ports have ID 1, except for port 5, which has ID 3.
In the Access Point, I have created 3 SSIDs:
SSID1:
- Name: admin
- VLAN ID: 1
SSID2:
- Name: home
- VLAN ID: 2
SSID3:
- Name: iot
- VLAN ID: 3
To the SSID2, I have a Windows laptop connected. To the SSID3, I have a Wi-Fi IP camera connected.
All of this seem to work fine for the most part. All devices get assigned to their respective VLAN, with correct DHCP assignments and they all can access the internet. Also, any inter VLAN communication between wired and wi-fi devices (where firewall rules allow) work correctly. For example, I am able to connect to the IOT Wired IP camera from the HOME Wi-fi laptop and likewise I am able to connect to the IOT Wi-Fi camera from the LAN Wired PC desktop. Inter VLAN wired to wired communication also works fine (again, where firewall rules allow).
The issue only arises when I attempt a connection between Wi-Fi devices in different VLANS. If I try to access the Wi-fi IOT camera from the Wi-Fi HOME laptop, the connection cannot be established.
In an attempt to troubleshoot the issue, I connected a linux laptop running an Nginx webserver to the Wi-Fi SSID3 (IOT VLAN). In this laptop, I run tcpstat to show me incoming and outgoing connections. When I try to access the home page hosted in the linux laptop from the SSID2 (HOME VLAN) Windows laptop, the page never loads. tcpstat shows the incoming connection from the Windows laptop, however it stays stuck in SYN_RECV and never reaches ESTABLISHED. Accessing the page from the Wired Windows PC works just fine.
At this point I am at a loss why there is this seemingly inter-VLAN routing issue when both devices are Wi-Fi, but they work correctly when at least one device is wired. Any tips or insights here are highly appreciated.
PS: both AP and the switch are running the latest firmware versions from Netgear.
