Int/Ext Wifi Access Points, Multiple VLAN, Single Interface

I'm trying to configure the following:

Multiple WLANs with specific VLANs configured for internal/Trusted and guest/Optional on 3rd-party access points (VLAN A & VLAN B)

I've configured on the Watchguard:

  1. Single interface receiving traffic from a PoE switch for the 3rd-party access points
  2. Interface configured as type VLAN and accepting traffic for tagged VLAN A & VLAN B
  3. DHCP set up to assign appropriate IP addresses from two different subnets
  4. Policies set to allow outbound TCP/UDP from Any-Trusted & Any-Internal

However, the minute the policy is saved, all traffic from the access points is immediately denied and they lose contact with the cloud controller.

Reverting the interface to just Optional resumes traffic.

Am I missing a step here?


  •

    What is the deny?
    Please post a sample deny log message.

  •

    Hi Bruce,

    I've reversed the settings for now, but it's the standard Deny/Unhandled Packet message for that interface.

    I'll do some more testing this weekend when staff are out of the office.

  •

    Check the Zone specified on your VLAN settings and verify that your policies match those zone settings.

  •

    I did set up as:

    Interface: VLAN

    VLAN-A (Trusted)
    VLAN-B (Optional)

    Outbound (Any-Trusted, Any-Optional)

    and also tried adding VLAN-A and VLAN-B explicitly to the Outbound rule.

    These are current Aruba access points set up through Aruba Central with the respective WLANs configured for VLAN-A and VLAN-B IDs.

    I have a similar setup with a LAG connection coming from my virtual hosts with a couple of VLANs coming through the interface (using LAG type).

    I didn't set anything for "Send and Receive untagged traffic" as it should be listening for VLAN-A and VLAN-B tagged traffic. Is this not the right setup?

  •

    Nothing seems wrong with your settings.

    An actual deny log message may help sort this out.

    I have APs with 4 VLANs, and for 3 different Zones.
    1 AP has the 4 VLANs going to a single firewall interface, all tagged.
    A 2nd AP has a tagged and an untagged VLAN going to a different firewall interface.

  •


    I made one change on the Interface settings:

    Send & receive tagged traffic for the selected VLAN: VLAN-A (internal)

    Send and receive untagged traffic for selected VLAN: VLAN-B (external); on the access point, this WLAN is designated "native VLAN" with no VLAN ID.

    which lets the external Wifi network function as previously (guest network, outbound traffic only, DHCP served up from the Watchguard). Logging does show that traffic is on VLAN-B and properly allocated to an Optional network.

    However, connecting to the internal WLAN, nothing seems to be passing traffic; possibly an issue with the VLAN-tagged traffic?

  •

    Seems to be an inconsistency on tag settings on the AP, switch ports & firewall.

    The change seems to indicate that the VLAN-B setting on the AP was not set to tag?

    Review those settings on the switch ports.

    What brand/model PoE switch do you have?

  •

    I'm using an existing POE switch (Unifi) so it might be something to do with the way the switch is managed; even though a "profile" with the tagged VLANs has been applied, I'm not convinced it's properly passing the tags.

    Will get a more standard managed POE+ switch that doesn't require an app to manage.

  • james.carson, Moderator, WatchGuard Representative

    If you have a spare port on the WatchGuard, and another way to power a test AP, you can try tagging the VLANs as you expect on the WG firewall and plug directly in.

    -James Carson
    WatchGuard Customer Support

  •

    I think the original POE switch wasn't properly recognizing the VLAN setup; installed a proper managed POE switch and at least the Watchguard now sees traffic on the two configured VLANs (internal and guest).

    I thought Trusted interfaces allowed traffic to pass freely between each other though; looks like I have to set up additional policy to pass traffic between original internal VLAN and the new wireless internal VLAN.

    Off to do some more testing!

  • james.carson, Moderator, WatchGuard Representative

    No, "Trusted" and "Optional" are just aliases that you can use in policies. The default policies that the firewall builds only handle outbound traffic. You need to make any rules that handle traffic between networks. If you want to allow any type of traffic between trusted networks, you can create an "any" packet filter from "any-trusted" to "any-trusted" to handle that traffic for you.

    "Trusted" simply adds that interface to the "Any-Trusted" alias, as does "Optional" to "Any-Optional". "Custom" doesn't add the interface to any alias. "External" adds the interface to the "Any-External" alias, but also invokes the default NAT rules in Network -> NAT.

    -James Carson
    WatchGuard Customer Support
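An added example, not code from the thread or from WatchGuard, modelling the two points the replies converge on: a VLAN must be carried the same way (tagged or untagged/native) on the AP WLAN, the switch port profile and the firewall VLAN interface, and zones are only alias membership with outbound-only default policies, so inter-VLAN traffic needs an explicit policy. All VLAN, interface and policy names are constructed.

```python
# Added example, not from the thread: a small model of the two things the
# replies converge on. (1) A VLAN must be sent the same way (tagged vs
# untagged/native) on the AP WLAN, the switch port profile and the firewall
# VLAN interface, or the firewall logs "Deny/Unhandled Packet". (2) WatchGuard
# zones are only alias membership; default policies are outbound-only, so
# inter-VLAN traffic needs an explicit policy. All names below are constructed.

# Per-hop tagging for each WLAN. The guest WLAN is set as the AP's native VLAN,
# so it leaves the AP untagged, as described in the thread.
AP_WLANS = {"Internal-WiFi": ("VLAN-A", "tagged"),
            "Guest-WiFi": ("VLAN-B", "untagged")}
SWITCH_PORT = {"VLAN-A": "tagged", "VLAN-B": "tagged"}      # switch profile tags both
FW_INTERFACE = {"VLAN-A": "tagged", "VLAN-B": "untagged"}   # firewall after the change

def tagging_mismatches(ap, switch, fw):
    """Return (wlan, vlan, per_hop_modes) for every VLAN not treated the same on all hops."""
    problems = []
    for wlan, (vlan, ap_mode) in ap.items():
        modes = {"AP": ap_mode, "switch": switch.get(vlan), "firewall": fw.get(vlan)}
        if len(set(modes.values())) > 1:
            problems.append((wlan, vlan, modes))
    return problems

# Interface -> zone, and zone -> the alias it adds the interface to ("Custom" adds none).
ZONES = {"LAN": "Trusted", "VLAN-A": "Trusted", "VLAN-B": "Optional", "WAN": "External"}
ALIASES = {"Trusted": "Any-Trusted", "Optional": "Any-Optional", "External": "Any-External"}

def alias_members(alias, zones):
    return {iface for iface, zone in zones.items() if ALIASES.get(zone) == alias}

def allowed(src, dst, policies, zones):
    """True if some (From, To) policy matches; entries may be aliases or interface names."""
    for frm, to in policies:
        if src == frm or src in alias_members(frm, zones):
            if dst == to or dst in alias_members(to, zones):
                return True
    return False

# The only policies the firewall builds by default: outbound to the external zone.
DEFAULT_POLICIES = [("Any-Trusted", "Any-External"), ("Any-Optional", "Any-External")]

if __name__ == "__main__":
    for wlan, vlan, modes in tagging_mismatches(AP_WLANS, SWITCH_PORT, FW_INTERFACE):
        print(f"{wlan} ({vlan}) tagging differs per hop: {modes}")
    print("VLAN-A -> LAN with defaults:", allowed("VLAN-A", "LAN", DEFAULT_POLICIES, ZONES))
    with_lateral = DEFAULT_POLICIES + [("Any-Trusted", "Any-Trusted")]
    print("VLAN-A -> LAN with Any-Trusted policy:", allowed("VLAN-A", "LAN", with_lateral, ZONES))
```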
