IT troubleshooting: always come back to the basics!
or how I lost 1/2 day trying to fix something that was obvious.
(I'll write a more detailed blog post on this setup, since it's of interest and the articles I found were not matching exactly what I wanted to do.)
The requirement
Long story short: I wanted to isolate my "IoT devices" (think IP cameras, Raspberry Pi used for various purposes, PS4, ...) on a specific VLAN/Wifi network, as I didn't want them to communicate with more "sensitive" devices such as our laptops, tablets or smartphones.
Super easy - or is it?
As I mentioned before on that blog, I'm using OPNsense
as my home router and firewall.
As for the Wifi access points, I'm using Ubiquiti Unifi (2 of them).
Setup should be pretty straightforward:
- create a new SSID, and specify the VLAN number,
- create the same VLAN on OPNsense,
- configure DHCP server on OPNsense for this VLAN,
- configure the switch to add VLAN configuration.
I did all of that, could see the SSID, but when I tried to connect to it,
I didn't get any DHCP lease.
Doing a tcpdump on OPNsense showed that there was no DHCP requests arriving.
I spent a lot of time trying to understanding what was happening:
- I upgraded my HP switch to the latest firmware, just in case there were bugs with how VLAN are handled (even though other VLANs were working fine),
- I upgraded my OPNsense to the latest version as well,
- changed the Ethernet cables connecting the Unifi AP to my switch,
- went through the whole Ubiquiti Controller Web UI and tested pretty much everything.
- I even configured my MacBook Pro laptop wired connection to use the VLAN I had configured (yes, you can do it, there's even a support article on the Apple support website.
But nothing changed, still no luck :|
At some point I started wondering whether the VLAN part with the Unifi AP was only working if using a Ubiquiti switch. But checking on Reddit confirmed that it should be fine.
Giving up
Super frustrated, I went to bed at the end of the day, and while thinking about this, something hit me: yes, I tagged the switch ports where the AP are connected, but did I do it on the port connected to the OPNsense?
Fixing it
I went back to my home office, checked the configuration, and surely it was there, hidden in plain sight! The switch port #24 was excluded from the VLAN!
Changing it to Untag, tried again and boom, it worked straight away! :-)
I went back to bed with the satisfaction of having accomplished my duty.
Conclusion
To sum it up, when it comes to troubleshooting IT problems, you really need
to break down things in smaller parts, and check each part individually.
In my case, the mistake I did was focusing too much on the WIFI part of the VLAN,
not thinking about the OPNsense connection part - yes, in order to work, you
also need the router switch port to be aware of the VLAN! ;)