Newbie here setting up a small enterprise / SOHO system with an EdgeRouter Lite, EdgeSwitch 24 PoE and UniFi AP-AC. I followed the EdgeMAX - VLAN Walkthrough with EdgeSwitch using Sample Enterprise Topology tutorial, although my setup has only one EdgeSwitch.
The problem is that WiFi devices connect to the AP and pull an IP address but can't reach the Internet. The WiFi clients do receive a DHCP IP address from the pool for the corresponding VLAN, e.g. 10.10.3.x for VLAN30_WLAN_Private. A traceroute from a laptop on WiFi fails with no hops. I tried setting the AP DNS servers to the ER3 IP address and also Google's 8.8.8.8 in Device -> Configuration -> Network -> Preferred DNS, with no luck.
Wired connections to the EdgeSwitch work fine and have Internet access. I can ping the router, switch and AP. I set up the ER3 using the WAN+2LAN wizard with default firewall rules. I installed the UniFi controller app on my desktop PC and successfully configured the AP. All UBNT devices are running the latest software version.
Connections are:
ER3:
- 10.10.0.1 static ip address
- Eth0 - Internet (cable modem)
- Eth1 - EdgeSwitch port 0/1
- Eth2 - no connection
EdgeSwitch:
- 10.10.0.2 static ip address
- Port 0/1 - Trunk port to ER3. VLAN 1 untagged, VLANs 30 (Private) & 40 (Guest) WLANs tagged.
- Port 0/2 - Management PC (untagged).
- Port 0/24 - Trunk port to AP. VLAN 1 untagged, VLANs 30 (Private) & 40 (Guest) WLANs tagged.
AP-AC:
- 10.10.0.3 static ip address
- WLAN_Private on VLAN 30 with unique SSID
- WLAN_Guest on VLAN 40 with unique SSID
- Assigned VLANs 30 and 40 in the UniFi controller to the respective SSIDs in Settings --> Wireless Networks --> Advanced Options and in the Device view Properties -> Configuration -> WLAN.
Made sure the boot configs were saved and rebooted all devices.
The EdgeRouter Lite config is:
ubnt@ubnt:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.0.1/24
        description LAN
        duplex auto
        speed auto
        vif 10 {
            address 10.10.1.1/24
            description "IP Cameras"
            mtu 1500
        }
        vif 20 {
            address 10.10.2.1/24
            description "VoIP"
            mtu 1500
        }
        vif 30 {
            address 10.10.3.1/24
            description "WLAN Private"
            mtu 1500
        }
        vif 40 {
            address 10.10.4.1/24
            description "WLAN Guest"
            mtu 1500
        }
        vif 50 {
            address 10.10.5.1/24
            description "IoT"
            mtu 1500
        }
        vif 60 {
            address 10.10.6.1/24
            description "Wired Jacks"
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.10.0.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.0.38 {
                    stop 10.10.0.243
                }
                static-mapping UniFi_AP-AC {
                    ip-address 10.10.0.3
                    mac-address xx:xx:xx:xx:xx:xx
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        shared-network-name VLAN20_VoIP {
            authoritative disable
            subnet 10.10.2.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.2.50 {
                    stop 10.10.2.100
                }
            }
        }
        shared-network-name VLAN30_WLAN_Private {
            authoritative disable
            subnet 10.10.3.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.3.50 {
                    stop 10.10.3.100
                }
            }
        }
        shared-network-name VLAN40_WLAN_Guest {
            authoritative disable
            subnet 10.10.4.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.4.50 {
                    stop 10.10.4.75
                }
            }
        }
        shared-network-name VLAN60_Wired_Jacks {
            authoritative disable
            subnet 10.10.6.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                lease 86400
                start 10.10.6.50 {
                    stop 10.10.6.100
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}
The EdgeSwitch VLAN Port Summary with trunk ports 0/1 (to ER3) and 0/24 (to AP-AC) highlighted:
I must be missing something simple that's preventing AP WiFi clients from reaching the Internet.
Thanks
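As an added example (not part of the original post and not a Ubiquiti tool), a small Python check that parses EdgeOS "show configuration" output and reports every DHCP pool whose default-router lies outside the pool's own subnet or is not an address held by one of the router's interfaces. Run against a constructed sample modelled on the posted config, it flags the VLAN30 pool, whose gateway 10.10.0.1 is not inside 10.10.3.0/24; the sample text and the function names are this example's own assumptions.

```python
import ipaddress
import re
# Constructed sample (not the poster's verbatim config) in the one-line "show configuration" form seen above.
SAMPLE_CONFIG = (
    "interfaces { ethernet eth1 { address 10.10.0.1/24 vif 30 { address 10.10.3.1/24 "
    'description "WLAN Private" } } } service { dhcp-server { disabled false shared-network-name '
    "LAN1 { subnet 10.10.0.0/24 { default-router 10.10.0.1 start 10.10.0.38 { stop 10.10.0.243 } } } "
    "shared-network-name VLAN30_WLAN_Private { subnet 10.10.3.0/24 { default-router 10.10.0.1 } } } }"
)

def parse(tokens, i=0):
    # EdgeOS brace syntax: a block header is one or two words before "{"; anything else is a "key value" leaf.
    node = {}
    while i < len(tokens):
        key = tokens[i]
        if key == "}":
            return node, i + 1
        if tokens[i + 1] == "{":
            node[key], i = parse(tokens, i + 2)
        elif i + 2 < len(tokens) and tokens[i + 2] == "{":
            node[f"{key} {tokens[i + 1]}"], i = parse(tokens, i + 3)
        else:
            node.setdefault(key, []).append(tokens[i + 1].strip('"'))
            i += 2
    return node, i

def interface_addresses(node):
    # Yield every CIDR address held by an interface or VIF ("address dhcp" is skipped).
    for key, val in node.items():
        if isinstance(val, dict):
            yield from interface_addresses(val)
        elif key == "address":
            yield from (str(ipaddress.ip_interface(a).ip) for a in val if "/" in a)

def gateway_findings(config_text):
    # Report each DHCP pool whose default-router is outside its subnet or is not an address the router holds.
    cfg, _ = parse(re.findall(r'"[^"]*"|\{|\}|[^\s{}]+', config_text))
    local_ips = set(interface_addresses(cfg["interfaces"]))
    findings = []
    for pool_key, pool in cfg["service"]["dhcp-server"].items():
        if isinstance(pool, dict):  # leaves such as "disabled false" are lists, not pools
            for sub_key, sub in pool.items():
                if sub_key.startswith("subnet "):
                    subnet = ipaddress.ip_network(sub_key.split()[1])
                    for gw in sub.get("default-router", []):
                        if ipaddress.ip_address(gw) not in subnet:
                            findings.append((pool_key.split()[1], str(subnet), gw, "outside subnet"))
                        elif gw not in local_ips:
                            findings.append((pool_key.split()[1], str(subnet), gw, "not a router address"))
    return findings
```

Feeding the full pasted config to gateway_findings checks all six pools at once, including the ones for VLANs 20, 40 and 60.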