Can log in Surf Admin on one VLAN but not the other

I can’t log in to my Surf Admin panel on one of my VLANs, but I can on my other LAN and VLAN. All of the LANs/VLANs have internet connectivity.

I have a Main_LAN (untagged), and a Guest_VLAN, and an IoT_VLAN. (I don’t know the VLAN tagged/untagged status; I’ve recently changed some around and didn’t see those terms during the process.) I recently opened the Surf Admin to allow LAN access, not just the Main_LAN. The IoT_VLAN (VLAN 1) logs into the Surf without issue, while the Guest_VLAN (VLAN 2) does not.

I have saved and confirmed, and have rebooted the Surf. Is there something else I should consider looking at or doing? Or is there something different about a “VLAN 2”?

Enable inter-VLAN routing between the VLANs in question under Network>Network Settings. I tested this with Port Type>Access.

Thanks. Any idea why one VLAN will connect to the router and the other won’t? I’d like to keep my projects and networks separate, if I can.

One VLAN allowed you to log in because you had inter-VLAN routing enabled. The other VLAN didn’t allow you to log in because you did not have inter-VLAN routing enabled.

I agree, you should isolate your IoT and Guest VLANs from the untagged LAN. Uncheck inter-VLAN routing on all of your networks.

Network>Network Settings

Uncheck

You should also do this***…

System>Admin Security

***Assuming the untagged LAN is 192.168.50.1 and assigned to a port for accessing the admin webpage. If you select the wrong network you will get locked out. Make a config save just in case!

I confirm all three of my LAN/VLAN pages’ “Inter-VLAN routing” boxes have been and are unchecked - no inter-VLAN routing.

System Security “Allowed LAN Networks” up until recently has been set to “Allow this network only”: “Main_LAN,” and with that setting, it blocked both the Guest_VLAN and the IoT_VLAN.

Recently I changed it to “Allowed LAN Networks”: Any. That brings me back to my question - with it set to “Any,” why does it let IoT_VLAN access the admin page and not the Guest_VLAN? It looks to me like either a bug or an undocumented feature. In fact, I don’t even see that section (“LAN Connection Access Settings”) below the “Web admin port” in the 8.01 user manual.

Hey, if it’s a bug it’s a bug - it isn’t a huge one. I’m just concerned I’m overlooking something.

I suspect you had inter-VLAN routing disabled on one but not the other originally.

Another possibility…

Are both VLANs identical other than subnets? I.e., does the Guest VLAN have some firewall rules set up?

Are you able to recreate this?

OTOH you shouldn’t really have admin access connected to a guest or IoT network.

No, the situation is still going on - no access with the Guest_VLAN and the boxes are checked/unchecked properly.

Normally (up till recently) I would not allow either inter-VLAN access or admin access to IoT or Guest. When I’m adjusting IP or DNS in the Mac I temporarily open up the Admin page in case I manage to lock myself out of the router. I’d rather use Guest_VLAN for backup than IoT_VLAN, but as I said - that one doesn’t work.

I had a similar problem where the SURF didn’t like some IP range I picked for a subnet. Try a new IP range perhaps? Try making a new VLAN to assign to the Guest network.

Are the Guest and IoT wireless networks using identical settings? Layer 2 isolation enabled on one but not the other?

AP>Wireless SSID>Guest Network>blue ? top right>Layer 2 Isolation

Try to compare the 2 networks - there is something different settings-wise about one of them.

Hmm. I re-did the Guest_VLAN, but I used the same ranges as the original - easier to remember. I’ll do it again and use different ranges.

As to Layer 2 isolation - don’t know. Over my head.

Are you logging in to the Guest network with the same device as on the IoT?

I think I know what it is. The Guest network has different DNS server settings (Assign DNS server automatically) than the IoT because of your pi-hole. Your MacBook is pointed at those DNS server settings per the pi-hole webpage. You can’t surf another network that has different DNS server settings - i.e. the Guest network vs. IoT VLAN DNS settings are different.

Network>Network Settings>Guest VLAN>DNS servers

If you want ad blocking on each isolated VLAN then you would have to get a separate pi-hole for each one like user cable171 has - I think.

If you want to use the same pi-hole on multiple VLANs they would have to have inter-VLAN routing enabled - I think.

You should not get locked out of the untagged LAN / admin webpage if you have a dedicated computer connected to it that never changes any DNS settings.

https://docs.pi-hole.net/main/post-install/

You had to set your MacBook’s network card’s DNS settings to the pi-hole’s - if you do that you can’t join another network that has different DNS settings.

You’re on to something - close. The Pi is offline and all the devices work, so it’s not that, exactly. But you’re right - I did have to reconfigure the MacBooks in order for them to work with the Pi on the untagged LAN - then I manually configured them back. I just need to figure out which .plist I need to toss out to get them back to default setting. Then I’ll change the GuestVLAN name and IP range and see what’s what. Thanks.

You would have to set all your MacBooks’ (or WIN10 machines’) DNS settings page to the pre-pi-hole settings or they would mess with other devices on the Guest VLAN.

Turning all devices connected to the SURF off, waiting 1 min, then on, should also help reinitialize DHCP/DNS.

Or you could try navigating to Network>Network Settings>Guest VLAN>Lease Time and temporarily set it to 2 mins. With all guest LAN devices on and connected wait 5 minutes and then see if you can log in via the guest VLAN. Return the lease time to 1 day.

While you are there check Network>Network Settings>Guest VLAN>DNS Servers>Assign DNS server automatically is enabled.

Sometimes if I can’t fix a problem I just do a factory reset and start from scratch. You can try out whatever ideas you have or settings worry-free and if it doesn’t work just factory reset. Write down, cut and paste or screenshot your WiFi passwords or any other settings you wish and you can reconfigure the SURF pretty quickly / clients seamlessly. Initial login is admin/admin.

It appears to be fixed. In my macOS MacBook Pro I had manually set Network Settings, and they carried over in some odd ways. I deleted five .plists from Library/Preferences/SystemConfiguration, then removed and replaced the existing VLANs with different IP addresses and ranges.

Now, at least, access into Surf Admin is consistent: only from the LAN I selected, even if I select “Any,” I can’t access with a VLAN. I’m not sure what the point of “Any” is, but I’m calling it consistent/okay/complete.

For any future efforts, if I can’t get the MacBook to automatically change the IP address or DNS, I just won’t do it.

That’s good. That’s how it should work. You literally should not be accessing the admin webpage from a guest or IoT VLAN - except for testing purposes - which is what you were doing.

None of the VLANs contain the IP address 192.168.50.1 which is where the admin webpage resides. Only the untagged LAN does. Therefore only a client connected to the untagged LAN can access the admin webpage.

If you created a VLAN with the 192.168.50.1 subnet and connected a client to it then you would be able to connect to the admin webpage from that client. But then you would have to give the untagged LAN a different IP range/subnet to avoid duplication. I did a TUT on it on one of the threads. It’s FUN. (It’s actually easy - kudos to peplink)

Or…

Setting Network>Network Settings>select a network>inter-VLAN routing to enabled and the System>Admin Security>LAN Connection Access Settings>Allowed LAN Networks>Any allows a client on another VLAN to get to the admin webpage, but now that VLAN is no longer isolated.

Allowing Any VLAN client to access the admin webpage is not a good security practice - but it is handy for testing.
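A small model of the reasoning in the last few posts, added here as an illustration (not Peplink code): a client reaches the admin page only if its subnet contains 192.168.50.1 or inter-VLAN routing gives it a route there, and then only if Allowed LAN Networks permits its network. The Guest/IoT subnets and the two-sided inter-VLAN routing check are assumptions; only the 192.168.50.x address comes from the thread.

```python
from ipaddress import ip_address, ip_network

# Admin webpage address named in the thread (untagged LAN gateway).
ADMIN_IP = ip_address("192.168.50.1")

# Constructed sample of the three networks in the thread. The Guest/IoT
# subnets are assumptions; only 192.168.50.x is stated on the page.
NETWORKS = {
    "Main_LAN":   {"subnet": ip_network("192.168.50.0/24"), "inter_vlan": False},
    "Guest_VLAN": {"subnet": ip_network("192.168.20.0/24"), "inter_vlan": False},
    "IoT_VLAN":   {"subnet": ip_network("192.168.10.0/24"), "inter_vlan": False},
}


def network_of(ip, networks=NETWORKS):
    """Name of the configured network whose subnet contains ip, or None."""
    ip = ip_address(ip)
    return next((n for n, c in networks.items() if ip in c["subnet"]), None)


def admin_reachable(client_ip, allowed_lan_networks="Main_LAN", networks=NETWORKS):
    """Return (reachable, reason) for a client opening the admin page.

    allowed_lan_networks mirrors the Admin Security setting: "Any" or one
    network name. Assumption: a routed path exists only when inter-VLAN
    routing is enabled on both the client's VLAN and the admin network.
    """
    client_net = network_of(client_ip, networks)
    admin_net = network_of(ADMIN_IP, networks)
    if client_net is None or admin_net is None:
        return False, "client or admin address is not in any configured network"
    # Layer 3: same subnet, or a route via inter-VLAN routing on both sides.
    if client_net != admin_net and not (
        networks[client_net]["inter_vlan"] and networks[admin_net]["inter_vlan"]
    ):
        return False, f"{client_net} has no route to {ADMIN_IP}"
    # Access policy: which LAN networks may use the admin port at all.
    if allowed_lan_networks not in ("Any", client_net):
        return False, f"{client_net} is not in Allowed LAN Networks"
    return True, f"{client_net} may reach {ADMIN_IP}"


def exposed_vlans(allowed_lan_networks="Main_LAN", networks=NETWORKS):
    """Non-admin networks that can reach the admin page: the 'handy for
    testing, not good practice' state the last post describes."""
    admin_net = network_of(ADMIN_IP, networks)
    return sorted(
        n for n, c in networks.items()
        if n != admin_net
        and admin_reachable(c["subnet"][10], allowed_lan_networks, networks)[0]
    )
```

With every inter-VLAN routing box unchecked, `exposed_vlans("Any")` is empty, which matches the "consistent" end state reported above; enabling routing on Main_LAN and Guest_VLAN together with "Any" makes Guest_VLAN appear in the list.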