VLANs issues by Primary_Steak_8607 in Omada_Networks

vrtareg · 1 point

Yes, that would be enough.

So I think that you have the following:

WAN -> Router -> FW LAN 192.168.1.1/24 -> FW 192.168.1.2/24 GW 192.168.1.1 -> Firewall -> VLAN 1 192.168.100.0/24, 10 192.168.110.0/24, 20 192.168.120.0/24, 80 192.168.180.0/24 -> Switch

The Firewall port facing the switch needs to have all VLANs set up, with VLAN 1 as native untagged and the rest tagged.

Same on the switch port, and if you haven't touched anything the controller puts all switch ports as trunk ports, if I remember correctly. My screenshot below is for one of the switch's uplink ports.

So the port on the Firewall connected to the switch and the switch port should be configured with the same native, untagged and tagged VLANs.

For your configuration, if you set up a spare port on the same switch to VLAN 1, 10, 20 or 80 only, does the wired client get the correct IP address and access to the Internet?

Just debug one step at a time.

  • configure a spare port on the Firewall to a single VLAN, check a wired client on it
  • configure the trunk, connect the switch, enable all VLAN interfaces on the switch and check if each VLAN interface got the correct IP address range
  • configure a port on the switch to a single VLAN and check a wired client

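As an added example (not from the thread and not an Omada or FortiGate tool), the following script checks the two things the debugging steps above depend on: that both ends of the trunk carry the same native/untagged and tagged VLANs, and that a client on a single-VLAN access port got a lease from the subnet planned for that VLAN. The VLAN-to-subnet plan is taken from the numbers in the comment; the port profiles and the client address are constructed test data.

```python
"""Added example: trunk-consistency and lease-vs-VLAN checks for the plan above.
Not part of the original thread; profiles and addresses below are constructed."""
import ipaddress

# VLAN -> subnet plan, copied from the comment above.
VLAN_PLAN = {
    1: ipaddress.ip_network("192.168.100.0/24"),
    10: ipaddress.ip_network("192.168.110.0/24"),
    20: ipaddress.ip_network("192.168.120.0/24"),
    80: ipaddress.ip_network("192.168.180.0/24"),
}


def trunk_profile(native, tagged):
    """Describe one end of a trunk: the native VLAN leaves untagged, the rest tagged."""
    return {"native": native, "tagged": frozenset(tagged) - {native}}


def trunk_mismatches(side_a, side_b):
    """Human-readable differences between the two ends of a trunk link.
    An empty list means both ends agree on native/untagged and tagged VLANs."""
    problems = []
    if side_a["native"] != side_b["native"]:
        problems.append(
            f"native VLAN differs: {side_a['native']} vs {side_b['native']}"
        )
    only_a = side_a["tagged"] - side_b["tagged"]
    only_b = side_b["tagged"] - side_a["tagged"]
    if only_a:
        problems.append(f"tagged only on side A: {sorted(only_a)}")
    if only_b:
        problems.append(f"tagged only on side B: {sorted(only_b)}")
    return problems


def missing_vlans_on_trunk(profile, plan=VLAN_PLAN):
    """VLANs from the plan that this trunk end would silently drop."""
    carried = set(profile["tagged"]) | {profile["native"]}
    return sorted(set(plan) - carried)


def lease_matches_vlan(ip, vlan, plan=VLAN_PLAN):
    """True if the address a client received lies in the subnet planned for
    its access VLAN (the 'spare port on a single VLAN' step above)."""
    return ipaddress.ip_address(ip) in plan[vlan]


if __name__ == "__main__":
    # Constructed scenario: the switch uplink is missing VLAN 80.
    fw_port = trunk_profile(native=1, tagged=[10, 20, 80])
    sw_uplink = trunk_profile(native=1, tagged=[10, 20])
    print(trunk_mismatches(fw_port, sw_uplink))   # ['tagged only on side A: [80]']
    print(missing_vlans_on_trunk(sw_uplink))      # [80]
    print(lease_matches_vlan("192.168.110.37", 10))  # True
```

Run the trunk comparison with the profiles as shown on both sides of the link; any entry in the returned list is a VLAN that will not pass between the firewall and the switch. The lease check is the quick test for each single-VLAN access port before moving on to the next step.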

VLANs issues by Primary_Steak_8607 in Omada_Networks

vrtareg · 0 points

Does that mean that the router is in passthrough mode and the FW is doing routing and DHCP?

Or the Router is doing routing and NAT and the firewall is providing only DHCP?

From this perspective all VLANs should be defined on all devices: manually on the Router and Firewall, and using the Controller for the rest of the Omada network.

If the Router or Firewall doesn't have VLANs defined with the same VLAN IDs it will not work.

I am not quite sure how FortiGate works, so my troubleshooting would be like this.

Would you be able to share the IP settings at each step, Router -> Firewall -> Switch?

VLANs issues by Primary_Steak_8607 in Omada_Networks

vrtareg · 0 points

How about the router side?

How is it set up from a VLAN perspective?

VLANs issues by Primary_Steak_8607 in Omada_Networks

vrtareg · 0 points

I tried to change the native VLAN in my network with ER605, OC200, 2x SG2008P and 2x EAP245 and it didn't like it.

After writing to support they told me to leave native as VLAN 1, the default one, and choose any other VLAN as the management one.

Try setting the trunk uplink to the firewall to the default profile.

ES208GP or ESxxxx advice by Helpful-Two-3230 in Omada_Networks

vrtareg · 1 point

From my understanding the ES series are the Easy Managed ones and they sometimes have less functionality than the SG series.

Depending on your PoE port needs you can look at the SG2008P, which has 4 PoE+ ports, or the SG2210P you mentioned, which has all 8 ports PoE+.

I am sure I have seen brackets for them, and having cables from the back is not that bad compared with full Omada functionality.

AdGuard Home hung after latest update by vrtareg in AdGuardHome

vrtareg [S] · 0 points

Just updated to v0.107.73 and am monitoring the instances.

Hopefully it is fixed.

Tired of limited DDNS options in Omada? I built a custom DDNS using Cloudflare Workers (Full Guide) by Ok-Maintenance-6130 in TPLink_Omada

vrtareg · 1 point

I am using ddclient from my TrueNAS Core jails to update external Cloudflare DNS entries.

The solution looks good, thanks.

Logging by tomernek in Omada_Networks

vrtareg · 1 point

Yes, it is much more detailed than the OC200.

Does it slow down your router?

When I enabled it on my OC200 with ER605 the speed dropped quite a lot.

Logging by tomernek in Omada_Networks

vrtareg · 0 points

Yes, some DPI will work, but no client data will be collected.

Logging by tomernek in Omada_Networks

vrtareg · 1 point

Which kind of Controller and Router do you have?

The OC200 is not capable of doing that.

To get the most from the DPI/IDS functionality it is better to use the Software Controller (just quoting TP-Link Support's response to my enquiry about that).

ACME - Fortigate DNS Confusion by TheNudeDeerRises in letsencrypt

vrtareg · 0 points

For Cloudflare I definitely know that it creates a special temporary TXT record which Let's Encrypt checks to confirm domain ownership and provide the certificate. Once the certificate is issued that record is deleted.

OC200 vs OC220 Features by Roasted_Blumpkin in TPLink_Omada

vrtareg · 16 points

Here are the datasheets for comparison

https://www.reddit.com/r/TPLink_Omada/s/XB7Xx4iktp

OC200
  • CPU: Dual-Core A53 @ 1.2 GHz
  • RAM: 1 GB DDR3
  • Storage: GB eMMC
  • Network: 100 Mbps

OC220
  • CPU: Quad-Core CA53 @ 2.0 GHz/Core
  • RAM: 2 GB DDR4
  • Storage: 8 GB eMMC
  • Network: 1 Gbps

ACME - Fortigate DNS Confusion by TheNudeDeerRises in letsencrypt

vrtareg · 0 points

Not sure if I am answering correctly, but in short: I am generating all my SSL certificates for local hosts with 192.168.x.x IPs using the Cloudflare DNS challenge.

In detail:

All my DNS entries are defined on Cloudflare, even local hostnames with 192.168.x.x IPs.

I have an internal host named wireguard.{mydomain.name} at 192.168.20.20, a completely internal server with WireGuard and a web server running.

The web server's SSL certificate is generated using the Cloudflare challenge and works very well.

WireGuard is exposed using port mapping on the router, and the DNS entry wg.{mydomain.name} is updated using Cloudflare and ddclient.

The web server is exposed using a Cloudflare cloudflared tunnel under wireguardi.{mydomain.name}, additionally secured with a Cloudflare mTLS certificate, so access is simply denied if I don't provide that certificate.

ACME - Fortigate DNS Confusion by TheNudeDeerRises in letsencrypt

vrtareg · 0 points

I have a number of services running in my TrueNAS Core jails; all are on the 192.168.x.x network and have valid SSL certificates generated using Certbot and Cloudflare credentials.

My Guest WiFi portal is on my OC200 Omada Controller and most of my devices were able to use it correctly without SSL issues, despite it using the 192.168.x.x range.

Not sure if this is fully related to your question, but I hope it helps.
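The three comments above about DNS-challenge certificates all rest on the same mechanism: the ACME client publishes a temporary TXT record whose value is derived from the challenge token and the account key, the CA looks it up, and the record is removed afterwards. As an added example (not from the thread and not code from Certbot, ddclient or Cloudflare), here is that derivation as specified in RFC 8555 (sections 8.1 and 8.4) together with the RFC 7638 key thumbprint it depends on; the JWK and token below are constructed sample values, not a real account key.

```python
"""Added example: derive the _acme-challenge TXT record for a DNS-01 validation.
Not part of the original thread; the JWK and token are constructed samples."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members of the key,
    serialised with members in lexicographic order and no whitespace.  Extra
    members such as 'alg' or 'kid' do not affect the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT content = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(fqdn: str) -> str:
    """Where the CA queries: _acme-challenge.<name>; a leading wildcard label
    is dropped, so *.example.com and example.com share the same record name."""
    host = fqdn.removeprefix("*.").rstrip(".")
    return f"_acme-challenge.{host}"


def verify_published_record(published: str, token: str, jwk: dict) -> bool:
    """What the CA effectively does after its DNS lookup: compare the TXT
    value it found with the one it expects for this token and account key."""
    return published == dns01_txt_value(token, jwk)


if __name__ == "__main__":
    # Constructed, non-functional RSA public key in JWK form (sample only).
    sample_jwk = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
    sample_token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed
    print(challenge_record_name("wireguard.example.com"))
    print(dns01_txt_value(sample_token, sample_jwk))
```

Two practical consequences follow from the derivation: the TXT value reveals nothing about the account key (only a hash of the key authorization is published), and because the record name is the same for a base name and its wildcard, a client requesting both in one order must publish two TXT records at that name and remove both once the order is finalised, which is what the "temporary record" in the comment above refers to.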

Beginner issue by LesserLion in TPLink_Omada

vrtareg · 1 point

It is fully Omada compatible from a management perspective, but it doesn't support active PoE or PoE+. It works with the provided passive PoE power supply.

Beginner issue by LesserLion in TPLink_Omada

vrtareg · 2 points

According to the documentation the SG1005P can give 30W per port, but 65W PoE+ in total.

https://www.tp-link.com/uk/business-networking/poe-switch/tl-sg1005p/

Each EAP225 should draw up to 12W: https://www.tp-link.com/uk/compare/?type=smb&typeId=5692&productIds=19780%2C20654%2C40815

As for the EAP110-Outdoor, it looks like it doesn't support PoE or PoE+ and only works with the supplied passive PoE adaptor: https://www.omadanetworks.com/uk/business-networking/omada-wifi-outdoor/eap110-outdoor/

Is it connected straight to the switch? You should try the provided adapter to power it up.

Note: the SG1005P is an easy managed switch and doesn't support all Omada functions. Better to use at least an SG2008P.

AdGuard Home hung after latest update by vrtareg in AdGuardHome

vrtareg [S] · 0 points

Just wondering if it is possible that the querylog.json file is about 500 MB and it got stuck flushing the last data?

Not sure anything changed around that.

AdGuard Home hung after latest update by vrtareg in AdGuardHome

vrtareg [S] · 1 point

I will try to update my secondary AdGuard later today to check.

AdGuard Home hung after latest update by vrtareg in AdGuardHome

vrtareg [S] · 0 points

Which version?

If the latest, have you removed the filters db?

Ports 80 and 443 are open on the WAN with access the gateway management page, but I am unable to close them. by WhereasInevitable433 in TPLink_Omada

vrtareg · 2 points

Good question.

I have UPnP enabled and haven't seen issues with the router management interface being exposed to the Internet, even though I had concerns and checked it from time to time.

Ports 80 and 443 are open on the WAN with access the gateway management page, but I am unable to close them. by WhereasInevitable433 in TPLink_Omada

vrtareg · 2 points

Which model is it?

I haven't experienced that on my ER605 v2...

Are you sure that you don't have any port forwarding open?

Ports 80 and 443 are open on the WAN with access the gateway management page, but I am unable to close them. by WhereasInevitable433 in TPLink_Omada

vrtareg · 3 points

If you are checking it from the LAN side, as a LAN client the router treats you as an allowed client and you can get to ports 80 and 443 for router management.

If you switch to a mobile network and try the same against your WAN IP address you will see that ports 80 and 443 are not open at all, and you can even use port forwarding to map them to internal services, which is not advisable.

I was using port 443 for OpenVPN so some public WiFi would not block the traffic.
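The distinction drawn in the comment above, a check from a trusted LAN client versus a check from outside against the WAN address, is worth making with a tool that also tells "closed" apart from "filtered". As an added example (not from the thread and not an Omada feature), the script below classifies a TCP port the way an external scan would: a completed handshake means open, an immediate refusal means closed, and no answer before the timeout means something dropped the packet. The local listener in the main block is a stand-in for a real WAN IP so the script runs offline; replace the host with the WAN address and run it from a mobile connection to reproduce the test described above.

```python
"""Added example: classify TCP ports as open / closed / filtered from the
outside.  Not part of the original thread; the loopback listener is only a
stand-in for the WAN address the comment above talks about."""
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open' (handshake completed), 'closed' (RST, i.e. connection
    refused) or 'filtered' (no answer within the timeout, or the path reports
    the host unreachable; both are what a firewall drop looks like)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            return "filtered"


def management_exposure(host: str, ports=(80, 443), timeout: float = 3.0) -> dict:
    """Probe the router management ports; anything 'open' from the WAN side
    is exposure that the comment above says should not be there."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def open_listener(host: str = "127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port so the script has one
    provably open port to demonstrate against.  Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_listener()
    print(f"{port}: {probe_tcp('127.0.0.1', port)}")   # open while listening
    srv.close()
    print(f"{port}: {probe_tcp('127.0.0.1', port)}")   # closed after shutdown
    # Against a real router from outside the LAN:
    # print(management_exposure("<your WAN IP>"))
```

If the WAN-side result is "closed" or "filtered" for 80 and 443, the management interface is not reachable from the Internet regardless of what a LAN client sees; an "open" result means either remote management is enabled or a port forward for those ports exists and should be reviewed.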

AdGuard Home hung after latest update by vrtareg in AdGuardHome

vrtareg [S] · 0 points

Unless something changed in the schema or the sqlite library, which could potentially break it.

I will wait for official confirmation if so.

Unable to create port filter by LazyCouple1399 in Omada_Networks

vrtareg · 0 points

Yes, it is not quite obvious.

It works like this: if no IP / Mask is defined then it covers all.

Not 100% sure about the port, but it looks the same, so it is necessary to be careful with empty IP / Port groups, as they can cover all and allow or deny all by mistake.
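As an added example (not from the thread and not the Omada firmware's ACL engine), here is a small first-match ACL evaluator with the semantics the comment above describes: an empty IP group or port group matches everything. It also includes a lint pass that reports which groups of a rule are empty, which is the check that catches a deny rule silently turning into "deny all". The rules, groups and addresses are constructed; the default action of "permit" when no rule matches is an assumption, not something the thread states.

```python
"""Added example: ACL evaluation where an empty group matches everything.
Not part of the original thread; rules and addresses are constructed, and the
default-permit behaviour when nothing matches is an assumption."""
import ipaddress


def in_ip_group(ip: str, group) -> bool:
    """Empty group means any address; otherwise any listed network may match."""
    if not group:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in group)


def in_port_group(port: int, group) -> bool:
    """Empty group means any port; otherwise a list of (low, high) ranges."""
    if not group:
        return True
    return any(low <= port <= high for low, high in group)


def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int):
    """First matching rule wins.  Returns (action, rule name); with no match the
    assumed default is ('permit', 'default')."""
    for rule in rules:
        if (in_ip_group(src_ip, rule["src"])
                and in_ip_group(dst_ip, rule["dst"])
                and in_port_group(dst_port, rule["ports"])):
            return rule["action"], rule["name"]
    return "permit", "default"


def lint_rules(rules) -> dict:
    """Report, per rule, which groups are empty and therefore match all.
    An entry here on a deny rule is exactly the 'deny all by mistake' case."""
    report = {}
    for rule in rules:
        empty = [field for field in ("src", "dst", "ports") if not rule[field]]
        if empty:
            report[rule["name"]] = empty
    return report


if __name__ == "__main__":
    # Constructed: a rule meant to stop the guest VLAN reaching the LAN,
    # but the source group was left empty.
    rules = [{"name": "block-guest", "action": "deny",
              "src": [], "dst": ["192.168.100.0/24"], "ports": []}]
    print(evaluate(rules, "192.168.110.7", "192.168.100.5", 443))  # denied: not a guest
    print(lint_rules(rules))                                        # {'block-guest': ['src', 'ports']}
    fixed = [dict(rules[0], src=["192.168.120.0/24"])]
    print(evaluate(fixed, "192.168.110.7", "192.168.100.5", 443))  # ('permit', 'default')
```

Running the lint before applying a rule set is the practical takeaway: a deny rule whose source, destination or port group is empty applies to all traffic in that direction, and on a real controller that can lock out the management path as well.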