Configuration issues wireless VLAN Cisco RV325 and WAP371

Cisco RV325 and Cisco WAP371 question.
I'm trying to set up the WAP for BYOD access, and it doesn't need access to the corporate LAN. (Just internet access)

WAP371 plugged directly into Port 7 on RV325 Router. No switches in between. WAP on an external power supply as the RV325 doesn't support PoE.

I've changed the name of the guest VLAN (25) on the router (to "Wireless"). All VLAN IDs on the WAP have been set to 25.
Port 1 on the router has the corporate network connected and is tagged on VLAN 25 and untagged on VLAN 1
Port 7 on the router has the WAP connected and is tagged on VLAN 25 and untagged on VLAN 1

Wireless clients get an IP address (192.168.2.x) but can't access the internet.

Corporate network can access the WAP.

Clients can ping
1. Corporate firewall
2. RV325 Router LAN address
3. RV325 Router WAN address

RV325 Router WAN gateway address is where it falls apart.

Any input will be most gratefully appreciated. More than happy to provide any details I may have forgotten to include.

HELP!!

Peter P (Network Admin) asked:

Natty Greg (In Theory (IT)) commented:
You need an access port unless your router speaks trunk, so you will need a switch to assist with your configuration.

Configuration:
router 1 vlan 25 - interface, let's say etho 1 - trunk - tag

router 2 vlan 25 - interface port 7 trunk - tag
            port 8 member of vlan 25 - port 8 untagged - this will be the port you connect your access point to. Devices connecting to wifi do not understand trunk, so port 8, being an access port, will strip all the VLAN info so devices can connect.
masnrock commented:
Port 7 seems to be set up right. But you might need to fix data in first screen shot. What network does the address for the access point come from?
Peter P (Network Admin, Author) commented:
The AP gets addresses from the router. DHCP set up on VLAN 25 192.168.2.x. The AP picks up addresses fine as do the AP Clients.

Peter P (Network Admin, Author) commented:
@Natty Greg.

Just to clarify.

AP (VLAN 25) to Switch port X (tagged 25)
Switch port Y (tagged 25) to Router Port Z (tagged 25)

Ports X, Y and Z untagged on other VLANs or excluded?
masnrock commented:
Looking at your router configuration, there's nothing you need to change. Can devices on the wireless network ping outside IP addresses (such as 4.2.2.2 and 8.8.8.8)? If so, then the problem is the DNS servers those systems are getting from DHCP.
masnrock commented:
Disable the untagged setting in the first screenshots. However, note that you will end up giving the access point an IP on VLAN 1.
Peter P (Network Admin, Author) commented:
@masnrock.

Wireless devices can ping everything up to but not including the router's WAN gateway address, i.e. internal network and internal (real) internet addresses. And nothing beyond the WAN gateway either (e.g. 8.8.8.8).
The problem with running the AP on VLAN1 is VLAN1 uses real IP addresses (/28 network) so we don't have the addresses to spare for all the wireless devices.

PS: On VLAN1 it works fine, but there is the aforementioned lack of addresses
masnrock commented:
Very interesting layout. From what I remember of that series of routers, you are literally trying to do something it isn't designed to do. You would be better off with a separate router, unless you are willing to get a more capable one.

Another approach would be to change port 7 to VLAN 1. Then get a second router, give it one of your public IP addresses, and place it between the router and access point. That would eliminate the entire need for VLAN 25.
Peter P (Network Admin, Author) commented:
@masnrock.

Yes you may be right. I think I'll have to rethink my config and run the AP off our firewall on a separate interface instead. Was looking for a simpler 'more elegant' solution, but we don't have the $$ to upgrade the router.

Rather pee'd off that I didn't investigate the capabilities of the router and AP better before purchasing. Very annoyed that the AP doesn't provide a DHCP server
masnrock commented:
I am thinking you were using 1 to 1 NAT. You have to use it or not, but you cannot do both.

Based on your circumstances, the less elegant solution is the only way to go. A wireless router instead of an access point would've been one of the only solutions to keep the RV325 and do what you wanted.
Peter P (Network Admin, Author) commented:
Thanks for the input people, but as I feared it's just that I bought the wrong WAP. Should've grabbed a wireless router instead.

Natty Greg (In Theory (IT)) commented:
@Peter
I'm sorry for the late reply, but I'm just seeing this. The AP would connect to the access port, so port 7 would be untagged so that clients can connect.
LAN 1 would be tagged from router to switch port, let's say 5. LAN 1 and port 5 would be trunk and tagged, while port 7 would be a member of that VLAN with untagged traffic, making port 7 an access port. The reason for port 7 (or LAN 7), where you connect the access point, being a member is that most devices connected to the access point will not be able to read the tagged traffic.
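
The tagged and untagged port roles discussed in this thread, as an added example that is not part of any participant's post: a simplified, generic 802.1Q membership model, not RV325 or WAP371 firmware behaviour. The port tables and function names are assumptions built from the settings described in the question and replies.

```python
# Simplified 802.1Q port-membership model (added example, generic semantics).
TAGGED, UNTAGGED, EXCLUDED = "tagged", "untagged", "excluded"

# Port 7 as described in the question: tagged on VLAN 25, untagged on VLAN 1.
TRUNK_PORT7 = {1: UNTAGGED, 25: TAGGED}
# Port as proposed in the replies: access port, untagged member of VLAN 25 only.
ACCESS_PORT = {25: UNTAGGED}


def ingress_vlan(port, frame_tag):
    """Return the VLAN a received frame is classified into, or None if dropped.

    frame_tag is the VLAN ID carried in the frame, or None for an untagged frame.
    """
    if frame_tag is None:
        # Untagged frames join the VLAN the port is an untagged member of.
        for vid, mode in port.items():
            if mode == UNTAGGED:
                return vid
        return None
    # Tagged frames are accepted only for VLANs the port is a member of.
    return frame_tag if port.get(frame_tag, EXCLUDED) != EXCLUDED else None


def round_trip(port, ap_tag):
    """AP sends a frame with ap_tag (None = untagged) and waits for the reply.

    Returns (vlan, ok): the VLAN the router placed the frame in, and whether
    the reply leaves the port in the same form the AP used (same tag or none).
    """
    vlan = ingress_vlan(port, ap_tag)
    if vlan is None:
        return None, False
    reply_tag = vlan if port[vlan] == TAGGED else None
    return vlan, reply_tag == ap_tag


if __name__ == "__main__":
    cases = [("port 7 trunk", TRUNK_PORT7), ("access port", ACCESS_PORT)]
    for name, port in cases:
        for ap_tag in (25, None):
            vlan, ok = round_trip(port, ap_tag)
            sent = f"tag {ap_tag}" if ap_tag else "untagged"
            print(f"{name:13} AP sends {sent:9} -> VLAN {vlan}, reply usable: {ok}")
```

In this model, untagged frames arriving on port 7 are classified into VLAN 1, so keeping wireless clients off the corporate VLAN depends on the AP tagging every SSID with VLAN 25.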
Peter P (Network Admin, Author) commented:
No resolution available as I was trying the impossible. :-)