Guest Captive Portal Issues / VLAN


We have a location that has four access points managed by cnmaestro. At the location we have a primary data network routed through a VLAN that is untagged. This network has no issues. We have secondary WLAN's routed through their own tagged VLANs, and we have the appropriate default gateways setup for their access. These networks on their own have no issues, and the subnets are protected via ACLs setup on the Cisco ASA they all route through (eventually). The secondary VLANs for the Guest Wireless LAN (lets say VLAN 20 is tagged) and works with or without security. 

When the internal guest captive portal is enabled for this WLAN and someone connects they get the appropriate IP from the DHCP Server, but are not presented with the Guest Captive Portal or access. When I run Wireshark to check what's happening I see syn requests coming from the VLAN 20 and they are trying to route traffic through the primary untagged VLAN. We observed the same thing in other situations where we used the cnmaestro captive portal that the initial requests routes web traffic through the default untagged VLAN. If we setup a subinterface on VLAN 20 with a static IP it still attempts to route this traffic through the primary VLAN and subsequently does not present the guest captive portal.

Has anyone run into issues with guest captive portal on secondary VLAN's? Is there a suggested best practice for setup of a network that has multiple VLANs that does not require cross-communication between VLANs for authentication?

Thanks for any help

Please share tech-support of device at

Thank You.

We are facing exactly the same issue at a Hotel installation. 

Did you find a solution?

Could you please share the tech-support to, so that we can debug the issue further 

Hi ndem,

I hope I do not speak out of term, please excuse my engagement.

We are a cloud-based guest access business fully onboarded with the CNMaestro, if you speak with your Cambium representative/channel advisor, I’m sure we can provide you with a trial for a month?

For further details, please go to or drop me a message. Happy to help if I can.


I will reproduce it in the lab and send you the tech sup file. In the meantime we implemented the captive portal on a MTIK router since the hotel could not wait.

Sounds like the same problem I'm having. I've got a ticket in, any resolution to this?

Hi , 

 I am not seeing any tech-support file attached in any of the communication . Could you please provide the same , so that we can understand the config and recreate. Tech-support  can be sent to   .

I submitted a tech support file, but I found the issue on my own. 

If you are going to be creating a second vlan, you must have an ip assigned to that interface to be able to use the captive portal.