How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios

How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios

How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
2024-01-10 06:09:31 - last edited 2024-08-27 01:54:10

Background:

 

This post provides a configuration guide to bridge VLAN on the router to meet the requirements of the apartment or hotel room network design.

If you don't know what this bridge VLAN is for, please read this article. Enterprise Wi-Fi Solutions for MDUs | TP-Link Omada Pro

 

This Article Applies to:

 

All routers with multiple VLANs are supported.

 

Application Scenario:

 

 

Configuration Steps:

 

1. Select your Organization and choose your Site.

2. Go to Settings > Wired Networks > LAN.

3. Create a new VLAN interface. Set the VLAN Type as Multiple and specify the VLAN ID. Set other parameters according to your needs. Click Create.

 

In this setup, the AP is connected to the WAN/LAN5. PC is on WAN/LAN6. Yet the computer would not get an IP from the VLAN.

 

 

4. Then go to Wireless Networks > WLAN > Create New Wireless Network. Set up the parameters accordingly and click Create. Note that Guest Network is not enabled.

 

 

 

5. Because the multiple VLAN itself blocks the access between the VLAN range you set but it is not blocking the core network(LAN). We need to set up extra ACL rules to block access from the Room VLAN to the core network(LAN).

Go to Network Security > ACL > Gateway ACL > Create New Rule.

 

 

6. The setup is complete.

 

Verification:

 

Goal:

  • VLAN between the room SSID is isolated.
  • The core network(LAN) cannot be accessed.

 

1. Read the IP from the controller.

SSID = Room1001 IP = 10.0.0.2;

SSID = Room1002 IP = 10.0.0.3.

 

 

2. Test the isolation between the networks.

 

 

3. WIFIman and Wi-Fi Toolkit from TP-Link.

 

 

4. Test the core network cannot be accessed.

 

 

Note:

 

1. We recommend you set up 20 VLANs in 1 VLAN interface. If it exceeds this, you may experience some performance when the controller sends the config to the router.

2. If you want to set up the switch, you should do it from the Profile. If you have trouble with this part, please read the User Guide of the Omada Controller.

 

Example: This screenshot demonstrates the process of creating a new profile to include VLAN1001 to 1020. By assigning this profile to a switch port, that specific port will only receive traffic from VLAN1001 to VLAN1020. The default ALL profile will not be used on this switch port.

 

 

 

Update Log:

 

Jan 11th, 2024:

Update the format.

 

Recommended Threads:

 

 

Configuration Guide How to Configure WireGuard VPN on Omada Controller

Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates

Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates

 

Feedback:

 

  • If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
  • If there is anything unclear in this solution post, please feel free to comment below.

 

Thank you in advance for your valuable feedback!

 

------------------------------------------------------------------------------------------------

Have other off-topic issues to report? 

Welcome to > Start a New Thread < and elaborate on the issue for assistance.

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  5      
  5      
#1
Options
9 Reply
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
2024-05-19 12:30:23

  @Clive_A It's quite conveinient to create multiple VLAN on the same physical interface. But why use the same DHCP pool for all these VLAN? Can I use different DHCP pool for different VLAN? I think it's not very practical to use one DHCP pool/Subnet for different VLAN either. Firstly, not easy for management. Secondly, the IP address may not be enough. On this example, there are only 254 IP address shared by 20 VLAN/SSID, I think for most scenarios, it's not enough.

  1  
  1  
#2
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
2024-05-20 01:02:50 - last edited 2024-05-20 01:04:22

Hi @TOHanks 

Thanks for posting in our business forum.

TOHanks wrote

  @Clive_A It's quite conveinient to create multiple VLAN on the same physical interface. But why use the same DHCP pool for all these VLAN? Can I use different DHCP pool for different VLAN? I think it's not very practical to use one DHCP pool/Subnet for different VLAN either. Firstly, not easy for management. Secondly, the IP address may not be enough. On this example, there are only 254 IP address shared by 20 VLAN/SSID, I think for most scenarios, it's not enough.

You can create multiple VLAN interfaces manually for different purposes.

If you are setting this up for an apartment, I think placing your guests into the same subnet would not hurt anything. If you are setting up for the home, usually, less than 5 or 10 VLAN interfaces would suffice.

If you have a hotel and you'd like to specify the networks a little more, you can set up one VLAN interface for a floor. IMO, I don't see any reason why you would set up one VLAN interface for one room. If you have 100 rooms, you need to create 100 subnets. 

This will also increase the CPU usage and load up the traffic overall. And if you set up ACL, you are gonna create 100 ACLs or maybe 200 for bi-directional.

 

And, this is a common way we have investigated and developed to set up the VLAN int for condos.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#3
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
a week ago

  @Clive_A You are correct and wrong.

 

The main benefits of the Bridge VLAN is that, for an ordinary Gateway, it's easy to support 4096 VLANs. But even for a high end Cisco Router/Gateway, it's not capable to support 256 VLAN interfaces even.

  0  
  0  
#4
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
a week ago

Hi @Kenallo 

Thanks for posting in our business forum.

Kenallo wrote

  @Clive_A You are correct and wrong.

 

The main benefits of the Bridge VLAN is that, for an ordinary Gateway, it's easy to support 4096 VLANs. But even for a high end Cisco Router/Gateway, it's not capable to support 256 VLAN interfaces even.

It depends on the DHCP IP a router supports. The RFC defines the VLAN ID to 4096 as its maximum but it does not mean every router can reach that.

Of course, it is hard to implement on a pre-built router as the budget limits the hardware resources.

It depends on the DHCP IP, and routing tables a router can support. When it comes to networking, multiple aspects contribute to a result that may be expected or unexpected.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#5
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
a week ago

  @Clive_A I tried setting up a Bridge VLAN today for a client according to your directions. If I understand your example, it describes setting up an SSID for each of the Bridged VLANs. The problem is that you run out of SSIDs. Your unfinished example only has 4 SSIDs created, but 20 VLANs. If you have an AP in each apartment/room with only 2 frequencies available, then most likely you have only 2.4 and 5 GHz available with 16 SSIDs total or 8 if you use both frequencies at the same time for each SSID as in most setups. So, your instructions seem flawed. If I misunderstand, kindly help me to understand.

 

I was able to modify your setup slightly to achieve a working result. In my scenario, the client owns 17 apartments above 6 shops. I want each apartment and each shop to have its own isolated VLAN, so each apartment or shop can securely share devices on their own VLANs. Each apartment has an EAP615 AP and each shop has an EAP610 AP. The router is an ER7206 with an OC200 controller. There are SG2428P and SG2218P switches.

 

I started by creating 2 Bridge VLANs. The first was called Apartments with 17 VLANs and the second called Shops with 6 VLANs. Your Notes said that each Bridge VLAN should have a maximum of 20 VLANs for the sake of performance and that's why I made the 2 Bridge VLANs. Next, I created a PPSK profile called "Tenant" with 23 passwords linked to 23 VLANs.The VLANs in the PPSK Tenant profile are the same ones in the 2 Bridged VLANs (Apartments and Shops). I created one SSID that uses PPSK without RADIUS to authenticate. This allows all users to enter the same SSID and authenticate to their own VLAN based on their own personal password. I followed up by creating the Gateway ACL the way you specified to block access to the default LAN.

 

To make things even better, I went to the port configuration for the EAP615 AP for each apartment and configured the 3 Ethernet ports to match the VLAN ID for that apartment. So, whether the apartment tenants use the Ethernet ports or the SSID with the password for that apartment network, they are on the same VLAN ID and can share devices.

 

Cheers!

 

 

  0  
  0  
#6
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
Thursday
not really. Bridge VLAN is not targeted for such use cases. Omada is a solution for Business Wi-Fi, and for Business Wi-Fi, it's not a good practice to have too many SSIDs. 8 SSIDs for each radio are far then enough. And for Business Wi-Fi use, it's alwasy recommended to have one SSID - One VLAN - One VLAN interface/DHCP pool. Bridge VLAN is typically for PPSK use case where you have more VLANs, but not enough VLAN interface/DHCP pool. For example, you create 1024 PPSK, and each PPSK is assigned with an individual VLAN, so you need 1024 VLANs. But your gateway can only support 64 VLAN interfaces. Then you can then use Bridge VLAN. So you bridge 16 VLANs on each VLAN interface, that is to say devices from these 16 VLANs will share the same DHCP pool bound with this VLAN interface. Hope this solve your question.
  1  
  1  
#7
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
Thursday

  @Kenallo What you said is confusing. You said, "Bridge VLAN is not targeted for such use cases." But then you go on to say, "Bridge VLAN is typically for PPSK use case where you have more VLANs, but not enough VLAN interface/DHCP pool." and "But your gateway can only support 64 VLAN interfaces." Isn't an Apartment or Hotel scenario exactly this scenario with this dilemma? And was not my solution using the use case you mentioned? Then how can you say the Bridge VLAN is not targeted for such use cases?

 

You also said, "Omada is a solution for Business Wi-Fi, and for Business Wi-Fi". From TP-Link's websites I quote regarding Omada, "Seamless wireless and wired connections are provided, ideal for use in hospitality, education, retail, and offices." Hospitality includes Hotels. TP-Link produced the following article to which I link regarding their release of the EAP615 wall mount AP.

 

https://community.tp-link.com/en/business/forum/topic/517094

 

It states it is "more suitable for high-density application scenarios such as hotels, dormitories, and classrooms." They expect us to use their Omada equipment for these situations, but you argue that Omada is not for these use cases.

 

Further, if a Bridge VLAN is not targeted for Apartment or Hotel scenarios, why did TP-Link produce this very discussion as a direct solution for these scenarios (albeit flawed)? And when I asked TP-Link support engineers for a solution for Apartment VLAN isolation support, why did they link this article and say this is how it is done.

 

I must disagree with you. This is TP-Link's solution, applying directly to this use case and included as a purpose for the Bridge VLAN isolation solution.

  0  
  0  
#8
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
Thursday - last edited Thursday

  @Icthus 

 

you should consider PPSK, then you only need one SSID for all vlans. it is the only way to solve your problem. on.

 

 

https://community.tp-link.com/en/business/forum/topic/620762

 

it is a little more work, but you can also create a wlan group for each apartment, if all apartments and shops have their own wifi device, then you assign these devices to their wlan group.

 

  1  
  1  
#9
Options
Re:How to Configure Bridge VLAN(MDUs) for Apartment or Hotel Scenarios
Friday

MR.S wrote

  @Icthus 

 

you should consider PPSK, then you only need one SSID for all vlans. it is the only way to solve your problem. on.

 

 

https://community.tp-link.com/en/business/forum/topic/620762

 

it is a little more work, but you can also create a wlan group for each apartment, if all apartments and shops have their own wifi device, then you assign these devices to their wlan group.

 

  @MR.S It is an absolute pleasure to hear from you (if you read on you will eventually see why). In my own scenario a few weeks ago, I started by using your suggestion of a PPSK using one SSID for all VLANs without using a Bridged VLAN operation, but that did not work. Why? We want to isolate the VLANs for security. If we use that solution, we need many more than the 32 allowed ACLs for a situation like my 23 VLANs. So that suggestion is a bust. It was a good though and I had it because of you actually! In a previous community thread I had asked a question and you suggested it as a better solution. I thought, "That's a FANTASTIC idea!!!" But in the end it was a bust, because of the hard limit of 32 ACLs. Mind you, until November of 2022 it worked because there were a lot more ACLs allowed and this post

 

https://community.tp-link.com/en/business/forum/topic/589956?sortDir=DESC&page=1

 

flames TP-Link for their firmware update without notifying anyone that they were going to establish a hard limit of 32 ACLs. That's the history of the dilemma.

 

That said, I DID use your FANTASTIC idea to modify the OPs flawed solution to make the Bridged VLANs work. Bridged VLANs are AUTOMATICALLY isolated, so no ACLs are needed to isolate each VLAN. Combining the OPs idea of Bridged VLANs and your FANTASTIC idea (have I said that enough to tell you how amazing your idea was? wink) of PPSK using one SSID gives us a working solution. In addition, because I don't need to create a massive number of ACLs to isolate the VLANs, it's a much easier solution to implement. SO MUCH EASIER!

 

The only downside I see is that you must use WPA2 and not WPA3 for the PPSK solution and eventually WPA2 will run into security issues. it's not a downside for today, but eventually. Then we will have to abandon it as we did WEP and WPA and come up with another solution that works with WPA3. I for one would like to hear suggestions for that solution, so we're ready for it, but that is probably best suited for another thread.

  0  
  0  
#10
Options