OMADA CLOUD CONTROLLER on VLAN
Hello, I have the following query, because all this VLAN with the EAP is confusing.
I have 3 different networks in my network. For example:
LAN Offices 10.10.10.1/24 + (vlan20; vlan30)
LAN Students 10.10.20.1/24 + (vlan10; vlan30)
LAN Rooms 10.10.30.1/24 + (vlan10; vlan20)
Each network is for different uses, for example offices, students and rooms.
The need arises to have EAP in all ranges, because not all cables reach everywhere.
2 EAP + omada controller on 10.10.10.1/24
2 EAP on 10.10.20.1/24
2 EAP at 10.10.30.1/24
Create 3 Wi-Fi signals and their respective SSIDs:
SSID: Offices
SSID: Students
SSID: Rooms
But what I need is more complete: I need to be able to assign a VLAN to each EAP individually.
EAPs that are on DHCP 10.10.20.1 configure VLAN 10 to see the Omada controller.
*Summary: I need to use EAP nodes in all wired IP ranges and have them emit all ranges over Wi-Fi; I need each EAP node to have the option of choosing which VLAN to connect to, regardless of which VLAN it emits over Wi-Fi.
Am I clear?
Ideas?
BruMa wrote
Hello, I have the following query, because all this VLAN with the EAP is confusing.
I have 3 different networks in my network. For example:
LAN Offices 10.10.10.1/24 + (vlan20; vlan30)
LAN Students 10.10.20.1/24 + (vlan10; vlan30)
LAN Rooms 10.10.30.1/24 + (vlan10; vlan20)
Each network is for different uses, for example offices, students and rooms.
Important information is missing:
- What is the Primary VLAN ID (PVID) of the ports?
- Are the ports tagged or untagged members of the VLANs?
If ports are untagged members, then VLAN 30 is unused in your setup.
The need arises to have EAP in all ranges, because not all cables reach everywhere.
2 EAP + omada controller on 10.10.10.1/24
2 EAP on 10.10.20.1/24
2 EAP at 10.10.30.1/24
So you have three networks/broadcast domains, but only one network per two EAPs. Why? I would rather distribute all three networks over all six EAPs.
*Summary, I need to use EAP nodes in all wired IP ranges and that emit all ranges over Wi-Fi, I need that each EAP node has the option of choosing which VLAN to connect regardless of which VLAN emits over Wi-Fi.
Then why not just set it up?
Let's see:
- You have three networks 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24. You assign them three VLAN IDs 10, 20 and 30.
- Port 8 should be the trunk port to your (VLAN-aware) router or to another switch to which the router is connected.
- Management network for OC200/EAPs should be VLAN 10 (Office LAN).
- EAPs should use VLAN 10 for management and Office LAN access.
- All EAPs should offer all three networks wirelessly, one per SSID.
- All wireless users should be able to reach the portal(s) on OC200 over the Office network (VLAN 10).
Port assignment on the switch:
Port 1-6: EAPs. Port 7: OC200, Port 8: uplink to router.
VLAN setup:
- In the switch, create VLAN 10, 20 and 30 to fulfill requirement #1.
- Assign switch port 8 (uplink) membership of VLANs 10, 20 and 30 as tagged port (trunk port) with PVID 10. Requirement #2 met.
- Assign switch port 7 (OC200) membership of VLAN 10 as untagged port with PVID 10. Set OC200 to a static IP from the IP 10.10.10.0 network. Requirement #3 met.¹
- Assign switch ports 1-6 membership of VLAN 10, 20 and 30, too, but again as tagged ports (trunk ports) with PVID 10. Assign all EAPs static IPs from the 10.10.10.0 network, so they can communicate with OC200. Set management VLAN of all EAPs to VLAN 10. Requirement #4 met.¹
- Assign the three SSIDs their VLAN IDs 10, 20 and 30 respectively. SSID "Office" is 10, "Student" is 20, "Rooms" is 30. Requirement #5 fulfilled.
- Create a forwarding rule in your router from networks/VLANs 20 and 30 into network/VLAN 10 (they are in different firewall zones). Define the OC200's IP address as exception in OC200 ACL default block rule for private IPs, assign this ACL to the three SSIDs (see Advanced Wireless Settings). Requirement #6 fulfilled.
¹ Be aware that connection to the OC200/EAP temporarily will fail when applying the change of the mgmt VLAN if you are not inside VLAN 10 while setting this up.
That's all.
Management traffic from EAPs will use VLAN 10, Office LAN.
Wireless clients use VLAN 10, 20 and 30 depending on the SSID they are connected to. IPs for wireless and wired clients will be assigned by a DHCP server which must maintain 3 pools for the 10.10.10.0, 10.10.20.0 and 10.10.30.0 networks.
Traffic from clients in any network can reach the OC200 for portal page via Inter-VLAN routing (forwarding) on the router.
PS: Please avoid double postings of the same question in different threads.
Thank you very much. I have seen that you put some questions, yet you have answered very completely. When I have free time and equipment availability, I will perform the tests you say. Sorry for doubling the thread.
I think I will do the following:
RB3011 Mikrotik
port 1 WAN
port 2 WAN
port 6 (trunk vlans)
port 7 (oc200) (IP200) VID: 1
(IP10) 10.10.10.1/24 (Offices)
(IP20) 10.10.20.1/24 (Students)
(IP30) 10.10.30.1/24 (Rooms)
(IP200) 10.10.200.1/24 (exclusive to manage EAP and oc200 nodes)
CRS326 Mikrotik switch
V10U-V20T-V30T-V200T (Port 1-8)
V10T-V20U-V30T-V200T (Port 9-16)
V10T-V20T-V30U-V200T (Port 17-22)
Port23 reserved (empty)
Port24 (trunk vlans)
------------------------------
V = VLAN
nº = ID
U = untagged
T = tagged
------------------------
I have
1 EAP 115 office sector
1 EAP 225 office sector
2 EAP 115 student sector
2 EAP 115 room sector
*(It is impossible to place UTP for each eap individually, so existing wiring is used, computers and switch 5port on sectors)
my idea is that all eap have 3 SSIDs
Office (IP10)
Students (IP20)
Rooms (IP30)
From any sector, get the Wi-Fi range that belongs to you. Their respective limitations of bandwidth, quota, voucher or login.
Thank you
BruMa wrote
RB3011 Mikrotik
port 1 WAN
port 2 WAN
port 6 (trunk vlans)
port 7 (oc200) (IP200) VID: 1
That's even better (a separated management network for OC200: VLAN 200).
But why then VID: 1? Port to OC200 must be an untagged member of VLAN 200 and needs to have PVID 200 to make it work.
CRS326 Mikrotik switch
V10U-V20T-V30T-V200T (Port 1-8)
V10T-V20U-V30T-V200T (Port 9-16)
V10T-V20T-V30U-V200T (Port 17-22)
Port23 reserved (empty)
Port24 (trunk vlans)
No. Ports for EAPs with VLANs 10, 20, 30 and 200 must be all tagged (trunk ports). No untagged traffic to EAPs, this will not work with VLAN-aware Multi-SSIDs! Only OC200 needs to transmit untagged (management) traffic.
Of course, if you want to distribute a single VLAN, say 10, only to an EAP group (say, the two in Office space) you need to assign those EAP's ports only membership of VLAN 10 and 200, both tagged, but not VLAN 20 and 30. The port's PVID should be 200 then. But I think it's better to feed them all VLANs and enable/disable the SSID-VLAN per EAP where needed.
This is the topology:
Hi
I'm back after some tests.
----------------------------------------------
I set:
LAN10 (office)
10.10.0.1/16 (DHCP 10.10.0.10 - 10.10.255.200)
LAN20 (Students)
10.20.0.1/16 (DHCP 10.20.0.10 - 10.20.255.200).
LAN30 (Rooms)
10.30.0.1/16 (DHCP 10.30.0.10 - 10.30.255.200)
LAN 200 (only OC200)
10.200.0.1/16 (DHCP 10.200.0.10 - 10.200.255.200)
--------------------------------------------------
Mikrotik RB3011
Port 1. WAN1
Port 2. WAN2 (reserved)
Port 3. LAN 10 (test)
Port 4. LAN 20 (test)
Port 5. LAN 30 (test)
Port 6. ALL VLAN TAGGED (TRUNK to Switch CRS326)
Port 7. LAN200 to OC200, only.
Port 8. LAN200 (tagged 10,20,30,200) (initial test and configuration EAP)
Port 9. Empty
Port 10. Empty
------------------------------------------------
CRS326-24G-2S+RM (SwOS)
Port 9 LAN10 untagged and (VLAN 10, 20, 30, 200 all tagged)
Port 10 LAN20 untagged and (VLAN 10, 20, 30, 200 all tagged)
Port 11 LAN30 untagged and (VLAN 10, 20, 30, 200 all tagged)
Port 16 (trunk to MK3011, port 6, receive only vlans)
* Only some ports configured for the test.
--------------------------------------------------
My concept of laboratory and current problem.
I need each EAP to be connected to a different untagged network, but to read Vlan200 to communicate with OC200. Example:
CRS326-24G-2S+RM (SwOS)
Port 9 LAN10 untagged + EAP245 vlan200
Port 10 LAN20 untagged + EAP245 vlan200
Port 11 LAN30 untagged + EAP245 vlan200
*I want them to communicate with oc200 and it is not possible.
*EAPs take the untagged ip of their ports and do not take tagged VLAN200.
*If I place the EAPs one at a time on port 8 (test) of the MK3011, they work correctly in the Omada console.
*The tests are difficult: the OC200 is very slow in the detection and configuration of the EAP (disconnected, configuring, connected). Sometimes I wait 5 minutes to know what happens, refreshing the panel.
----------------------------------
Summary.
I want that each EAP can take any ip, and communicate with oc200, to be able to read all tagged VLANS, and provide WIFI on each one of them.
If I could enter each EAP and have it read only VLAN 200 to communicate with OC200, everything would be easier.
Thanks for your help, I hope to have everything well configured.
@BruMa, first of all, OC200 always sends untagged traffic.
If you want to use wireless networks in different subnets, you need to use Multi-SSIDs assigned to the corresponding VLAN. Why? Because you need a wireless network per subnet (that means if you have 3 subnets, you need 3 different WiFi subnets, too). Thus, you must use tagged traffic on the EAP's interface.
Even if you assign SSIDs to VLANs, the EAP itself will not use a VLAN for management. That's what the »Management VLAN« setting in OC200 is for. If you set the management VLAN in OC200, only the EAP itself will send tagged traffic, but not the OC200.
This means the switch port for the EAP needs to be tagged and needs to be a member of all subnet VLANs as well as of the management VLAN. The switch port for the OC200 needs to be untagged and it needs to be member of the management VLAN only.
If you need portal functions for clients, you must use Inter-VLAN routing. The clients in VLANs 10, 20, 30 need access to OC200 to be able to reach the portal.
So, if you have VLANs 10, 20, 30 for the students and VLAN 200 for management, set up:
- three SSIDs, one assigned to VLAN 10, 20 and 30 respectively,
- »Management VLAN« setting in OC200 to VLAN 200,
- switch port to the EAP tagged as a member of VLANs 10, 20, 30 and 200 (PVID doesn't matter, but should be 200, see note below),
- switch port to the OC200 untagged as member of VLAN 200 only, PVID does matter, needs to be 200,
- Inter-VLAN (host) routing to OC200 for VLANs 10, 20 and 30 if (and only if) you use portals, not needed for basic WPA2 authentication.
Note also that if you have set a management VLAN in OC200 the switch port to the EAP needs to be an untagged member of VLAN 200 with PVID 200 during the discovery process for the initial connection of a new EAP to the OC200 (while its status is »Pending«), but you will need to change the switch port to be a tagged member of VLAN 200/PVID 200 immediately after you have adopted the EAP to allow for provisioning / configuring the EAP, now through the management VLAN. This is somewhat tricky.
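The following Python model of 802.1Q port classification is an added illustration for this thread; it is not code from the original posts and not Omada or MikroTik software. It replays the three switch port layouts discussed here (BruMa's lab port that is untagged in LAN10 plus tagged 200, the recommended all-tagged trunk port with PVID 200, and the temporary discovery port untagged in VLAN 200) against an EAP before and after the controller provisions it, and shows why the lab port never reaches the OC200 and why the adoption needs the two-step port change. Port and device names are constructed; the way the `Eap` class treats tagged frames (unprovisioned: untagged management frames only; provisioned: only frames tagged with its management VLAN) is an assumption taken from the advice in this answer, not a statement about the firmware.

```python
"""Toy model of 802.1Q port handling on a VLAN-aware switch.

Added illustration for this thread, not code from the original posts and not
Omada or MikroTik code. Port memberships follow the values discussed in the
thread; how an EAP treats tagged frames before and after provisioning is an
assumption taken from the advice given, not a statement about the firmware.
"""
from dataclasses import dataclass
from typing import Optional

DROP = "drop"


@dataclass
class Port:
    pvid: int
    tagged: frozenset = frozenset()
    untagged: frozenset = frozenset()

    @property
    def members(self) -> frozenset:
        return self.tagged | self.untagged


def ingress_vid(port: Port, tag: Optional[int]):
    """VLAN a frame is classified into on arrival: an untagged frame (tag None)
    takes the port's PVID; a VID the port is not a member of is dropped."""
    vid = port.pvid if tag is None else tag
    return vid if vid in port.members else DROP


def egress_tag(port: Port, vid: int):
    """Tag the frame leaves with: stripped (None) on an untagged member,
    kept on a tagged member, dropped if the port is not a member at all."""
    if vid in port.untagged:
        return None
    if vid in port.tagged:
        return vid
    return DROP


def forward(in_port: Port, out_port: Port, tag: Optional[int]):
    """A frame enters on in_port carrying `tag` and leaves on out_port (or DROP)."""
    vid = ingress_vid(in_port, tag)
    return DROP if vid == DROP else egress_tag(out_port, vid)


@dataclass
class Eap:
    # None until the controller has adopted and provisioned it. Assumed behaviour:
    # an unprovisioned EAP handles only untagged management frames, a provisioned
    # one only frames tagged with its management VLAN.
    mgmt_vlan: Optional[int] = None

    def accepts(self, tag: Optional[int]) -> bool:
        return tag is None if self.mgmt_vlan is None else tag == self.mgmt_vlan

    def sends(self) -> Optional[int]:
        return self.mgmt_vlan  # its own management traffic: untagged or mgmt-tagged


# OC200 access port: untagged member of VLAN 200 only, PVID 200 (OC200 always sends untagged)
OC200_PORT = Port(pvid=200, untagged=frozenset({200}))
# BruMa's lab port: untagged in LAN10 (PVID 10), VLANs 20/30/200 tagged
LAB_PORT = Port(pvid=10, untagged=frozenset({10}), tagged=frozenset({20, 30, 200}))
# Recommended steady-state EAP port: 10/20/30/200 all tagged, PVID 200
TRUNK_PORT = Port(pvid=200, tagged=frozenset({10, 20, 30, 200}))
# Temporary discovery port: untagged in 200 with PVID 200, data VLANs still tagged
DISCOVERY_PORT = Port(pvid=200, untagged=frozenset({200}), tagged=frozenset({10, 20, 30}))


def mgmt_path(eap_port: Port, eap: Eap):
    """(controller reaches EAP, EAP reaches controller) for one switch layout."""
    to_eap = forward(OC200_PORT, eap_port, None)           # OC200 -> EAP, always untagged
    to_oc200 = forward(eap_port, OC200_PORT, eap.sends())  # EAP -> OC200
    return (to_eap != DROP and eap.accepts(to_eap), to_oc200 != DROP)


def adoption_sequence():
    """Walk an EAP through the adoption steps and record which direction of
    management traffic works at each step."""
    eap = Eap()
    steps = [
        ("lab port, unprovisioned", mgmt_path(LAB_PORT, eap)),
        ("trunk port, unprovisioned", mgmt_path(TRUNK_PORT, eap)),
        ("discovery port, unprovisioned", mgmt_path(DISCOVERY_PORT, eap)),
    ]
    eap.mgmt_vlan = 200  # OC200 adopts the EAP and provisions management VLAN 200
    steps.append(("discovery port, provisioned", mgmt_path(DISCOVERY_PORT, eap)))
    steps.append(("trunk port, provisioned", mgmt_path(TRUNK_PORT, eap)))
    return steps


def ssid_to_uplink(eap_port: Port, ssid_vlan: int):
    """Tag a wireless client's frame carries when it leaves the uplink trunk."""
    uplink = Port(pvid=200, tagged=frozenset({10, 20, 30, 200}))
    return forward(eap_port, uplink, ssid_vlan)


if __name__ == "__main__":
    for step, (oc_to_eap, eap_to_oc) in adoption_sequence():
        print(f"{step:32s} OC200->EAP: {oc_to_eap!s:5s} EAP->OC200: {eap_to_oc}")
    for vlan in (10, 20, 30):
        print(f"SSID VLAN {vlan} on trunk port -> uplink tag {ssid_to_uplink(TRUNK_PORT, vlan)}")
```

Running it prints one line per step: on the lab port neither direction works (the EAP's untagged frames land in VLAN 10, and the controller's frames arrive tagged 200, which an unprovisioned EAP ignores); on the all-tagged trunk port only EAP-to-controller works; on the discovery port both work until the EAP is provisioned, after which only the trunk port works in both directions. The model deliberately ignores ingress-filtering toggles and DHCP; it only shows the tag bookkeeping that decides whether a management frame is delivered.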
Make a diagram to make me understand.
concept: any eap in any subnet has to emit all ranges of wifi.
I think the problem may be in firewall or ports of the RB3011.
When I set up any EAP on the ETH8 port of RB3011 it worked, then remove it and place it in another range it worked too, but OC200 stopped seeing it. But all the configured Wi-Fi worked correctly in a Wi-Fi test.
If OC200 is able to function in that way, I am obviously doing something wrong. I hope you understand that I am not an expert in networks.
Stop using "management VLAN 200" on OC200.
I think that if I could have an option in each EAP which says which VLAN it is going to work on, it would be easier for me.
Thanks for your time.
@BruMa, can't work this way.
All EAPs need an IP in the mgmt VLAN 200 (10.200.0.0/16).
You need to enable »Site Settings → Management VLAN« in OC200 and set its VLAN ID to 200.
The port to which the OC200 is connected must not be a member of any other VLAN except 200/PVID 200 (access port). As I wrote, the OC200 only sends untagged traffic. The Management setting of OC200 only sets EAPs to use VLAN ID 200 in their (tagged) traffic, but not the OC200 itself. Therefore it makes no sense to have the switch port for OC200 in any other VLAN except 200.
All trunks to TL-SG105E must be tagged members of VLANs 10, 20, 30 and 200. I don't understand what you mean with »LAN20 (untagged)«.
When adopting an EAP the first time, you need to set the trunk port of the TL-SG105E to the EAP as an untagged member of VLAN 200 temporarily (PVID 200), so it can reach the OC200. After adopting the EAP, the OC200 will provision the EAP and set the EAP's mgmt VLAN ID to 200, thus you need to change the port back to be a tagged member of VLAN 200 to allow communication between OC200 and EAP again (now via VLAN 200).
If you want to use portal functions of OC200, you need Inter-VLAN (host) routing from all VLANs 10, 20 and 30 to the OC200. Just open the RB3011 firewall for HTTP/HTTPS traffic from clients in all VLANs to the IP of OC200.
Finally I could make it work correctly.
According to the previous graph, port 6 is a “trunk” with all vlans sent to the CRS326 switch.
Switch
port 1 to 10 untagged LAN10
port11 to 20 untagged LAN20
port21 to 23 untagged LAN30
port 24 TRUNK
I always send all VLANS 10-20-30-40-200 to all ports
RB3011 Mikrotik
I use the ethernet port 6 for LAN200 on the OC200.
When I want to adopt a new EAP I use the ether7 port with the same LAN200
Management VLAN ID: 200 in OC200; it will stop seeing it when adopting it.
But then when connected to any of the networks it starts working correctly.
I have about 9 EAP225. Through all LANS and I can broadcast all VLANs over Wi-Fi correctly.
THANKS!
@BruMa, great that you could solve the issue! Have fun with your WiFi network!
Hi, I'm here with a new technical problem.
It turns out I need to send VLAN 10, 20, 30 with EAPs on different networks,
so an EAP can be on a 10.10.0.1 LAN with Wi-Fi VLAN 10.
I think it's a collision.
Also for an EAP on LAN 10.20.0.1 with VLAN 20.
So how can I do it?
If I create several WLAN Groups for untagged VLAN 10 (example 1), I think it would be the solution.
But if I have a voucher or captive portal, will I have a problem when using it in several WLAN Groups?