Simple multi SSID per VLAN tagging - No internet access
Hello,
I'm trying to set up two wireless networks in two different VLANs, one for the usual devices (PCs, mobile, etc.) and another one for IoT.
I bought a TP link switch TL-SG108E which is connected to my ISP router. I'm currently using an Ubiquiti AC LR access point to propagate them.
Here's an idea of my setup:
The Ports 3-8 are currently unused, I will probably make them part of VLAN 2 in the future.
And my TP link config:
The PVIDs: (There are no devices connected apart for the AP yet, so no PVIDs were set here)
In sum, Port 2 (where the Ubiquiti is connected) is tagged and will forward tagged packets to the AP, which should then assign them to the corresponding network.
The access point already contains the VLAN configuration, however, there is no internet access in any of the networks in VLAN 2 or 3. VLAN 1 (default - no vlan) seems to work just fine!
I also noticed that if I set the PVID of port 1 to either 2 or 3, the corresponding VLAN (2, 3) will start working. However, I don't want to set that because I need both VLANs to be working and not just one of them.
PS: I also tried with a Cisco Meraki AP, no luck, seems like this is actually a routing problem.
Is there something wrong in my configuration?
Best Regards.
pedrovsky wrote
Is there something wrong in my configuration?
Yes. You defined an asymmetric VLAN, which requires access ports with membership in two VLANs to work as expected.
But Multi-SSIDs can not be members of more than one VLAN, so asymmetric VLANs won't work with VLAN-mapped Multi-SSIDs.
Are you using a WRT54GL as a router or is this a symbol picture only? If the latter: is your router VLAN-aware? What OS does it run?
No, that is just a reference image, my router is not VLAN aware, it is the ISP default GR241AG.
But isn't my access port 2 already member of the two vlans? Should I connect two ports to the router and label them (PVID) according to the VLAN?
pedrovsky wrote
But isn't my access port 2 already member of the two vlans?
Yes, but the VLAN is not terminated at the switch, it's terminated in the virtual interfaces assigned to the appropriate SSID in your UBNT AP.
To make an asymmetric VLAN work with an AP, you would make port 2 a trunk (tagged member of all VLANs 1, 2 and 3). Next, the SSID »Main« would need to be member of VLAN 1 and 2 with PVID=2 and the second SSID »IoT« would need to be a member of VLAN 1 and 3 with PVID=3.
But a SSID can't be a member of two VLANs and SSIDs have no PVID.
If you would connect two VLAN-unaware devices on ports 2 and 3 and make those ports access ports (untagged), you could use the scheme outlined above to isolate both devices against each other (they use different VLANs 2 and 3) and the router port as member of all VLANs could receive the traffic over those VLANs, too. Replies from the router would use VLAN 1, so they could reach the device connected to port 2 as well as the device connected to port 3.
Should I connect two ports to the router and label them (PVID) according to the VLAN?
That wouldn't help either, since your router does LAN-to-LAN routing between ports (if the LAN ports are separate interfaces) or switching (if the LAN ports are a built-in switch), thus no isolation between the VLANs.
Does your router have a guest network function?
Thank you for the clear explanation.
R1D2 wrote
But a SSID can't be a member of two VLANs and SSIDs have no PVID.
That makes sense, I would expect each wireless network to tag all the frames with the VLAN I selected, but that goes against making it part of two VLANs.
If you would connect two VLAN-unaware devices on ports 2 and 3 and make those ports access ports (untagged), you could use the scheme outlined above to isolate both devices against each other (they use different VLANs 2 and 3) and the router port as member of all VLANs could receive the traffic over those VLANs, too. Replies from the router would use VLAN 1, so they could reach the device connected to port 2 as well as the device connected to port 3.
Exactly, I think I've tested that before.
That wouldn't help either, since your router does LAN-to-LAN routing between ports (if the LAN ports are separate interfaces) or switching (if the LAN ports are a built-in switch), thus no isolation between the VLANs.
Does your router have a guest network function?
I've just witnessed this problem. The wireless networks work just fine, but the router defeats the purpose, I can ping devices across VLANs.
Yes, guest network! Does that help? I thought this would be simpler 😰!
Does this mean, assuming my router can't guarantee the isolation, it can't be done?
pedrovsky wrote
Yes, guest network! Does that help? I thought this would be simpler 😰!
If your router offers a guest network, you have two isolated networks (say, LAN and GUEST, the latter used for IoT) in the router. You could use two access ports to connect those two networks to the switch:
- Connect LAN port of router to switch port 1, untagged member of VLAN 2, PVID=2. Remove this port from VLAN 1.
- Connect GUEST port of router to switch port 2, untagged member of VLAN 3, PVID=3. Also remove this port from VLAN 1.
- Connect your AP to switch port 3, tagged member of VLANs 2 and 3. Set PVID=2, remove from VLAN 1.
- Leave all unused ports 4-8 in VLAN 1.
As far as I know UBNT APs use untagged traffic for management of the AP itself. PVID=2 of the trunk port 3 assigns this traffic to the LAN network. But you could manage the AP itself through another VLAN, e.g. 1 or 10 or 50 if you want to remove it from the LAN and from IoT (GUEST).
To learn how isolation can be achieved with TP-Link EAPs (two methods: any easy one-click method and a professional VLAN-based method) see this HowTo.
Does this mean, assuming my router can't guarantee the isolation, it can't be done?
Usually, a GUEST network is a separate network, so the router can guarantee isolation (it uses VLANs internally to do so, even if you can't configure VLANs in the router's web UI).
If you want to play with VLANs like shown in the HowTo linked above and you have a cheap, old WiFi router lying around somewhere, consider installing OpenWrt Linux on this WiFi router. This gives you a full-fledged Linux system with VLANs, firewall and many other useful capabilities.
Hope this helps!
@R1D2 Thank you, that surely helps!
I just don't think my router provides an access port for the guest network, I think all the four ports refer to the main LAN.
Thanks for the link. I will look into using a different router since guest mode also only scales up to having two networks (normal and guest).
For future reference, I just have one more question.
Considering I wanted to do this exact same setup, but without having as many cables from the router to the switch as VLANs, what would be the best solution? A VLAN aware router (with 802.1q support)?
pedrovsky wrote
Considering I wanted to do this exact same setup, but without having as many cables from the router to the switch as VLANs, what would be the best solution? A VLAN aware router (with 802.1q support)?
Definitely. If you want to run a VLAN-based network, it should start at the router and be terminated in the servers and APs. Only client devices usually don't use VLANs (but they can, that's handy for the administrator's laptop to assign different network profiles selecting the appropriate VLAN on the laptop – makes switching between networks easy).
Just see it this way: VLANs are a mechanism to deploy different networks over the same physical device of each type. Since each network has at least a router, a switch and nowadays most often an AP, deploying a VLAN-based network should reduce the two routers to one router only, the two switches to one switch only, the two APs to one AP only and the two cables in between to one cable only.
What's more, every business-class router I know of provides VLANs. Even SOHO devices such as laptops running Linux, MacOS or Windows also support VLANs for their built-in NICs nowadays.
Using a VLAN only in a switch restricts the VLAN capabilities to asymmetric VLANs. Except for this use case (e.g. for an MTU VLAN), if you have only one network, you don't need VLANs at all.
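The switch behaviour argued over in this thread (the opening configuration, R1D2's asymmetric-VLAN thought experiment with the AP on the trunk, the wired asymmetric variant, the two-access-port guest-network scheme, and the single-trunk VLAN-aware router recommended in the last reply) can be checked with a small 802.1Q forwarding model. The code below is an added example and is not from the thread, TP-Link or Ubiquiti; the `Port`/`Switch` classes, the `*_setup()` functions and `ssid_round_trip()` are my own names, and every port table is constructed from the descriptions in the replies above (port numbers follow R1D2's guest scheme, not necessarily the poster's actual wiring).

```python
from dataclasses import dataclass


@dataclass
class Port:
    """One switch port: its PVID and a VID -> "T"/"U" membership map."""
    name: str
    pvid: int
    members: dict


class Switch:
    """Constructed model of an 802.1Q switch (not the TL-SG108E firmware itself)."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, ingress, vid=None):
        """Forward one frame entering `ingress`; vid=None means it arrived untagged.

        Returns {egress_port: vid on the wire}: None when the frame leaves untagged
        (the port is a "U" member), the VID when it leaves tagged (a "T" member).
        """
        p = self.ports[ingress]
        if vid is None:
            vid = p.pvid                 # untagged ingress is classified by PVID
        elif vid not in p.members:
            return {}                    # tagged with a VLAN this port is not in: dropped
        out = {}
        for n, q in self.ports.items():
            if n == ingress or vid not in q.members:
                continue                 # egress filter: only members of the VLAN
            out[n] = vid if q.members[vid] == "T" else None
        return out


def original_setup():
    """The opening post: router on port 1 (untagged, VLAN 1 only), AP on port 2 as a
    tagged member of 2 and 3 (VLAN 1 untagged)."""
    return Switch({
        1: Port("router", 1, {1: "U"}),
        2: Port("ap", 1, {1: "U", 2: "T", 3: "T"}),
    })


def asymmetric_ap_setup():
    """R1D2's thought experiment: asymmetric VLAN with the AP on a trunk port."""
    return Switch({
        1: Port("router", 1, {1: "U", 2: "U", 3: "U"}),
        2: Port("ap", 1, {1: "U", 2: "T", 3: "T"}),
    })


def asymmetric_wired_setup():
    """Asymmetric VLAN with two VLAN-unaware wired devices on access ports 2 and 3."""
    return Switch({
        1: Port("router", 1, {1: "U", 2: "U", 3: "U"}),
        2: Port("device-a", 2, {1: "U", 2: "U"}),
        3: Port("device-b", 3, {1: "U", 3: "U"}),
    })


def guest_setup():
    """R1D2's guest-network scheme: LAN on port 1, GUEST on port 2, AP trunk on port 3."""
    return Switch({
        1: Port("router-lan", 2, {2: "U"}),
        2: Port("router-guest", 3, {3: "U"}),
        3: Port("ap", 2, {2: "T", 3: "T"}),
        4: Port("unused", 1, {1: "U"}),
    })


def vlan_router_setup():
    """One trunk cable to an 802.1Q-aware router, as recommended in the last reply."""
    return Switch({
        1: Port("router", 1, {1: "U", 2: "T", 3: "T"}),
        2: Port("ap", 1, {1: "U", 2: "T", 3: "T"}),
    })


def ssid_round_trip(sw, ap_port, router_port, ssid_vid):
    """Does a frame from the SSID mapped to `ssid_vid` reach the router, and with which
    tag does the router's reply come back on the AP trunk?  A VLAN-mapped SSID is a
    virtual interface bound to exactly one VID, so it only sees replies that return
    tagged with that same VID (None stands for the untagged SSID in VLAN 1)."""
    uplink = sw.forward(ap_port, ssid_vid)
    if router_port not in uplink:
        return (False, None)
    # The router answers on the VLAN the frame arrived in: an untagged request gets an
    # untagged reply (classified by the router port's PVID), a tagged one keeps its VID.
    reply = sw.forward(router_port, uplink[router_port])
    return (True, reply.get(ap_port))


if __name__ == "__main__":
    for name, sw in [("original", original_setup()), ("asymmetric+AP", asymmetric_ap_setup()),
                     ("guest", guest_setup()), ("vlan-router", vlan_router_setup())]:
        print(name, "SSID VLAN 2 ->", ssid_round_trip(sw, 2 if name != "guest" else 3, 1, 2))
```

Reading the results: in the original setup the SSID's tagged VLAN 2 frames are dropped at the router port, which is exactly the "no internet on VLAN 2/3" symptom; in the asymmetric variant the request arrives but the reply comes back untagged in VLAN 1, which the VLAN 2 SSID interface never sees; the guest scheme and the VLAN-aware router both return the reply tagged 2. The wired asymmetric setup shows the isolation R1D2 describes: device-a and device-b each reach the router, but not each other. As the thread points out, the guest scheme still relies on the router itself keeping LAN and GUEST apart; the switch only carries the separation.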