Author Topic: VLAN Setup  (Read 490 times)

Networkwise

  • Level 1 Member
  • *
  • Posts: 4
VLAN Setup
« on: February 03, 2020, 11:23:02 PM »

Guys I'm looking for a bit of help if possible, please.

Here's the scenario. I have a site with 4 DGS-1210-28P switches and at the moment they are all flat out of the box with a single VLAN. What I want to do is share a second VLAN across all ports. The reason being I use UniFi on-site and I want to put guest WiFi on a separate VLAN so I can filter the traffic on the Firewall. The snag is I cannot connect the APs to a single VLAN as then the private WiFi won't be able to get to the LAN where the Servers reside so somehow I need to have both VLANs visible on all ports unless of course, someone knows better  :D
Logged

Networkwise

  • Level 1 Member
  • *
  • Posts: 4
Re: VLAN Setup
« Reply #1 on: February 04, 2020, 01:16:22 AM »

So I "think" if I add the second VLAN on all 4 switches and leave all access ports untagged and then tag the uplink ports on each switch this should pass the VLAN information and allow a device on the second VLAN to get to the first? So this way my UniFi APs can serve both networks while the VLAN carrying the Guest traffic is secured by the UniFi controller by applying the Guest policies.

Reference - https://www.thomas-krenn.com/en/wiki/VLAN_Basics
Logged

Networkwise

  • Level 1 Member
  • *
  • Posts: 4
Re: VLAN Setup
« Reply #2 on: February 06, 2020, 05:35:32 AM »

So this is still not working and I found a reference that confirmed what I thought regarding the setup but still, it doesn't pass DHCP traffic to the Guest WiFi for clients to be able to connect.

https://community.spiceworks.com/topic/1080225-isolate-guest-network-by-vlan

We have the following configuration.

1) Fortigate Firewall with LAN2 on a 10.10.10.0/24 network. DHCP enabled and using VLAN5.
2) VLAN5 added to all switches.
3) Only the ports connecting either uplinks to other switches or to UniFi APs are "TAGGED"
4) Only the port that LAN2 on the FG connects to is on VLAN5, this port is left "UNTAGGED"

Any thoughts please?
 
Logged
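The configuration listed in Reply #2 can be checked on paper before touching the switches. The following is an added example, not code from the posters or from D-Link: it models each port as an untagged VLAN plus a set of tagged VLANs and reports where VLAN 5 stops between the firewall port and the AP ports. Switch names, port numbers, AP names and the missing tag on sw3 are constructed.

```python
from collections import deque
GUEST_VLAN = 5
# Constructed topology: (switch, port) -> (untagged VLAN, set of tagged VLANs).
PORTS = {
    ("sw1", 1):  (5, set()),   # FortiGate LAN2: untagged member of VLAN 5
    ("sw1", 25): (1, {5}),     # uplink to sw2
    ("sw2", 25): (1, {5}),     # uplink to sw1
    ("sw2", 26): (1, {5}),     # uplink to sw3
    ("sw3", 25): (1, set()),   # uplink to sw2, VLAN 5 tag missing (constructed fault)
    ("sw2", 3):  (1, {5}),     # AP-A
    ("sw3", 3):  (1, {5}),     # AP-B
}
LINKS = [(("sw1", 25), ("sw2", 25)), (("sw2", 26), ("sw3", 25))]
FIREWALL_PORT = ("sw1", 1)
AP_PORTS = {"AP-A": ("sw2", 3), "AP-B": ("sw3", 3)}

def mode(port, vlan):
    """Return 'tagged', 'untagged' or None for how a port carries the VLAN."""
    untagged, tagged = PORTS[port]
    return "tagged" if vlan in tagged else ("untagged" if untagged == vlan else None)

def link_ok(a, b, vlan):  # both ends must carry the VLAN in the same mode
    return mode(a, vlan) is not None and mode(a, vlan) == mode(b, vlan)

def reachable_switches(vlan, start):
    """Breadth-first walk over the links that pass the VLAN."""
    seen, queue = {start}, deque([start])
    while queue:
        sw = queue.popleft()
        for a, b in LINKS:
            if link_ok(a, b, vlan) and sw in (a[0], b[0]):
                for nxt in {a[0], b[0]} - seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen

def audit(vlan=GUEST_VLAN):
    findings = []
    if mode(FIREWALL_PORT, vlan) != "untagged":
        findings.append(f"firewall port {FIREWALL_PORT} is not untagged in VLAN {vlan}")
    findings += [f"link {a} <-> {b} does not pass VLAN {vlan}"
                 for a, b in LINKS if not link_ok(a, b, vlan)]
    reach = reachable_switches(vlan, FIREWALL_PORT[0])
    for name, port in AP_PORTS.items():
        if mode(port, vlan) != "tagged":
            findings.append(f"{name} port {port} is not tagged for VLAN {vlan}")
        elif port[0] not in reach:
            findings.append(f"{name} on {port[0]} has no VLAN {vlan} path to the firewall")
    return findings
```

With the constructed fault in place, `audit()` reports the sw2/sw3 uplink and AP-B; tagging VLAN 5 on `("sw3", 25)` clears both findings.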

deliciouslink

  • Level 1 Member
  • *
  • Posts: 1
  • WELCOME TO THE THUNDERDOME
    • http://www.jackiechan.com/news/
Re: VLAN Setup
« Reply #3 on: February 06, 2020, 11:57:16 AM »

Try making sure that the VLANs on the switch are working correctly before installing the AP, by making an untagged/access member port on the switch for the guest VLAN the AP will be using and plugging in a laptop to ensure it's getting the correct IP address that a device in that VLAN should be receiving.


Can you post some screenshots of your current VLAN configuration on the switch?
Logged
STR8 UP BROTHER!

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 434
Re: VLAN Setup
« Reply #4 on: February 06, 2020, 01:06:15 PM »

Hi,

after having read this description of how to configure and use Guest Access with UniFi APs I'm in doubt that these APs are capable of dealing with two VLANs at the physical switch ports they are connected to. If they could, it would be quite simple to direct them to bridge corporate WiFi-SSID to a first VLAN and guest WiFi-SSID to a second one.

Instead it looks like they are completely VLAN-unaware (they don't support SSID to VLAN mappings) and can only be connected to switch access ports, that is to a single VLAN. Hence, guests are attached to the corporate network as well - there are only "post authorization access restrictions" configurable into the APs via the controller (kind of IP filter or ACL) that prevent access of guests to IP destinations you don't want them to have access to.

With this WiFi solution you could create a guest WiFi by not using the builtin guest access function but b(u)y adding a second set of APs + controller operating on a different SSID, WiFi channel and VLAN (and IP network) instead. In this case you would connect 'guest' APs and 'guest' controller to switch access ports configured for a guest VLAN. Your Fortigate could be connected to corporate and guest VLAN by either two physical ports connected to two switch access ports configured for corporate and guest VLAN respectively, or, using IP subinterfaces, by a single physical port connected to a switch port that is configured as a VLAN trunk port encompassing corporate and guest VLAN. Any switch-to-switch connections would be configured as VLAN trunk ports as well.

Or, even better, change to a WiFi solution that supports SSID to VLAN mapping.

PT 
« Last Edit: February 06, 2020, 02:10:57 PM by PacketTracer »
Logged

Networkwise

  • Level 1 Member
  • *
  • Posts: 4
Re: VLAN Setup
« Reply #5 on: February 06, 2020, 11:46:59 PM »

Quote
Hi,

after having read this description of how to configure and use Guest Access with UniFi APs I'm in doubt that these APs are capable of dealing with two VLANs at the physical switch ports they are connected to. If they could, it would be quite simple to direct them to bridge corporate WiFi-SSID to a first VLAN and guest WiFi-SSID to a second one.

Instead it looks like they are completely VLAN-unaware (they don't support SSID to VLAN mappings) and can only be connected to switch access ports, that is to a single VLAN. Hence, guests are attached to the corporate network as well - there are only "post authorization access restrictions" configurable into the APs via the controller (kind of IP filter or ACL) that prevent access of guests to IP destinations you don't want them to have access to.

With this WiFi solution you could create a guest WiFi by not using the builtin guest access function but b(u)y adding a second set of APs + controller operating on a different SSID, WiFi channel and VLAN (and IP network) instead. In this case you would connect 'guest' APs and 'guest' controller to switch access ports configured for a guest VLAN. Your Fortigate could be connected to corporate and guest VLAN by either two physical ports connected to two switch access ports configured for corporate and guest VLAN respectively, or, using IP subinterfaces, by a single physical port connected to a switch port that is configured as a VLAN trunk port encompassing corporate and guest VLAN. Any switch-to-switch connections would be configured as VLAN trunk ports as well.

Or, even better, change to a WiFi solution that supports SSID to VLAN mapping.

PT

I have confirmed with Ubiquiti that these do indeed work in this way but they won't assist as we aren't using Ubiquiti switches or USG.

Secondly, I am aware of the GUEST policy option in the controller but I actually want to filter the guest traffic on the firewall as we want to block all social media etc.
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 434
Re: VLAN Setup
« Reply #6 on: February 07, 2020, 02:20:18 PM »

Quote
I have confirmed with Ubiquiti that these do indeed work in this way
In which way? Do or don't they support SSID to VLAN mapping?

If not:
Quote
but I actually want to filter the guest traffic on the firewall as we want to block all social media etc

Create a DHCP-Pool, say 10.10.10.10 - 10.10.10.250, where all corporate devices get reserved addresses via their MAC addresses (say 10.10.10.10 - 10.10.10.24 for 15 corp. devices). Then the range 10.10.10.25 - 10.10.10.250 will be used by guests. In your Fortigate you can use this guest range to filter guest traffic to the internet. Ok, not really a nice solution for a varying number of corporate devices, but a simple one.
« Last Edit: February 07, 2020, 03:48:48 PM by PacketTracer »
Logged
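With the split proposed in Reply #6, the firewall tells guests from corporate devices by source address alone, so the rule is only as good as the reservation table. The following is an added example, not code from the posters: it classifies addresses using the ranges from the post, expands the guest range into CIDR blocks for tools that cannot take a start-end range, and flags observed (IP, MAC) pairs that do not fit the reservations. The reservation table, the observations and the MAC addresses are constructed.

```python
import ipaddress

# Ranges and subnet from the thread; everything else below is constructed.
CORP = (ipaddress.IPv4Address("10.10.10.10"), ipaddress.IPv4Address("10.10.10.24"))
GUEST = (ipaddress.IPv4Address("10.10.10.25"), ipaddress.IPv4Address("10.10.10.250"))
SUBNET = ipaddress.ip_network("10.10.10.0/24")

RESERVED = {  # corporate IP -> MAC it is reserved for (constructed)
    "10.10.10.10": "00:00:5e:00:53:01",
    "10.10.10.11": "00:00:5e:00:53:02",
}
OBSERVED = [  # (IP, MAC) pairs from a lease or ARP table (constructed)
    ("10.10.10.10", "00:00:5e:00:53:01"),  # matches its reservation
    ("10.10.10.11", "00:00:5e:00:53:aa"),  # corporate address, unexpected MAC
    ("10.10.10.40", "00:00:5e:00:53:10"),  # ordinary guest lease
    ("10.10.10.5",  "00:00:5e:00:53:11"),  # inside the subnet, outside the pool
]

def classify(ip):
    """Map an address to 'corporate', 'guest', 'unpooled' or 'foreign'."""
    addr = ipaddress.IPv4Address(ip)
    if CORP[0] <= addr <= CORP[1]:
        return "corporate"
    if GUEST[0] <= addr <= GUEST[1]:
        return "guest"
    return "unpooled" if addr in SUBNET else "foreign"

def guest_cidrs():
    """CIDR blocks that cover exactly the guest range, no more and no less."""
    return [str(net) for net in ipaddress.summarize_address_range(*GUEST)]

def audit(observed, reserved):
    """Return (ip, mac, reason) for every pair the address split cannot account for."""
    findings = []
    for ip, mac in observed:
        kind = classify(ip)
        if kind == "corporate" and reserved.get(ip, "").lower() != mac.lower():
            findings.append((ip, mac, "corporate address without matching reservation"))
        elif kind in ("unpooled", "foreign"):
            findings.append((ip, mac, "address outside the DHCP pool"))
    return findings

if __name__ == "__main__":
    print(guest_cidrs())
    for finding in audit(OBSERVED, RESERVED):
        print(finding)
```

The guest range is not aligned to a subnet boundary, which is why it expands to eleven CIDR blocks; a firewall address object that accepts a start-end range avoids that.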