Hi All,
Setting up my VLAN config on my WS-6-MINI and although I've seen many tutorials and searched the forum, I'm feeling a bit out of my comfort zone in terms of config. pfSense has defined my LAN/VLANs and is upstream of the switch. Assuming the LAN traffic is tagged as VLAN1, I'd like to configure the WS-6
ports to:
1. uplink to pfSense
2. VLAN1
3. VLAN52
4. VLAN52
5. VLAN1, VLAN51, VLAN52 (this is my Wifi AP1)
6. VLAN1, VLAN51, VLAN52 (this is my Wifi AP2)
My questions are:
1. Does the LAN in fact get labeled as VLAN1?
2. Devices on VLAN1 may need to speak to VLAN51/52 from time to time but these rules will be established in pfSense. Should ports 3/4 get tagged for VLAN1?
3. Should port 1 be trunk flag be checked?
Picture attached of current config. Everything of course gets allocated to the LAN IP subnet (VLAN1).
VLAN for AP and other ports
- rtenenbown
- Member
- Posts: 7
- Joined: Thu Jan 07, 2021 11:30 am
- Has thanked: 2 times
- Been thanked: 1 time
VLAN for AP and other ports
Last edited by rtenenbown on Fri Mar 05, 2021 12:48 am, edited 1 time in total.
- rtenenbown
- Member
- Posts: 7
- Joined: Thu Jan 07, 2021 11:30 am
- Has thanked: 2 times
- Been thanked: 1 time
Re: VLAN for AP and other ports
Just commenting, with hope to boost my comment up. I took the time to watch Netonix: The Movie today but my questions remain!
-
mike99 - Associate
- Posts: 837
- Joined: Tue Nov 25, 2014 10:53 am
- Location: Quebec, Canada
- Has thanked: 95 times
- Been thanked: 245 times
Re: VLAN for AP and other ports
It would be easier to help you with a schema of what your trying to do.
- rtenenbown
- Member
- Posts: 7
- Joined: Thu Jan 07, 2021 11:30 am
- Has thanked: 2 times
- Been thanked: 1 time
Re: VLAN for AP and other ports
Hope this clears up what I'm trying to do. Please excuse the power point art...
-
Stephen - Employee
- Posts: 1030
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: VLAN for AP and other ports
rtenenbown wrote:1. Does the LAN in fact get labeled as VLAN1?
I'm not sure what an answer to this question would do to help you honestly. The number for the VLAN set in the config will be appended to frames on ports that are tagged when they egress, ingress frames that do not have the correct tag for that VLAN will be dropped, because they do not belong to that VLAN.
And of course ports labeled untagged will strip the tag from egressing frames for that VLAN and will only accept ingressing frames that do not have a tag, which why only one untagged port is allowed per port for any number of VLANs and why multiple VLANs may exist on one port only if they are tagged.
rtenenbown wrote:2. Devices on VLAN1 may need to speak to VLAN51/52 from time to time but these rules will be established in pfSense. Should ports 3/4 get tagged for VLAN1?
Whether or not ports are tagged in vlan 1 or not is irrelevant if you want devices on vlan1 to talk to devices on vlan 51/52, to do this requires routing, which you will have to establish on the pfsense router like you mentioned. I don't work with pfsense though, this isn't really the right forum to ask if you need help with setting that up.
rtenenbown wrote:3. Should port 1 be trunk flag be checked?
Based on your diagram, probably, you could potentially carry all vlans defined on the ws-6-mini over port 1 to the pfsense router via trunking if you want to establish routes with just one cable.
I hope that helps a little.
- rtenenbown
- Member
- Posts: 7
- Joined: Thu Jan 07, 2021 11:30 am
- Has thanked: 2 times
- Been thanked: 1 time
Re: VLAN for AP and other ports
Thanks for your feedback, Stephen. Some trial and error got the above config working with the following setup. Exception being that I chose to only broadcast one of the VLANs on each WAP. This was done only because the area of placement only requires those specific VLANs, not due to any technical limitations.
-
mike99 - Associate
- Posts: 837
- Joined: Tue Nov 25, 2014 10:53 am
- Location: Quebec, Canada
- Has thanked: 95 times
- Been thanked: 245 times
Re: VLAN for AP and other ports
I see that you use vlan 1 for management (unifi untag on vlan 1) and this vlan is also uses by devices (port 2, over wifi, etc).
It's security best practice, that end device shouldn't be in the management vlan. By exemple, if you keep vlan 1 for management, you should move every end device to an other vlan like 50. Something like:
Port 2 untag vlan 50 and vlan 1 exclude
Port 5 and 6 add tagged vlan 50 and move wifi ssid currently on vlan 1 to vlan 50,
In PFSense, drop everything from (in) vlan 50 to (out) vlan 1 to make sure end devices can't reach management.
It's security best practice, that end device shouldn't be in the management vlan. By exemple, if you keep vlan 1 for management, you should move every end device to an other vlan like 50. Something like:
Port 2 untag vlan 50 and vlan 1 exclude
Port 5 and 6 add tagged vlan 50 and move wifi ssid currently on vlan 1 to vlan 50,
In PFSense, drop everything from (in) vlan 50 to (out) vlan 1 to make sure end devices can't reach management.
- rtenenbown
- Member
- Posts: 7
- Joined: Thu Jan 07, 2021 11:30 am
- Has thanked: 2 times
- Been thanked: 1 time
Re: VLAN for AP and other ports
Thanks Mike for the excellent advise. Certainly measures I will take as my network becomes more stable and mature.
8 posts
Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 16 guests