VLAN for AP and other ports

rtenenbown
Member
 


Tue Mar 02, 2021 10:09 pm

Hi All,

Setting up my VLAN config on my WS-6-MINI and although I've seen many tutorials and searched the forum, I'm feeling a bit out of my comfort zone in terms of config. pfSense has defined my LAN/VLANs and is upstream of the switch. Assuming the LAN traffic is tagged as VLAN1, I'd like to configure the WS-6 ports to:

1. uplink to pfSense
2. VLAN1
3. VLAN52
4. VLAN52
5. VLAN1, VLAN51, VLAN52 (this is my Wifi AP1)
6. VLAN1, VLAN51, VLAN52 (this is my Wifi AP2)

My questions are:
1. Does the LAN in fact get labeled as VLAN1?
2. Devices on VLAN1 may need to speak to VLAN51/52 from time to time but these rules will be established in pfSense. Should ports 3/4 get tagged for VLAN1?
3. Should port 1's trunk flag be checked?

Picture attached of current config. Everything of course gets allocated to the LAN IP subnet (VLAN1).

Screenshot 2021-03-02 200819.jpg
Last edited by rtenenbown on Fri Mar 05, 2021 12:48 am, edited 1 time in total.

rtenenbown
Member
 

Re: VLAN for AP and other ports

Wed Mar 03, 2021 8:53 pm

Just commenting, with hope to boost my comment up. I took the time to watch Netonix: The Movie today but my questions remain!

mike99
Associate

Re: VLAN for AP and other ports

Thu Mar 04, 2021 12:30 pm

It would be easier to help you with a schema of what you're trying to do.

rtenenbown
Member
 

Re: VLAN for AP and other ports

Thu Mar 04, 2021 2:17 pm

Hope this clears up what I'm trying to do. Please excuse the PowerPoint art...

unnamed.png

Stephen
Employee

Re: VLAN for AP and other ports

Fri Mar 05, 2021 4:48 pm

rtenenbown wrote:1. Does the LAN in fact get labeled as VLAN1?


I'm not sure what an answer to this question would do to help you, honestly. The number for the VLAN set in the config will be appended to frames on ports that are tagged when they egress; ingress frames that do not have the correct tag for that VLAN will be dropped, because they do not belong to that VLAN.
And of course ports labeled untagged will strip the tag from egressing frames for that VLAN and will only accept ingressing frames that do not have a tag, which is why only one untagged port is allowed per port for any number of VLANs and why multiple VLANs may exist on one port only if they are tagged.

rtenenbown wrote:2. Devices on VLAN1 may need to speak to VLAN51/52 from time to time but these rules will be established in pfSense. Should ports 3/4 get tagged for VLAN1?


Whether or not ports are tagged in VLAN 1 is irrelevant if you want devices on VLAN 1 to talk to devices on VLAN 51/52; doing this requires routing, which you will have to establish on the pfSense router like you mentioned. I don't work with pfSense though, and this isn't really the right forum to ask if you need help with setting that up.

rtenenbown wrote:3. Should port 1's trunk flag be checked?


Based on your diagram, probably. You could potentially carry all VLANs defined on the WS-6-MINI over port 1 to the pfSense router via trunking if you want to establish routes with just one cable.

I hope that helps a little.
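The tagged/untagged handling described in the reply above, modelled as an added example (not part of Stephen's post and not Netonix code). The port table is an assumption built from the layout in the first post, with VLAN 1 assumed untagged on the uplink and AP ports.

```python
# Per-port 802.1Q handling as described in the reply above.
# "T" = tagged member, "U" = untagged member. Port table is assumed.
PORTS = {
    1: {1: "U", 51: "T", 52: "T"},   # uplink / trunk to pfSense
    2: {1: "U"},
    3: {52: "U"},
    4: {52: "U"},
    5: {1: "U", 51: "T", 52: "T"},   # Wi-Fi AP1
    6: {1: "U", 51: "T", 52: "T"},   # Wi-Fi AP2
}

def validate(ports):
    """Return ports that have more than one untagged VLAN (not allowed)."""
    return [p for p, members in ports.items()
            if sum(1 for mode in members.values() if mode == "U") > 1]

def ingress(ports, port, tag):
    """Classify a frame arriving on `port`; tag is None for an untagged frame.
    Returns the VLAN the frame joins, or None if the frame is dropped."""
    members = ports[port]
    if tag is None:
        # Untagged frames join the port's single untagged VLAN, if it has one.
        for vlan, mode in members.items():
            if mode == "U":
                return vlan
        return None
    # Tagged frames are accepted only for VLANs the port carries tagged.
    return tag if members.get(tag) == "T" else None

def egress(ports, port, vlan):
    """How a frame in `vlan` leaves `port`: ('tagged', vlan),
    ('untagged', None), or None when the port is not a member."""
    mode = ports[port].get(vlan)
    if mode == "T":
        return ("tagged", vlan)
    if mode == "U":
        return ("untagged", None)
    return None

def forward(ports, in_port, tag):
    """Ports a broadcast frame leaves on, and with which tagging."""
    vlan = ingress(ports, in_port, tag)
    if vlan is None:
        return {}
    out = {p: egress(ports, p, vlan) for p in ports if p != in_port}
    return {p: how for p, how in out.items() if how is not None}
```

A broadcast from the device on port 3 leaves tagged 52 on ports 1, 5 and 6 and untagged on port 4, and never reaches port 2; crossing into VLAN 1 needs the router, as the reply says.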

rtenenbown
Member
 

Re: VLAN for AP and other ports

Fri Mar 05, 2021 9:53 pm

Thanks for your feedback, Stephen. Some trial and error got the above config working with the following setup. Exception being that I chose to only broadcast one of the VLANs on each WAP. This was done only because the area of placement only requires those specific VLANs, not due to any technical limitations.

Screenshot 2021-03-05 194510.jpg

mike99
Associate

Re: VLAN for AP and other ports

Sat Mar 06, 2021 10:52 am

I see that you use VLAN 1 for management (UniFi untag on VLAN 1) and this VLAN is also used by devices (port 2, over Wi-Fi, etc.).

It's security best practice that end devices shouldn't be in the management VLAN. For example, if you keep VLAN 1 for management, you should move every end device to another VLAN like 50. Something like:

Port 2 untag VLAN 50 and VLAN 1 exclude
Port 5 and 6 add tagged VLAN 50 and move Wi-Fi SSID currently on VLAN 1 to VLAN 50

In pfSense, drop everything from (in) VLAN 50 to (out) VLAN 1 to make sure end devices can't reach management.
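The separation suggested above, expressed as an audit that can be run against a port table and a rule list. This is an added example, not part of mike99's post: the tables are constructed, the SSID-to-VLAN mappings and tagged VLAN 50 on the uplink are assumptions, and the rule tuples are a simplified first-match model rather than pfSense syntax.

```python
MGMT_VLAN = 1  # management VLAN in the thread

def port(role, vlans, ssids=()):
    return {"role": role, "vlans": vlans, "ssids": set(ssids)}

# Constructed tables. role "end" = client device port, "infra" = uplink or AP.
# "ssids" = VLANs an AP bridges wireless clients into (assumed values).
BEFORE = {
    1: port("infra", {1: "U", 51: "T", 52: "T"}),
    2: port("end", {1: "U"}),
    5: port("infra", {1: "U", 51: "T"}, ssids=[1, 51]),
    6: port("infra", {1: "U", 52: "T"}, ssids=[1, 52]),
}
AFTER = {
    1: port("infra", {1: "U", 50: "T", 51: "T", 52: "T"}),
    2: port("end", {50: "U"}),
    5: port("infra", {1: "U", 50: "T", 51: "T"}, ssids=[50, 51]),
    6: port("infra", {1: "U", 50: "T", 52: "T"}, ssids=[50, 52]),
}

def audit_ports(ports):
    """List (port, reason) where end devices land in the management VLAN."""
    findings = []
    for num, p in sorted(ports.items()):
        if p["role"] == "end" and MGMT_VLAN in p["vlans"]:
            findings.append((num, "end-device port is in the management VLAN"))
        if MGMT_VLAN in p["ssids"]:
            findings.append((num, "SSID bridges clients into the management VLAN"))
    return findings

def allowed(rules, src, dst):
    """First matching rule wins; no match means deny. '*' matches any VLAN."""
    for action, r_src, r_dst in rules:
        if r_src in ("*", src) and r_dst in ("*", dst):
            return action == "pass"
    return False

def audit_rules(rules, ports):
    """End-device VLANs that the router would still let reach management."""
    end_vlans = set()
    for p in ports.values():
        end_vlans |= p["ssids"] | (set(p["vlans"]) if p["role"] == "end" else set())
    return sorted(v for v in end_vlans - {MGMT_VLAN} if allowed(rules, v, MGMT_VLAN))

# Rule order matters: the drop must sit above any broad pass rule.
RULES_WEAK = [("pass", 50, "*")]
RULES_FIXED = [("block", 50, MGMT_VLAN), ("pass", 50, "*")]
```

`audit_ports(BEFORE)` flags ports 2, 5 and 6; after the move to VLAN 50 the port audit is clean, and `audit_rules` stays non-empty until the block rule is placed ahead of the pass rule.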

rtenenbown
Member
 

Re: VLAN for AP and other ports

Sat Mar 06, 2021 4:01 pm

Thanks Mike for the excellent advice. Certainly measures I will take as my network becomes more stable and mature.
