VLANS and multiple SSIDs - AVS Forum | Home Theater Discussions And Reviews
post #1 of 16 Old 09-18-2018, 08:38 AM - Thread Starter
VLANS and multiple SSIDs

Good evening everyone,

I was hoping I might be able to get some guidance on networking here. I’m no IT novice, but at the moment, what I’m aiming to do has me in logic circles in my head!!

I was hoping some more experienced folks could help me out please!

My conundrum is this:

New house. (A) All wired heavily for data and comms.

Another house (B) about 100m away.

House B will soon be used solely as a rental property and overspill for family when visiting.

House A is the primary residence with a lot of connected gear. Servers, cctv, automation system etc.

What I would like to do is stop the broadband service in house B and share the connection from house A, which is faster anyway, via a radio link from Ubiquiti (the NanoBeam items).

House A will have a managed network switch (2 actually) and a lot of devices, including an automation system.

I’m going to install Ubiquiti WAPs in house A. An SSID for the owner, with whole network access. So far, so easy.

After that, I want a second ssid for guests. However, I want guests to be able to access both the Internet, and some of the media renderers in the property, without seeing any of the other items.

In house B, I would like a similar setup. Owner with access to house A, and with all access to house B.

But guests in house B only having access to internet and local devices.

Am I over-thinking this? Or is it straightforward? I know many people in here are seasoned professionals, so please talk slowly for the networking newb.

I am aware of the basic process of setting up a VLAN based on physical ports on a router, and I can set up SSIDs with no problem (Ubiquiti essentially makes it idiot proof).

I would very much appreciate some input.

Many thanks in advance,

F



Falcon2915 is offline
post #2 of 16 Old 09-18-2018, 09:17 AM
It's as simple as you say. What router are you using, the UBI Edge? The first mistake people always make: you have two switches, so you need to set up trunking between them if the VLANs sit on different switches. But after that, just set up the VLANs:

01 Admin. In the router you will assign access to the subnets for 02 and 03 and 01 and WAN.
02 Guest house A. You will assign access to WAN and whatever local devices you want; you need to have them in their own subnet or set up individual rules for each device you want the guest to access.
03 Guest house B. Access to WAN and local subnet.

Just let it be known that not all home automation and network devices play nice with VLANs if you are looking to send traffic between them, as a lot of them use UPnP/SSDP and you get into IGMP proxy with multicasting, and it does not always work.

Last edited by halfelite; 09-18-2018 at 09:20 AM.
halfelite is offline  
post #3 of 16 Old 09-18-2018, 11:37 PM - Thread Starter
Thank you for your reply.
I think I follow what you mean. I’ll need to read it over a few times to be sure! Haha.

The router is a Draytek Vigor2860


Falcon2915 is offline
post #4 of 16 Old 10-07-2018, 07:36 AM - Thread Starter
Thanks for the above advice.
I spent some time today trying to lay it all out on paper; so far I’ve got this:

- DrayTek Vigor takes the WAN in

- Configure LAN Port 1 to VLAN 0
- LAN Port 2 to VLAN 1 and 2 for Ubiquiti WAPs + switch 1
- LAN Port 2 to VLAN 1 and 2 for Switch 2
  (Note both switches are in the house A comms room: 1 in rack, 1 in wall cabinet)
- LAN Port 3 to VLAN 3 for Guest House

If I then go to each switch and configure on a port-to-port basis which VLAN they are part of, can I put a port on both?

So if I have, say, an AP Express on, say, Port 16 tagged with both VLANs, it will appear in both?
Likewise, if I connect each WAP (x3) to switch 1, and tag it as belonging to both VLAN 1+2, I can configure different SSIDs on the controller?

If I then connect any client devices to the respective ports on the switches they will be visible?




Falcon2915 is offline
post #5 of 16 Old 10-07-2018, 05:51 PM
You are thinking of this in a physical way too much. You want to tag your VLAN wireless traffic on the AP itself.

Basically, when you set up the SSID you will also assign the VLAN tag. If you have 3 SSIDs on one AP you can tag them VLAN 01, 02, 03 and such. The physical switch port that the AP is connected to becomes a trunk port; it pays attention to traffic tagged for a VLAN and routes it where it needs to go.

Look at this image to get an idea. Notice how port 1 and port 4 are trunks: they handle multiple VLANs by the tag; the port itself is not tagged. You will notice they have 4 VLANs on the AP going over 1 trunk to the switch. Then they have one or two tagged ports on the switch going to the computer and printer. So VLAN 100 on the AP can talk to VLAN 100 on the switch ports. Then they have a trunk from the switch to the router to handle all the tagged traffic.

If you want a device to have access to multiple VLANs you set that up on the router side, not the switch side. You would trunk to the router and tell the router VLAN 0 can talk to VLAN 3 but VLAN 3 can't talk to VLAN 2.


Last edited by halfelite; 10-07-2018 at 05:59 PM.
halfelite is offline  
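The trunk-versus-access distinction in the post above is easiest to see in the frame format itself. The following is an added example (not code from the thread, the DrayTek, the Netgear switches or Ubiquiti): it builds and parses Ethernet frames with and without an 802.1Q tag, then models the ingress and egress rules of a trunk port with a native VLAN and of a plain access port. The port names, MAC addresses and VLAN numbers (native 10, SSIDs on 20/30/40) are constructed to match the plan discussed later in the thread; real switches differ in details such as whether an access port tolerates tagged frames, so treat the model as the conservative reading of the rules.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

ETHERTYPE_8021Q = 0x8100   # TPID: the EtherType slot holds this when a tag follows
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]    # None means the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet frame, inserting a 4-byte 802.1Q tag when vlan is given."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # 3 priority bits, DEI, 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the header; a TPID of 0x8100 means the real EtherType sits after the tag."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return Frame(dst, src, vlan, ethertype, raw[offset:])


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "access" or "trunk"
    pvid: int                               # access VLAN, or the trunk's native (untagged) VLAN
    allowed: FrozenSet[int] = frozenset()   # VLANs a trunk carries tagged


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the switch assigns to an arriving frame, or None if the frame is dropped."""
    if port.mode == "access":
        # Conservative access-port model: a tagged frame from a client is discarded,
        # so a client cannot choose its own VLAN just by adding a tag.
        return port.pvid if frame.vlan is None else None
    if frame.vlan is None:
        return port.pvid                    # untagged on a trunk lands in the native VLAN
    return frame.vlan if frame.vlan in port.allowed else None


def egress_tagging(port: Port, vlan: int) -> Optional[str]:
    """How a frame in `vlan` leaves `port`: 'untagged', 'tagged', or None if not a member."""
    if vlan == port.pvid:
        return "untagged"
    if port.mode == "trunk" and vlan in port.allowed:
        return "tagged"
    return None


# Constructed ports: the WAP uplink is a trunk (native 10, SSIDs 20/30/40 tagged);
# a wired owner PC sits on a plain access port in VLAN 20.
WAP_UPLINK = Port("gi16 -> WAP", "trunk", pvid=10, allowed=frozenset({20, 30, 40}))
OWNER_PORT = Port("gi3 -> wired PC", "access", pvid=20)

DST = b"\xff" * 6                        # broadcast
WAP = b"\x02\x00\x00\x00\x00\x01"        # locally administered MAC (constructed)


def demo() -> dict:
    guest = parse_frame(build_frame(DST, WAP, ETHERTYPE_IPV4, b"guest", vlan=30))
    mgmt = parse_frame(build_frame(DST, WAP, ETHERTYPE_IPV4, b"mgmt"))           # untagged
    stray = parse_frame(build_frame(DST, WAP, ETHERTYPE_IPV4, b"stray", vlan=99))
    return {
        "guest ssid frame": ingress_vlan(WAP_UPLINK, guest),   # 30: tagged and allowed
        "wap management": ingress_vlan(WAP_UPLINK, mgmt),      # 10: untagged = native
        "unknown tag": ingress_vlan(WAP_UPLINK, stray),        # None: not on the trunk
        "client adds tag": ingress_vlan(OWNER_PORT, guest),    # None: access port drops tags
        "mgmt leaves trunk": egress_tagging(WAP_UPLINK, 10),   # "untagged"
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18s} -> {result}")
```

The "wap management" case is why the later advice to address the WAP from the native VLAN works: the AP's own traffic leaves it untagged, the trunk maps untagged to the native VLAN, and management reaches it without any SSID tag being involved.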
post #6 of 16 Old 10-09-2018, 06:49 AM - Thread Starter
I think I get this now.

You were right about the above. I was thinking of it in too physical a way.

Looking at the image also, it makes sense:

So the trunk carries all traffic from the router to the physical switch.
But in the router also, the port is configured as a trunk.
Then, on the switch side, I can tag each individual port based on which VLANs it is allowed to talk to, thus segregating traffic.

I’m using 2 switches, which are Netgear stackable switches. Is it best to connect these individually to the router, or daisy chain them?

I would think for the sake of availability, in case one goes down upstream if you will, I should connect them individually?


Falcon2915 is offline
post #7 of 16 Old 10-09-2018, 12:27 PM
Quote:
Originally Posted by Falcon2915 View Post
I think I get this now.

You were right about the above. I was thinking of it in a too physical way.

Looking at the image also, it makes sense:

So the trunk carries all traffic from the router to the physical switch.
But in the router also, the port is configured as a trunk.
Then, on the switch side, I can tag each individual port based on which VLANs it is allowed to talk to, thus segregating traffic.

I’m using 2 switches, which are NetGear stackable switches, is it best to connect these individually to the router? Or daisy chain them?

I would think for the sake of availability, in case one goes down up stream if you will, I should connect them individually?


To put it simply, a trunk allows all VLANs to get routed between appliances.

You would config your trunk port/group on the switch. It is inferred the physical connection from that switch port is plugged into the router port where you did not tag.

Make sure you define the VLANs on both router and switches.

You can connect them either way, if HA is more important to you then connect them individually. Make sure you configure (define) a second physical port on your router to act as a trunk if you hook it up this way. If you don't have enough available ports on the router then you may have to chain your switches.

I am guessing that is more of a home office router - it could be a little annoying if the setup is all GUI driven. I would check their website as they most likely have step by step guides on setting up VLANs/tagging, etc.
usurpers26 is offline  
post #8 of 16 Old 10-09-2018, 12:46 PM - Thread Starter
Thank you for the response.

It’s sort of a pro-sumer router. A DrayTek router. It’s got a lot of configurability in it.


Falcon2915 is offline
post #9 of 16 Old 10-09-2018, 01:04 PM
This should help! It appears it is all GUI based... and while it references DrayTek switches, the Netgears will be pretty close (and I am sure they have their own guide floating around on the interwebs).

https://www.draytek.com/en/faq/faq-c...ag-based-vlan/



Quote:
Originally Posted by Falcon2915 View Post
Thank you for the response.

It’s sort of a pro-sumer router. A DrayTek router. It’s got a lot of configurability in it.


usurpers26 is offline  
post #10 of 16 Old 10-10-2018, 04:04 AM - Thread Starter
Hi usurpers26,

This is exactly what I was looking for.

Thank you very much!

F


Falcon2915 is offline
post #11 of 16 Old 10-10-2018, 09:38 AM - Thread Starter
So from what you are saying, I should do the following:

Set up my VLANs in the Draytek router on whichever ports I want.

In this case,

Port 1 - untagged
Port 2 - trunk (VLAN 1+2) to switch 1 (say VLAN 1 is tagged as 10 and VLAN 2 is tagged as 20)
Port 3 - trunk (VLAN 1+2) to switch 2 (same tag as above)
Port 4 - VLAN 1+3 - to guest house interlink (tag 10 + 30)
Port 5 - untagged
Port 6 - untagged

Switch 1 - configure on a port by port basis which VLANs it can talk to by tagging it

Switch 2 - same as above

-

From this, I will end up with 3 separate subnets.

-

I connect WAPs to one of the switches, and within their config software, I create in this case 3 SSIDs.

1 - owner - VLAN 1
2 - guest - VLAN 2
3 - guest house - VLAN 1+3

In the guest house (physical), I can broadcast both the owner network and the guest house network here.

Am I getting this right?

Y’know it’s fun learning new things, but I need to get this solid before I go and actually do it!


Falcon2915 is offline
post #12 of 16 Old 10-11-2018, 07:31 AM
Your layout looks good.

On the router, you may want to make sure your native/default VLAN includes all physical ports and remains untagged. Or at least include your default vlan in your port 2 and 3 setup below. All of your appliances should be IPd within the default vlan.

Remember to connect your WAPs to a trunk port on the switch as well so all your tags get forwarded. Also again, always a good idea to IP your WAPs from the native/default untagged VLAN.



Quote:
Originally Posted by Falcon2915 View Post
So from what you are saying, I should do the following;

Set up my VLANs in the Draytek router on whichever ports I want.

In this case,

Port 1 - untagged
Port 2 - trunk (VLAN 1+2) to switch 1 (say VLAN 1 is tagged as 10 and VLAN 2 is tagged as 20)
Port 3 - trunk (VLAN 1+2) to switch 2 (same tag as above)
Port 4 - VLAN 1+3 - to guest house interlink (tag 10 + 30)
Port 5 - untagged
Port 6 - untagged

Switch 1 - configure on a port by port basis which VLANs it can talk to by tagging it

Switch 2 - same as above

-

From this, I will end up with 3 separate subnets.

-

I connect WAPs to one of the switches, and within their config software, I create in this case 3 SSIDs.

1 - owner - VLAN 1
2 - guest - VLAN 2
3 - guest house - VLAN 1+3

In the guest house (physical), I can broadcast both the owner network and the guest house network here.

Am I getting this right?

Y’know it’s fun learning new things, but I need to get this solid before I go and actually do it!


usurpers26 is offline  
post #13 of 16 Old 10-11-2018, 12:02 PM - Thread Starter
Cheers!

So what you are saying is I should have another VLAN (VLAN 0), which is on all ports and untagged?

What do you mean by IP the WAPs from the native VLAN?

I’m still trying to understand.

Thanks


Falcon2915 is offline
post #14 of 16 Old 10-11-2018, 01:41 PM - Thread Starter
I’m also guessing that I should put the automation system on its own VLAN.

It uses its own protocols for comms directly from the CPU. So, if I put that on a trunk port with the owner we should be all good?


Falcon2915 is offline
post #15 of 16 Old 10-12-2018, 08:31 AM
Yeah, native VLAN is just the VLAN that is not tagged in your trunk.

You have to statically assign IPs to all your network appliances (for management, etc.). WAPs for example, you want the SSIDs to be tagged but the actual IP of the WAP should be in the native VLAN - this way if you need to manage the WAP you can, from anywhere since the packets are flowing untagged and since you included your native vlan in your trunks, they can reach the destination. This doesn't mean you must do it this way...

You can go as crazy as you want with VLANs; to me the question is, what needs to be segregated? It seems like you "need" to only segregate the SSIDs, so maybe start there and put the automation gear on the native VLAN as well?

Let's assume:
192.168.10.0/24 is your native vlan --> all your appliances management interfaces get IPd from this subnet
192.168.20.0/24 is VLAN20 --> SSID 1
192.168.30.0/24 is VLAN30 --> SSID 2
192.168.40.0/24 is VLAN40 --> SSID 3

In this scenario all 3 SSIDs are coming from the WAP - so that's your trunk port group from WAP to switch (include native). Same trunk port group from switch to switch and/or switch to router. Then on your switches, go crazy defining all the physical ports VLAN memberships - this shouldn't literally be crazy though - because again, it seems like you just want to segregate wifi, which will be done in the WAPs.

At this point, test, test, test... connect a device to each SSID, see what you can and cannot talk to, and adjust as needed.

Quote:
Originally Posted by Falcon2915 View Post
Cheers!

So what you are saying is I should have another VLAN (VLAN 0), which is on all ports and untagged?

What do you mean by IP the WAPs from the native VLAN?

I’m still trying to understand.

Thanks


usurpers26 is offline  
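The address plan in the post above, together with the per-VLAN access rules halfelite sketched in post #2 (admin sees everything, house A guests get WAN plus individual devices, house B guests get WAN and their own subnet), is the inter-VLAN policy the router has to enforce. The script below is an added example, not the DrayTek's rule syntax or any project's code: it models that policy as first-match, default-deny rules over the 192.168.10/20/30/40 subnets from the post, then generates the "test, test, test" checklist as a reachability matrix and flags any guest VLAN that can reach something it should not. The media renderer address (192.168.10.60), the probe hosts and the public address 1.1.1.1 are constructed for the example; which SSID maps to owner, guest and guest house follows the thread's numbering.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Address plan as the post lays it out.
VLANS: Dict[int, ipaddress.IPv4Network] = {
    10: ipaddress.ip_network("192.168.10.0/24"),  # native: management of router/switches/WAPs
    20: ipaddress.ip_network("192.168.20.0/24"),  # SSID 1: owner
    30: ipaddress.ip_network("192.168.30.0/24"),  # SSID 2: house A guests
    40: ipaddress.ip_network("192.168.40.0/24"),  # SSID 3: guest house
}

# Constructed: one media renderer on the management side that house A guests may use.
MEDIA_RENDERER = ipaddress.ip_address("192.168.10.60")

# Inter-VLAN policy: (source VLAN, destination, allow), evaluated first match.
# Destination forms: "any", "wan", "vlan:<id>", "host:<ip>". No match means deny.
Rule = Tuple[int, str, bool]
POLICY: List[Rule] = [
    (10, "any", True),                      # appliances may reach everything
    (20, "any", True),                      # owner SSID: whole network + internet
    (30, "wan", True),                      # house A guests: internet ...
    (30, f"host:{MEDIA_RENDERER}", True),   # ... plus the one renderer, nothing else
    (40, "wan", True),                      # guest house: internet ...
    (40, "vlan:40", True),                  # ... and its own local devices
]


def vlan_of(ip: ipaddress.IPv4Address) -> Optional[int]:
    """VLAN a host belongs to under the plan, or None for addresses outside it."""
    for vid, net in VLANS.items():
        if ip in net:
            return vid
    return None


def _matches(target: str, dst: ipaddress.IPv4Address) -> bool:
    if target == "any":
        return True
    if target == "wan":
        return dst.is_global                # anything routable on the internet
    kind, _, value = target.partition(":")
    if kind == "vlan":
        return vlan_of(dst) == int(value)
    if kind == "host":
        return dst == ipaddress.ip_address(value)
    raise ValueError(f"unknown destination spec: {target}")


def is_allowed(src: str, dst: str) -> bool:
    """Would the router forward a new flow from src to dst under POLICY?"""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan = vlan_of(src_ip)
    if src_vlan is None:
        return False                        # unsolicited inbound from the internet: never
    if src_vlan == vlan_of(dst_ip):
        return True                         # same VLAN is switched; the router never sees it
    for rule_vlan, target, allow in POLICY:
        if rule_vlan == src_vlan and _matches(target, dst_ip):
            return allow
    return False                            # default deny


# Constructed probe targets: one per thing worth checking from each SSID.
PROBES: Dict[str, str] = {
    "router mgmt": "192.168.10.1",
    "media renderer": str(MEDIA_RENDERER),
    "owner laptop": "192.168.20.25",
    "house A guest": "192.168.30.25",
    "guest house tablet": "192.168.40.25",
    "internet": "1.1.1.1",
}


def reachability_matrix() -> Dict[int, Dict[str, bool]]:
    """The test checklist: from a host in each VLAN, which probes should answer?"""
    return {
        vid: {label: is_allowed(str(net[25]), target) for label, target in PROBES.items()}
        for vid, net in VLANS.items()
    }


def _host_exceptions(vid: int) -> set:
    return {target.partition(":")[2] for rule_vlan, target, allow in POLICY
            if rule_vlan == vid and allow and target.startswith("host:")}


def guest_leaks() -> List[Tuple[int, str]]:
    """Probes a guest VLAN can reach that are not the internet, its own VLAN, or an
    explicit host exception. An empty list means the segregation is as intended."""
    leaks = []
    for vid in (30, 40):
        src = str(VLANS[vid][25])
        for label, target in PROBES.items():
            dst = ipaddress.ip_address(target)
            if (is_allowed(src, target) and not dst.is_global
                    and vlan_of(dst) != vid and str(dst) not in _host_exceptions(vid)):
                leaks.append((vid, label))
    return leaks


if __name__ == "__main__":
    for vid, row in reachability_matrix().items():
        print(f"VLAN {vid}: " + ", ".join(f"{k}={'ok' if v else 'blocked'}" for k, v in row.items()))
    print("guest leaks:", guest_leaks() or "none")
```

The matrix is the thing to compare against real results when walking each SSID with a laptop: a row that allows more than the model does means a router rule is missing or ordered wrongly, and `guest_leaks()` is the single check to run again after any rule change. Note that flows inside one VLAN never cross the router, which is why the guest house's local devices need no rule but a renderer in the management subnet does.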
post #16 of 16 Old 10-14-2018, 07:25 AM - Thread Starter
That all makes sense.

Do I absolutely have to set static IPs on all the devices?
Can’t I leave the DHCP to assign them?


Falcon2915 is offline