Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[jester14]

Hello All. 

I have done basic IT for several years but am trying now to implement a VLAN implementation for a friends brewpub. 
Here is the equipment of relevance:
Engenius EAP-600 dual band wifi access point
Dlink DGS-1100-8 EasySmart switch
Netgear 16 port unmanaged switch
Pfsense firewall running V2.15 - Intel Atom based
AT&T U-verse modem

What I want to accomplish is to create a WiFi guest network that is Vlan'd separate from a wifi admin network.  Pretty straight forward stuff, really.

I then want to send WiFi guest traffic to the Pfsense firewall on the optional interface for future Captive Portal use.  That will be Step 2.

For Step 1, I just want to segregate the traffic for the guest network from the admin network.

So far, I have created Vlan's on the access point as follows:
SSID wifiguest2.4 is assigned to VID 3
SSID wifiguest5 is also assigned to VID 3
SSID wifiadmin2.4 is assigned to VID2
SSID wifiadmin5 is assigned also assigned to VID2

I stayed off the default VID 1 as the AP didn't seem to like messing with it.

The cable from the access point is then connected to port 1 on the Dlink switch
Port 2 on the switch is then connected to the Optional interface on the Pfsense router
Port 3 on the Dlink switch is then connected to the Netgear 16 port unmanaged switch which then has a cable connected to the LAN interface on the Pfsense router.  The rest of the ports on this switch are typical printers, servers etc.

The WAN interface on the router then connects to the U-verse modem.

I would also like to provide for one or two more access points as the business grows, so perhaps two or three ports may need to be tagged for future expansion.

I think where I am getting lost is in the tagging and what relevance, if any, the "PVID" tagging becomes involved.  What has resulted in my attempts so far is that both the admin AND the guest traffic is receiving the ip addresses from the optional interface on the router.  So in other words, it seems that the traffic is not getting segregated properly in the Dlink switch.

Like most things, I think once I have the basics done it will all become more clear.

Thanks for all the help anyone can provide.

Dave

Image link:

http://www.gliffy.com/go/publish/7092323

[PacketTracer]

According to your description your scenario translates to the following VLAN configuration for your DGS-1100-8 EasySmart:

• Port 1: Has to send and receive only frames tagged with VID 2 (Admin VLAN) or VID 3 (Guest VLAN); a PVID isn't required, but if the device wants to have one configured, you have to assign a PVID different from VID 2 or VID 3, so use use/leave PVID=1
• Port 2: Has to send and receive only frames untagged, where the port has to be assigned VID=PVID=3 (Guest VLAN)
• Port 3: Has to send and receive only frames untagged, where the port has to be assigned VID=PVID=2 (Admin VLAN)

A port X (X>=4) that is connected to any additional future wifi access point has to be configured the same way as port 1 above.

Both the LAN and OPT1 port of your Pfsense firewall must send and receive frames untagged where the LAN port has to be assigned VID 2 and the OPT1 port has to be assigned VID 3.

<EDIT>Inside your Pfsense firewall you don't have to use VID 2 and VID 3 explicitely, instead you can use any two VIDs to segregate traffic and map them to the LAN and OPT1 port respectively. The only important thing is that both ports must send and receive frames untagged in order to match the configuration of your DGS's switchports 2 and 3 they are (directly or indirectly via the VLAN unaware Netgear switch) connected to.</EDIT>

According to the manual and because of your configuration needs for port 1 you have to enable 802.1Q VLAN and add

• VID=3, VID Name=wifiguest, Port 1 tagged, Port 2 untagged, Port X>2=Not Member
• VID=2, VID Name=wifiadmin, Port 1 tagged, Port 2=Not Member, Port 3 untagged, Port X>3=Not Member

In 'PVID Settings' the following settings should be set (if not already set automatically due to the above configuration):
Port 1: PVID=1
Port 2: PVID=3
Port 3: PVID=2
Port X>3: PVID=1

You should enable the Management VLAN and set it to VID 3 (Admin VLAN) if you want to have management access to the DGS-1100-8 EasySmart from your Admin VLAN via port 3, otherwise management were only possible via one of the ports 4-8.

[jester14]

Thanks very much for the pointers.  I'll try it today and let you know.

[jester14]

Worked like a charm!  Thanks again packetracer for the help.  I think I now have a better understand the vlan tagging function.

[jcroy727]

What mode is set on the VLAN's? Access, Hybrid or Trunk?

[PacketTracer]

Hi

What mode is set on the VLAN's? Access, Hybrid or Trunk?

D-Link switches don't use terms like 'Access', 'Hybrid' or 'Trunk' with respect to the VLAN configuration of ports (D-Link uses the term 'Trunk' for link aggregation).

Unfortunately when talking about VLANs any switch vendor seems to use its own terminology which may cause confusion. Hence when asking about specific terms you always have to mention the switch or vendor you refer to.

For example if you have asked your question with a Cisco switch running IOS in mind, the following configuration would correspond to the D-Link configuration example above, and maybe this is an answer to your question:

interface gi0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-3
 switchport trunk native vlan 1
 
interface gi0/2
 switchport mode access
 switchport access vlan 3
 
interface gi0/3
 switchport mode access
 switchport access vlan 2
 
interface gi0/4
 switchport mode access
 switchport access vlan 1

interface gi0/5
 switchport mode access
 switchport access vlan 1

interface gi0/6
 switchport mode access
 switchport access vlan 1

interface gi0/7
 switchport mode access
 switchport access vlan 1

interface gi0/8
 switchport mode access
 switchport access vlan 1

PT