Problem With VLAN Setup

rosco (Gawd; joined Jun 22, 2000; 722 messages)
As some of you know, I have been working on a wireless project.

I want to have one AP provide two wireless networks, one open for guests and one secured. I am using Unifi APs as they support VLANs and then have a mikrotik router to route between my open network and my secured network for the internet traffic to get to our Untangle firewall.

So, I have my HP switch with all 24 ports set as untagged VLAN1. Everything seems to be working fine with the secured network. My problem is with VLAN2, the open network. I have ports 1 - 10 tagged as VLAN2 in addition to being untagged VLAN1.

I then have my Unifi AP set to use VLAN ID 2 for the Guest wireless network. I am able to associate to the Guest wireless network but that is as far as I can get. I cannot ping the mikrotik, access the internet etc.

If I set the ports my mikrotik and Unifi AP are plugged into as untagged members of VLAN2, then they can communicate. Even after tagging those ports as VLAN1, though, the secured wireless still cannot communicate.

So, it seems to me like I'm not setting up my VLANs right on my HP 2520G-24 switch, but I'm not sure what I'm doing wrong.

I'm sure I'll have to work with my mikrotik setup as well but it doesn't seem like that is the issue at this point as I can get them to communicate when the ports are untagged VLAN2.

Thanks for the help.
 
The port going to the Unifi needs to be assigned to both VLANs. It doesn't need to be tagged with anything, just assigned to both VLANs. You shouldn't need to tag any ports, just put them in the proper VLANs and set the correct PVID. YOU DO NOT NEED TO TAG ANY PORTS to get it to work.

If you even want to go as far as remote help, let me know.
 
> The port going to the Unifi needs to be assigned to both VLANs. It doesn't need to be tagged with anything, just assigned to both VLANs. You shouldn't need to tag any ports, just put them in the proper VLANs and set the correct PVID. YOU DO NOT NEED TO TAG ANY PORTS to get it to work.
>
> If you even want to go as far as remote help, let me know.

+1 to this, AP needs to be on a trunk port.
 
On a Procurve, tagging a port is synonymous with trunking....your initial setup sounds correct, that's how we have our AP VLANs setup.

How does your subnet and dhcp look? Are you using two different ones for the different vlans? Is the AP given a static address or is it trying to pickup an address from the router?
 
> On a Procurve, tagging a port is synonymous with trunking....your initial setup sounds correct, that's how we have our AP VLANs setup.
>
> How does your subnet and dhcp look? Are you using two different ones for the different vlans? Is the AP given a static address or is it trying to pickup an address from the router?

Just to add to this about tagging a port with trunking on ProCurves. When you trunk a port on a Cisco device, by default it passes all VLANs unless you specify which VLANs to pass. You can pass all or just a few.

On ProCurve stuff...they don't use the term trunking (because that's a cisco term). If you want to pass multiple vlans, then tag multiple vlans on a port. If you want to pass all vlans....then you tag all vlans on that port.
 
So do I want to have the ports with the APs as TAGGED members of VLAN1 and VLAN2 then?

Because I thought having it untagged VLAN1 and tagged VLAN2 would allow it to pass traffic for both VLANs.
 
> So do I want to have the ports with the APs as TAGGED members of VLAN1 and VLAN2 then?
>
> Because I thought having it untagged VLAN1 and tagged VLAN2 would allow it to pass traffic for both VLANs.

Tag the access points port(s) for VLAN 1 and 2.

Tag the router port for vlan 1 and 2 also.
 
The AP has to communicate to the Unifi Manager over an untagged port. (they are changing this requirement I think)
EX:
Vlan 100 - ap management vlan
Vlan 200 - guest vlan
Vlan 300 - secured vlan

The AP is plugged into port 1 on the switch.
Vlan 100 - untagged
Vlan 200 - tagged
Vlan 300 - tagged

In the Unifi Manager the Guest wifi is set to tagged 200, and secured is set to tagged 300.
 
If you untag a port, that just means that that VLAN will be its default. Any VLANs afterwards that you tag will allow traffic to pass from those VLANs as well.

So, if you're needing an IP address on VLAN 100, but want to allow other traffic on different vlans, then UNTAG 100 so the AP will always get the IP address from the range on 100....and then TAG the other vlans you want to see traffic from as well.

(edit: I'm using the VLANs referenced in the post above)
 
Well, it seems like I have it setup right then.

I have:
VLAN1 - untagged - Unifi Manager PC
VLAN1 - untagged - Unifi AP

VLAN2 - tagged - Unifi AP
VLAN2 - tagged - Mikrotik router

Also on a VLAN1 untagged port are our firewall and DNS servers.

Maybe I'll see if I can post a screen shot as it seems like I have it setup the way you guys are saying.
 
> Well, it seems like I have it setup right then.
>
> I have:
> VLAN1 - untagged - Unifi Manager PC
> VLAN1 - untagged - Unifi AP
>
> VLAN2 - tagged - Unifi AP
> VLAN2 - tagged - Mikrotik router
>
> Also on a VLAN1 untagged port are our firewall and DNS servers.
>
> Maybe I'll see if I can post a screen shot as it seems like I have it setup the way you guys are saying.

I want to say as a side note that using VLAN 1 is not considered best practices. Everything runs on VLAN 1 by default and that just opens you up to security risks that wouldn't be there should you shut down VLAN 1 and move to a different VLAN.

This picture might make some sense to you as well. It's funny I think because it looks like Dell stole the image from Oracle and just colored it.
http://support.dell.com/support/edocs/network/BroadCom/R125875/en/wntopt06.gif
 
> If you untag a port, that just means that that VLAN will be its default. Any VLANs afterwards that you tag will allow traffic to pass from those VLANs as well.
>
> So, if you're needing an IP address on VLAN 100, but want to allow other traffic on different vlans, then UNTAG 100 so the AP will always get the IP address from the range on 100....and then TAG the other vlans you want to see traffic from as well.
>
> (edit: I'm using the VLANs referenced in the post above)
Doesn't really have anything to do with the "default"....

Tagged VLAN - Packets are sent out that port with 802.1Q VLAN Tagging to identify the VLAN membership to the connected devices. Used when connecting 2 or more 802.1Q (VLAN) aware devices. Tagged ports are called a VLAN Trunk in Cisco-land.

Untagged VLAN - Packets are sent out that port without VLAN Tagging. Used for Access devices (Desktops, etc)

> I want to say as a side note that using VLAN 1 is not considered best practices. Everything runs on VLAN 1 by default and that just opens you up to security risks that wouldn't be there should you shut down VLAN 1 and move to a different VLAN.
For access devices that aren't getting tagged packets, why would it matter which VLAN they're on? They wouldn't "know" the difference between being on "VLAN1" and "VLAN987574Alpha-Bravo-Launch-Code-Confirmed"
 
Here are a couple screenshots of the way the VLANs are setup. Let me know if something needs to be changed:
VLANs1.jpg


VLANs2.jpg
 
What is connected to Ports 1-10? Why are they tagged members of VLAN2?

What I'd do (If I understand your scenario)

VLAN1 - Private
VLAN2 - Guest

Port #1 - Plug into Unifi AP
Tagged VLAN1, Tagged VLAN2
Configure Unifi AP with the same VLAN IDs 1 and 2 (I assume you want to have each associated with their own SSID?)
edit : If the Unifi AP actually needs to be on an untagged port, Untag VLAN1 and make sure to associate all untagged traffic with your private SSID

Port #2 - Guest network router
Untagged VLAN2. REMOVE from VLAN1 (set port to "No" in VLAN1)
Plug this port into the "internal" interface on your mikrotik router.

Port # 3 - 24
Untagged VLAN1 (default)
Everything else goes here, including the "external" interface of the mikrotik (unless you're plugged in directly to your untangle).


That's assuming that you have your routing setup properly.
 
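Added example, not code from the thread: a small Python model of the tagged/untagged/PVID rules given above (the "Tagged VLAN"/"Untagged VLAN" definitions a few posts up and the port layout just proposed), fed with ProCurve-style "vlan / tagged / untagged" lines. Port numbers follow the layout above (1 = AP, 2 = MikroTik internal interface, 3-24 = private LAN); the MAC addresses and ARP payload are constructed. The model floods every frame (no MAC learning) and accepts a tagged frame on ingress only where the port is a tagged member of that VLAN; that is a simplification of what the switch firmware does, not a copy of it. It shows three layouts side by side: with the proposed layout a guest-SSID broadcast reaches only port 2 and arrives untagged, while a secured-SSID broadcast reaches ports 3-24 and never port 2; with the first post's layout (ports 1-10 tagged VLAN 2) the guest frame reaches ports 2-10 still carrying tag 2, so whichever port the MikroTik sits on, its interface has to terminate VLAN 2 itself; and with the AP port tagged in both VLANs and untagged in neither (the edit in the post above), the untagged secured-SSID frame is dropped at ingress because the port has no PVID.

```python
"""Added example: a toy model of per-port 802.1Q handling on a ProCurve-style
switch, driven by running-config style 'vlan / tagged / untagged' lines.
Simplified: frames are flooded (no MAC learning); tagged frames are accepted on
ingress only where the port is a tagged member of that VLAN."""
import re
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet frame; an 802.1Q tag sits between the MACs and the EtherType."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", TPID, vlan & 0x0FFF)  # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


def parse_ports(spec):
    """ProCurve port list '1,3-24' -> [1, 3, 4, ..., 24]."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


class Switch:
    def __init__(self, nports=24):
        self.ports = list(range(1, nports + 1))
        self.pvid = {p: 1 for p in self.ports}        # factory default: untagged VLAN 1
        self.tagged = {p: set() for p in self.ports}

    def load_config(self, text):
        """Apply 'vlan N', '[no] tagged <ports>' and '[no] untagged <ports>' lines."""
        vlan = None
        for line in text.splitlines():
            m = re.match(r"\s*(no\s+)?(vlan|tagged|untagged)\s+(\S+)", line)
            if not m:
                continue                                # name, exit, blank lines
            negate, keyword, arg = m.groups()
            if keyword == "vlan":
                vlan = int(arg)
                continue
            for p in parse_ports(arg):
                if keyword == "tagged":
                    (self.tagged[p].discard if negate else self.tagged[p].add)(vlan)
                elif not negate:
                    self.pvid[p] = vlan                 # untagged in one VLAN only: moves
                elif self.pvid[p] == vlan:
                    self.pvid[p] = None                 # port left with no untagged VLAN
        return self

    def forward(self, ingress, frame):
        """{egress port: frame as transmitted}; an empty dict means dropped."""
        dst, src, vlan, ethertype, payload = parse_frame(frame)
        if vlan is None:
            vlan = self.pvid[ingress]                   # untagged frame takes the PVID
        elif vlan not in self.tagged[ingress]:
            vlan = None                                 # port is not a tagged member
        if vlan is None:
            return {}
        out = {}
        for p in self.ports:
            if p != ingress and self.pvid[p] == vlan:   # untagged member: tag stripped
                out[p] = build_frame(dst, src, ethertype, payload)
            elif p != ingress and vlan in self.tagged[p]:  # tagged member: tag kept
                out[p] = build_frame(dst, src, ethertype, payload, vlan)
        return out


# Port 1 = Unifi AP, port 2 = MikroTik internal interface, 3-24 = private LAN,
# as in the post above. 'untagged 2' under VLAN 2 is what moves port 2 out of VLAN 1.
PROPOSED = "vlan 1\n untagged 1,3-24\n no untagged 2\nvlan 2\n tagged 1\n untagged 2\n"
# First post: every port untagged VLAN 1, ports 1-10 also tagged VLAN 2.
ORIGINAL = "vlan 1\n untagged 1-24\nvlan 2\n tagged 1-10\n"
# The edit in the post above: AP port tagged in both VLANs, untagged in neither.
TAGGED_ONLY_AP = "vlan 1\n no untagged 1\n tagged 1\nvlan 2\n tagged 1\n untagged 2\n"

BCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("021800000002")   # constructed, locally administered address


def ap_egress(config, ssid_vlan=None):
    """Where a broadcast from the AP on port 1 lands: {port: tag VLAN, or None if untagged}.
    Guest-SSID frames leave the AP tagged (ssid_vlan=2); secured-SSID frames leave untagged."""
    sw = Switch().load_config(config)
    frame = build_frame(BCAST, CLIENT_MAC, 0x0806, b"who-has", vlan=ssid_vlan)
    return {p: parse_frame(f)[2] for p, f in sw.forward(1, frame).items()}
```

Call `ap_egress(PROPOSED, ssid_vlan=2)` for the guest SSID and `ap_egress(PROPOSED)` for the secured one; swap in `ORIGINAL` or `TAGGED_ONLY_AP` to compare the other two layouts. The value of `None` in the result is the case where the switch strips the tag on the way out, which is what a router interface with no VLAN sub-interface needs.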
> +1 to this, AP needs to be on a trunk port.

You need a switch or routed port that can do Dot1q for the VLANed frames to move correctly. If you are using a plain-jane switch to connect to the AP, then the switch is not going to know what the VLAN information is and will strip that off, thereby making the VLAN non-functional on the AP as you want.
 
> For access devices that aren't getting tagged packets, why would it matter which VLAN they're on? They wouldn't "know" the difference between being on "VLAN1" and "VLAN987574Alpha-Bravo-Launch-Code-Confirmed"

The reason VLAN 1 became a special VLAN is that L2 devices needed to have a default VLAN to assign to their ports, including their management port(s). In addition to that, many L2 protocols such as CDP, PAgP, and VTP needed to be sent on a specific VLAN on trunk links.

VLAN 1 may sometimes end up unwisely spanning the entire network if not appropriately pruned and, if its diameter is large enough, the risk of instability can increase significantly. Besides, the practice of using a potentially omnipresent VLAN for management purposes puts trusted devices at higher risk of security attacks from untrusted devices that by misconfiguration or pure accident gain access to VLAN 1 and try to exploit this unexpected security hole.

As a generic security rule the network administrator should prune any VLAN, and in particular VLAN 1, from all the ports where that VLAN is not strictly needed.

Basically, don't use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that keeps management traffic separate from user data and protocol traffic.

Prune VLAN 1 from all the trunks and from all the access ports that don't require it (including not connected and shutdown ports).
 
The reason I had ports 1 - 10 (where my APs will plug into) as untagged members of VLAN1 is so that the private traffic wouldn't have to touch the router.

I was hoping that doing it that way I would only have to have my guest wireless traffic be touched by the mikrotik router.

If that won't work though, I guess I don't have a choice. I'm trying to keep the private traffic as straight forward as possible as I will be using AD integration from Untangle and I want as few barriers to success as possible.
 
> The reason I had ports 1 - 10 (where my APs will plug into) as untagged members of VLAN1 is so that the private traffic wouldn't have to touch the router.
>
> I was hoping that doing it that way I would only have to have my guest wireless traffic be touched by the mikrotik router.
>
> If that won't work though, I guess I don't have a choice. I'm trying to keep the private traffic as straight forward as possible as I will be using AD integration from Untangle and I want as few barriers to success as possible.
Sorry, assumed it was only a single AP. If untagged is required for management, then it should work as you've configured it - Again assuming that the APs and all routing is correctly set up. Which it sounds like they aren't.
 
So are you guys thinking it's something with the mikrotik setup? I just wanted to eliminate my VLANs as being the problem before I start in on the mikrotik.

There isn't much on the Unifi AP I could screw up. Made the guest wireless network a member of VLAN2. However, I could have screwed up the Mikrotik setup as that is a lot more involved.
 
Is there a reason that you don't want to use two different internal interfaces on the Mikrotik? It makes it a lot easier.
 
> Is there a reason that you don't want to use two different internal interfaces on the Mikrotik? It makes it a lot easier.

Probably a lot nicer on the throughput too :)

one interface for WAP ( own subnet )
one interface for network ( own subnet )
 
I was going to use two internal interfaces on the mikrotik. One interface was going to be 192.168.88.x and was going to be plugged into port 1 on my switch which is part of VLAN1 and VLAN2.

Then, another interface was going to be 10.10.10.x (same scheme as my internal network) to allow communication back to our firewall for internet.

The tricky thing is I'm using each AP to broadcast two SSIDs/networks. One SSID is wpa2 protected and is part of VLAN1 so that they will have access to network resources without even having to be routed by the mikrotik. The second SSID would be open internet for guests on VLAN2 and their traffic would be routed by the mikrotik to allow internet traffic.

This plan is still a little fuzzy in my head so I hope that all makes sense. The reason I'm doing it this way is that I read it's complicated to setup Untangle with multiple LAN network cards. So, this way, I would still only have one LAN connection.
 
> I was going to use two internal interfaces on the mikrotik. One interface was going to be 192.168.88.x and was going to be plugged into port 1 on my switch which is part of VLAN1 and VLAN2.
>
> Then, another interface was going to be 10.10.10.x (same scheme as my internal network) to allow communication back to our firewall for internet.
>
> The tricky thing is I'm using each AP to broadcast two SSIDs/networks. One SSID is wpa2 protected and is part of VLAN1 so that they will have access to network resources without even having to be routed by the mikrotik. The second SSID would be open internet for guests on VLAN2 and their traffic would be routed by the mikrotik to allow internet traffic.
>
> This plan is still a little fuzzy in my head so I hope that all makes sense. The reason I'm doing it this way is that I read it's complicated to setup Untangle with multiple LAN network cards. So, this way, I would still only have one LAN connection.

Why not use the second LAN port on the router and create your 2 VLANs on that, with the WAP connected to it? Then use the first one for your switch with other VLANs.
 
If you didn't have the untangle firewall in there, it would be much easier. Have you thought about just doing the Guest portal method with the unifis? It restricts access to everything on the network that it's on.
 