Basic VLAN Help Needed

aem

I am trying to figure out some VLAN basics. I have purchased a TP-Link AP (TL-WA901ND), mostly for its inexpensive PoE capability. It supports up to 4 separate SSID/VLANs although we only need 2 isolated subnets through this AP. The AP is in a very small building with two floors, but each floor needs its own subnet. Our router is a WRT54G with DDWRT in another building bridged with NanoStations.

The first thing I need to know is whether I need a managed switch between the router and AP, and if so, can I just use another WRT54G with DDWRT set up as a switch? I would prefer not to spend much on a managed switch.

If I don't need a switch, how should the router be configured so it correctly routes traffic through different VLANs? I have a couple of different VLANs configured on different ports. Mostly I am not sure what port to plug the AP into and how that port should be configured, but I am pretty sure I do need the switch, which would then send traffic to the right port on the router.

I have no experience with managed switches, but if one is needed, basic steps on how to set this up would be great. But as long as I get the confirmation that I need a switch in between, that will speed my progress up quickly. I probably could figure this out on my own eventually, but it really would help if I knew whether we need a switch by tomorrow. Thanks!
 
If you have an old computer and 3 NIC's you can put pfsense on it and just set up your 2 subnets that way.
 
Just to clarify, I do understand how to set up VLANs by port in the router. What I don't know how to do is get the new TP-Link AP to work with the router's VLANs. The AP supports VLAN tagging, but how do I get the tagging handled properly at the router?

I think I have to have a managed switch in between to route the tagged traffic to the correct port on the router. But I would like to know if this is correct, or if I can simply plug the AP into the router and have it separate the traffic into the two different VLANs which I have already set up.

I don't have an old computer to use. Right now I just have the WRT54G router and the TP-Link AP to work with. I can purchase a cheap managed switch if needed. I think I could use another WRT54G, or it looks like used 10/100 switches go for relatively cheap on eBay.
 
Your router is the switch in this scenario. Setting it up for VLANs properly is all you need to do. Assign the AP's SSIDs to the VLANs you want to use. In place of your DD-WRT router you could use a managed switch, but with only 2 LANs I can't see why you would need to do that. A managed switch would cost more than just buying another router to put DD-WRT on. I'm not sure actually if it matters what port you plug the AP into, because it is supposed to tag the traffic with the VLAN and then the router should handle it accordingly. A real network guru on here would have to clarify how that is handled. I'm just a geek, I don't do this for a living.
 

I think I have determined the problem to be that I have VLANs created by port. I think I need to set up 802.1q VLAN trunking, which sounds like it will allow ports to accept traffic for multiple VLANs. I don't believe I can do this with the GUI, but hopefully I can get it working through telnet.
 
Just a note: pfSense 2.0 and later only require a single physical interface; multiple interfaces are created on 802.1q trunks.
Most cheaper switches are not 802.1q capable; support for VLANs != 802.1q.
 
I believe I have this figured out now and am just posting the results in case anyone is interested. These are just the basic steps, but I can go into more detail on anything on request.

1. (Skip this step if using a router with a gigabit switch.) Set the LAN ports to a different VLAN, as a VLAN with ID 0 will not work with 802.1q tagging.
2. Check "tagged" for each port carrying traffic for multiple VLANs.
3. Create the additional VLANs through telnet.
4. Adjust both the vlan#ports and port#vlans settings in telnet to open up the VLANs on the appropriate ports. Enable tagging where needed by putting a "t" after the port number.
5. Back in the DD-WRT GUI, put each VLAN on its own subnet and add them all under Multiple DHCP Server.
6. Set up firewall rules to prevent devices from communicating with devices on other VLANs.

The only thing I think I failed to do was allow easy remote access to all AP admin pages. The issue was that I would need to enable the primary VLAN on APs that others have access to. Someone who knows what they are doing could then access devices on the primary VLAN, which I don't want to happen. My solution was to make a separate VLAN for AP configuration. I have left a port open on the router, and a laptop plugged into that port can access all the APs.

Full remote access to the APs without a separate admin VLAN would probably be possible with a better knowledge of firewall rules.
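As an added example (not aem's own commands and not from DD-WRT itself), the shell script below turns a port/VLAN membership table into the vlan#ports strings that step 4 above sets through telnet, and checks the table for the two pitfalls from steps 1 and 2 before emitting any nvram commands. The port numbers, VLAN IDs and the "5*" CPU port are constructed assumptions for a WRT54G-style 5-port switch; the port#vlans side of step 4 is not generated here.

```shell
#!/bin/sh
# Added example, not from the thread: build DD-WRT "vlan#ports" nvram values
# from a membership table and sanity-check it first. Port numbers, VLAN IDs
# and the CPU port are assumptions; compare with `nvram show | grep ports`
# on your own unit before applying anything.

# Constructed table, one "<port> <vlan-id> <tagged|untagged>" per line.
# Ports 1-3 are access ports; port 4 is the 802.1q trunk towards the AP.
MEMBERS='
1 1 untagged
2 2 untagged
3 3 untagged
4 1 tagged
4 2 tagged
4 3 tagged
'
CPU_PORT="5*"   # switch port wired to the router CPU; '*' marks it

# vlan_ports VID -> value for nvram vlan${VID}ports, e.g. "1 4t 5*";
# a trailing "t" after a port number means frames leave that port tagged.
vlan_ports() {
    printf '%s\n' "$MEMBERS" | awk -v vid="$1" -v cpu="$CPU_PORT" '
        NF == 3 && $2 == vid { s = s $1 ($3 == "tagged" ? "t" : "") " " }
        END { printf "%s%s\n", s, cpu }'
}

# check_members -> 0 if the table is sane, 1 with a message otherwise:
# VLAN 0 cannot be tagged (step 1), and a port may have at most one untagged
# VLAN, so every extra VLAN on a trunk port has to be tagged (step 2).
check_members() {
    printf '%s\n' "$MEMBERS" | awk '
        NF == 3 && $2 == 0 && $3 == "tagged" { print "port " $1 ": vlan 0 cannot be tagged"; bad = 1 }
        NF == 3 && $3 == "untagged" { u[$1]++ }
        END { for (p in u) if (u[p] > 1) { print "port " p ": " u[p] " untagged vlans, tag all but one"; bad = 1 }
              exit bad }'
}

# emit_nvram -> the nvram commands for every VLAN in the table. NVRAM defaults
# to "echo" (dry run); run with NVRAM=nvram on the router to really apply them.
emit_nvram() {
    check_members || return 1
    for vid in $(printf '%s\n' "$MEMBERS" | awk 'NF == 3 { print $2 }' | sort -nu); do
        ${NVRAM:-echo} set "vlan${vid}ports=$(vlan_ports "$vid")"
    done
    ${NVRAM:-echo} commit
}

emit_nvram
```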
 