vlan question

Discussion in 'Networking & Security' started by QwertyJuan, Jan 23, 2015.

  1. QwertyJuan

    QwertyJuan [H]ardForum Junkie

    I am at a place where I would like my guest wifi to receive IP addresses separate from our private wifi users. I only have one DHCP server running and would like that to change. According to what I am reading online this can be done via VLANs? One LAN gets DHCP from the server and then the guest users would get IPs from a DHCP on the other VLAN.

    Any tips/tricks/info on getting this set up?

    Thanks!
     
  2. k1pp3r

    k1pp3r [H]ardness Supreme

    You can have multiple VLANs get IPs from one DHCP server; look into helper IPs (Cisco).

    You can create a VLAN for guest traffic, then an ACL to block all inter-VLAN traffic except to the DHCP server.
     
  3. EspoNation

    EspoNation Gawd

    If you are running an MS DHCP server you can create a different scope and add the option to tag it for the VLAN, so that it will get an IP from the guest scope.
     
  4. QwertyJuan

    QwertyJuan [H]ardForum Junkie

    Ok... yes I am running DHCP from my 2008 Server. I know how to make a different scope. Super easy. But... how do I "tag it for the VLAN"?
     
  5. DragonNOA1

    DragonNOA1 [H]ardness Supreme

    The router on the other vlan that is forwarding the DHCP request automatically adds the needed info to tell the DHCP server what scope the request is coming from.

    What router are you using? For Cisco you need a helper-address pointing to your DHCP server.
     
  6. firedrow

    firedrow Limp Gawd

    Some routers call it DHCP Relay or DHCP Forwarder. Check your router where the VLAN connects and it should have an option to point the DHCP server at your Windows 2008 box. Just set up a scope with the same network information as your VLAN/router interface and you're good.
     
  7. EspoNation

    EspoNation Gawd

    http://www.ipofficeassistance.com/howto_dhcp_ip_phones/

    This is an example using VOIP. This is how I set up 802.1Q tagging, but it may also work for what you are looking for.

    Also this, you can set up your two scopes, tag the helper addresses on a switch and go from there.
     
  8. Raekwon

    Raekwon [H]ard|Gawd

    A VLAN separates layer two traffic, meaning anything connected to the same switch in a nutshell. Traffic in separate VLANs needs to be routed at a router or a multilayer switch to be switched to another VLAN. Just an FYI, I don't mean to be condescending - only helpful.
     
  9. EspoNation

    EspoNation Gawd

    I don't think he is looking for inter-VLAN routing per se, but yes they will need to be provided a gateway at a router.
     
  10. QwertyJuan

    QwertyJuan [H]ardForum Junkie

    What is happening....

    I am running a UniFi system.... guest mode is on and works great. HOWEVER the guest network can't access anything else on the network (for obvious reasons) but... what if I have something that I'd like the guests to be able to access like a printer? How does a guest get back into the network?
     
  11. goodcooper

    goodcooper [H]ardForum Junkie

    you don't use guest mode...

    or place those things in an IP range that you can not exclude in the guest client rules...
     
  12. firedrow

    firedrow Limp Gawd

    The UniFi guest network is isolated by the WAP so it cannot access other internal resources (printers, servers, NAS, webcams, etc). If you want guest users to use internal resources, they have to be on a non-guest wireless.
     
  13. Nate7311

    Nate7311 2[H]4U

    You'll need to do the following, loosely in this order:
    1) On the switch ports for your APs, tag a new VLAN and add this VLAN to any trunks back to your routing device/FW.
    2) On the Router/FW, create a new sub-interface and assign it the VLAN you set up in Step 1
    3) Assign this new sub-interface a new Subnet
    4) Set up DHCP/DNS services on it.
    5) Create FW rules/routing to allow access to desired resources.
    6) Modify your Guest SSID to disable guest mode and assign the VLAN ID from Step 1.
    7) Test. Test. and Test again.
     
  14. goodcooper

    goodcooper [H]ardForum Junkie

    i would agree with this, mostly...

    i feel like guest users should still have guest isolation... i would NOT disable guest mode, but instead specify in guest mode setup to unblock the subnet/devices that you want your guests to be able to access...

    this is all, of course, assuming your guests MUST have access to your printers... otherwise i'd just set up another SSID for authenticated users that is not isolated for printing...
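
Added example, not part of any post in the thread: a first-match ACL model for the guest VLAN policy discussed above (k1pp3r's "block all inter-VLAN traffic except to the DHCP server" and step 5 of Nate7311's list), with an audit that catches a misordered rule. All addresses, ports and names are constructed assumptions, and the code follows no particular vendor's ACL syntax.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination port, or None for any port

# Constructed addressing: private LAN 192.168.1.0/24,
# DHCP server at .10, shared printer at .50.
GUEST_ACL = [
    Rule("permit", "udp", "192.168.1.10/32", 67),    # DHCP to the server
    Rule("permit", "tcp", "192.168.1.50/32", 9100),  # raw printing, one printer only
    Rule("deny",   None,  "10.0.0.0/8",      None),  # all other private space
    Rule("deny",   None,  "172.16.0.0/12",   None),
    Rule("deny",   None,  "192.168.0.0/16",  None),
    Rule("permit", None,  "0.0.0.0/0",       None),  # everything else (internet)
]

def evaluate(acl, proto, dst_ip, port):
    """Return the action of the first matching rule; implicit deny at the end."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto not in (None, proto):
            continue
        if rule.port not in (None, port):
            continue
        if dst in ipaddress.ip_network(rule.dst):
            return rule.action
    return "deny"

# Constructed probe flows from a guest client toward the private LAN.
PROBES = [
    ("udp", "192.168.1.10", 67),    # DHCP
    ("tcp", "192.168.1.50", 9100),  # print job
    ("tcp", "192.168.1.10", 445),   # file shares on the server
    ("tcp", "192.168.1.50", 80),    # printer admin page
    ("tcp", "192.168.1.1", 22),     # router management
]
INTENDED = {("udp", "192.168.1.10", 67), ("tcp", "192.168.1.50", 9100)}

def audit(acl, probes=PROBES, intended=INTENDED):
    """Return (flow, verdict) for every probe whose verdict differs from policy."""
    findings = []
    for flow in probes:
        verdict = evaluate(acl, *flow)
        want = "permit" if flow in intended else "deny"
        if verdict != want:
            findings.append((flow, verdict))
    return findings
```

Running `audit` against a rule list in which the final permit-any has been moved to the top reports every private-LAN probe that should have been denied, which is the ordering mistake to test for in step 7.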