Netgate Discussion Forum

    Single device vlan

    • L
      lewis @stephenw10
      last edited by lewis

      I always thought AP simply meant a wireless access point.
      Yes, that link shows how to set up the wifi device to be bridged or separate from the LAN using another interface but I'm trying to learn about VLANs.
      I'm already using multiple interfaces and know (basics) how to do that.

      Sure, here is an image of how the switch is set up now.

      2021-11-16_123447.jpg

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @lewis
        last edited by

        @lewis said in Single device vlan:

        I always thought AP simply meant a wireless access point.

        True that is what it means... But the soho wifi routers are more than just an AP, they have one.. But they also have switch ports and routing/firewall engine.. They do NAT, etc. So while your device does have an AP as part of it. It's not just an AP, unless you just use it as that. If you are letting it nat, and provide a different L3 network to devices behind it on wifi or via its switch ports it's not really an AP.. It's still in wifi router mode..

        If what you want to do is play with vlans and such.. You need to put it in AP mode, so that now you just bridge wifi to the wire at L2.. Since your device can not do tagging or understand tagging for vlans. Then you can only ever put your wifi or wired clients on the device in 1 vlan.. But sure you can then play with vlans on pfsense. And you can handle multiple vlans on your network via your switch that does understand vlans. It's just your wifi device is going to be limited to just 1.. If you want to be able to put wifi clients on different vlans, you would need more wifi routers to use as AP. or get a true AP that supports vlans - the unifi AP are very popular around here. I have 3 of them, and they handle vlans quite easily, I have 4 different SSIDs all on different vlans for example.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • L
          lewis @johnpoz
          last edited by

          @johnpoz

          Ok, I see what you're saying now.

          I thought there might be a way of achieving VLAN by using a tagged port and pfsense knowing about it.

          Thank you everyone for the clarification. Now I need to find something that does handle VLAN so I can continue with my quest :).

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @lewis
            last edited by johnpoz

            @lewis again you can do vlans with that device as an AP... It's just that all clients will be on the same vlan. This would be a different network than your lan.. That is all quite easy to setup and the instructions I gave first would accomplish that.

            But if what you want is multiple vlans via different SSIDs - then yeah you're going to need an AP that does that, any of the unifi AP would.

            Or you would need a wifi router that supports 3rd party software, like ddwrt or openwrt that can add vlan support depending on the specific hardware you're actually running it on. DDwrt and Openwrt do support vlans, and work on most all hardware that will run them - but if I recall correctly there is some hardware they will run on where vlans don't actually work.. But maybe your hardware will run those, or some other third party firmware? Merlin is another, etc.

            But best option is to get an actual AP meant to handle vlans..

            What is really ironic if you ask me - is the hardware does vlans. That is how they isolate the wan from the lan, and how they allow for creation of a "guest" network.. The problem is they have no way for the user to adjust what tags are used, and for the device to actually put the tags on the traffic that leaves its physical ports. They are all just internally used vlans.. So a simple change in the code running on the hardware would be all that is needed for clients to be able to actually do vlans and use them on the rest of their network or the different switch ports that are included with all of these devices.

            My take is they believe the users of their products are too stupid to want or need vlans ;) What other reason could there be not to provide a feature their hardware supports? Maybe they believe such a feature would cause too many help requests ;) That is why if your device can run 3rd party you can normally do vlans.

            Here is like a typical basic block diagram of pretty much any wifi router.

            wifirouter.jpg

            • stephenw10S
              stephenw10 Netgate Administrator @johnpoz
              last edited by

              In addition to having port 2 set as tagged in VLAN 2 you will need to have whichever port is connected to the wifi AP/router set as untagged. If your AP also supported VLANs you could tag VLAN 2 straight to it (trunk it) but since it doesn't you need to untag it on a separate port at the switch.

              I don't think you said what the wifi device is but it may be possible to enable VLANs on it by reflashing its firmware. Most SOHO routers do actually support VLANs, it's just not exposed by the factory firmware. However I wouldn't attempt that until you get it working as it is.

              Steve
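
An added example, not part of the thread or any poster's code: a simplified model of an 802.1Q switch showing why the AP port must be an untagged member of VLAN 2 with its PVID set to 2, and what happens if it is left on the default VLAN. Only "port 2 tagged in VLAN 2" comes from the thread; ports 1 and 5 and the use of VLAN 1 as the LAN are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    pvid: int                          # VLAN given to untagged frames arriving on this port
    untagged: frozenset = frozenset()  # VLANs sent out with the 802.1Q tag stripped
    tagged: frozenset = frozenset()    # VLANs sent out (and accepted) with the tag kept

# Constructed layout. Only "port 2 tagged in VLAN 2" comes from the thread;
# ports 1 and 5, and VLAN 1 as the LAN, are assumptions.
PORTS = {
    1: Port(pvid=1, untagged=frozenset({1})),                         # wired LAN client
    2: Port(pvid=1, untagged=frozenset({1}), tagged=frozenset({2})),  # pfSense uplink
    5: Port(pvid=2, untagged=frozenset({2})),                         # wifi AP, no VLAN support
}

# Same switch with the AP port left at its default: untagged member of VLAN 1.
AP_PORT_LEFT_ON_LAN = {**PORTS, 5: Port(pvid=1, untagged=frozenset({1}))}

def forward(ports, in_port, tag=None):
    """Flood one frame; return {egress_port: tag_on_wire}, None meaning untagged."""
    src = ports[in_port]
    if tag is None:
        vlan = src.pvid            # untagged ingress is classified by the port's PVID
    elif tag in src.tagged:
        vlan = tag
    else:
        return {}                  # tagged frame for a VLAN this port does not carry: drop
    out = {}
    for num, port in ports.items():
        if num == in_port:
            continue
        if vlan in port.tagged:
            out[num] = vlan        # leaves with the VLAN tag (trunk side)
        elif vlan in port.untagged:
            out[num] = None        # leaves with the tag stripped (access side)
    return out

if __name__ == "__main__":
    print("wifi client -> switch:", forward(PORTS, 5))
    print("pfSense VLAN 2 -> switch:", forward(PORTS, 2, tag=2))
    print("wired LAN client:", forward(PORTS, 1))
    print("AP port left on VLAN 1:", forward(AP_PORT_LEFT_ON_LAN, 5))
```

With the AP port left on VLAN 1, wifi traffic reaches the wired LAN port directly at L2 and never passes a pfSense firewall rule, which is the segmentation failure the untagged VLAN 2 port prevents.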

              • L
                lewis @stephenw10
                last edited by

                Lots of great info, thank you very much.
                For now, I just set up the wifi as an AP based on the link that was shared. I did that because it was never really secured.
                Works great and I like how I can see the wifi connections on pfsense now.

                Maybe the reason the wifi device doesn't have VLAN is because it's around 8 years old and version two of five since then. I could flash it to openwrt but in this configuration, it will be fine.

                Now I'll fire up a little mini router running openwrt on it to keep trying to learn about vlans :).

                Thanks again.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @lewis
                  last edited by johnpoz

                  @lewis said in Single device vlan:

                  Maybe the reason the wifi device doesn't have VLAN is because it's around 8 years old and version two of five since then

                  No that is not it - even the latest and greatest soho wifi routers that cost $300 don't have vlan support in native firmware.. Look yourself for one.. They don't support it because they don't want to because they don't think their user base wants it or needs it.

                  I have played with a lot of soho routers - I have never seen one that supports vlans in native firmware. If you want that option you need an AP designed for business use, or what they call prosumer - the unifi stuff does it.. But I will admit it's a bit overkill for your typical home user. It's designed for small business or very budget enterprise setups, home networking enthusiasts, etc. Not all businesses want to spend the $$ for a cisco wireless deployment ;)

                  If you want vlans on your soho type wifi router you need to use 3rd party firmware on them. Or get a device that does it on purpose.. Unifi, Omada are 2 lower cost options. As you move up the food chain to cisco ;)

                  There are many other choices as well - enterprise AP via 2nd hand market, ebay etc also very common options for someone wanting to do wifi vlans on a budget.. Ruckus very popular AP to get 2nd hand at good price, etc.

                  I personally don't get it - You would think that these companies that put out their so called "high end" mesh wifi devices. Designed for the home user would see that adding vlan support could be a differentiator from their competitors and add such support.. Once one of them would do it, sure they would all jump on the bandwagon and it would be great for the end user..

                  Maybe the other problem is - just vlans, without the ability to firewall between them is kind of pointless.. So now versus just adding the ability to vlan, they would also need to allow for firewall between the vlans, etc. So it gets a bit more difficult.. So these systems that are your router and wired and wifi all in one become a bit more difficult to support.

                  • L
                    lewis @johnpoz
                    last edited by

                    Maybe most questions in these forums are from home users rather than business and a lot of that hardware doesn't support anything too elaborate?

                    I turned my wifi device into an AP as you suggested. I love that everything is in one place now, meaning, pfsense is the central place to do everything including DHCP IPs for wifi clients and management of the wifi device itself.

                    I have a cisco PoE switch I use to connect wired and wireless cameras. I thought about separating that off to a VLAN but that won't change the amount of traffic on the LAN and wifi network. The only way to improve LAN and wifi speeds would be to add another NIC into pfsense to play with. I still need to find a reason to use VLAN to learn about it but my setup is much nicer now thanks to the input in this post.

                    • R
                      r801248 @lewis
                      last edited by

                      @lewis said in Single device vlan:

                      Now I need to find something that does handle VLAN so I can continue with my quest :).

                      I was in the same situation with my old Netgear R7000 using it as AP only... frustrating. If you want wifi VLANs, get a VLAN capable AP.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @lewis
                        last edited by

                        @lewis said in Single device vlan:

                        I still need to find a reason to use VLAN to learn about it but my setup is much nicer now thanks to the input in this post.

                        If you put your wifi on a different network than your lan - you're already doing vlans ;)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.