VLAN beginner, any help?
-
Hey everyone,
So I'm tasked with setting up a VLAN to separate our wireless guest network from our actual network, and haven't been able to find much information on the topic regarding my set up. Please bare with me as I am completely new to this.
We have a pfsense firewall up and running. Modem is connected to pfsense, and pfsense is connected to a Cisco Catalyst 3500lx switch. The 3500xl individual ports are connected to the corresponding patch panel ports. We have 3x Cisco WAP321 access points throughout the office working in cluster mode providing wireless to our network.
My confusion follows, do I have set the 3 ports on the Cisco switch connected to the access points to vlan, or is this capable with just pfsense? If I do have to set the ports on the switch, how would I go about letting pfsense know which ports are set for vlan.
I might be completely wrong about my idea of setting it up as well.
Thanks
-
You need to let us know what you want the end result to be.
-
You need to let us know what you want the end result to be.
Thanks for responding. The end result would be to have the Cisco access points we are using broadcasting 2 SSIDs, one for our internal network, and a guest network. The guest network in the end would be separated from our internal network being on a different sub-net I believe.
-
pfSense will do all that. Do you have SmartNET to help with configuring the Cisco gear?
To do it right you're going to need to understand VLANs, tagged and untagged ports, etc.
In general you would:
Create VLANs in pfSense on the LAN interface.
Create an OPT1 interface for your guest VLAN.
Assign LAN to eth0_vlanX
Assign OPT1 to eth0_vlanY
Make the switch port to pfSense tagged/trunk with allowed VLANs X and Y
Make the switch ports to the access points tagged with allowed VLANs X and Y
Tell the APs to put the right SSIDs on the right VLANs.
For wired jacks, make the ports access ports with access vlan X or Y depending on what VLAN you want them on.
And you're done.
I would also add a management VLAN for talking to all the gear but you can also just use your LAN.
There are about 100 different places where you can kill connectivity to something switching from tagged to untagged, etc, so you're going to have to know what you're doing.
-
Thanks for the help! We don't have SmartNET unfortunately. If I'm understanding correctly, the Cisco switch will need to be configured, correct? It's not something that is done via pfsense only, right?
-
Yes. Most of the VLAN configs are in the switch.
Typical switchport config for a tagged port:
int eth 1
switchport mode trunk
switchport trunk allowed vlan add 100,200And for an untagged (end user) port:
int eth 2
switchport mode access
switchport access vlan 100You might need to create the vlans first:
vlan database
vlan 100
vlan 200Or something like that.
-
Thanks for great info Derelict!
How does this change if I only have one AP? Once I configure the VLAN's on the AP can I plug it directly into the OPT port of the pfSense rather than going through a switch with vlans setup?
Is is safe to assume that I would just add the vlan's set up on for the SSID's to the OPT port, then setup my rules, or is there more to it? I feel like there is because the LAN port wouldn't be in the vlan's, but I'm new to pfSense so I'm not sure.
Or would it be easier to just get a managed switch to run it all through?
I have a 3 port VK-T40E that's going in as a new network with this 321, but not other hardware has been spec'd so we are open
Thanks in advance!
-
So I'm tasked with setting up a VLAN to separate our wireless guest network from our actual network,
Please bare with me as I am completely new to this.I am really confused by these sorts of questions.. If you don't have clue one about vlans - why in the world would you be given the task?? Are you an intern or something, and the network guys gave you the task and told you to figure it out?
Not sure I would allow person that doesn't know anything about vlans touch a production switch??
Confused and Curious..
