Interface and VLAN config for TP-LINK TL-WA801ND
-
I plan on connecting an access point (TP-LINK TL-WA801ND) to pfSense and setting up two SSIDs tagged with VLANs to create a trusted network and a guest network.
igb0 - WAN (DHCP)
igb1 - LAN (192.168.1.0/24)
igb2
VLAN 20 (192.168.20.0/24) - assigned as interface PrimaryWiFi
VLAN 30 (192.168.30.0/24) - assigned as interface GuestWiFi
When the access point operates in multi SSID mode it expects a VLAN tag for each SSID created. With a UNIFI system you can assign the device as an interface and it will be untagged. Then you can create a VLAN interface with a tag.
The TP-LINK TL-WA801ND in multi SSID mode assigns VLANs to everything, there is no default untagged stream.
I'm trying to figure out exactly what static IP address I should give the access point and what network format to use.
Do I need to add another interface for the access point itself even if it will not be used in rules?
For example:
igb2
WLAN1 (192.168.10.0/24) with a static IP of 192.168.10.1
VLAN 20 (192.168.20.0/24) - assigned as interface PrimaryWiFi
VLAN 30 (192.168.30.0/24) - assigned as interface GuestWiFi
Or is there a way to achieve my goals without adding the WLAN1 interface which will never be used in rules?
-
My advice is to stay away from TP-Link, if you're planning on using VLANs. I have a different TP-Link access point and can't use a 2nd SSID & VLAN, as they seem to think multicasts should pass between the VLAN and main LAN.
-
Impossible to say without actually testing it. If it allows management over a VLAN though I would do that anyway. Better to avoid tagged and untagged traffic on the same physical interface because of unexpected leaks. I have a TP-Link switch that does that. However I also have a TP-Link switch from their 'enterprise' style range and I've had no problems with it at all.
That AP does not look 'enterprise'.
Just to give you options you can probably put OpenWRT on it and then set it up however you want. It's more complex and carries some inherent risk.
https://openwrt.org/toh/tp-link/tl-wa801nd
Steve
-
@stephenw10 said in Interface and VLAN config for TP-LINK TL-WA801ND:
Better to avoid tagged and untagged traffic on the same physical interface because of unexpected leaks. I have a TP-Link switch that does that.
With TP-Link, leaks are expected.
Also, tagged and untagged on an interface are common in the real world. Take a look at all the VoIP phones, with a computer connected through them.
With my TP-Link access point, it is possible to have untagged and tagged traffic for the appropriate SSID.
-
OpenWRT looks like a decent workaround if the factory firmware is not sufficient. Thank you both for the updates on this.
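
Added example, not part of the thread and not code from any poster: one way to test for the leaks discussed above is to audit raw Ethernet frames captured on the trunk port (igb2 in the thread) for untagged traffic, unexpected VLAN IDs, and multicast from one sender showing up in more than one VLAN. The MAC addresses and frames are constructed, the function names are hypothetical, and only single 802.1Q tags (EtherType 0x8100) are handled.

```python
import struct
from collections import defaultdict

EXPECTED_VLANS = {20, 30}          # PrimaryWiFi and GuestWiFi from the thread
RTR = "02:00:00:00:00:01"          # constructed firewall MAC
ROUTER_MACS = {RTR}                # assumption: the firewall's MAC is on every VLAN

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, is_multicast) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    vlan = None
    if struct.unpack("!H", frame[12:14])[0] == 0x8100:   # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits = VID
    return mac(frame[0:6]), mac(frame[6:12]), vlan, bool(frame[0] & 1)

def audit(frames):
    """Flag untagged frames, unexpected VIDs, and multicast crossing VLANs."""
    findings, seen = [], defaultdict(set)   # seen: source MAC -> VLAN contexts
    for i, raw in enumerate(frames):
        _dst, src, vlan, mcast = parse_frame(raw)
        if vlan is None:
            findings.append((i, "untagged", src))
        elif vlan not in EXPECTED_VLANS:
            findings.append((i, f"unexpected-vlan-{vlan}", src))
        if mcast and src not in ROUTER_MACS:
            seen[src].add(vlan)
    for src in sorted(seen):
        if len(seen[src]) > 1:   # same sender's multicast seen in two segments
            findings.append((None, "multicast-in-multiple-vlans", src))
    return findings

def build(dst, src, vlan=None):  # constructed test frame, IPv4 EtherType
    hdr = bytes.fromhex((dst + src).replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", 0x0800) + bytes(46)

MDNS, BCAST = "01:00:5e:00:00:fb", "ff:ff:ff:ff:ff:ff"
SAMPLE = [  # constructed frames, not a real capture
    build(RTR, "02:00:00:00:00:a1", 30),    # guest client, unicast
    build(MDNS, "02:00:00:00:00:a2", 20),   # trusted client, multicast
    build(MDNS, "02:00:00:00:00:a2", 30),   # same multicast also in guest VLAN
    build(BCAST, "02:00:00:00:00:a3"),      # untagged broadcast
    build(MDNS, RTR, 20), build(MDNS, RTR, 30),  # firewall itself: ignored
]
```

Calling `audit(SAMPLE)` reports the untagged broadcast and the sender whose multicast appears in both VLAN 20 and VLAN 30; only multicast and broadcast frames are correlated, so a client that simply moves between SSIDs is not flagged.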