How to do vlans with physical nic's to AP's?

johnpoz

Trunk port is just a term from cisco that means the interface carries tagged vlans. Vs an access port that only has 1 vlan on it and untagged.

So a port or uplink to another device that understands vlans would be trunk port... Ie to your AP or another switch, or a router that will handle the traffic based on the tags.

But say a host devices, say you PC that is only in 1 vlan - would be connected to an access port.

N0_Klu3

Umm I might just stick to making it a bit simpler.
Do the 3 NICs with 3 different tags and see how I get on.

Appreciate all the options tho.

Is there a specific way that is best/better?

JKnott

@N0_Klu3 said in How to do vlans with physical nic's to AP's?:

Ok I need to look into Trunk Ports now. I've heard it said before, but never looked into it or what it is/does.

As johnpoz mentioned, trunk ports are used to carry VLANs. Access ports generally carry only one network, which may be native or connected to a VLAN as required. However, there are some switches that can recognize, by the MAC prefix, certain devices such as VoIP phones, connected to that access port and put them on a VLAN.

BTW, if you use VLANs, stay away from TP-Link gear. A lot of it doesn't handle VLANs properly.

johnpoz

No not really - all comes down to your wants/needs and how you like to do things.

I for example use a native and then vlans on top of that, while others like to only use tagged on a vlan interface with no native network..

So the interface will always have an untagged vlan on it.. If it will carry other vlans then those would be tagged. But one of the vlans would be untagged.. But nothing saying you have to do it one way or the other, there are no rules against either option..

I can make the discussion point that if there native network on the interface, I can always access that interface if need be and don't have to tag traffic. While others might say that if a vlan carry interface they should all be tagged, etc. Derelict I believe a fan of vlan interfaces all tagged, no native network.

Just be sure you understand that you can never have more than 1 untagged vlan on any interface - since there is no way to isolate traffic then..

You can make discussion points about either way, for example if there is no untagged traffic on the interface then any untagged traffic by pretty much default would be blocked, if you didn't set a valid pvid on the interface..

Another point in favor of native is say for example the unifi AP, until recently it was not possible to have management on a tagged vlan... it had to be native... So if you run native on your interface you could connect such devices directly to that interface on your router. And then any tagged on top of that.

JKnott

@N0_Klu3 said in How to do vlans with physical nic's to AP's?:

Do the 3 NICs with 3 different tags and see how I get on.

That would be a waste of 2 NICs. Configuring VLANs is little different from configuring individual NICs.

N0_Klu3

@JKnott said in How to do vlans with physical nic's to AP's?:

@N0_Klu3 said in How to do vlans with physical nic's to AP's?:

Do the 3 NICs with 3 different tags and see how I get on.

That would be a waste of 2 NICs. Configuring VLANs is little different from configuring individual NICs.

Thought that was the whole point of this thread?
3 NICs with 3 LANs...

NogBadTheBad

@N0_Klu3 said in How to do vlans with physical nic's to AP's?:

@JKnott said in How to do vlans with physical nic's to AP's?:

@N0_Klu3 said in How to do vlans with physical nic's to AP's?:

Do the 3 NICs with 3 different tags and see how I get on.

That would be a waste of 2 NICs. Configuring VLANs is little different from configuring individual NICs.

Thought that was the whole point of this thread?
3 NICs with 3 LANs...

All connecting to a single lan port on the AP, just wasting lan ports IMO.

JKnott

@N0_Klu3 said in How to do vlans with physical nic's to AP's?:

Thought that was the whole point of this thread?
3 NICs with 3 LANs...

As I mentioned, if he used 3 separate NICs, he'd have to use a managed switch to combine the 3 into native & 2 VLANs over the same cable. Why not let pfSense do that? I've never heard of an AP with separate connectors for each SSID.

johnpoz

@JKnott said in How to do vlans with physical nic's to AP's?:

I've never heard of an AP with separate connectors for each SSID.

They don't

JKnott

@johnpoz said in How to do vlans with physical nic's to AP's?:

They don't

I guess that's why I've never heard of them.

The only other thing is some APs support LAG.

johnpoz

@NogBadTheBad said in How to do vlans with physical nic's to AP's?:

All connecting to a single lan port on the AP, just wasting lan ports IMO.

And what else is on these vlans other than wireless.. If you do not understand the traffic flow, nor the amount of data then you can not say that it would be wasting ports..

I already went over 1 example where it was just AP and wifi clients and you could have a bottleneck with hairpinning your intervlan traffic down the same physical interface.

edit: they don't, change that to normally your typical AP they don't. But you might be able to have specific interfaces for specific vlans in this AP
https://inwall-hd.ui.com/

edit2: Here is easy example to see where just couple of clients and 1 server could be a bottle neck on a hairpinned shared interface with vlans on it..

The UAP-AC-PRO is rated at 5ghz 1300 and 2.4ghz 450.. So lets cut that in half of the phy your at 650+225, for a total of 875... Which what a gig connection can carry... But now you hairpin it and now your bottleneck is your vlans sharing a uplink.

clients are in say vlan X, this rides uplink A, but so does vlan Y which is where the server they are moving data to and from... So now XY both flow over your single uplink reducing your overall bandwidth so now a bottleneck to what the wireless can actually do.

NogBadTheBad

@johnpoz said in How to do vlans with physical nic's to AP's?:

@NogBadTheBad said in How to do vlans with physical nic's to AP's?:

All connecting to a single lan port on the AP, just wasting lan ports IMO.

And what else is on these vlans other than wireless.. If you do not understand the traffic flow, nor the amount of data then you can not say that it would be wasting ports..

Yup agreed but I was going from the subject of the post "How to do vlans with physical nic's to AP's?" and the fact the OP stated "3 networks, Main Lan, Guest, IoT. Guest and IoT use VLANs, 69 and 101 to be exact."

If there's a huge amount of data I'd LAG the 3 lan ports.

JKnott

@NogBadTheBad said in How to do vlans with physical nic's to AP's?:

If there's a huge amount of data I'd LAG the 3 lan ports.

To what??? If the AP has only 1 port, how are you going to connect 3 to it. Are there APs with 3 or more ports that can be used with LAG? I've seen 2 ports. Of course, with Gb Ethernet, it won't take much to overwhelm what the WiFi side is capable of.

johnpoz

@NogBadTheBad said in How to do vlans with physical nic's to AP's?:

If there's a huge amount of data I'd LAG the 3 lan ports.

Suggested that as one way to skin cat yes, but using different interfaces as different uplinks for the different vlans is also an option.

Also jknott see my link there is a AP with 5 ports out by unifi..

Keep in mind that some of these AP will have 10ge, the highend AP from unifi have that as an option, or support 802.3bz etc... So then yeah your going to need multiple gig uplinks to your router to not be a bottleneck, etc.

NogBadTheBad

@JKnott said in How to do vlans with physical nic's to AP's?:

To what??? If the AP has only 1 port, how are you going to connect 3 to it. Are there APs with 3 or more ports that can be used with LAG? I've seen 2 ports. Of course, with Gb Ethernet, it won't take much to overwhelm what the WiFi side is capable of.

To the LAN switch assuming that quite a bit of the traffic is non Wi-Fi.

Also if you think about it two of the vlans ( Guest & IoT ) should only be accessing the internet.

JKnott

@NogBadTheBad

Then you're going to need 3 cables to the switch, which funnel into 1 between the switch and AP. In the process, you've wasted 2 ports on the switch and 2 NICs on pfSense. It's just as easy to connect a VLAN to allow access only to the internet as it is to do the same with a NIC.

johnpoz

What - dude yeah your going to have to connect multiple nics to the switch and possible nics to the AP that support more than 1, or have a higher one..

This NOT wasting ports.. its using them - which is the whole freaking port of having them..

Splitting vlans across multiple physical interface is not rocket science or new.. Not sure what your not understanding..

should only be accessing the internet.

Says who? And what does that have to do with anything, maybe he has 10ge internet.. the OP asked a simple question.. He already got the answer he was looking for... If you think using more than 1 physical interface is wasting them... Then sure you use 1.. And run your 27 different vlans over that 1 interface..

NogBadTheBad

@JKnott said in How to do vlans with physical nic's to AP's?:

@NogBadTheBad

Then you're going to need 3 cables to the switch, which funnel into 1 between the switch and AP. In the process, you've wasted 2 ports on the switch and 2 NICs on pfSense. It's just as easy to connect a VLAN to allow access only to the internet as it is to do the same with a NIC.

The OP has two access-points, so effectively you could have more than 1 Gbps flowing over the Wi-Fi if there are clients on both access-points if you LAG.

JKnott

@johnpoz said in How to do vlans with physical nic's to AP's?:

This NOT wasting ports.. its using them - which is the whole freaking port of having them.

Does he have a LAG AP? I got the impression he might be using a switch to combine the 3 into 1. I also get the impression the OP is a bit weak on VLANs. Is he familiar with LAG?

johnpoz

^ exactly... I have 3 AP all at gig.. And multiple clients on different vlans across different AP... So why should I bottleneck them by only uplinking those vlans via 1 gig interface.