How to do vlans with physical nic's to AP's?
-
@JKnott said in How to do vlans with physical nic's to AP's?:
Then you're going to need 3 cables to the switch, which funnel into 1 between the switch and AP. In the process, you've wasted 2 ports on the switch and 2 NICs on pfSense. It's just as easy to connect a VLAN to allow access only to the internet as it is to do the same with a NIC.
The OP has two access-points, so effectively you could have more than 1 Gbps flowing over the Wi-Fi if there are clients on both access-points if you LAG.
-
@johnpoz said in How to do vlans with physical nic's to AP's?:
This is NOT wasting ports.. it's using them - which is the whole freaking port of having them.
Does he have a LAG AP? I got the impression he might be using a switch to combine the 3 into 1. I also get the impression the OP is a bit weak on VLANs. Is he familiar with LAG?
-
^ exactly... I have 3 AP all at gig.. And multiple clients on different vlans across different AP... So why should I bottleneck them by only uplinking those vlans via 1 gig interface.
-
@JKnott said in How to do vlans with physical nic's to AP's?:
@johnpoz said in How to do vlans with physical nic's to AP's?:
This is NOT wasting ports.. it's using them - which is the whole freaking port of having them.
Does he have a LAG AP? I got the impression he might be using a switch to combine the 3 into 1. I also get the impression the OP is a bit weak on VLANs. Is he familiar with LAG?
You can't LAG the Ubiquiti AC-PRO; the second LAN port is for daisy chaining additional APs.
-
Lagg was brought up as an OPTION for uplinking from his switch to router if he wanted to go that route, nothing more - it was a discussion point.
-
Thanks all.
Think I'll use the NICs for each vlan. No point having them if I never use them. Might as well make use of what is already there and available to me.
Also my APs are already using LAGG just fyi
-
What exact access points do you have.. I was not aware that the Pro's for example that do have 2 interfaces could leverage them as a lagg.
-
You should not even sweat it until the single gig link to your switching is like 500Mbit sustained when you're busy.
When that happens make a 2x1G lagg to your switching. When you are at about 1200Mb sustained make a 3x1G lagg to your switching.
My guess is you will never even get close to 500Mb sustained.
You want to be able to put any wireless network (VLAN) on any AP so attaching the APs directly to router ports makes zero sense. LAGG to your switches and connect your APs to those.
-
As already stated lagg is another way to skin the cat, but sometimes $40 smart switches that do vlans don't support lagg ;) Also with lagg you're never sure which physical path traffic will take. So it is possible for intervlan traffic to hairpin over the same physical path. Which is not possible when you split your vlans across multiple uplinks.
Again you prob do not have to worry about it and you could just use the single uplink with your vlans on it.
Derelict's lagg solution is common practice yes.
-
One other point that seems to be missing is how much bandwidth is actually needed. If most of the WiFi traffic goes out to the Internet, then all that bandwidth between the AP and router won't do much good, if the Internet connection is only 100 Mb or so.
-
@johnpoz I have the Unifi AP HD's.
They have 2 ports for LAGG and I've already set this up with my Unifi switches. https://unifi-hd.ui.com/ - For reference.
Devices > UAP HD > Config > Network > Port aggregation
-
Ah yeah those do, but the older models do not.. Those inwall ones actually have 5 ports. Yeah I would love one of the shd models to play with.
Completely off topic, but since wifi 6 official now, has anyone heard anything from unifi on what AP will support it?
edit: While yes interested in when they will release AP that supports 802.11ax, I was more interested in news about wpa3, which was answered below.
-
Unfortunately not. Hopefully the HD's will get it :D
-
Not sure about WiFi6 but WPA3 is on the way.
Noticed this on Reddit the other day:-
https://www.reddit.com/r/Ubiquiti/comments/d51997/wpa3_support_coming_soon_for_gen2_and_gen3_uaps/
https://help.ubnt.com/hc/en-us/articles/360012192813-UniFi-Getting-Started#3
-
So I made the switch this morning.
Was the most painless thing I've ever done on a network.
I can see IoT traffic going specifically through the IoT ports on both router and switch.
Same with Guest traffic.
Nice to see individual stats now too... Thanks all
-
Yeah that was a typo on my part.. Of course you would need hardware to support 802.11ax, what I meant was wpa3 support which should be able to be done in software.. My understanding when ios 13 drops (soon) it should be supported.. So looking forward to when this is enabled with unifi.. So that link is good news - curious how long, have not seen it mentioned, and running latest beta firmware and controller - and always read through the release notes..
I had wifi 6 in the brain, since had just read an article.. But with wpa3 should be able to just enable it on a specific SSID..
-
@johnpoz said in How to do vlans with physical nic's to AP's?:
My understanding when ios 13 drops (soon) it should be supported.. So looking forward to when this is enabled with unifi.
Yesterday
-
Yup you are correct, already dropped for iphone, I believe ipads are next week.. Which is where I am most likely to test it from.. Wife's old iphone doesn't support it, and my iphone is work's - so can not move to 13 until they give the ok.
-
@johnpoz said in How to do vlans with physical nic's to AP's?:
But with wpa3 should be able to just enable it on a specific SSID.
???
Don't you mean on a device? I've never heard of WiFi security being implemented by SSID.
-
Did you not have your coffee this morning??
If the ssid on the AP is set for wpa2-psk for wifi network SSID-X, how and the F could the client use wpa3 on it???
So you could have SSID-A yes on the AP (device) set wpa2-psk, and SSID-B set for wpa3, yes this assumes you have an actual AP that can do more than one wireless network, not some soho wifi router shit box.
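
The per-SSID security setting described in the last post, shown as an added example that is not part of the thread: a hostapd multi-BSS configuration (a stand-in for a UniFi AP, which is configured through its controller instead). The interface names, channel and passphrases are placeholders chosen for illustration.

```ini
# hostapd.conf: one radio, two wireless networks with different security.
# Assumed names: wlan0 is the radio; wlan0_1 is the second virtual BSS.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# SSID-A: WPA2-Personal (PSK). A client joining this network negotiates
# WPA2 because that is the only key management the AP advertises for it.
ssid=SSID-A
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-wpa2-passphrase

# SSID-B: WPA3-Personal (SAE) on the same radio.
# WPA3 requires protected management frames, hence ieee80211w=2.
bss=wlan0_1
ssid=SSID-B
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=PLACEHOLDER-wpa3-password
```

The security mode is advertised per network in each SSID's beacon, so a WPA3-capable client still uses WPA2 when it joins SSID-A.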