Problems in address distribution in DHCP

Itay1787

@derelict We know that VLANs will be much more secure
But as soon as the network is built, it's the thing we found that will work. We may soon be switching AP. And with that happening, we'll make sure they have VLANs and replace everything with VLANs.

But right now we have a problem with setting up one of the rules as I said above.

johnpoz

You can not stop people on network A from talking to other people on network A... The firewall/router is NOT involved in these discussions.

Why do you think we stated the only way to do this is with vlans.

Derelict

Because DHCP server is not designed to do that. It is designed to serve the interface subnet scope. You will probably have to use a different DHCP server.

johnpoz

You can not build a network with junk ;) you need to either isolate your networks at the physical layer with different switches and AP for each network you want. Or you need switches and AP that support vlans - its that simple = PERIOD!

Itay1787

@johnpoz I thought so.
So can not you just block one subnet from everyone ??
And with not like it sounds we'll move on to VLANs faster than I thought.

Itay1787

@derelict We tried it. Did not work properly at all !!!!

Itay1787

@johnpoz Question: I have one switch which is the main and it supports VLANs Can I take out VLAN tagging. Then from AP (which is after some other "dumb" switches) will it work without affecting the rest of the network ??

JKnott

@itay1787 said in Problems in address distribution in DHCP:

@johnpoz Question: I have one switch which is the main and it supports VLANs Can I take out VLAN tagging. Then from AP (which is after some other "dumb" switches) will it work without affecting the rest of the network ??

If you remove the VLAN tags, you'll not have VLANs. I assume you're asking if you can put the AP on just one VLAN? If so, yes. Assign an access port, on that managed switch to that VLAN and then connect the AP to it. The AP will then only connect to that one VLAN. Those dumb switches, between the AP and managed switch, will also be on that same VLAN. However, that means only one group can use WiFi.

johnpoz

You can downstream dumb switches from a smart switch sure... And all devices connected to that dumb switch will be in vlan X that thet upstream smart switch puts that switch in.

You can then use specific dumb AP and connect them to specific vlans depending on where you plug them in. Or if you want clients that are on different vlans to use the same AP then the AP needs to support vlans, and it needs to be connected to a switch that supports vlans.

This can be done very cheaply depending on how many ports you need and how many wifi clients you have and how spread out you need your network to be. A 8 port smart switch can be had for like 40$ an AP that support AC and Vlans say the unifi AC-Lite model is like 70$

Itay1787

I mean if I can set up VLAN from a switch that supports it and set it in tagging and then take the VLAN tagging from the AP and the AP is connected to the dumb switch and it will not affect the devices that are connected to the other ports in the dumb switch

Right? Because that's what vlan tagging should do.

JKnott

VLAN tagging will pass through dumb switches. However, if your AP doesn't handle VLANs, which is what I thought you said, it wouldn't work. VLANs are just a way to logically separate networks. If you want an AP to support multiple SSIDs, which is necessary to separate users, then it must support VLANs. You'd also need VLAN support on pfSense or a managed switch to handle those VLANs.

johnpoz

While it is possible to pass vlan tags across a dumb switch - since it doesn't understand the tags.. There will be no isolation on that switch... All broadcast will go over all ports no matter the vlan it is suppose it suppose to be in.

Just because a dumb switch might not actually strip a tag, doesn't mean its good idea to run vlans over such a device...

If your going to use vlans than all your devices should support vlans - other than you can leverage dumb switches that are access level switches where only clients in the same vlan will be connected, and the only vlan that will go to that end switch is in a specific vlan... Ie as a downstream switch from a smart switch.. But no other vlans should cross over that switch.

Itay1787

I will tell you what I want to do as best I can explain and you will tell me whether it will work or not. OK?

1. All my AP supports VLANs and multiple SSIDs.
2. I have a smart switch that is the first and the main. The rest are not smart switches.

I want to pass a VLAN tagged from the main switch
Will pass through the non-smart switches to the APs. Then the APs will take the VLAN tagged, without damaging the rest of the network. Will it work?

johnpoz

Why do you have to pass the AP across the dumb switch? Connect it to the smart switch... If you need the switch as an extension for the run - pick up a 40$ smart switch to use and hang your dumb switch off that.

Can you run the vlan tags across the dumb switch - more than likely they will not strip it... But what they will do since they do not understand vlans is all clients on this dumb switch will see all broadcast traffic from every vlan that cross over that switch. And any client on that dumb switch could just add a tag and join any vlan they want.

It is NOT how you run a network!!!

You might get away with this if your order of smart switches got delayed and you had to bring this up NOW or loose money because production is down and all you have is some dumb switch to use.. But this not how anyone who works in IT would do it... you might as well just run 1 flat network if this is how your going to run a network.

Itay1787

@johnpoz I can not replace all the non-smart switches there are too many such a network that literally size more than 300 stationary computers connected to it !!!

JKnott

@itay1787 said in Problems in address distribution in DHCP:

@johnpoz I can not replace all the non-smart switches there are too many such a network that literally size more than 300 stationary computers connected to it !!!

I believe he suggested running a cable from the AP to managed switch. Is that not possible? How many APs are we talking about?

Itay1787

@jknott It really is not possible
There are about 10 to 12 AP

JKnott

@itay1787 said in Problems in address distribution in DHCP:

@jknott It really is not possible
There are about 10 to 12 AP

Any chance you could have just the APs on a dumb switch?

heper

@jknott said in Problems in address distribution in DHCP:

VLAN tagging will pass through dumb switches.

if you are lucky. more often they just vanish, or get corrupted.

JKnott

@heper said in Problems in address distribution in DHCP:

if you are lucky. more often they just vanish, or get corrupted.

Any switch that does that is defective. A switch is supposed to pass any and all valid Ethernet frames. A valid Ethernet frame consists of destination & source MACS, payload and CRC. What distinguishes a VLAN frame from others is the contents of the Ethertype/length field. The VLAN tag is carried in the payload area and should not be touched by a switch. The exception being managed switches configured for VLANs, which create, forward and remove the VLAN frames. There is absolutely no reason why an unmanaged switch would handle a VLAN frame differently than any other. The only exception would be ancient gear that cannot handle Ethernet payloads greater than 1500 bytes. If you run into switches like that, then just reduce MTU to 1496 to avoid the problem.