Netgate Discussion Forum
    How to do vlans with physical nic's to AP's?

Category: L2/Switching/VLANs
    51 Posts 5 Posters 9.1k Views
N0_Klu3

So long story short, I have 2 APs and my pfSense box has 4 NICs.
      In total I have 3 LANs and 1 WAN.
      But the 3 LANs (1x LAN and 2x VLANs) run on a single NIC.

I was wondering how or what is the best practice for this?
Mainly regarding how the APs work.

      Long story:
I have a SuperMicro 5019A-FT4N as my pfSense router which has 4 Intel NICs.
I have 2 Unifi switches and 2 Unifi APs.

Currently my setup is as follows. ix0 = WAN, ix1 = LAN and 2 VLANs.
Unifi is set up and has the VLANs added and the APs have 3 networks, Main LAN, Guest, IoT.
Guest and IoT use VLANs, 69 and 101 to be exact.

What I've been thinking is why don't I use the 2 available NICs to drive the traffic for these 2 VLANs?
But what I cannot get my head around is, it'll be 3 separate networks. I.e. let's say I use ix2 for Guest VLAN 69, do I just plug this into the Unifi managed switch, set that port to only Guest 69 and the APs will automatically know to send the VLAN traffic to that port?
Is this the correct setup to split the traffic across the 3 NICs? Or is it still better to use VLANs all off the same NIC?

johnpoz LAYER 8 Global Moderator

So the single physical connection to your AP will carry all the networks, be they all tagged or 1 native and the others tagged. But once that is into your switch you can do whatever you want with the traffic: you can uplink that into the router via a physical connection untagged, or via any sort of split you want if you have 3 different networks.

        So all 3 could have their own physical uplinks, or you could have 1 native on physical, then another native and 1 tagged on physical uplink. Or both tagged on 1 physical with all tagged or 2 tagged and 1 native.

        Lots of things you can do once you bring the traffic into your switching infrastructure.. How you handle it via uplinks to your router would depend on what sort of intervlan traffic you have to handle.. For example if there is lots of intervlan traffic you prob don't want to put the vlans that do a lot of talking between each other on the same physical uplink. So any traffic between those will have to hairpin on the physical nic.

With APs and their limited throughput it prob doesn't matter as much as with physical networks. But say you have a client connected to AP1 on vlanX and he was talking to a client on AP2 on vlanY - if those vlans are routed over the same physical interface via uplink to the router you have just put a restriction on the overall available traffic due to hairpin, and any other traffic flowing over that physical interface that could in theory be a bottleneck.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
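What johnpoz describes above (every network on the one cable to the AP, one native and the rest tagged) is literally what an 802.1Q tag looks like on the wire. The following is an added example written for this thread, not code from the forum or from pfSense/UniFi; the MAC addresses and payloads are made up, and the VLAN IDs are the thread's 69 (Guest) and 101 (IoT):

```python
"""Build and decode 802.1Q-tagged Ethernet frames.

Added example for this thread, not code from the forum or from pfSense/UniFi.
The MAC addresses, payloads and the VLAN IDs used (69 = Guest, 101 = IoT, as
in the thread) are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100       # value in the EtherType slot that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes, vlan_id=None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Return an Ethernet frame; with vlan_id set, insert an 802.1Q tag.

    The 4-byte tag sits between the source MAC and the real EtherType:
    TPID 0x8100, then the TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    A native/untagged frame is the same frame with those 4 bytes absent.
    """
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VID must be 1..4094 (0 = priority tag, 4095 reserved)")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vlan_id' is None for an untagged (native) frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    vlan_id = pcp = None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        pcp, vlan_id = tci >> 13, tci & 0xFFF
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {
        "dst": mac_str(frame[0:6]),
        "src": mac_str(frame[6:12]),
        "vlan_id": vlan_id,
        "pcp": pcp,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def vlans_on_wire(frames) -> list:
    """The VLAN each frame belongs to as seen on one physical link (None = native)."""
    return [parse_frame(f)["vlan_id"] for f in frames]


if __name__ == "__main__":
    AP = "00:11:22:33:44:55"      # constructed AP MAC
    GW = "66:77:88:99:aa:bb"      # constructed pfSense MAC
    # Three SSIDs, one cable: main LAN rides native, Guest and IoT are tagged.
    wire = [
        build_frame(GW, AP, b"main-lan"),
        build_frame(GW, AP, b"guest", vlan_id=69),
        build_frame(GW, AP, b"iot", vlan_id=101, pcp=5),
    ]
    for f in wire:
        print(parse_frame(f))
    print(vlans_on_wire(wire))   # [None, 69, 101]
```

The only difference between the native frame and the tagged ones is the 4 extra bytes after the source MAC. A device that is not VLAN-aware sees EtherType 0x8100 where it expects 0x0800 and cannot place the frame in the right network, which is why the AP's cable has to land on a VLAN-capable switch port rather than straight on a router NIC that only expects untagged traffic.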

N0_Klu3

          Ok thanks for the reply, really appreciate it.
          So if I'm reading this right.

          Have the 3 NICs, 1 untagged, 2 VLAN tagged.
          Then on the switch the 3 ports where I plug in they will mimic the tags or untagged.

          The APs would just remain with all 3 networks (1 untagged, 2 tagged) off the same cables.

This makes more sense I think. I'll get playing tonight and report back.
          I am using the Unifi AP HD's so they have 2 physical connections to the APs. But these are for teaming, so not too worried about bandwidth issues with the APs

johnpoz LAYER 8 Global Moderator

            @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

            Have the 3 NICs, 1 untagged, 2 VLAN tagged.

You don't have to do it that way, you could have all native to your 3 nics.. There are multiple ways to uplink your 3 networks into your router.. How you do it would be up to you, since you are the only one that would have any idea on the amount of traffic and if it's intervlan or just out to the net... And how to best utilize the physical connections you have available.

Example... My management network for my AP is untagged, this is on its own uplink to pfSense. While I have 4 SSIDs on my AP.. 1 of which is also the same as my management network.. This is my trusted wifi network, and clients have to have EAP-TLS to get on it. While 3 other SSIDs (vlans) share a different uplink to pfSense on a different physical nic.. They really would never have any vlan traffic between them, so the uplink they have to pfSense is 1 native network and 2 tagged networks. I also have some minor other vlans that use that interface as their uplink.


JKnott @N0_Klu3

              @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

              The APs would just remain with all 3 networks (1 untagged, 2 tagged) off the same cables.

              That's typical. Multiple SSIDs on an access port requires VLANs. Use the native LAN for the main SSID and VLANs for guests, etc..

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

N0_Klu3

                Ok thanks guys.
                Makes a bit more sense in my head now. Will try it out tonight if I get the time.

johnpoz LAYER 8 Global Moderator

As another way to skin the cat, maybe you put your physical interfaces into a lagg, and then use the lagg as your uplink from the switch to router.. Where all your vlans ride the lagg tagged, or 1 could be native, etc.

Depends on how much control you might want over what specific physical interfaces a specific vlan rides on.. Since once you put the traffic on a lagg you really don't know which vlan will be riding which specific physical interface at any given time... It just becomes a shared pipe, with multiple lanes on it..

Kind of like a 4 lane highway vs a 2 lane.. But you don't know which lane a specific car will take at any given time.

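To make the "you don't know which lane a car takes" point concrete: a lagg picks a member per flow by hashing the flow's identifiers, so every packet of one flow uses the same member and only different flows spread out. This is an added example written for this thread, not code from the forum, from pfSense or from FreeBSD's lagg(4); the FNV-1a hash stands in for whatever the driver or switch actually uses, and the MACs, addresses and flows are made up:

```python
"""Which physical member of a LAGG a given flow rides on.

Added example for this thread, not code from the forum, from pfSense or from
FreeBSD's lagg(4). It mimics a common layer-2/3/4 flow-hash policy: hash the
flow identifiers, take the result modulo the number of members. The hash
(FNV-1a) and the flows below are constructed for illustration.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int       # IP protocol number, 6 = TCP
    src_port: int
    dst_port: int

    def key(self) -> bytes:
        """L2 + L3 + L4 identifiers, the fields an 'l2,l3,l4' hash policy uses."""
        return (bytes.fromhex(self.src_mac.replace(":", ""))
                + bytes.fromhex(self.dst_mac.replace(":", ""))
                + socket.inet_aton(self.src_ip)
                + socket.inet_aton(self.dst_ip)
                + bytes([self.proto])
                + self.src_port.to_bytes(2, "big")
                + self.dst_port.to_bytes(2, "big"))


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a, a stand-in for whatever hash the switch or NIC driver uses."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def choose_member(flow: Flow, n_members: int, hash_fn=fnv1a32) -> int:
    """Member index (0..n_members-1) this flow is pinned to.

    Every packet of one flow hashes the same way, so a single flow never
    gets more than one member's bandwidth; only different flows spread out.
    """
    if n_members < 1:
        raise ValueError("a lagg needs at least one member")
    return hash_fn(flow.key()) % n_members


def distribute(flows, n_members: int, hash_fn=fnv1a32) -> dict:
    """Map member index -> list of flows that will ride on it."""
    out = {i: [] for i in range(n_members)}
    for f in flows:
        out[choose_member(f, n_members, hash_fn)].append(f)
    return out


if __name__ == "__main__":
    AP1, AP2, GW = "00:11:22:33:44:01", "00:11:22:33:44:02", "66:77:88:99:aa:bb"
    flows = [   # constructed: Guest<->IoT hairpin traffic and two flows out to the net
        Flow(AP1, GW, "192.168.69.10", "192.168.101.20", 6, 50000, 443),
        Flow(AP2, GW, "192.168.101.20", "192.168.69.10", 6, 443, 50000),
        Flow(AP1, GW, "192.168.69.11", "203.0.113.5", 6, 50001, 443),
        Flow(AP2, GW, "192.168.1.30", "203.0.113.9", 6, 50002, 80),
    ]
    for member, fs in distribute(flows, 2).items():
        print(f"lagg member {member}: {len(fs)} flow(s)")
```

Because the member is a pure function of the flow, one big transfer (a client on AP1 talking to one host on another vlan) never exceeds a single member's bandwidth, and which member it lands on depends on which header fields the two ends hash; FreeBSD's lagg(4) exposes that choice as its lagghash option. The switch side needs a matching aggregation (LACP) for the members to be treated as one link.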

N0_Klu3

No @johnpoz don't make me think too hard!!!
Yes I suppose that is another option, I think tho just separating the network LANs should be fine for my needs.
It's just a household and I've been using the same NIC for all 3 LANs for a few months without issue :)

johnpoz LAYER 8 Global Moderator

Hehe.. Yeah you're prob overthinking it to be honest... As long as the physical interface does not become a bottleneck it doesn't really matter.

                      But I deal with this sort of stuff all the time trying to optimize data flow in the data center with lots and lots of traffic and hundreds of different vlans, etc. etc.


JKnott @N0_Klu3

                        @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

It's just a household and I've been using the same NIC for all 3 LANs for a few months without issue :)

                        If you used multiple NICs to connect to a single access point, you'd then need to add a managed switch to convert the 3 connections into 1 with VLANs.


johnpoz LAYER 8 Global Moderator

Yeah if you want to break out your traffic into different uplinks into your router a vlan-capable switch is a requirement.. You cannot just plug the AP into the router's interface directly. But I take it you have that already because you mentioned 2 APs..


N0_Klu3 @JKnott

                            @JKnott said in How to do vlans with physical nic's to AP's?:

                            If you used multiple NICs to connect to a single access point, you'd then need to add a managed switch to convert the 3 connections into 1 with VLANs.

                            Yeah I have Unifi managed switches that already allow VLAN tagging and specific port tagging, so I should hopefully be OK.
                            I have 2x Unifi switches, 1x PoE, and 1x Normal managed switch.
                            And 2 APs that run off the PoE. Other than Unifi its my pfSense router so I should be good.

JKnott @N0_Klu3

                              @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

                              Yeah I have Unifi managed switches that already allow VLAN tagging and specific port tagging, so I should hopefully be ok.

                              You can create the VLANs in pfSense and connect the AP to the switch with a trunk port. Other ports can be access ports connected to the appropriate VLAN. You may have heard the term "router on a stick", where VLANs are used to connect a router to the switch, for routing between VLANs. That is what would happen if you used VLANs on pfSense.


N0_Klu3 @JKnott

                                @JKnott said in How to do vlans with physical nic's to AP's?:

                                @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

                                Yeah I have Unifi managed switches that already allow VLAN tagging and specific port tagging, so I should hopefully be ok.

                                You can create the VLANs in pfSense and connect the AP to the switch with a trunk port. Other ports can be access ports connected to the appropriate VLAN. You may have heard the term "router on a stick", where VLANs are used to connect a router to the switch, for routing between VLANs. That is what would happen if you used VLANs on pfSense.

                                Ok I need to look into Trunk Ports now. I've heard it said before, but never looked into it or what it is/does.

johnpoz LAYER 8 Global Moderator

Trunk port is just a term from Cisco that means the interface carries tagged vlans. Vs an access port that only has 1 vlan on it, untagged.

So a port or uplink to another device that understands vlans would be a trunk port... I.e. to your AP or another switch, or a router that will handle the traffic based on the tags.

But say a host device, say your PC, that is only in 1 vlan - that would be connected to an access port.


N0_Klu3

                                    Umm I might just stick to making it a bit simpler.
                                    Do the 3 NICs with 3 different tags and see how I get on.

                                    Appreciate all the options tho.

                                    Is there a specific way that is best/better?

JKnott @N0_Klu3

                                      @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

                                      Ok I need to look into Trunk Ports now. I've heard it said before, but never looked into it or what it is/does.

                                      As johnpoz mentioned, trunk ports are used to carry VLANs. Access ports generally carry only one network, which may be native or connected to a VLAN as required. However, there are some switches that can recognize, by the MAC prefix, certain devices such as VoIP phones, connected to that access port and put them on a VLAN.

                                      BTW, if you use VLANs, stay away from TP-Link gear. A lot of it doesn't handle VLANs properly.


johnpoz LAYER 8 Global Moderator

                                        No not really - all comes down to your wants/needs and how you like to do things.

                                        I for example use a native and then vlans on top of that, while others like to only use tagged on a vlan interface with no native network..

                                        So the interface will always have an untagged vlan on it.. If it will carry other vlans then those would be tagged. But one of the vlans would be untagged.. But nothing saying you have to do it one way or the other, there are no rules against either option..

I can make the discussion point that if there's a native network on the interface, I can always access that interface if need be and don't have to tag traffic. While others might say that on a vlan-carrying interface they should all be tagged, etc. Derelict, I believe, is a fan of vlan interfaces all tagged, no native network.

                                        Just be sure you understand that you can never have more than 1 untagged vlan on any interface - since there is no way to isolate traffic then..

                                        You can make discussion points about either way, for example if there is no untagged traffic on the interface then any untagged traffic by pretty much default would be blocked, if you didn't set a valid pvid on the interface..

                                        Another point in favor of native is say for example the unifi AP, until recently it was not possible to have management on a tagged vlan... it had to be native... So if you run native on your interface you could connect such devices directly to that interface on your router. And then any tagged on top of that.

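Putting johnpoz's trunk/access explanation and the native-vs-tagged discussion above (and JKnott's router-on-a-stick uplink) into one model: a switch port has at most one native VLAN (its PVID, applied to untagged frames) plus any number of tagged VLANs, and a frame that arrives untagged on a port with no PVID, or tagged with a VLAN the port does not carry, is dropped. This is an added example written for this thread, not UniFi, pfSense or any vendor's code; the port names, VLAN IDs (1 = main LAN, 69 = Guest, 101 = IoT) and the wiring are made up to match the thread:

```python
"""Ingress/egress VLAN handling of managed-switch ports: trunk vs access,
native/PVID vs tagged.

Added example for this thread, not code from the forum, from UniFi or from
pfSense. Port names, VLAN IDs (1 = main LAN, 69 = Guest, 101 = IoT) and the
sample frames are constructed; a frame is reduced to its 802.1Q VID (an int)
or None for untagged.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    name: str
    pvid: Optional[int] = None              # native VLAN for untagged frames; None = drop untagged
    tagged: FrozenSet[int] = frozenset()    # VLANs carried with an 802.1Q tag

    def __post_init__(self):
        # At most one untagged VLAN per port: a second one could not be told apart on the wire.
        if self.pvid is not None and self.pvid in self.tagged:
            raise ValueError(f"{self.name}: VLAN {self.pvid} cannot be both native and tagged")

    @property
    def kind(self) -> str:
        return "trunk" if self.tagged else "access"


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is placed in, or None if the switch drops it."""
    if tag is None:
        return port.pvid                         # untagged -> native VLAN; no PVID -> dropped
    return tag if tag in port.tagged else None   # tag the port does not carry -> dropped


def egress_form(port: Port, vlan: int) -> Optional[str]:
    """How a frame of `vlan` leaves `port`: 'untagged', 'tagged', or None (not a member)."""
    if vlan == port.pvid:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def forward(switch: Dict[str, Port], in_port: str, tag: Optional[int]) -> Dict[str, str]:
    """Flood to every other member port of the frame's VLAN (no MAC learning,
    to keep the focus on VLAN membership). Returns {port name: egress form}."""
    vlan = classify_ingress(switch[in_port], tag)
    if vlan is None:
        return {}
    out = {}
    for name, p in switch.items():
        if name == in_port:
            continue
        form = egress_form(p, vlan)
        if form:
            out[name] = form
    return out


# Constructed wiring matching the thread: AP on a trunk (native + 2 tagged),
# three separate uplinks to the pfSense NICs, and one ordinary access port.
SWITCH = {
    "ap1": Port("ap1", pvid=1, tagged=frozenset({69, 101})),   # AP: main LAN native, Guest/IoT tagged
    "ix1": Port("ix1", pvid=1),                                # pfSense ix1 as plain LAN interface
    "ix2": Port("ix2", pvid=69),                               # pfSense ix2 as plain Guest interface
    "ix3": Port("ix3", tagged=frozenset({101})),               # pfSense ix3 carries VLAN 101 tagged only
    "desk": Port("desk", pvid=1),                              # wired PC on the main LAN
}

if __name__ == "__main__":
    for src, tag in [("ap1", None), ("ap1", 69), ("ap1", 101), ("ap1", 7), ("ix3", None)]:
        print(f"{src} tag={tag}: {forward(SWITCH, src, tag)}")
```

The ix2 and ix3 uplinks show the two styles being discussed: ix2 hands Guest to pfSense untagged (pfSense sees a plain interface on that NIC), ix3 carries IoT tagged only (pfSense needs a VLAN 101 interface on that NIC, and anything arriving untagged on that switch port is dropped because it has no PVID). Check the per-port native/PVID setting whenever an uplink is meant to be tagged-only: a default PVID of 1 left on such a port quietly puts any untagged traffic into the main LAN.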

JKnott @N0_Klu3

                                          @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

                                          Do the 3 NICs with 3 different tags and see how I get on.

                                          That would be a waste of 2 NICs. Configuring VLANs is little different from configuring individual NICs.


N0_Klu3 @JKnott

                                            @JKnott said in How to do vlans with physical nic's to AP's?:

                                            @N0_Klu3 said in How to do vlans with physical nic's to AP's?:

                                            Do the 3 NICs with 3 different tags and see how I get on.

                                            That would be a waste of 2 NICs. Configuring VLANs is little different from configuring individual NICs.

                                            Thought that was the whole point of this thread?
                                            3 NICs with 3 LANs...

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.