
    how to manage APs and various ESSIDs

    L2/Switching/VLANs
    • S
      sgw last edited by

      I am currently scratching my head because I don't get how to design the following setup:

      A customer runs a pfsense with a few VLANs already.

      Now a bunch of Wifi-APs running OpenWRT have to be added, he wants to manage them via OpenWISP.

      He wants the APs to be managed within a management VLAN (ok, I know how to add them to pfsense and the 2 switches) and the APs should then run multiple Wifi ESSIDs for separate VLANs like "guest", "kids", etc.

      Now I fail to wrap my head around how to set that up.
      While I write this (writing and explaining a situation always helps to understand ;-)) I think it's not as complicated as I assumed:

      that management vlan will be just plain "LAN" for the APs, right? Because they will get it untagged.

      The switch ports for the APs will have to be:

      • management VLAN: untagged member
      • WIFI-VLANs: tagged

      right?

      I'd appreciate any helpful link to some howto or a quick explanation.
      thanks in advance.

      My confusion basically is: how do the APs get the WIFI-VLAN-packages if they are located in the Management-VLAN?

      • JKnott
        JKnott last edited by

        Can those APs have a separate management interface? Some can, some can't. Assuming they can, you normally use a VLAN for management and secondary SSIDs and native LAN for the main network. Several years ago, I set up a network in a seniors residence. There was the main LAN for regular office network and VLANs for VoIP, residents and management. The office and residents had different SSIDs.

        • S
          sgw @JKnott last edited by

          @jknott I have to look at the webgui of those APs, I have no current experience with OpenWRT.

          I also wonder if I should tinker with the (P)VID of the APs, so that the APs "run on tagged" natively or not. You see: I mix up things and get lost in several topics ;-)

          • JKnott
            JKnott @sgw last edited by

            @sgw

            I also haven't done anything with OpenWRT. However, you should always break down what you're trying to do into pieces. Decide what needs to have VLAN tags and what doesn't. The purpose of VLANs is to allow multiple virtual networks to share one physical network. Typically, you have the main LAN on the native LAN and use VLANs for everything else. Of course, anything that uses a VLAN has to support them, or be behind a managed switch (or AP) that does. So, determine your requirements and go from there.

            • S
              sgw @JKnott last edited by

              @jknott Sure.

              Would it make sense (and work) to:

              • create a VLAN (say ID 20) on pfsense
              • choose some ports on the switch(es) for the APs and make them untagged members of VLAN20 (so the APs are in that subnet and manageable there)
              • then also output the VLANs for the Wifi-networks on these switch-ports, but tagged
              • and configure the ESSIDs to "match"/use these VLANs

              ?

              • JKnott
                JKnott @sgw last edited by

                @sgw

                So far it looks OK. Anything on the native LAN?

                • S
                  sgw @JKnott last edited by

                  @jknott

                  What do you mean by "native LAN"? The standard LAN on pfsense?
                  That one currently contains most of the devices:

                  PCs, laptops, switches, an ESXi-host, various IoT-devices ...

                  the infrastructure stuff should be moved step by step, into some kind of management VLAN. For sure without breaking things. The new APs will be the test dummies.

                  • JKnott
                    JKnott @sgw last edited by JKnott

                    @sgw said in how to manage APs and various ESSIDs:

                    What do you mean by "native LAN"? The standard LAN on pfsense?

                    "Native LAN" refers to the network without any VLANs. For example, with pfsense, you have an interface for your LAN. You can run all sorts of traffic over it, but there is no separation into virtual LANs. Anything beyond that basic network is carried over VLANs on the same basic network. Of course, you could use a managed switch to remove the VLAN tag and place the packets on another physical network. Any traffic on that network would be "native", even though it would be VLAN elsewhere. On my system, my native LAN interface is bge0. I also have bge0.3, which is VLAN3 on my native LAN. If you were to watch the traffic on that physical interface, you would see frames both with and without VLAN tags.

                    While many devices can handle VLANs and work directly with tagged frames, others can't, which means they can only be on the native LAN or be behind a managed switch that has a port dedicated to that VLAN.

                    My VLAN is used for my guest WiFi. So, I have pfsense, my AP and my switch configured for that VLAN. Both native LAN and VLAN 3 are on the switch ports connected to pfsense and the AP. All other ports are native LAN only.
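
Added example, not part of any post in this thread: a small Python model of the AP switch-port plan discussed above, showing how one port carries untagged management frames and tagged WiFi frames at the same time, and drops frames tagged for a VLAN the port is not a member of. VLAN 20 is the ID suggested in the thread; the WiFi VLAN IDs 30 and 40, the `SwitchPort` class and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


def vlan_of(frame: bytes):
    """Return the 802.1Q VLAN ID carried in an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VID; the top 4 are PCP/DEI


class SwitchPort:
    """Assumed model of one managed-switch port with ingress filtering:
    a PVID for untagged frames plus a set of VLANs accepted tagged."""

    def __init__(self, pvid, tagged):
        self.pvid = pvid
        self.tagged = frozenset(tagged)

    def ingress(self, frame: bytes):
        """Return the VLAN the frame is placed in, or None if it is dropped."""
        vid = vlan_of(frame)
        if vid is None or vid == 0:  # untagged or priority-tagged: use the PVID
            return self.pvid
        # Membership check; real switches differ in how they treat a frame
        # explicitly tagged with the port's own PVID.
        return vid if vid in self.tagged or vid == self.pvid else None


def make_frame(vid=None, payload_type=0x0800):
    """Build a constructed sample frame (dummy MAC addresses, zeroed payload)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return header + tag + struct.pack("!H", payload_type) + bytes(46)


# Port plan from the thread: management VLAN 20 untagged, WiFi VLANs tagged.
# IDs 30 (guest) and 40 (kids) are assumed; the thread gives no numbers.
AP_PORT = SwitchPort(pvid=20, tagged={30, 40})
```

The AP's own management traffic leaves untagged and lands in VLAN 20, while each ESSID's traffic leaves with its own tag, so a frame tagged for any other VLAN (for example the infrastructure VLAN of another segment) never enters through the AP port.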
