how to manage APs and various ESSIDs

  • I am currently scratching my head because I don't get how to design the following setup:

    A customer runs a pfsense with a few VLANs already.

    Now a bunch of Wi-Fi APs running OpenWrt have to be added; he wants to manage them via OpenWISP.

    He wants the APs to be managed within a management VLAN (OK, I know how to add them to pfsense and the 2 switches), and the APs should then run multiple Wi-Fi ESSIDs for separate VLANs like "guest", "kids", etc.

    Now I fail to wrap my head around how to set that up.
    While I write this (writing down and explaining a situation always helps one understand ;-)), I think it's not as complicated as I assumed:

    That management VLAN will be just plain "LAN" for the APs, right? Because they will get it untagged.

    The switch ports for the APs will have to be:

    • management VLAN: untagged member
    • Wi-Fi VLANs: tagged


    I'd appreciate any helpful link to some howto or a quick explanation.
    Thanks in advance.

    My confusion basically is: how do the APs get the Wi-Fi VLAN packets if they are located in the management VLAN?

  • Can those APs have a separate management interface? Some can, some can't. Assuming they can, you normally use a VLAN for management and secondary SSIDs and the native LAN for the main network. Several years ago, I set up a network in a seniors' residence. There was the main LAN for the regular office network and VLANs for VoIP, residents and management. The office and residents had different SSIDs.

  • @jknott I have to look at the web GUI of those APs; I have no current experience with OpenWrt.

    I also wonder if I should tinker with the (P)VID of the APs, so that the APs "run on tagged" natively or not. You see, I mix things up and get lost in several topics ;-)

  • @sgw

    I also haven't done anything with OpenWrt. However, you should always break down what you're trying to do into pieces. Decide what needs to have VLAN tags and what doesn't. The purpose of VLANs is to allow multiple virtual networks to share one physical network. Typically, you have the main LAN on the native LAN and use VLANs for everything else. Of course, anything that uses a VLAN has to support them, or be behind a managed switch (or AP) that does. So, determine your requirements and go from there.

  • @jknott Sure.

    Would it make sense (and work) to:

    • create a VLAN (say ID 20) on pfsense
    • choose some ports on the switch(es) for the APs and make them untagged members of VLAN20 (so the APs are in that subnet and manageable there)
    • then also carry the VLANs for the Wi-Fi networks on these switch ports, but tagged
    • and configure the ESSIDs to "match"/use these VLANs


  • @sgw

    So far it looks OK. Anything on the native LAN?

  • @jknott

    What do you mean by "native LAN"? The standard LAN on pfsense?
    That one currently contains most of the devices:

    PCs, laptops, switches, an ESXi-host, various IoT-devices ...

    The infrastructure stuff should be moved step by step into some kind of management VLAN. Without breaking things, of course. The new APs will be the test dummies.

  • @sgw said in how to manage APs and various ESSIDs:

    What do you mean by "native LAN"? The standard LAN on pfsense?

    "Native LAN" refers to the network without any VLANs. For example, with pfsense, you have an interface for your LAN. You can run all sorts of traffic over it, but there is no separation into virtual LANs. Anything beyond that basic network is carried over VLANs on the same basic network. Of course, you could use a managed switch to remove the VLAN tag and place the packets on another physical network. Any traffic on that network would be "native", even though it would be a VLAN elsewhere. On my system, my native LAN interface is bge0. I also have bge0.3, which is VLAN 3 on my native LAN. If you were to watch the traffic on that physical interface, you would see frames both with and without VLAN tags.

    While many devices can handle VLANs and work directly with tagged frames, others can't, which means they can only be on the native LAN or be behind a managed switch that has a port dedicated to that VLAN.

    My VLAN is used for my guest WiFi. So, I have pfsense, my AP and my switch configured for that VLAN. Both native LAN and VLAN 3 are on the switch ports connected to pfsense and the AP. All other ports are native LAN only.
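
The last post points out that watching the physical interface of a trunk shows both tagged and untagged frames, which is also the direct way to answer the original question of how the Wi-Fi VLAN frames reach an AP that sits untagged in the management VLAN: capture on the AP's uplink and count frames per VLAN tag. The following is an added example, not from the thread; it parses `tcpdump -e -nn` output and checks that untagged (management) frames and every expected tagged VLAN are present. The capture lines are constructed for the example, and the VLAN IDs 20, 30 and 40 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises a `tcpdump -e -nn -i <uplink>`
# capture by VLAN tag and checks that a trunk carries what the plan expects:
# untagged frames for the management VLAN plus each Wi-Fi VLAN tagged.

# Constructed sample capture (not a real trace): two untagged frames, two tagged
# with VLAN 30 and one tagged with VLAN 40.
SAMPLE='12:00:00.000001 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.20.1 tell 192.168.20.50, length 28
12:00:00.000002 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 30, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:01, length 300
12:00:00.000003 aa:bb:cc:00:00:03 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 90: vlan 40, p 0, ethertype IPv6 (0x86dd), fe80::1 > ff02::1: ICMP6, router advertisement, length 32
12:00:00.000004 aa:bb:cc:00:00:04 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 98: 192.168.20.1 > 192.168.20.50: ICMP echo request, id 1, seq 1, length 64
12:00:00.000005 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 30, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:01, length 300'

# Reads tcpdump -e -nn lines on stdin, prints "vlan <id> <count>" per tag and
# "untagged <count>" for frames without an 802.1Q header.
vlan_summary() {
  awk '
    /ethertype 802\.1Q/ {
      if (match($0, /vlan [0-9]+/)) {
        id = substr($0, RSTART + 5, RLENGTH - 5)
        tagged[id]++
      }
      next
    }
    /ethertype/ { untagged++ }
    END {
      for (id in tagged) printf "vlan %s %d\n", id, tagged[id]
      printf "untagged %d\n", untagged + 0
    }' | sort
}

# $1: summary text from vlan_summary; remaining args: VLAN IDs expected tagged.
# Returns 0 when untagged frames and every expected VLAN were seen.
check_trunk() {
  summary="$1"; shift
  printf '%s\n' "$summary" | grep -q '^untagged [1-9]' || {
    echo "no untagged (management) frames seen on the uplink"; return 1; }
  for vid in "$@"; do
    printf '%s\n' "$summary" | grep -q "^vlan $vid " || {
      echo "VLAN $vid never seen tagged on the uplink"; return 1; }
  done
  echo "trunk OK: untagged management plus tagged VLAN(s) $*"
}

# Live use on the AP (not run here): tcpdump -e -nn -c 200 -i eth0 | vlan_summary
summary="$(printf '%s\n' "$SAMPLE" | vlan_summary)"
printf '%s\n' "$summary"
check_trunk "$summary" 30 40
```

A caveat when doing this for real: on some NICs the driver strips the 802.1Q tag before tcpdump sees the frame (hardware VLAN offload), so a trunk can look untagged when it is not. Disable receive VLAN offload on the capturing interface first (`ethtool -K <if> rxvlan off` on Linux) or capture on the switch side.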