segment wifi traffic (guest, IoT, trusted)
-
My controller is running on my main Linux desktop system. This computer is up 24/7.
-
I'm on Arch and would have to install via AUR, so prefer the debian pkg on a debian based distro.
-
D-Link just released a new 1100-08V2
I just purchased two of these to connect to a netgear smart switch (5 years running), but unable to get the d-link switches to be recognized by pfsense (I enabled DHCP for both d-link switches via default 10.90.90.90 web UI). I suspect it is a configuration / trunk port issue in connecting the d-links to the netgear.
On netgear, I set Ports 1,7,8 as 'T' (1 is pfsense, 7,8 are dlink connection ports). I also set the switchport connections on the d-links to 'T'. Mgmt. vlan is enabled and set to '1' for all devices. I'm sure I'm missing something simple but flying blind (I've never connected two switches together before) and the d-link manual is only for one switch-to-router use case.

modem | pfsense | netgear_GS108Tv2
                        |        |
                     dlink1   dlink2
                      |||      |||
-
I have the 1100-08 (Rev1)
Sidenote:
When I installed I saw an issue w. DHCP (for management); seemed like they forgot to "renew" at times. So I just gave them a static IP.
When you say unable to be recognized by pfSense, do you mean the management IF? Or don't the ports work??
Re: Vlan
Vlan (Tagging) has to be enabled along the "Full path" , meaning on all units it passes.
So if you want pfSense Vlan 1 + 7 + 8 to be "seen" on the D-links , you need to enable those Vlans on (Vlan 1 is probably already enabled , as the native Vlan (untagged)) :
1: pfSense
2: Netgear
3: Dlink/Bingo
-
On switches you typically have to define the Vlans before you can use them
Packets/Frames to any Vlan not defined on the switch , will be dropped on entry.
On my 1100-08 I add a vlan like this:
Click on Add (VID = Vlan ID)
Enter Vlan Number
Enter Vlan Name (For your own sanity, use the same Vlan name on all units)
Here we are defining Vlan 7 , with a name of VL8-Name (i goofed)
And in the Port selection boxes below , you see 3 port member types (per port):
Untagged:
If this port should behave as a Std. ethernet port (end device) in Vlan 7 , you would tick that.
Tagged:
If this port should transport Vlan 7 as tagged frames (typically used if connected to another vlan capable device) - i.e. a switch , you would tick that.
Not Member:
If this port has nothing to do with Vlan 7 you would tick that.
A switchport can ONLY transport (be member of) 1 Untagged Vlan , but can transport many tagged vlans.
Often a switch comes from the factory with a default setting of all ports are "member of Untagged Vlan 1" , that will drive you crazy when you want i.e. port 2 , to be a member of untagged Vlan 7 instead. You are NOT allowed to do that !!!!
Solution:
Go to the Vlan 1 definition , and make Port 2 "Not Member" of Vlan 1.
Now you can make it an Untagged member of Vlan 7.
/Bingo
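As an added illustration (not part of Bingo's post, and not any vendor's code), here is a small Python model of the 802.1Q membership rules explained above, applied to the topology from the opening question (pfSense on Netgear port 1, D-Links on ports 7 and 8). The switch names, port numbers and VLAN 7 are taken from the thread; the class and function names are made up for the example. It shows three things: a frame for a VLAN the next switch has not defined is dropped on entry ("full path"), a port cannot be untagged in two VLANs until it is made Not Member of the first, and a trunk port mistakenly set to untagged silently lands the traffic in the far side's native VLAN 1 instead of VLAN 7.

```python
"""Toy model of 802.1Q port membership (untagged / tagged / not member).

Added example only; names and topology are constructed to match the thread.
"""

UNTAGGED, TAGGED, NOT_MEMBER = "untagged", "tagged", "not_member"


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.vlans = {}  # vid -> {port: membership}

    def define_vlan(self, vid, membership):
        """Define (or redefine) a VLAN; ports not listed become Not Member.
        Enforces the rule that a port may be an untagged member of one VLAN only."""
        for port, mode in membership.items():
            if port not in self.ports:
                raise ValueError(f"{self.name}: no port {port}")
            if mode == UNTAGGED:
                for other_vid, members in self.vlans.items():
                    if other_vid != vid and members.get(port) == UNTAGGED:
                        raise ValueError(
                            f"{self.name} port {port} is already untagged in VLAN "
                            f"{other_vid}; make it Not Member there first")
        self.vlans[vid] = {p: membership.get(p, NOT_MEMBER) for p in self.ports}

    def ingress(self, port, tag):
        """Classify a frame arriving on `port`. `tag` is the 802.1Q VID or None
        for an untagged frame. Returns the VLAN it lands in, or None if dropped."""
        if tag is None:  # untagged frame -> the port's untagged (native) VLAN
            for vid, members in self.vlans.items():
                if members.get(port) == UNTAGGED:
                    return vid
            return None
        members = self.vlans.get(tag)
        if members is None:  # VLAN not defined on this switch: dropped on entry
            return None
        return tag if members.get(port) == TAGGED else None

    def egress(self, port, vid):
        """How the frame leaves `port` in `vid`: 'tagged', 'untagged' or None."""
        mode = self.vlans.get(vid, {}).get(port, NOT_MEMBER)
        return None if mode == NOT_MEMBER else mode


def trace(vid, path):
    """Forward one frame that leaves pfSense tagged `vid` along `path`, a list of
    (switch, ingress_port, egress_port). Returns (delivered, hops); each hop records
    the VLAN the frame was classified into on that switch and how it left."""
    tag, hops = vid, []
    for sw, pin, pout in path:
        classified = sw.ingress(pin, tag)
        if classified is None:
            hops.append((sw.name, None, f"dropped on ingress port {pin}"))
            return False, hops
        out = sw.egress(pout, classified)
        if out is None:
            hops.append((sw.name, classified, f"dropped: port {pout} not member"))
            return False, hops
        hops.append((sw.name, classified, f"out port {pout} {out}"))
        tag = classified if out == TAGGED else None
    return True, hops


def demo():
    """Walk through the thread's scenario and return the outcomes."""
    results = {}
    netgear = Switch("netgear_GS108Tv2", range(1, 9))
    dlink1 = Switch("dlink1", range(1, 9))
    for sw in (netgear, dlink1):  # factory default: every port untagged in VLAN 1
        sw.define_vlan(1, {p: UNTAGGED for p in sw.ports})
    netgear.define_vlan(7, {1: TAGGED, 7: TAGGED, 8: TAGGED})  # 1 = pfSense, 7/8 = D-Links
    # pfSense -> netgear port 1 -> port 7 -> dlink1 port 1 -> port 2 (end device)
    path = [(netgear, 1, 7), (dlink1, 1, 2)]

    delivered, _ = trace(7, path)  # VLAN 7 not yet defined on the D-Link
    results["dropped_before_dlink_vlan_defined"] = not delivered

    try:  # port 2 is still untagged in VLAN 1, so this must be refused
        dlink1.define_vlan(7, {1: TAGGED, 2: UNTAGGED})
        results["untagged_conflict_rejected"] = False
    except ValueError:
        results["untagged_conflict_rejected"] = True

    # Bingo's fix: Not Member of VLAN 1 on port 2, then untagged member of VLAN 7
    dlink1.define_vlan(1, {p: (NOT_MEMBER if p == 2 else UNTAGGED) for p in dlink1.ports})
    dlink1.define_vlan(7, {1: TAGGED, 2: UNTAGGED})
    results["delivered_after_fix"], _ = trace(7, path)

    # Failure mode: uplink port 7 set untagged instead of tagged on the Netgear;
    # the D-Link receives an untagged frame and classifies it into native VLAN 1
    netgear.define_vlan(1, {p: (NOT_MEMBER if p == 7 else UNTAGGED) for p in netgear.ports})
    netgear.define_vlan(7, {1: TAGGED, 7: UNTAGGED, 8: TAGGED})
    results["mismatch_delivered"], hops = trace(7, path)
    results["mismatch_lands_in_vlan"] = hops[-1][1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case is the one worth remembering from a security angle: a tag mismatch on a trunk does not produce an error, the frames simply show up in whatever untagged VLAN the far port has (VLAN 1 here), which is how "isolated" guest or IoT traffic quietly ends up on the management network.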
-
I have made a dia drawing of what I think you want.
I recommend dia (when you don't have visio) , or are running linux like me.
Get dia here
http://dia-installer.de/
And the shapes (symbols) here
http://dia-installer.de/diashapes/index.html.en
On my linux mint (ubuntu) they are in the std pkg repos.
Edit: I have no Netgears - So no idea about how to configure that one.
Edit2: I made a super short vlan intro here.
https://forum.netgate.com/post/944383
-
@bingo600 said in segment wifi traffic (guest, IoT, trusted):
Everything seems to be working - thanks to your images and explanations. I like the dlink web UI more than the netgear, but the netgear GS108Tv2 was released many years ago.
So i just gave them a static ip.
is working for the moment - hopefully will be persistent.
Get dia here
I'll try it as soon as my head stops hurting - thanks for making everything clear.
-
Glad you got it working ....
Now when you get the AP AC Pros - You might have a bit of initial trouble.
Until recently the mgmt net of the AP AC Pro had to be "untagged" , and the Wifi-Vlans could be tagged. That's how I run mine.
But @johnpoz mentioned that with a recent firmware it would be possible to run mgmt as a tagged vlan too.
If/when you get them and have "challenges" give us a "ping" ....
/Bingo
-
@bingo600 said in segment wifi traffic (guest, IoT, trusted):
mentioned that with a recent firmware it would be possible to run mgmt as a tagged vlan too.
I have set up networks, with Adtran gear, where the management interface was on a VLAN. Not having that option is dumb for business installs.
-
@bingo600 said in segment wifi traffic (guest, IoT, trusted):
with a recent firmware it
Wasn't all that recent - quite some time ago that feature was added. I don't recall the min required firmware or controller software. But if you're running the current version you can yes run tagged management...
Here you go
https://help.ui.com/hc/en-us/articles/360046773733-UniFi-Using-VLANs-with-UniFi-Wireless
You have to adopt via untagged.. But
"As of Controller software version 5.8, access points and switches can be set to tagged VLANs"
While I concur it should be a requirement for equipment to support if expected to be used in a true enterprise.. Running a vlan untagged is not really an issue where unifi stuff would be most used, small business, small offices, homes, etc. It mostly would be a concern where some sort of company security policy required tags..
I have not bothered to change my home setup. While I have multiple tagged vlans, the vlan that my APs are on for management is untagged for the connection to the APs.
5.8.X was released stable over 3 years ago.