Just so I can understand, this switch would all the AP to have two VLANs running?

edit: BTW that AP is poe, and your switch is POE.. So why would it be plugged into a port on the 2100 that is not poe? You would then have to use a injector for power.. So that AP should plug into one of the switch poe ports.

edit2: My bad you are plugging the AP into the switch - doh!

edit3: You could leverage more of the ports on the 2100 for uplinks for different vlans, etc.

@prtonguy77 said in VLAN question with EnGenius Switch:

It's an internal DNS routing tool

Huh? pihole is dns sure - has nothing to do with routing.. But sure you can have some or all of devices on your network use the pihole for their dns.

If the AP is on port 23, what VLAN should that be set up as if it will have both internal wifi and guest?

This port would carry multiple vlans then, if your going to have multiple vlans via wireless. In cisco terms this would be a trunk port..

You're correct, I did not mean to put routing in there.

The switch I linked to says it supports "Port Trunking"; is that what you're referring to?

It's an internal DNS routing tool

Huh? pihole is dns sure - has nothing to do with routing.. But sure you can have some or all of devices on your network use the pihole for their dns.

If the AP is on port 23, what VLAN should that be set up as if it will have both internal wifi and guest?

This port would carry multiple vlans then, if your going to have multiple vlans via wireless. In cisco terms this would be a trunk port..

When you have everything setup you should be aware that the default management page of both the switch and pFsense are in the standard untagged network (so not in vlan 1 where the systems are) If tou need to program something and you can't connect to the switch and or the firewall you could be in trouble.

So thats why I usually leave one port of the switch on the untagged network. So you can plugin your notebook.

When you say another port to manage, are you talking about managing the switch or pfsense?

In the switch you need to program port 24 to alsow accept taged vlan 1, tagged vlan 2, tagged vlan 3. Port 23 (AP) you sould ONLY have vlan 2 setup (untagged) and it shoud be setup als preferred vlan (not sure EnGenius uses this, never used them, but a lot of other switches have this.)

For the other ports you can select vlan1 (untagged again) for normal users and vlan3 (untagged) for the security devices.

This will setup the basis configuration, I woud make one port like port 24 so you can connect your management system to this port and connect to the lan interface of the pfsense setup and the configuration page of the switch.

For rules you need setup vlan2 (block all traffic to the other subnets) and vlan3 (block all ipv4 and ipv6 traffic to anywhere).

Vlan1 will still be able to connect to all the devices on vlan2 and or vlan3.

Did this help you a bit ?