Wifi and LAN Bridging



  • I've searched the forums but I'm still confused.

    My current setup allows me to have the following:
    WAN   -> em0
    LAN   -> VLAN10(em1) - 192.168.10.x
    WIFI  -> VLAN20(em1) - 192.168.20.x
    MEDIA -> VLAN30(em1) - 192.168.30.x
    NAS   -> VLAN40(em1) - 192.168.40.x

    Currently we use all LAN for wired and WIFI for wireless.  I have now been put into a situation where I will have both wired and wireless traffic on WIFI, and I need to separate them out.  I am using a Captive Portal for the WIFI VLAN, and I will know the MAC address for all wired devices connected to WIFI.  I want all known wired devices to pass-through and register the LAN under 192.168.10.x, and all authenticated wireless devices to register under WIFI under 192.168.20.x.  LAN is allowed to see WIFI, but WIFI isn't allowed to see LAN.  At the moment all VLANs are running a DHCP service.

    I am running a Netgear Prosafe JGS524E switch, and the APs are just simple D-Link wireless routers with DHCP disabled.  I have tried bridging the two ports under OPT2, but it doesn't seem to work.

    Is this possible?  If so, can someone give me some instructions?  I've been scouring the forums, but I haven't found any instructions that seem to work for my situation.

    Thanks in advance.



  • @tludikar:

    I have now been put into a situation where I will have both wired and wireless traffic on WIFI, and I need to separate them out.

    I'm not sure what this means. I suspect it might mean something like "We now have to locate some computers that belong in our 'LAN' group near one or more wireless Access Points and we want to use existing cables to connect them to the network and still maintain the distinction between "LAN" and "WiFi" clients." If so, then VLANs (Virtual LANs) are the obvious solution. If I haven't understood your request then please clarify.

    @tludikar:

    I have tried bridging the two ports under OPT2, but it doesn't seem to work.

    Without more details of how you configured it, what you did to test it and what you saw that led you to "doesn't seem to work" it is difficult to be helpful.



  • Thanks for your reply!

    @wallabybob:

    @tludikar:

    I have now been put into a situation where I will have both wired and wireless traffic on WIFI, and I need to separate them out.

    I'm not sure what this means. I suspect it might mean something like "We now have to locate some computers that belong in our 'LAN' group near one or more wireless Access Points and we want to use existing cables to connect them to the network and still maintain the distinction between "LAN" and "WiFi" clients." If so, then VLANs (Virtual LANs) are the obvious solution. If I haven't understood your request then please clarify.

    That's exactly what we are looking at, but our WiFi APs don't give any VLAN options.  I don't know how to change my VLANs to work in that manner.

    @wallabybob:

    @tludikar:

    I have tried bridging the two ports under OPT2, but it doesn't seem to work.

    Without more details of how you configured it, what you did to test it and what you saw that led you to "doesn't seem to work" it is difficult to be helpful.

    Well, I bridged LAN and WIFI into Bridge0, set up Bridge0 as an interface (OPT2), and changed the values:
    WAN   -> em0
    LAN   -> VLAN10(em1)
    WIFI  -> VLAN20(em1)
    MEDIA -> VLAN30(em1)
    NAS   -> VLAN40(em1)
    OPT2  -> Bridge0

    OPT2 was set up with a static IP of 192.168.50.1 and no DHCP service.
    The following "System Tunables" flags were updated:
    net.link.bridge.pfil_member  0
    net.link.bridge.pfil_bridge  1

    When all the settings were in place, any device connected to LAN would not get an IP.  I was not able to statically set any IPs based on MAC addresses on either LAN or WIFI.  I lost access to the GUI from LAN, but could still get an IP and reach the GUI from WIFI.

    Not sure where I went wrong.



  • @tludikar:

    That's exactly what we are looking at, but our WiFi APs don't give any VLAN options.  I don't know how to change my VLANs to work in that manner.

    Colocate a VLAN-capable switch with the AP. Plug the AP into a VLAN 20 port on the switch. Plug the "wired" computer(s) into VLAN 10 ports on the switch. Configure one switch port as a "trunk" port. Connect that port to the cable connected to your "main" VLAN-capable switch.  Configure the corresponding port on the main VLAN-capable switch as a "trunk" port. If necessary, reboot the switches so the configuration changes take effect.

    No need for bridging!

    @wallabybob:

    @tludikar:

    I have tried bridging the two ports under OPT2, but it doesn't seem to work.

    Without more details of how you configured it, what you did to test it and what you saw that led you to "doesn't seem to work" it is difficult to be helpful.

    Well, I bridged LAN and WIFI into Bridge0, set up Bridge0 as an interface (OPT2), and changed the values:
    WAN   -> em0
    LAN   -> VLAN10(em1)
    WIFI  -> VLAN20(em1)
    MEDIA -> VLAN30(em1)
    NAS   -> VLAN40(em1)
    OPT2  -> Bridge0

    OPT2 was set up with a static IP of 192.168.50.1 and no DHCP service.
    The following "System Tunables" flags were updated:
    net.link.bridge.pfil_member  0
    net.link.bridge.pfil_bridge  1

    When all the settings were in place, any device connected to LAN would not get an IP.  I was not able to statically set any IPs based on MAC addresses on either LAN or WIFI.  I lost access to the GUI from LAN, but could still get an IP and reach the GUI from WIFI.

    Not sure where I went wrong.

    You should have only one DHCP server on a broadcast network. When you bridged the two interfaces you had multiple DHCP servers.

    Your OPT2 interface will have default firewall rules: block everything!

    Simple changes for bridging would probably have been to set the WiFi address type to None, disable its DHCP server and assign bridge0 to LAN. That in itself would not have done what you want, in that it could then have been a challenge to keep LAN and WiFi separate. But you really need to use VLANs as described above to do that.



  • @wallabybob:

    @tludikar:

    That's exactly what we are looking at, but our WiFi APs don't give any VLAN options.  I don't know how to change my VLANs to work in that manner.

    Colocate a VLAN-capable switch with the AP. Plug the AP into a VLAN 20 port on the switch. Plug the "wired" computer(s) into VLAN 10 ports on the switch. Configure one switch port as a "trunk" port. Connect that port to the cable connected to your "main" VLAN-capable switch.  Configure the corresponding port on the main VLAN-capable switch as a "trunk" port. If necessary, reboot the switches so the configuration changes take effect.

    No need for bridging!

    @tludikar:

    @wallabybob:

    @tludikar:

    I have tried bridging the two ports under OPT2, but it doesn't seem to work.

    Without more details of how you configured it, what you did to test it and what you saw that led you to "doesn't seem to work" it is difficult to be helpful.

    Well, I bridged LAN and WIFI into Bridge0, set up Bridge0 as an interface (OPT2), and changed the values:
    WAN   -> em0
    LAN   -> VLAN10(em1)
    WIFI  -> VLAN20(em1)
    MEDIA -> VLAN30(em1)
    NAS   -> VLAN40(em1)
    OPT2  -> Bridge0

    OPT2 was set up with a static IP of 192.168.50.1 and no DHCP service.
    The following "System Tunables" flags were updated:
    net.link.bridge.pfil_member  0
    net.link.bridge.pfil_bridge  1

    When all the settings were in place, any device connected to LAN would not get an IP.  I was not able to statically set any IPs based on MAC addresses on either LAN or WIFI.  I lost access to the GUI from LAN, but could still get an IP and reach the GUI from WIFI.

    Not sure where I went wrong.

    You should have only one DHCP server on a broadcast network. When you bridged the two interfaces you had multiple DHCP servers.

    Your OPT2 interface will have default firewall rules: block everything!

    Simple changes for bridging would probably have been to set the WiFi address type to None, disable its DHCP server and assign bridge0 to LAN. That in itself would not have done what you want, in that it could then have been a challenge to keep LAN and WiFi separate. But you really need to use VLANs as described above to do that.

    Thank you wallabybob!  Unfortunately, I don't have access to any VLAN capable switches at the moment.  Would there be any other solution for a temporary fix?  If I went with bridging, could I just assign the MAC addresses of the LAN computers to the LAN VLAN?



  • @tludikar:

    Thank you wallabybob!  Unfortunately, I don't have access to any VLAN capable switches at the moment.  Would there be any other solution for a temporary fix?

    I can't yet think of one that would give you any real security and meet your requirements for separate IP subnets for "wired" and "wireless" computers.

    @tludikar:

    If I went with bridging, could I just assign the MAC addresses of the LAN computers to the LAN VLAN?

    I can't think of a way of doing what I suspect you might be asking.

    Where I live it's possible to buy a 5-port VLAN-capable switch (MikroTik RB250GS) for the local equivalent of about US$55. Spend the money and get yourself a real solution rather than spend time on a poor hack that won't really do what you want.


  • Netgate Administrator

    What model are your D-Link wifi access points?
    You may be able to replace their firmware with one that supports VLAN tagging such as OpenWRT.
    That would be free but potentially complicated if you've not done that sort of thing before.  ;)

    Steve



  • Depending on the OS you use on these additional PCs you might be able to configure them to use VLANs directly.
    –> The PCs would communicate via tagged frames only.

    Of course this only works if they aren't dynamically coming and going and are managed by you.
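    The thread turns on one fact: a consumer AP's switch ports forward plain (untagged) Ethernet frames, and pfSense's VLAN10/VLAN20 interfaces on em1 only see frames carrying an 802.1Q tag, so a wired PC behind the AP is indistinguishable from a wireless client until something (a VLAN-capable switch port, or the PC itself as the last post suggests) adds the tag. The following is an added example, not code from the thread or from pfSense; the VLAN-id to interface map is taken from the thread, and the sample frames and MAC addresses are constructed.

```python
"""Parse and tag 802.1Q frames to show why untagged AP traffic cannot land on
the thread's per-VLAN interfaces. Sample frames are constructed, not captured."""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
# VLAN id -> pfSense interface, as listed in the thread (VLANxx on em1)
VLAN_MAP = {10: "LAN", 20: "WIFI", 30: "MEDIA", 40: "NAS"}

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional 802.1Q VLAN id, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF      # VID is the low 12 bits; PCP/DEI sit above it
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan_id,
            "ethertype": etype, "payload": frame[offset:]}

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as a VLAN switch does when a frame enters an access port."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]

def interface_for(frame: bytes):
    """pfSense VLAN interface on em1 that would receive this frame, or None when the
    frame is untagged or carries a VID no interface is configured for."""
    return VLAN_MAP.get(parse_frame(frame)["vlan"])

# Constructed sample: an IPv4 frame from a wired PC leaving a dumb AP's LAN port, untagged.
PC_MAC = bytes.fromhex("02aabbccdd10")   # constructed, locally administered
GW_MAC = bytes.fromhex("02aabbccdd01")   # constructed
UNTAGGED = GW_MAC + PC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(interface_for(UNTAGGED))                  # None: no tag, so no LAN/WIFI decision
    print(interface_for(tag_frame(UNTAGGED, 10)))   # LAN: a VLAN 10 access port tagged it
    print(interface_for(tag_frame(UNTAGGED, 20)))   # WIFI: the AP's port on VLAN 20
```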

