    Cisco dual band AP541N + vlan

    General pfSense Questions
      bastardz:

      Hi.
      I have a problem with configuring guest wifi access and VLANs.
      This is my current architecture

      I have three VLANs 100,200,300 configured on a Cisco SLM2008
      100 - adsl1
      200 - adsl2
      300 - work-guest

      I have these three VLANs added in pfSense on fxp0

      The AP541N is set up with two wifi networks:
      work-guest VLAN id 300
      work VLAN id 1
      default ip of AP541N is 192.168.168.200

      My LAN network is 192.168.168.0
      VLAN300 has ip 10.10.10.1 and dhcp turned on

      If I disconnect the LAN SWITCH from port 8 then I do not see the LAN network from the AP541N.
      But if I connect the LAN SWITCH to the SLM2008 then every "work" user gets a wrong DHCP IP 10.10.10.X instead of 192.168.168.X.

      I want to allow users to connect to wifi "work" and "work-guest".
      Users on "work-guest" should not see "work".
      Users on "work" should have IP 192.168.168.X.
      Users on "work-guest" should have IP 10.10.10.X.

        stephenw10 (Netgate Administrator):

        Hard to diagnose without knowing:
        How the ports on the SLM2008 are configured with respect to VLANs
        How the AP541N is configured with respect to VLANs and IP. Is it static at 192.168.168.200?

        The device 'LAN Switch' is that a non-smart/VLAN switch?

        If the pfSense LAN interface is only connected to the 'LAN Switch' (not a VLAN) then it's not surprising that the AP541N can't see it when it's not connected to anything!
        If you have somehow bridged the two networks such that clients are receiving the wrong IP it seems very likely that the SLM2008 ports are configured incorrectly.

        Steve

          kejianshi:

          My favourite part of the drawing is the connection coming from SLM2008 > pfSense > Switch and then back > SLM2008.

          Seems like a recipe for disaster, but as soon as I say it someone will tell me it's perfectly legit.

          But the SLM2008 is VLAN so I suppose it could be configured to work.

            stephenw10 (Netgate Administrator):

            Exactly. But as you say if VLANs are configured correctly it should be fine. That's the first place I'd look.
            I'm assuming that the 'work' users are also connected to the 'LAN Switch'.

            Steve

              bastardz:

              Hi.

              stephenw10 and kejianshi, thanks for the reply.
              Find my comments below.

              @stephenw10:

              Hard to diagnose without knowing:
              How the ports on the SLM2008 are configured with respect to VLANs

              g1 - pfsense
              g4 - AP541N
              g5 - adsl1
              g6 - adsl2
              g8 - LAN/SWITCH NOT SMART

              @stephenw10:

              How the AP541N is configured with respect to VLANs and IP. Is it static at 192.168.168.200?


              IP 192.168.168.200 is static

              @stephenw10:

              The device 'LAN Switch' is that a non-smart/VLAN switch?

              non-smart switch

              @stephenw10:

              If the pfSense LAN interface is only connected to the 'LAN Switch' (not a VLAN) then it's not surprising that the AP541N can't see it when its not connected to anything!

              The AP541N can't see fxp0_vlan300. If I connect my Mac with static IP 10.10.10.10 to work-guest I can't ping 10.10.10.1, and tcpdump -i fxp0_vlan300 -e -n -v shows nothing.
              If I set the Mac's IP to 192.168.168.111 I can see the whole LAN.
              If I enable DHCP on fxp0_vlan300, all "work" and LAN users get a wrong IP but "work-guest" users get NO IP.

                stephenw10 (Netgate Administrator):

                It looks like the reason the AP541N can't see fxp0_vlan300 is because it's talking VLANs into an untagged port.
                SLM2008 port 4 should be tagged for VLAN 300 and set as, probably, 'general'. I'm not really that familiar with Cisco's VLAN terminology; there always seem to be several ways of configuring the same thing!
                Port 8 you have set as untagged for VLAN 300 but as type trunk. I'm unsure quite how that would work. However I don't see why you'd want that anyway. With the connection in place this connects the work_guest network to the work network.

                Steve

                  bastardz:

                  @stephenw10:

                  I'm unsure quite how that would work. However I don't see why you'd want that anyway. With the connection in place this connects the work_guest network to the work network.

                  I do not want work_guest to access the work network. I am trying to configure the AP541N as an access point for employees and guests.
                  Employees should have access to the work network and guests should have a separate network with temporary access (web GUI).
                  I will try to use your hints in the SLM2008 configuration.

                    mikeisfly:

                    Please don't take this the wrong way, but if I were you I would redo this whole thing for a number of reasons:

                    1. The first device in line from your ADSL modems should be pfSense. Not sure how many NICs you have in your box; can you add NICs? If not then look at my additional steps.
                    2. Coming out of your pfSense box I would hit your SLM2008 with a tagged VLAN port that is a member of all the VLANs that you created, for example port 8. I always like to use my last ports as trunk ports.
                    3. Make port 7 a tagged port as well with all the VLANs as members and connect that to your AP541N, and make sure that is a tagged port on the access point. Then you can make your SSIDs and put them in whatever VLAN you like.
                    4. Make port 1 on your SLM2008 a member of your LAN VLAN and keep it untagged.
                    5. Connect port 1 from your SLM2008 to the last port of your unmanaged LAN switch.
                    6. Connect all your LAN computers to your unmanaged switch.
                    7. Enjoy!

                    *This assumes that you have all the VLANs created and added to your NIC on your pfSense box.

                    Additional steps - if you don't have the ability to add any more NICs:

                    8. Create an additional VLAN on your SLM2008, for example VLAN 10.
                    9. Add that VLAN untagged to port 6 on your SLM2008.
                    10. Create VLAN 10 on the pfSense box and add it to the appropriate NIC.
                    11. Add VLAN 10 as a member of port 8 on your SLM2008.
                    12. Call the new interface WAN2 and set up DHCP or static, whichever applies.
                    13. Enjoy!

                    This way your firewall is the first thing that the internet sees. Below I have a proposed diagram.

                    Hope this helps.

                    You can prevent the guest VLAN from accessing the LAN by using firewall rules in the pfSense box. Try using a block rule with the source being the network where the guests are located and the destination being the LAN IP, and apply that to the LAN where the guests are located. I like to apply an access-list as close to the user as possible; that way your firewall doesn't process packets it doesn't have to.

                      kejianshi:
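The block rule mikeisfly describes, written out as a pf.conf fragment. This is an added, constructed example, not pfSense's generated ruleset and not anything posted in the thread; the interface name fxp0_vlan300, the guest subnet 10.10.10.0/24 and the work LAN 192.168.168.0/24 are taken from the thread, and the rule assumes the destination is the whole work subnet rather than a single LAN address. Rules are applied on the guest interface, closest to the users, and use pf's `quick` so the first matching rule wins, as pfSense's generated rules do.

```pf
# Constructed pf.conf fragment for the guest VLAN interface (assumed names).
guest_if  = "fxp0_vlan300"     # guest VLAN interface on pfSense
guest_net = "10.10.10.0/24"    # guest subnet from the thread
guest_gw  = "10.10.10.1"       # pfSense's address on the guest VLAN
work_net  = "192.168.168.0/24" # work LAN from the thread
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# 1. Guests must still reach pfSense itself for DHCP and DNS.
#    DHCP discover comes from 0.0.0.0 to broadcast, so match on ports, not addresses.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto { tcp udp } from $guest_net to $guest_gw port 53

# 2. Block guests from the work LAN (and any other private range) and log it,
#    so an attempt to cross from guest to work shows up in the firewall log.
block in log quick on $guest_if inet from $guest_net to $work_net
block in log quick on $guest_if inet from $guest_net to $rfc1918

# 3. Only after the blocks: let guests out to the Internet.
pass in quick on $guest_if inet from $guest_net to any
```

Rule order matters: if the `pass ... to any` rule were placed before the blocks, `quick` would let guest traffic into the work LAN and the block rules would never be evaluated.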

                      Ohhh. That's pretty. Very logical.
                      I also like the way it doesn't loop into itself like a snake with rabies eating its own tail. :D

                      It's a simple and straightforward layout.

                        doktornotor:

                        @mikeisfly:

                        Please don't take this the wrong way, but if I were you I would redo this whole thing for a number of reasons:

                        Oh, wonderful… Finally a network that makes sense.

                          bastardz:

                          @mikeisfly:

                          Please don't take this the wrong way, but if I were you I would redo this whole thing for a number of reasons:

                          Additional steps - if you don't have the ability to add any more NICs:

                          Thanks very much for your reply. This looks great.
                          However I have more WANs than I showed on my diagram.

                          I have 3 WANs: 2 ADSL and 1 WiMAX.
                          I skipped WiMAX because it uses a separate network card.
                          I have only 3 NICs in pfSense: one is for the SLM2008, one for the LAN SWITCH and one for WiMAX.

                          What do you think about this architecture:

                          ADSL
                          ADLS      VLAN->SLM2008 -> PFSENSE -> SLM2008 -> LAN SWITCH
                          WIMAX                                                      |
                                                                                          | VLAN
                                                                                      AP541N

                            mikeisfly:

                            Okay here is how it can be done:

                            1. Make VLAN 20 on the pfSense box.
                            2. Make an interface and attach it to VLAN 20 (this is called a VLAN interface).
                            3. Make VLAN 20 on your SLM2008 switch and add it to your tagged port 8.
                            4. Add VLAN 20 untagged to port 5 of your SLM2008 switch.
                            5. Connect the 3rd WAN connection to port 5 of your SLM2008.
                            6. Enjoy!

                            I guess you could use a switch as a WAN aggregate, as long as you make a new VLAN and VLAN interface for every connection. I know some ISPs' DHCP servers don't like to see the same MAC address across multiple connections; if this is the case for you then you can manually change the MAC address of your NICs (VLAN interfaces). Remember that every VLAN interface is going to have the same MAC address if tied to the same physical NIC. Just go up a bit in the address of the last byte. For example, if your last byte is :3F then make the next NIC (VLAN interface) :40 and you should be good. Just make sure that the ports connected to your modems are untagged and the port going to pfSense is tagged with all the VLAN members. If you follow the steps above you don't have to change anything in my drawing; just add the new VLAN and VLAN interface, connect your additional WAN and you will be good to go.

                            Please report back with your results.

                              mikeisfly:

                              One thing I forgot to mention (I assumed it): you should remove VLAN 1 from the ports where you don't want it after you assign the new VLAN to them, that way your WANs are on their own LAN.

                                bastardz:

                                Thanks a lot.
                                I considered buying another SLM2008 but I'll do it on one based on your description.

                                  bastardz:

                                  Works perfectly.
                                  Thank you all.

                                    mikeisfly:

                                    Cool, good stuff.

                                      bastardz:

                                      Hi. I have one more question.
                                      I have two AP541s in a cluster. Guest access works OK on the first floor because the AP541 is connected to the SLM2008 (exactly as you described).
                                      Guest access doesn't work on the 3rd floor because the AP541 is connected to the LAN SWITCH right now, and that is obvious.
                                      Before I buy another SLM2008 I want to ask you if the following architecture is correct.

                                      There is only one cable from the first floor to the third floor. There is no option to add another.
                                      I wonder if the tagged guest network will work and the guest network will see the pfSense interface.

                                        kejianshi:

                                        If the points that the AP541 are attached to are all VIPD set to a single VLAN they will all see each other fine as you have drawn it, as far as I can tell.

                                          mikeisfly:

                                          Yes, you will be good to go. Just make sure that the SLM2008 ports are tagged ports with all the VLAN members needed for the 3rd floor. Also, not sure how far apart the access points are, but remember the only channels that don't interfere with each other are 1, 6, and 11 at 2.4 GHz. If your switch is not MDI-X capable then you will need a cross-over cable from switchport to switchport.
