Guest VLAN setup

weap0nx

Hi guys,

I'm planning to set up a proper L2 VLAN for my Guest Wifi. I've drawn up a diagram which I hope makes sense. Could someone tell me if there are any issues with this setup?

I'd like all untagged traffic to default to VLAN 10 while guest traffic will be tagged VLAN 20. I've never used an EdgeRouter Lite before so I'm not sure if there are any issues with setting up the VLAN in this way, given that it's an L3 device.

0018_150126164434_001.jpg
 

zoneguard

Good luck... mixing different vendors - Mikrotik switches, Ubiquiti ERL and UAP.

They all have their own versions of networking terms and implementations of VLAN. I did it once. I don't think I want to try again and pull my hair out. I retired all the Mikrotik switches and the ERL too.
 

liangtam

UAP Controller allows you to isolate Guest directly without implementing the above under Restricted subnet in guest control. Unless you want it for other purposes.

Also, by default, ER will route all subnets if you don't apply fw but do the subnet method.
 

weap0nx

Thanks for the advice. Yeah, I'm using restricted subnet at the moment. I was looking at the firewall rules for it on the controller and it allows DHCP, DNS and ARP broadcast through the restricted subnet.
A guest can easily resolve all computers on the network, which is something I don't particularly like... I'd like real L2 isolation.

Yes, I know that it is necessary for the router to be set up to prevent routing between the two subnets, since by default it routes through all networks. There is no isolation by design.

I'm just wondering if it's possible to set up the ERL such that untagged packets on ports 1 and 2 are set to default VLAN 10, and likewise on egress, it's not tagged for VLAN 10. I'm not sure if this functionality is unique to an L2 smart switch.
 

weap0nx

Sorry, I have free time and am back to thinking about this.

I'm thinking that I would need to add a VLAN-capable switch between my non-VLAN-capable switch and the router?

Then clearly tag all normal traffic in transit around the network as VLAN10. Will it make any difference vs telling all switches to treat untagged traffic as VLAN10 (i.e. a default VLAN)? Can the router do this as well, i.e. treat untagged traffic as VLAN10?

Any advice? In terms of security, how good is my isolation?
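
Added example, not part of the thread and not any poster's configuration: an EdgeOS CLI configuration for the setup discussed above, in which untagged frames are handled by the parent interface, guest frames arrive tagged as VLAN 20 on a `vif`, and firewall rulesets stop the router from forwarding guest traffic to the LAN. The interface name `eth1`, both subnets and the ruleset names `GUEST_IN` and `GUEST_LOCAL` are assumptions.

```edgeos
configure

# Untagged frames on eth1 land on the parent interface. This is the
# "VLAN 10" LAN of the plan; mapping untagged traffic to VLAN 10 (PVID)
# is done on the switches, the router just sees it untagged.
# Assumed subnet: 192.168.10.0/24
set interfaces ethernet eth1 address 192.168.10.1/24

# Frames tagged with 802.1Q ID 20 on the same port land on the vif.
# Assumed guest subnet: 192.168.20.0/24
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24

# Guest traffic being routed through the router:
# allow replies to sessions opened from the LAN side, drop anything
# else addressed to the LAN subnet, let the rest (internet) through.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination address 192.168.10.0/24

# Guest traffic addressed to the router itself:
# only DHCP and DNS, so guests cannot reach the management UI or SSH.
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 67
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol tcp_udp
set firewall name GUEST_LOCAL rule 20 destination port 53

# Attach both rulesets to the guest VLAN interface.
set interfaces ethernet eth1 vif 20 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 20 firewall local name GUEST_LOCAL

commit
save
exit
```

Any switch between the router and the access point has to carry VLAN 20 tagged on the ports along that path for the guest frames to reach the `vif`.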
 