VLAN setup with router/switch/AP

Johnny2713

Hey SNB community !

I've been following things around here for a few months now, and I finally decided to upgrade my network from an old wireless router to a router + switch + Wifi AP combination !

I just received an EdgeRouter Lite (Ubiquiti) router, the TL-SG1024DE (TP-link) switch and the EAP900H (Engenius) wifi AP.

I provide internet access to both my apartment and my neighbours, so the config I'm trying to create is a bit weird :
My neighbours only need Wi-fi, whereas I need both wifi+wired access.

With that in mind, I was trying to achieve the following setup :
Create 2 VLAN's, one for me and the other for my neighbours. They only need Wifi, and I bought this AP to use the SSID to VLAN mapping.

Most ports on the switch would be mapped to my VLAN (even though I'm also trying to have a few on the neighbour's VLAN just to debug the whole thing).

With that, I'd like to map each VLAN to a different subnet (I'd get 192.168.20.0/24 while the neighbours get 192.168.30.0/24) for example.

On the router :
eth0 : WAN
eth1 : LAN (switch+wifi)
eth2 : secondary LAN (mostly for managing the router at the moment?)

On the switch:
1-4 : "trunk" ports (switch, wifi AP, 2 empty ports in case I need them)
5-8 : neighbour VLAN
9-24 : personal VLAN

I set the 802.1Q assignments on the switch (see screenshots) and created 3 VLAN interfaces on eth1 on the ERLite. I've got all the associated DHCP servers as well (Do I really need to have all those DHCP ?)

Now the problem is that no matter where I plug an ethernet cable on the switch, I'm getting the IP in the subnet of the eth1 interface, not the VLAN interfaces...

I haven't even unboxed the WIFI AP, I'm pretty sure that it's not going to help me right now if I don't get those VLAN right ^^

Here's my ERLite config : http://pastebin.com/9XXXgPJ8
I've got screenshots of the switch config attached.

I guess right now I'm just stuck with the VLAN setup, I'd greatly appreciate some help there.
One thing I can't figure out is whether I need to set up a "management" VLAN (VLAN10 in this case) to put the switch on ? Also, I can't edit the VLAN1 on the switch, it's got ports 1-24 as untagged... Is this an issue ?

Thanks a lot for any help :)

Cheers !
 

Attachments: TL-SG1024DE.png, TL-SG1024DE_pvid.png

And here are screenshots from the interfaces + DHCP settings of the ERLite if that helps

Thanks again :)
 

Attachments: EdgeOS_-_EdgeRouterLite_hdcp.png, EdgeOS_-_EdgeRouterLite.png

A couple of things to think about: your switch is a layer 2 switch, so the IP mapping will have to happen in the router. If you had a layer 3 switch you could map the IP addresses in the switch. The EdgeRouter Lite has some examples for a guest network. This might be the easy way. Use one network for your neighbors and one for yourself. This will require 2 wireless devices. Mapping SSIDs to different VLANs is going to require you to set up a trunk port on the EdgeRouter Lite, which may be easy to difficult. I don't know the EdgeRouter Lite.
 
Hi coxhaus,

Thanks for your answer !
I was indeed thinking of re-purposing my older wifi router and attaching it directly to the Edgerouter, on one subnet.
I could then use the switch + new wifi AP on a second subnet and isolate the two.
The problem with that is that it does not really scale... What if for whatever obscure reason I wanted to add a another isolated wifi ?
Also, I bought a nice wifi AP, my neighbours are pretty cool so it would be selfish of me not to give them a good wifi experience ;)

Last but not least, I wanted to learn about VLAN and advanced networking in general, which is why I went that route. I'm a curious guy !

I'm aware of the Layer 2 vs 3 switch, but it should support 802.1Q VLANs which is I believe exactly what I need ? By creating one VLAN per tenant, and then naturally assigning different subnets to the VLANs, I end up isolating them.

My problem is that I can't quite figure out how to organize the network architecture here. The switch is managed and has its IP : should I use DHCP from the router to assign that or do I manually assign it from the switch ? Where should this IP go (which subnet ? which VLAN if that applies ?)

I need a trunk between the router and switch, and between the switch and the wifi AP but this is where I'm stuck.

This is frustrating, I have a rough idea of where to go but can't seem to figure out the details of it :)

Cheers !
 
I have an EdgeRouter Lite at home and TP-Link managed switches, so maybe I can help. At first glance the problem I see is that you have a default VLAN on the switch that includes all ports untagged. This matches up with the default VLAN on the ERL on Port1. I assume you're getting a 192.168.1 address handed out on all ports of the switch?

EDIT: Actually, after looking at it further, it really should not matter about the default VLAN since you have your PVIDs set to what appears to be correct for their VLAN. I will look into it more.
 
Hi Abailey,

Glad I'm not the only one in this situation :)

Yes, all ports on the switch are getting a 192.168.1.xxx IP. I did manage to get a 192.168.20.xxx IP twice, but every time, when changing ports (to test all ports), it reverted to 192.168.1.xxx. I never got a 192.168.30.xxx IP.

I'm wondering if the switch's IP matters ? Shall I assign it to 192.168.1.2 directly or should I let it get an IP from the ERLite's DHCP ?
This is a more generic question I guess : when you setup VLANs in your network, where do you put (VLAN/subnet) your VLAN-aware equipment ?

At first glance the problem I see is that you have a default VLAN on the switch that includes all ports untagged.
I'm also wondering if this is an issue ? I hope it shouldn't, because I can't edit that VLAN (it's there by default)...

Thanks for your help :)
 
If you don't figure it out by tonight I will try to replicate your setup when I get home. I am currently not using my ERL so I can use it to test, and I just got in a small 5port TP-Link easy smart switch I can use to test with. My other TP-link switches are the Smart Switch series where you are able to change the default VLAN (though I really think that is not the problem). Anyway the little 5 port Easy Smart should work fine for testing.
 
Thanks a lot !
When I get home I'll also try to reset the ERLite to its default and add VLANs progressively.

I'm wondering if the switch's IP matters ? Shall I assign it to 192.168.1.2 directly or should I let it get an IP from the ERLite's DHCP ?
This is a more generic question I guess : when you setup VLANs in your network, where do you put (VLAN/subnet) your VLAN-aware equipment ?

Any chance you'd have some insight on that ? This resource basically states to put everything on a "Management" VLAN : http://www.rockwellautomation.com/rockwellautomation/news/the-journal/exclusive/2014/march6.page

So basically, I'd have on the ERLite
eth0 : ISP-provided IP/gateway/DNS

eth1 :
VLAN10 : Management, 192.168.10.XXX : the switch (and later the WIFI AP) should be there. Do I manually put the switch there ? I have a feeling that just assigning it to an 192.168.10.XXX IP is not enough to put it in a VLAN... VLANs are a layer 2 thing while subnets are a layer 3 thing, right ?
VLAN20 : Personal , 192.168.20.XXX : all my wired, VLAN-unaware equipment + my wifi SSID
VLAN30: Neighbours, 192.168.30.XXX : the neighbours' SSID ( + a few ports on the switch just to debug/config)

Do I still need to assign a 192.168.1.XXX IP to the interface ? Do I create the associated DHCP ?

eth2 :
No VLAN, 192.168.2.XXX : just if I want to directly connect to the router, pretty handy when doing configuration

I've got so many questions it's embarrassing :(
 
Hello abailey & Johnny:
This is an old thread... but I don't see a conclusion. It is nearly identical to what I am presently attempting (mine is a bit more simple):
I have a single VLAN (eth2.30); eth0 is WAN, eth1 is dedicated and isolated to VOIP; eth2 is for data. I have a "smart" TL-SG108E switch... and I have configured the VLAN configuration for isolating ports 1 and 2 as a "Guest_VLAN", port 8 as the connection to the ERL, and ports 3-7 as "Computer_VLAN". I have 2 questions similar to those posted above: 1) how do I assign the switch VLAN ports (1&2) to the ERL VLAN eth2.30? 2) Am I ok with not having a second VLAN identified on the ERL (just use eth2) for the other isolated port traffic (switch ports 3-7)? I appreciate the advice and recommendations.
 
Hey Jeff maybe I can help. It looks like you also have posted over on the TP-Link forum but have not got an answer there yet either.
Ok first it would help if you could post screen shots of your 802.1q setup from your switch. Since I don't have those screen shots I will do the best I can to try to explain (at least how I would do it).

Ok so the first thing is your VLAN id must be the same on the switch and on the ERL. So if you use VLAN ID 30 on the ERL then you need VLAN ID 30 on your switch for your guest network. Your 1&2 ports would be untagged members of VLAN 30 with a PVID of 30. Ports 3-7 could stay in the default VLAN with a PVID of 1. Port 8 needs to be a Tagged member of both the default VLAN and VLAN 30. The PVID on port 8 can be 1.
Now over on the TP-Link forum you mentioned (if that is indeed you) something about LAG on ports 1&2. I cannot see what your guest network is connecting to so I can't see why you need LAG. LAG and VLANs are separate things with different purposes. LAG is used if you are going to try to combine the bandwidth of two ports. If you're not trying to combine them then turn LAG off.
 
Hello abailey!!
I very much appreciate your advice and feedback. Yes, that was my post over at the TP-Link forum also... thank you!

So, I have followed your advice explicitly: TL-SG108E switch set with a VLAN 30 and PVID 30 with ports 1-2, 8 with 8 tagged and 1-2 untagged.
Problem: the default VLAN 1 will not allow me to adjust the tagged/untagged ports. It has default 1-8 as untagged. So I am unable to change it to a tagged port 8. ??? Recommendation?

Yes, removed all LAG. PVID 1-7 is at 1; PVID 8 is at 30.

TL-SG108E_config1.JPG
TL-SG108E_config2.JPG
 
ERL_config1.JPG
 
Ok I have one of the exact same switches you are using. I see that it won't let you change anything on the default VLAN. Have you tried it as is? Because it is the default VLAN port 8 should pass the traffic to the ERL's default VLAN on Eth2. In other words I think it should work like you want without having port 8 Tagged in VLAN1, with just the changes you have already made.
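
The port table discussed in the posts above (VLAN 30 on ports 1-2 and 8, default VLAN 1 locked as untagged on ports 1-8), modelled as an added example that is not code from the thread or from TP-Link. It assumes standard 802.1Q bridge semantics; `classify`, `flood` and `leaks` are hypothetical helper names.

```python
# 802.1Q port model (added example; standard VLAN-aware bridge semantics assumed).
# The table mirrors the thread's TL-SG108E setup: VLAN 1 cannot be edited, so
# every port stays an untagged member of it.
UNTAGGED, TAGGED = "U", "T"

VLANS = {
    1:  {p: UNTAGGED for p in range(1, 9)},      # default VLAN, locked by the switch
    30: {1: UNTAGGED, 2: UNTAGGED, 8: TAGGED},   # guest VLAN, port 8 is the uplink
}
PVID = {1: 30, 2: 30, 3: 1, 4: 1, 5: 1, 6: 1, 7: 1, 8: 1}


def classify(port, tag=None):
    """Ingress: untagged frames take the port's PVID; tagged frames keep their
    VID but are dropped (None) unless the port is a member of that VLAN."""
    vid = PVID[port] if tag is None else tag
    return vid if port in VLANS.get(vid, {}) else None


def flood(port, tag=None):
    """Egress of a broadcast: {out_port: VID on the wire, or None if untagged}."""
    vid = classify(port, tag)
    if vid is None:
        return {}
    return {p: (vid if mode == TAGGED else None)
            for p, mode in VLANS[vid].items() if p != port}


def leaks(uplink=8):
    """Access-port pairs where a broadcast crosses a PVID boundary."""
    found = []
    for src in PVID:
        if src == uplink:
            continue
        for dst in flood(src):
            if dst != uplink and PVID[dst] != PVID[src]:
                found.append((src, dst))
    return found


if __name__ == "__main__":
    print("guest port 1 ->", flood(1))
    print("LAN port 3   ->", flood(3))
    print("router VID 30 on port 8 ->", flood(8, tag=30))
    print("cross-VLAN reach:", leaks())
```

In this model guest frames reach only port 2 and the tagged uplink, while broadcasts entering on ports 3-7 also egress ports 1-2 because those ports remain members of VLAN 1. A packet capture on a guest port is the way to confirm whether the real switch behaves the same.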
 
Also remember on the ERL I believe it automatically routes between VLANs. If you don't want the guest VLAN to see the other VLANs you may have to change the firewall rule a little. It has been a while since I have used the ERL so I can't remember exactly. Just remember to test to see if the guest VLAN can see your other VLANs.
 
Sorry for the typo... Yes, PVID 8 is at 1; yes, I have tested the system as is... all works with one exception:
ERL: WAN is on eth0, eth1 is an isolated LAN for VOIP; has priority. eth2 has one VLAN 30 established (eth2.30).
TL-SG108E: as above. VLAN 30 set with PVID 30. Yes, this works, communications with PC on switch with Port 1&2 go to ERL eth2.30 (as seen by tests and observation on the ERL desktop bandwidth usage). Yes, VLAN 30 is isolated from all other LANs and yes, it has access to the WAN (internet).

Remaining problem: I do not have internet connectivity from ports 3-7 on the switch... I attempted to create another VLAN "8" on the switch, and have it tagged... but this did not resolve the internet capability problem on the ports 3-7. SO, I am led to question the ERL configuration:

As envisioned, these 3-7 switch ports are NOT assigned to a VLAN, and should use the ERL eth2 LAN... perhaps this is a misunderstanding as to how the ERL works... I have created one VLAN (30) and isolated it... (and successfully directed switch ports 1&2 to use this ERL VLAN). Do I need a second VLAN (say 20) in order to use the "rest" of the eth2?? Asked another way: if one creates a VLAN on the ERL, is it a misconception that one can still use the LAN "outside" of the VLAN? .... So, do I need to go back to the ERL, establish a second VLAN, and then set the switch ports 3-7 onto this VLAN?

... as for the TL-SG108E, I don't see any other mechanism for change to solve the immediate port 3-7 internet connectivity...
 
That's a good question. In theory you should be able to use Eth2 without specifying a VLAN as the ERL should put all non tagged traffic into the default VLAN for that interface. Since your port 8 is carrying both tagged and untagged packets, one would think the Tagged packets for VLAN30 would go there and the untagged packets would simply go to the default VLAN on Eth2 as if you were using it without any other VLANs. But theory and practice are not always the same. So the answer is I really don't know. For that answer you may have to go over to the Ubiquiti forum and ask it there (under the Edgemax section).
It will work if you created another VLAN on the ERL, like VLAN id 20 on Eth2 and then created VLAN id 20 on the switch. After that assign 3-7 as untagged on VLAN20 (PVID20) and 8 as Tagged on VLAN 20.
But I really think it should work without that, I am just not sure how to get the ERL to do it.
 
OK, my problem is resolved by brute force technique: I simply made a separate VLAN 20 on the ERL as per your comment... everything is isolated, everything has access to the internet... I am good. (I don't know the answer to the basic ERL question regarding the eth2 outside of the VLAN... but I have a working solution.)
Thanks abailey for your assistance! I greatly appreciate your time and clarification.
 
It almost sounds like you locked yourself out of your switch. When you created your VLAN 20 did you create a new subnet? One that is different than the subnet your switch is in? Since you have changed all your PVIDs away from the default VLAN1, you will not be able to see your switch if the IP address of your switch is in a different subnet. Does this make sense? Your switch needs to have an IP address in the same subnet as VLAN20. (I think, unless it is getting turned around in my mind, lol)
 
