I thought I had a fairly decent grasp of how VLANs are supposed to work, but I am running into a wall and would appreciate some advice. I help manage the network for a church in my area. Every service is streamed live online via Facebook Live and other similar sources. We only have a 25 Mbps internet connection with Comcast, so I'm trying to split the network up into VLANs for the purpose of bandwidth management, content filtering, etc.
All traffic in/out of the network goes through our Comcast cable modem, which is connected to the WAN port of our SonicWALL TZ400 firewall. The LAN port of SonicWALL connects to port 1 of a TP-Link T1600G-52TS (TL-SG2452) switch. From there we have a fiber connection (port 52) to another identical switch on the other side of the campus. Switch 2 has a Linux server on port 3 running DHCP, DNS, and the UniFi controller software. The UniFi access points are connected to various ports on both switches. The WiFi network has two SSIDs: one for staff, and one for members/guest access.
What I would like to do is isolate the guest SSID onto its own VLAN (with separate DHCP scope). I created the VLANs on both switches (ID 10 for wired/wireless staff, ID 20 for guest), tagged both VLANs on the fiber uplink ports, and untagged the AP ports.
Everything seemed to be working fine at first. All devices could pull DHCP addresses from their respective subnets with no problem, the staff devices could all communicate with each other, and the guest wireless clients were all isolated. However, nothing could get out to the Internet. It seems like I may have a routing issue somewhere, because I can't ping outside the network from any device. I just can't seem to track down where my issue is. Since I don't really have a "router" in place so to speak, do I need to configure the VLANs on the SonicWALL so that it can act as a router? I would greatly appreciate any assistance you guys can offer.
Thanks in advance!
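Added example, not from the original post: a small Python model of the topology described above that, for each VLAN, traces whether a frame leaving switch 1 port 1 can reach a routed interface on the SonicWALL. It assumes that port 1 and the firewall's LAN interface currently use VLAN 1 untagged and that the firewall has no 802.1Q sub-interfaces; both are assumptions, since the post does not state them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    untagged: int                        # PVID: VLAN carried without an 802.1Q tag
    tagged: frozenset = frozenset()      # VLANs carried with a tag (trunk)

@dataclass(frozen=True)
class Firewall:
    native_vlan: int                         # VLAN the untagged LAN interface belongs to
    subinterfaces: frozenset = frozenset()   # 802.1Q sub-interfaces, one VLAN ID each

# Constructed from the post: VLAN 10 staff, VLAN 20 guest, VLAN 1 default (assumed).
SITE_VLANS = {1, 10, 20}
# Fiber uplink between the two switches, as described: both VLANs tagged.
FIBER_UPLINK = Port(untagged=1, tagged=frozenset({10, 20}))

def gateway_status(sw1_port1, fw):
    """Explain, per VLAN, whether its frames reach a routed firewall interface."""
    status = {}
    for vlan in sorted(SITE_VLANS):
        if vlan != FIBER_UPLINK.untagged and vlan not in FIBER_UPLINK.tagged:
            status[vlan] = "not carried across the fiber uplink"
        elif vlan == sw1_port1.untagged:
            # Frame leaves the switch untagged; the firewall treats it as its native VLAN.
            status[vlan] = ("routed via native interface" if fw.native_vlan == vlan
                            else "arrives untagged but firewall treats it as VLAN %d" % fw.native_vlan)
        elif vlan in sw1_port1.tagged:
            # Frame leaves tagged; the firewall must have a sub-interface for that tag.
            status[vlan] = ("routed via sub-interface" if vlan in fw.subinterfaces
                            else "arrives tagged but firewall has no sub-interface for it")
        else:
            status[vlan] = "dropped: switch port toward firewall is not a member"
    return status

def unrouted(sw1_port1, fw):
    """VLAN IDs that have no default gateway under this configuration."""
    return sorted(v for v, s in gateway_status(sw1_port1, fw).items()
                  if not s.startswith("routed"))

if __name__ == "__main__":
    as_posted = unrouted(Port(1), Firewall(1))                      # [10, 20]
    fixed = unrouted(Port(1, frozenset({10, 20})), Firewall(1, frozenset({10, 20})))  # []
    print("unrouted as posted:", as_posted, "| after tagging port 1 + sub-interfaces:", fixed)
```

Once the firewall routes both VLANs, it also becomes the only thing keeping guest and staff apart, so the guest-to-staff direction needs an explicit deny rule on the firewall rather than relying on the switches.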