VLAN: Are wireless clients "the same" as wired?


BCSteve

Regular Contributor
I'm trying to understand vlan. Say I have an 8-port vlan switch. Port 1 has the cable modem (ISP), port 2 is a router, ports 3-7 are PCs, server, printer, whatever... and port 8 is a WAP. Connected to the WAP are some untold number of potential clients.

OK, so in the VLAN setup I can define what has access to what based on ports and the router (magically?) handles the traffic. So I say that Port 8 (WAP) has access to the Internet and, for example, the printer... but not anything else. Does that automatically extend to all the clients attached to the WAP?

Now let's extend that further. One of the clients of the WAP is a wireless bridge. On the end of that bridge is another router and it has wired and wireless clients on a different subnet. Do THOSE clients still inherit access to the printer and Internet by virtue that they are "downstream" of the authorized WAP?

Thanks.
 
When it comes to vlans and routing there is no magic and no inheritance. It is all setup with detailed configurations.

Think of vlans as separate switches. When you turn on routing with vlans it is like plugging the cable from one switch into another switch. They all then have access to each other on both switches.

Consumer level routers and switches have limited abilities compared to pro model routers and switches. When it comes to consumer level gear you need to check closely at what features you will need.
 
Well yeah, equipment-specifics aside though...

If vlans are like separate switches, then why doesn't it inherit? If I had a switch and that switch had internet access then so do all the devices plugged into the switch. So if the vlan that the AP is on has access to (for example) the printer, why wouldn't all the devices attached to the AP?

I'm not arguing... let's be clear. I want to understand.
 
Yeah, I figured. The AP and bridges I'm looking at specifically mention support for vlan tagging.
 
I have a feeling "Ablion" is a spam-bot. Look at his vague-not-really-constructive posts. I run several forums and have seen many similar types of posters that almost always turn out to be harvesters. I'd report it but I don't see how to do that.

These types are clever as they seem almost believable as humans. But watch this:

Hey Albion... you a human? (not holding my breath)
 
OK, so in the VLAN setup I can define what has access to what based on ports and the router (magically?) handles the traffic. So I say that Port 8 (WAP) has access to the Internet and, for example, the printer... but not anything else. Does that automatically extend to all the clients attached to the WAP?
The router doesn't magically make a VLAN setup work exactly the way you want it. Most consumer/ prosumer models don't even support VLANs. Assuming the router does support VLANs, then you will need to manually configure the firewall and forwarding/ NAT rules to make everything work especially for inter-subnet routing.

Now let's extend that further. One of the clients of the WAP is a wireless bridge. On the end of that bridge is another router and it has wired and wireless clients on a different subnet. Do THOSE clients still inherit access to the printer and Internet by virtue that they are "downstream" of the authorized WAP?

Yes and no. Yes, the clients behind the router can connect to resources upstream (if not otherwise blocked with firewall rules) but whether it's of any use to them really depends on your wireless router's configuration.
If it's a NAT, some services like CIFS won't work properly (if at all) but a printer may still work if connected via IPP/ WSD.
If it's purely doing inter-subnet routing, then your firewall rules will determine what is accessible and what is not.

It might be easier to state what you actually hope to achieve to get a better answer.
i.e. Are you looking to set up a wireless bridge and hope to allow clients behind it to utilize resources upstream or do you actually wish to block them? Or perhaps you are providing wifi access to guests/ tenants and anticipate that they would utilize a bridge and need to restrict that?
 
More than anything, I was just trying to learn. I read about "router on a stick" in several tutorials and, get this, NONE of them say the router has to support vlan. It just said to use a vlan-enabled switch and plug "a router" into one of the ports. That's where the implied "magic" came from in my question. That didn't make a lot of sense, but what do I know? I've since determined that yes, the router does need to support 802.1q... and that's a fairly rare thing in and of itself.

I am getting a better picture of it, I think, but still have a lot to go.

To answer your question: what I'm really trying to do is share my Internet access in the main house with several outbuildings on our farm, wirelessly. While at the same time, however, not wanting every building to appear to be on the same network. For example, the guesthouse I would want to behave like their own little world where they can't see other computers on the network (but can surf the web) and I can't see them. Same with the seasonal employees that work/live in another building... they want Internet but I don't want them snooping. On the other hand, some buildings I want to treat as extensions to the network. I was toying with the idea of having a server for [yet unknown uses] that all could make use of. Same with, perhaps, printing.

A lot of it is up in the air, so it's hard to give concrete answers. My goals, in other words, may shift with complexity and/or cost. For example: Say it's one thing to get everyone Internet access but it becomes the next SETI for sharing a printer... well, ok forget the printer. But if it's easy (and controllable over who does and who doesn't) then sure, why not? Get what I'm saying?

Anyway, my searching brought me to VLANS and that got me reading a bunch and wanting to know more... so I came/posted here when I hit a gap between what I was reading and what I was understanding.

I *think* I now get that (given appropriate equipment), the clients downstream of the WAP get "tagged" with their vlan info so switches/routers upstream can handle them. Is that the gist?
 
While at the same time, however, not wanting every building to appear to be on the same network. For example, the guesthouse I would want to behave like their own little world where they can't see other computers on the network (but can surf the web) and I can't see them.
I can think of some ways to do this
1. VLANs - using a VLAN capable router and each switch has to be configured for such.
2. independent subnets by building, and put static route table entries in the router to route certain subnets only to the WAN and internet. This is a major PITA.

Doing it within WiFi via AP based things is too hard.
 
If you want to set up your system with wireless vlans to separate traffic then you will need wireless APs which support vlans. The APs will assign your users to the appropriate vlan for separation. You will need your switches set up with trunking so they can pass multiple vlan traffic back to the main router. You will need to turn on routing between vlans for server access. Then use access lists to block all intervlan traffic except for the server. I would use Microsoft DHCP with a scope for each vlan network. You will need to turn on DHCP relay for DHCP to pass to all networks.
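As an added illustration of the tagging-plus-access-list idea in the post above (this is not code from the thread or from any vendor's firmware), the following Python parses the 802.1Q tag that a VLAN-aware AP puts on a client's frame and then applies a per-VLAN policy modelled on the farm layout in the thread. The VLAN numbers, the policy table and the sample frames are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame

# Constructed per-VLAN forwarding policy (assumption, not from the thread).
# 10 = main house, 20 = guesthouse, 30 = seasonal staff, 99 = shared server/printer.
# "wan" stands for the Internet-facing interface. Each set lists where a frame
# classified into that VLAN may be routed; everything else is dropped by the ACL.
POLICY = {
    10: {"wan", 20, 30, 99},   # main house may reach every building and the server
    20: {"wan", 99},           # guesthouse: Internet and shared server only
    30: {"wan", 99},           # seasonal staff: Internet and shared server only
    99: {10, 20, 30},          # server VLAN answers any building (stateless model)
}


def parse_8021q(frame: bytes):
    """Return (vid, pcp, ethertype, payload) for a tagged frame, or None if untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None  # untagged: a switch would assign the port's native VLAN (PVID)
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13            # 3-bit priority
    vid = tci & 0x0FFF         # 12-bit VLAN identifier
    return vid, pcp, ethertype, frame[18:]


def build_8021q(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as a VLAN-aware AP or trunk port would."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def inter_vlan_allowed(src_vid: int, dst_vid) -> bool:
    """The 'access list': default deny unless the policy table permits it."""
    return dst_vid in POLICY.get(src_vid, set())


def route_frame(frame: bytes, pvid: int, dst_vid):
    """Model a router-on-a-stick: classify the frame into a VLAN, then apply the ACL."""
    parsed = parse_8021q(frame)
    vid = pvid if parsed is None else parsed[0]
    return vid, inter_vlan_allowed(vid, dst_vid)
```

Untagged frames are deliberately classified into the port's PVID rather than rejected, because that is how a switch treats a legacy AP that does not tag.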
 
Three routers in a "Y" configuration?

One router (primary) would be connected to the ISP, the other two routers' WAN ports connected to the primary's LAN ports. Two totally separate networks hassle free (although there may be some added cost).
 
I *think* I now get that (given appropriate equipment), the clients downstream of the WAP get "tagged" with their vlan info so switches/routers upstream can handle them. Is that the gist?

The short of it, yes. That's pretty much the idea if you can afford the equipment to do this.

It's also the method that provides you with a centralized point of management (the upstream router).

Another method would be to have a multi-port router at the upstream segment and use cheap wireless access points or routers downstream.
i.e. Each 'lan' has a Wifi router connected to it and the respective building has another wifi router each connected back to the main via WDS bridging.

This allows you to create several isolated networks on the main router and use cheap wifi routers/ access points simply as 'links' via WDS bridging. Another advantage over an enterprise/ biz grade access point with VLANs would be that the wifi bandwidth isn't shared amongst the buildings.
The disadvantage would be that your own devices that are authorized on the main network would be isolated when you bring them to these locations.
 