VLAN configuration on a "smart" switch for a guest WiFi network

[+Fahim S. MVC]

So I finally got round to buying a proper access point (Unifi nanoHD), which is capable of having multiple SSIDs, mapped to VLANs.  I have a "smart" switch (TP-Link TL-SG2008), and a PFSense based firewall (SG2220).

 

Assuming that:

1) The AP is connected to the switch on port 1

2) The firewall is connected to port 8

3) There a bunch of other "trusted" devices on the other 6 ports.

4) I want my "trusted" network to run on VLAN 11.

5) I want my "untrusted" network to run on VLAN 99.

 

Is it right that I?

Set up a "trusted" SSID on the AP, which is on VLAN 11.

Set up an "untrusted" SSID on the AP, which is on VLAN 99.

Set up port 1 on my switch to preserve VLANs

Set up port 8 on my switch to preserve VLANs

Set up ports 2 through 6 to tag packets on entry with VLAN 11 and strip VLANs on the way out

 

Does anyone know how to achieve the configuration on my particular switch?

Also what changes do I need to make to pfSense to treat the VLANs as logical interfaces, each with their own subnet, DHCP ranges, internet access and prevent any routing between them?

 

Is there a specific sequence I need to do this all in so I don't lose connectivity to the various components whilst I make the changes?

[sc302 Veteran]

In your pfsense config, you will want to create your vlans.  What you will do is create a rule to block traffic coming from your guest vlan to your private vlan, it will be able to communicate with all other networks.  

 

You will trunk your vlans on a port (usually you just have to enable trunking, but you can tell it to include those vlans on that trunk port) to the switch.  You will probably have to configure the switch port that is coming from pfsense to trunk.  You will have to configure the switch with the vlan id's that are coming from the pfsense router.  Then you can assign those vlans to ports.  

 

If you have a AP that is vlan capable (**cough** ubiquiti **cough**), you would trunk all of the vlans to that and make your AP default to the private vlan or a management vlan of some sort (so add another vlan for management of devices that can only have source traffic come from your private vlan, another pfsense access control list) to manage networking devices.  Then you can have your AP host both the Guest VLan via a Guest SSID and your Private vlan via Private SSID.

 

 

Draw it out on paper first on how you want things to work.  It will then become clear to you what you have to do and if you will or will not experience an outage.  Understand that you will probably have 1 lan  for internet traffic to go across, 1 lan for house, 1 lan for guest, if any guest or house will need to share devices like printers, another for printers/shared devices, and maybe for the hell of it one for IoT devices.  (fyi, I don't see a way to not have an outage of some sort...you can create the networks and test, but when you move devices over to the new LANs they may have to reboot).

 

[+BudMan MVC]

On 5/24/2019 at 2:33 PM, sc302 said:

Draw it out on paper first on how you want things to work.

This is very good advice... This will allow you to understand exactly what has to be done, and where.

[+Fahim S. MVC]

Here, if you'll excuse my artist's rendition...

 

[sc302 Veteran]

And vlan 2 (or whatever vlan....could be vlan1 but that is just lazy) going between modem and router. Internet traffic isolated on its own vlan to not mix secured from unsecured devices. 

[+Fahim S. MVC]

1 minute ago, sc302 said:

And vlan 2 (or whatever vlan....could be vlan1 but that is just lazy) going between modem and router. Internet traffic isolated on its own vlan to not mix secured from unsecured devices. 

Can you explain that?  Given that the modem is ISP provided, with no control whatsoever in terms of VLANs, how would I achieve this?

[sc302 Veteran]

The isp goes into the router. Whatever that is it is a Vlan or untrusted network.  This would be an untagged port. If we are treating this as an outside/untrusted network on a firewall/router nothing else is needed to be done.  

[+BudMan MVC]

Your drawing is fine.. So both of those vlans are tagged or is one native (untagged) and the other tagged?  At the switch and router? Either way works.

[+Fahim S. MVC]

31 minutes ago, BudMan said:

So both of those vlans are tagged or is one native (untagged) and the other tagged? 

Is one of these choices better than the other? If I choose to leave one untagged, would it be the trusted or guest one?

 

32 minutes ago, BudMan said:

At the switch and router? 

Don't understand this question.

 

The picture is meant to be of what I want to end up with, not what I have right now (single SSID, no tagging at all anywhere)

[sc302 Veteran]

16 minutes ago, Fahim S. said:

The picture is meant to be of what I want to end up with, not what I have right now (single SSID, no tagging at all anywhere)

tagging/untagging is how switches work.  an untagged port is an access port.  An access port is an endpoint port where a device on the other end is essentially dumb and doesn't know the difference between tagged and untagged traffic.

 

Tagged is how a trunk works, this allows the port to encapsulate all of the vlans you choose on a single port.  You can have a native vlan (untagged) and several encapsulated vlans (tagged) on a single port that connects to a switch that can decipher this type of traffic (known also as 802.1Q).  

 

For your ap to work, it will have one port.  That one port can support all of the vlans you want to send over to the AP.  You can have the AP on both a tagged and untagged port...the tagged vlan will be the guest vlan and the tagged/untagged vlan will be your secured vlan.  just like in your picture.  

 

You need to understand the terminology, that is all.  If you don't know ask, don't assume that you aren't tagging anywhere, you have to tag for vlans to function across a single port.

 

edit: so you don't get confused, and being that budman has more time with helping, I will let him work with you.  If you get stuck or need simpler explanation please ask.

[+BudMan MVC]

As to tagged or untagged doesn't matter which... Its just how you set it up.. Its normally more intuitive on say your router where the actual physical interface network is left untagged.  Vs not putting any network on the physical interface, and only enabling vlans that run on that phy interface.

 

As to switch and router, this is where native or untagged vlan will come in to play. For example out of the box on a switch the vlan 1 is untagged. 

 

On your AP if you do not set a vlan for an SSID, then it would be native untagged... And that would be need to be set on the switch port the AP is connected too.  If you tag both SSIDs on AP with vlan IDs then you would have to set them as tagged on the switch port the AP is connected too.

 

On the interface to the router same thing - if you set both as tagged vlans on your router, then they would both have to be tagged on the switch port that connected to your router.

 

On a port that carries more than 1 vlan, only 1 could be untagged (native) all other vlans would have to be TAGGED... Or all of them could be TAGGED... All depends on the device your connecting to that switch port and how its configured for native or all tagged, etc.

 

To be honest I think tag and untagged is what confuses the most new users to vlans.

[+Fahim S. MVC]

11 minutes ago, sc302 said:

edit: so you don't get confused, and being that budman has more time with helping, I will let him work with you.  If you get stuck or need simpler explanation please ask.

Thanks for the offer (I genuinely am grateful), but with the very greatest respect I never find your explanations very "simple".

 

[sc302 Veteran]

4 minutes ago, Fahim S. said:

Thanks for the offer (I genuinely am grateful), but with the very greatest respect I never find your explanations very "simple".

 

Interesting, but ok.  I do take great pride to simplify things, but completely understandable.  Everyone has different understanding levels, some people require many different approaches until they finally understand (or think they do). 

[+Fahim S. MVC]

21 minutes ago, BudMan said:

As to tagged or untagged doesn't matter which... Its just how you set it up.. Its normally more intuitive on say your router where the actual physical interface network is left untagged.  Vs not putting any network on the physical interface, and only enabling vlans that run on that phy interface.

 

As to switch and router, this is where native or untagged vlan will come in to play. For example out of the box on a switch the vlan 1 is untagged. 

 

On your AP if you do not set a vlan for an SSID, then it would be native untagged... And that would be need to be set on the switch port the AP is connected too.  If you tag both SSIDs on AP with vlan IDs then you would have to set them as tagged on the switch port the AP is connected too.

 

On the interface to the router same thing - if you set both as tagged vlans on your router, then they would both have to be tagged on the switch port that connected to your router.

 

On a port that carries more than 1 vlan, only 1 could be untagged (native) all other vlans would have to be TAGGED... Or all of them could be TAGGED... All depends on the device your connecting to that switch port and how its configured for native or all tagged, etc.

 

To be honest I think tag and untagged is what confuses the most new users to vlans.

OK... but in my switch I can set a port (on a per VLAN basis) as Untagged, Tagged, or Not Member. I can also give a port a PVID.  The switch doesn't have an option to set a port as an access port or trunk as such. 

 

I am pretty sure that for VLAN 99 I want to set port 1 and 8 as tagged and the others as Not Member. 

 

But what do I do for VLAN 11? Set them all to Tagged? What PVID should they have?

 

 

[+BudMan MVC]

So if you put a port in vlan 11, and your going to connect a computer to it then that would be untagged 11 with pvid set to 11... This tells the switch when it sees untagged traffic coming into that port that its vlan 11.

 

When you connect say your router that is using untagged (native interface on the router) and you want that as 11, then same thing untagged 11, pvid 11

 

For the vlan 99 which you run on top of that physical interface, on the switch port it would add tagged 99.

 

For your access point same sort of thing.. if you do not put a vlan ID on one of your SSID that would be the untagged and pvid setting, with the other vlan set to tagged.

 

Your running pfsense as your router?  I can show you some screenshots of what I mean by native and vlan on pfsense.

[+Fahim S. MVC]

got it.. thank you!

I decided to keep my trusted network untagged and decided that VLAN 100 would be a better choice for guest.

 

OK.. now the pfSense set up...

I set up a VLAN for 100, and then a (sub)-interface for this VLAN

I then set the interface with a static IP (I used 192.168.100.1 /32).  Kept everything else as default.

When I go to add a DHCP server, I don't even see the tab for my Guest network. 

 

Have I done something wrong?

 

[+BudMan MVC]

2 minutes ago, Fahim S. said:

/32).

that is wrong!  You prob want /24 which would be 192.168.100.1-254 would be valid IPs on that network.

 

/32 is all 32 bits.. so 192.168.100.1 is the ONLY address.  So can not run a dhcp server on that

[+Fahim S. MVC]

Just now, BudMan said:

that is wrong!  You prob want /24 which would be 192.168.100.1-254 would be valid IPs on that network.

this is because /32 is a single IP Address and /24 would be a block of IP addresses? I don't understand how that works..

 

OK.. so now I have a DHCP server, giving out addresses 192.168.100.10 through 192.168.100.100.

Now no matter which WiFi network I get on, I can get out to the internet, which is good, but both networks can see devices in the trusted network.

 

How do I stop this?

[+BudMan MVC]

What do you mean See?  What are you firewall rules on your vlan interface on pfsense?

[+Fahim S. MVC]

Ooops...Completely forgot the firewall rules.

 

I added 2 rules.. an allow all, and a deny access to the trusted network, both to the Guest interface.

Do I need to add a similar deny rule to stop the trusted network being able to access the Guest network?

[+BudMan MVC]

only if you want to... Normally your trusted is allowed to where ever it wants to go..

[+Fahim S. MVC]

I can reach the pfSense administrative interface through both networks.  192.168.0.1 on the trusted network and 192.168.100.1 on the guest network.

Is there a way to stop access to this UI from the guest network?

[+BudMan MVC]

Yeah put in a firewall rule to block it

 

Normally on a guest network it would be pretty locked down..

 

Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated... Post up our rules on our guest vlan interface and we can discuss

 

[+Fahim S. MVC]

here:

 

[+BudMan MVC]

So what do you want to allow and what do you want to block?  If you just don't want clients to access gui.. Then put a rule above the any rule that says block dest lan address port XYZ, where xyz is the ports (or ports) via an alias that your gui is listening on.

 

example, if your gui just running on 80 (http)

 

Keep in mind that such rules would allow guest to actually hit your gui via your wan IP..

 

You could do something like this

 

So you allow guest to "ping" pfsense guest address. So client can validate they have connectivity to the gateway.

 

But then any other access to firewall is blocked - all IPs, lan, guest, optX, wan, etc.. "this firewall" is a drop down option for dest.

 

This would require clients to be using some outside dns - which is what you normally hand "guest" clients anyway - say 8.8.8.8 for example.

 

Or you could allow clients to use pfsense guest IP for dns and ping - but block all other access

 

Given that when I show "test" on my screenshots you would use your "guest"

 

Since this is local network and not public internet you might want to use "reject" vs just block.. This will tell the client F Off!! Vs letting the client keep trying with retrans, waiting and retrans again.. Client will get told instantly sorry blocked!

 

While reject is normally good for your local networks.. You would normally not want to reject any blocks you do from the internet.. Just block (drop) them.. Vs sending any sort of response.