Question: Help configuring VLAN for guest wifi between 2 GS110TP

TrevorIJones
May 30, 2019
Hi Guys,


I really need some help trying to set up a VLAN to run between devices to ensure a separate, secure guest WiFi. The setup is shown in the attached diagram:

(attached diagram: vlan.jpg)


I basically have a DrayTek router at one end, with a DrayTek 903 access point at the other, and in between are 2 Netgear GS110TP switches that are linked. I have configured the DrayTeks at either end following this guide:

https://www.draytek.co.uk/support/guides/kb-wireless-guestnetwork-ap

The problem is I'm having trouble configuring the switches on VLAN 10 to allow users to connect to the Guest WiFi provided by the DrayTek 903, having access to just the internet and no other devices on the network. I'm either getting no internet from the AP and blocking traffic between segments of the network, or full access to the internet and LAN. Can someone please advise the config I need?


Many thanks in advance!


Kind regards


Trevor
 
That link is country restricted, very very strange.

The key would be to define 2 VLANs, say 10 is normal and 20 is guest. Define all the VLANs on all the devices and assign ports as needed to each VLAN. On the connection between the devices, define them as TAGGED and allow both VLAN 10 and 20. On the router you will need to put rules in to prevent the guest network (VLAN) from having access to anything other than the internet. You will likely need to put in 2 different DHCP servers and subnets on the router. You will also need to configure the NAT to work with both subnets.
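The "rules on the router" part of the advice above is easy to get wrong because order matters: the guest subnet must still reach the router for DNS, but must be blocked from every private subnet before a final "allow to the internet" rule. The following is an added example (not code from the thread, and not DrayTek's configuration syntax): a small ordered policy evaluator with constructed subnets, following the OP's numbering of VLAN 10 = guest (192.168.10.0/24 assumed) and a second VLAN 20 = office (192.168.20.0/24 assumed). Rule names, the gateway address and the sample flows are all assumptions.

```python
"""Ordered guest-VLAN firewall policy evaluated against constructed sample flows.

Added example, not code from the thread or from DrayTek. Subnets, rule names
and flows are assumptions; VLAN 10 is guest (as in the OP's setup), VLAN 20 office.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GUEST_NET = ipaddress.ip_network("192.168.10.0/24")       # assumed VLAN 10 (guest) subnet
OFFICE_NET = ipaddress.ip_network("192.168.20.0/24")      # assumed VLAN 20 (office) subnet
GUEST_GATEWAY = ipaddress.ip_network("192.168.10.1/32")   # assumed router address on the guest subnet
PRIVATE_NETS = [ipaddress.ip_network(n)                   # RFC 1918 ranges: everything "not the internet"
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any port

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# First match wins, so the specific allows come before the broad deny,
# and the broad deny comes before the catch-all "guest to internet" allow.
GUEST_POLICY: List[Rule] = [
    Rule("guest-dns-udp", "allow", GUEST_NET, GUEST_GATEWAY, "udp", 53),
    Rule("guest-dns-tcp", "allow", GUEST_NET, GUEST_GATEWAY, "tcp", 53),
    *[Rule(f"guest-block-private-{i}", "deny", GUEST_NET, net)
      for i, net in enumerate(PRIVATE_NETS)],
    Rule("guest-internet", "allow", GUEST_NET, ANY),
    Rule("office-any", "allow", OFFICE_NET, ANY),
]


def evaluate(policy: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or the default action."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in policy:
        if rule.matches(src, dst, flow.proto, flow.dport):
            return rule.action, rule.name
    return default, "default"


def evaluate_all(policy: List[Rule], flows: Dict[str, Flow]) -> Dict[str, str]:
    """Map each named sample flow to the action the policy takes on it."""
    return {name: evaluate(policy, flow)[0] for name, flow in flows.items()}


# Constructed sample flows; 203.0.113.0/24 is a documentation range standing in for "the internet".
SAMPLE_FLOWS: Dict[str, Flow] = {
    "guest-to-web": Flow("192.168.10.50", "203.0.113.10", "tcp", 443),
    "guest-to-office-smb": Flow("192.168.10.50", "192.168.20.10", "tcp", 445),
    "guest-to-router-admin": Flow("192.168.10.50", "192.168.10.1", "tcp", 443),
    "guest-dns": Flow("192.168.10.50", "192.168.10.1", "udp", 53),
    "office-to-web": Flow("192.168.20.10", "203.0.113.10", "tcp", 443),
}

if __name__ == "__main__":
    for name, action in evaluate_all(GUEST_POLICY, SAMPLE_FLOWS).items():
        print(f"{name:24s} {action}")
```

Note that the deny on 192.168.0.0/16 also blocks guests from the router's own admin interface on the guest gateway address (only DNS to it is allowed), which is usually what you want; if the router's firewall evaluates rules in a different order, or applies them only to routed traffic, the same policy has to be expressed in that order on the device.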
 
Thanks for the quick response.

So, just to be clear, I need to ensure the following:

  1. That each VLAN I have is created/present on each switch with the same name/number?
  2. Then tag the ports in my diagram for each VLAN. I only created an additional 'Guest' VLAN of 10. The default VLAN for Netgear switches is 1 and the default for DrayTek is 0. Will I need to make sure these are all the same, i.e. either 1 or 0 for default across all devices? Or should I create a general 'Office VLAN' and leave the default as it is?

When I started re-configuring the switches, which I was doing over VPN, I lost connection to the 2nd switch down and everything below. I had just tagged VLAN 10 on the ports listed but didn't get a chance to tag the default VLAN. Would this have caused the loss of connectivity? Will I need to plug into each switch to configure?

Many thanks
 
It all depends on how tagging works. It is not 100% consistent between devices. Trunk ports generally have an untagged VLAN on them. On some devices you must explicitly define it; on others the "default" VLAN is automatically assigned. So you could put VLAN 1 on the Netgear on the trunk port as untagged. On the DrayTek you would assign VLAN 0 as untagged. The reason this works is because there are no tags on these packets. Since there are no tags there are no numbers... a very confusing concept that works. Commercial switches like Cisco detect this and warn you that you are being stupid but allow it to work.

I tend to put all my traffic into some tagged VLAN. I leave the untagged ones with no traffic. This mostly avoids this issue, but on some devices the management IP can only be assigned to the untagged VLAN.

On most devices there is always an untagged VLAN that runs the spanning tree messages even if you do not configure it. This is made more complex when you can have different spanning tree instances for each VLAN. This is also why Cisco commercial equipment complains, since you can get loops. Since you only have a single connection between your devices you likely can not ever get loops no matter what.
 
Yes, I think. You want to assign, say, port 6 VLAN 10 tagged and VLAN 1 untagged. The only ports that have multiple VLANs assigned are going between the switches. The ones going to the end devices only have a single VLAN assigned and it does not have tags, since most end devices are confused by VLAN tags.

What I normally do is, say VLAN 10 is guest and VLAN 20 is normal, I would assign both VLAN 10 and VLAN 20 to the ports between the devices as tagged. I would also add the default VLAN untagged. I do this just because I have had issues between vendors. On commercial switches it is actually much simpler in many ways.
 
Thanks. I've updated the diagram to help identify the switches. Which switches are you referring to with your config for port 1/6? Just to add some background, this setup is located over 3 buildings linked by Cat5e. There are devices (computers etc.) connected to each switch. There are also some un-managed switches on the network.

(attached diagram: Capture5.jpg)
 
It depends on the switch; most of the ones I have used require you to add VLAN 1 untagged to the port. This is what is so strange, since there has to be an untagged VLAN, and even though VLAN 1 is the default VLAN it seems to be different. It all depends on the details of whether the port is actually added untagged or if you had to do it. I know the last time I did this I got frustrated and dug some of my Cisco commercial switches out of my junk box.
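The two points made in the replies above (inter-switch ports carry the guest and office VLANs tagged plus one untagged default VLAN, end-device ports carry a single untagged VLAN, and an untagged frame has no number on the wire so Netgear's VLAN 1 and DrayTek's VLAN 0 line up) can be checked before touching a switch over VPN. The following is an added example, not code from the thread or from Netgear or DrayTek: a model of 802.1Q port membership for the chain router, switch 1, switch 2, AP, with a reachability check per VLAN. The port numbers (1 and 6 for the links, 2 for a PC on each switch), the choice of VLAN 10 = guest and VLAN 20 = office, and the "broken" state (link ports left with only VLAN 10 tagged and no untagged member, a reconstruction of what the OP describes) are assumptions.

```python
"""802.1Q port-membership model for router -> sw1 -> sw2 -> AP, with per-VLAN reachability.

Added example, not code from the thread or from any vendor. Port numbers, the management
path and the broken configuration are assumptions used to reproduce the lost-switch symptom.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GUEST, OFFICE = 10, 20    # VLAN numbers as used in the later replies (10 guest, 20 office)
NATIVE_NETGEAR = 1        # Netgear default VLAN, sent without a tag
NATIVE_DRAYTEK = 0        # DrayTek "VLAN 0", also sent without a tag


@dataclass
class Port:
    tagged: Set[int] = field(default_factory=set)  # VLANs sent and accepted with an 802.1Q tag
    untagged: Optional[int] = None                 # the one VLAN sent and accepted with no tag (PVID)


Link = Tuple[str, str, str, str]                     # (device, port, device, port)
Topology = Tuple[Dict[str, Dict[str, Port]], List[Link]]


def egress(port: Port, vid: int) -> Tuple[bool, Optional[int]]:
    """Frame of VLAN vid leaving this port: (forwarded?, VID on the wire or None for no tag)."""
    if vid in port.tagged:
        return True, vid
    if vid == port.untagged:
        return True, None
    return False, None


def ingress(port: Port, wire_vid: Optional[int]) -> Optional[int]:
    """VLAN the receiving device assigns to a frame, or None if the port discards it."""
    if wire_vid is None:           # no tag, so no number: the receiver applies its own PVID
        return port.untagged       # None here means no untagged member, frame dropped
    if wire_vid in port.tagged or wire_vid == port.untagged:
        return wire_vid
    return None


def reachable(topo: Topology, start: str, vid: int, target: str) -> bool:
    """Breadth-first flood of a frame injected at device `start` in VLAN `vid`."""
    devices, links = topo
    adj: Dict[str, List[Tuple[str, str, str]]] = {}
    for d1, p1, d2, p2 in links:
        adj.setdefault(d1, []).append((p1, d2, p2))
        adj.setdefault(d2, []).append((p2, d1, p1))
    seen = {(start, vid)}
    queue = deque([(start, vid)])
    while queue:
        dev, cur = queue.popleft()
        if dev == target:
            return True
        for pname, peer, peer_port in adj.get(dev, []):
            ok, wire = egress(devices[dev][pname], cur)
            if not ok:
                continue
            peer_vid = ingress(devices[peer][peer_port], wire)
            if peer_vid is not None and (peer, peer_vid) not in seen:
                seen.add((peer, peer_vid))
                queue.append((peer, peer_vid))
    return False


def build(path_tagged: Set[int], path_untagged: Optional[int]) -> Topology:
    """Assumed topology; the sw1-sw2 and sw2-AP link ports take the membership given."""
    def path_port() -> Port:
        return Port(set(path_tagged), path_untagged)

    devices = {
        "router": {"lan1": Port({GUEST, OFFICE}, NATIVE_DRAYTEK)},
        "sw1": {"1": Port({GUEST, OFFICE}, NATIVE_NETGEAR), "2": Port(untagged=OFFICE), "6": path_port()},
        "sw2": {"1": path_port(), "2": Port(untagged=OFFICE), "6": path_port()},
        "ap": {"eth": Port({GUEST}, NATIVE_DRAYTEK)},
        "pc1": {"eth": Port(untagged=0)},      # end devices accept untagged frames only
        "pc2": {"eth": Port(untagged=0)},
    }
    links = [("router", "lan1", "sw1", "1"), ("sw1", "6", "sw2", "1"), ("sw2", "6", "ap", "eth"),
             ("sw1", "2", "pc1", "eth"), ("sw2", "2", "pc2", "eth")]
    return devices, links


def audit(topo: Topology) -> Dict[str, bool]:
    """The paths a working guest/office/management setup must provide."""
    return {
        "guest_ap_to_router": reachable(topo, "ap", GUEST, "router"),
        "office_router_to_pc2": reachable(topo, "router", OFFICE, "pc2"),
        "mgmt_router_to_sw1": reachable(topo, "router", NATIVE_DRAYTEK, "sw1"),
        "mgmt_router_to_sw2": reachable(topo, "router", NATIVE_DRAYTEK, "sw2"),
    }


if __name__ == "__main__":
    print("recommended:", audit(build({GUEST, OFFICE}, NATIVE_NETGEAR)))
    print("only VLAN 10 tagged on the link ports:", audit(build({GUEST}, None)))
```

With the recommended membership every check passes, and the management path works even though the router calls its untagged VLAN 0 and the switches call theirs 1, because `ingress` never sees a number on an untagged frame. With only VLAN 10 tagged on the link ports, guest traffic from the AP still reaches the router, but office traffic and untagged management frames stop at switch 1, which is the "lost the 2nd switch and everything below" symptom; the fix is to add the default VLAN untagged (and VLAN 20 tagged) on those ports before the change is pushed over VPN.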