Need some help setting up VLANs on my switches

Started by skyjam, October 31, 2019, 11:01:46 PM

October 31, 2019, 11:01:46 PM Last Edit: October 31, 2019, 11:03:32 PM by skyjam
Hi there

This is not directly related to opnSense.
I'm stuck on setting up VLANs on my switches to support a separate guest VLAN for my Unifi access points.
I have my internal network not using a VLAN, and my guest network will use VLAN 100 on the Unifi APs. (The APs will add the VLAN tag!)




                         (eth1, no VLAN)
     (eth0) |¯¯¯¯¯¯¯¯¯¯|-------------------|¯¯¯¯¯¯¯¯|        |¯¯¯¯¯¯¯|        |¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯|
WAN --------| OPNSENSE |                   | D-Link |--------| CISCO |--------| some devices (PC's) |
            |__________|-------------------|________|        |_______|        |_____________________|
                         (eth2, no VLAN)       |                |
                                               |                |
                                        |¯¯¯¯¯¯¯¯¯¯¯¯|    |¯¯¯¯¯¯¯¯¯¯¯¯|
                                        | unifi AP 1 |    | unifi AP 2 |
                                        |____________|    |____________|



I want to use two ports of my opnSense firewall for this: eth1 should be default internal network, eth2 should be separated guest network.
opnSense must not set VLAN tags. The switches must do that!
Both networks feed into my first switch, a D-Link DGS-3100, which is capable of VLAN and VLAN trunking. Port 5 goes into eth1, Port 6 into eth2.
This switch is uplinked with port 1 to my Cisco SG300 switch, which is also capable of VLAN and VLAN trunking.

How do I set up tagging, untagging and trunking on the ports?

Currently I have this (check attached screenshots):
D-Link:


Cisco:


Part of the D-Link config file:
! VLAN

config vlan default delete 1:6
create vlan WIFI_Guest tag 100
config vlan WIFI_Guest add untagged 1:6
config gvrp 1:6 pvid 100
enable vlan_trunk
config vlan_trunk ports 1:1 state enable


Part of the CISCO config file:

vlan database
vlan 100
exit
!
interface vlan 100
name WIFI_Guest
!
interface gigabitethernet1
switchport trunk allowed vlan add 100
!
interface gigabitethernet2
switchport trunk allowed vlan add 100
!
interface gigabitethernet3
switchport trunk allowed vlan add 100
!
interface gigabitethernet4
switchport trunk allowed vlan add 100
!
interface gigabitethernet5
switchport trunk allowed vlan add 100
!
interface gigabitethernet6
switchport trunk allowed vlan add 100
!
interface gigabitethernet7
switchport trunk allowed vlan add 100
!
interface gigabitethernet8
switchport trunk allowed vlan add 100
!
interface gigabitethernet9
switchport trunk allowed vlan add 100
!
interface gigabitethernet10
switchport trunk allowed vlan add 100
!
exit

I can follow conceptually what you are trying to do, but I'm not sure how your architecture will work, or why you are mixing untagged and tagged/VLANs, with the tagging requirement "the switches must do that".

What I can tell you is that you can trunk through multiple switches and use multiple SSIDs/VLANs on the UniFi WAPs. I have a Cisco Catalyst 2960 and an 8-port NetGear Smartswitch with 3 UniFi WAPs and 4 SSIDs/WLANs (and 4 wired VLANs). Everything has VLANs defined: OPNSense, switches, and the WAPs. I trunk from OPNSense to the Catalyst, to the NetGear with connected WAPs (for more Gigabit ports).

Links between your switches, and to the WAPs, must be 'trunked' or 'tagged' with all the VLANs that need to go across: on my NetGear, this means that all my wired and wireless VLANs are 'tagged' for the links between switches and to the WAPs. If you have VLANs 100 and 200 for SSIDs and 300 for wired LAN, then you would need to tag 100 and 200 on your WAP ports, and all 3 of them where your switches connect. Your only 'untagged', or 'access', switchports would go to devices like your PCs.

You don't specify both a 'LAN/internal' wireless and guest (VLAN 100) wireless on the WAPs, but I assume you mean to do that. Again, my experience is that if you are 'tagging' one VLAN for guest, you need to tag all of them. Unless you've found something in the UniFi docs or forums that shows how to mix tagged and untagged, not tagging everything IMO complicates it unnecessarily.
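The tagged/untagged port layout the reply above describes, worked through as an added example (this is not code from the original thread or from either poster): a small Python model of 802.1Q port membership for the two switches in the diagram. Each port has a PVID, a set of VLANs it sends untagged and a set it sends tagged; inter-switch links carry the frame into the far switch with whatever tag it left with. The D-Link and Cisco uplink and OPNsense-facing ports follow the diagram (1:1 uplink, 1:5 to eth1, 1:6 to eth2); the AP and PC port numbers (D-Link 1:7, Cisco gi2 and gi3) are assumptions made for this example, and so is the "as posted" PC port, which assumes the SG300 ports in the posted excerpt are in the default trunk mode with native VLAN 1 (the excerpt does not show a `switchport mode` line). The injected frames are constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """802.1Q membership of one switch port (simplified model, no STP/GVRP)."""
    pvid: int                           # VLAN an untagged ingress frame is put into
    untagged: frozenset = frozenset()   # VLANs this port sends out untagged
    tagged: frozenset = frozenset()     # VLANs this port sends out tagged

    def ingress(self, tag):
        """Classify an arriving frame: return its VLAN, or None if dropped.
        tag=None means the frame arrived untagged."""
        if tag is None:
            return self.pvid
        # A tagged frame is only accepted for VLANs the port carries tagged;
        # an access (untagged-only) port therefore drops it.
        return tag if tag in self.tagged else None

    def egress(self, vid):
        """Return (forwards, tag) for VLAN vid: tag None = sent untagged."""
        if vid in self.untagged:
            return True, None
        if vid in self.tagged:
            return True, vid
        return False, None


# Port roles follow the thread's diagram; the AP and PC port numbers
# (D-Link 1:7, Cisco gi2/gi3) are assumptions made for this example.
UPLINK = Port(1, frozenset({1}), frozenset({100}))    # native 1 untagged, 100 tagged
AP = UPLINK                                            # APs: internal untagged, guest tagged 100
ACCESS_PC = Port(1, frozenset({1}))                    # corrected PC port: VLAN 1 only
POSTED_PC = Port(1, frozenset({1}), frozenset({100}))  # as posted: VLAN 100 allowed on every port


def build(pc_port):
    switches = {
        "dlink": {
            "1": UPLINK,                       # to Cisco gi1
            "5": Port(1, frozenset({1})),      # OPNsense eth1, internal, untagged
            "6": Port(100, frozenset({100})),  # OPNsense eth2, guest, untagged (PVID 100)
            "7": AP,                           # UniFi AP 1 (assumed port)
        },
        "cisco": {
            "gi1": UPLINK,                     # to D-Link 1:1
            "gi2": AP,                         # UniFi AP 2 (assumed port)
            "gi3": pc_port,                    # wired PC (assumed port)
        },
    }
    links = {("dlink", "1"): ("cisco", "gi1"), ("cisco", "gi1"): ("dlink", "1")}
    return switches, links


def reach(switches, links, sw, port, tag):
    """Inject one frame at (sw, port) with 802.1Q tag `tag` (None = untagged)
    and return {(switch, edge_port): egress_tag} for every non-uplink port
    the frame leaves. Ports absent from the result never see the frame."""
    seen, out = set(), {}
    queue = deque([(sw, port, tag)])
    while queue:
        sw, port, tag = queue.popleft()
        vid = switches[sw][port].ingress(tag)
        if vid is None or (sw, port, vid) in seen:
            continue
        seen.add((sw, port, vid))
        for name, p in switches[sw].items():
            if name == port:
                continue
            fwd, out_tag = p.egress(vid)
            if not fwd:
                continue
            if (sw, name) in links:                 # inter-switch link: re-ingress there
                queue.append((*links[(sw, name)], out_tag))
            else:                                   # edge port: record the delivery
                out[(sw, name)] = out_tag
    return out


def guest_paths(pc_port):
    """Three constructed frames that exercise the design."""
    sw, ln = build(pc_port)
    return {
        "ap1_guest": reach(sw, ln, "dlink", "7", 100),        # AP tags guest SSID with 100
        "ap1_internal": reach(sw, ln, "dlink", "7", None),    # internal SSID, untagged
        "pc_tagged_100": reach(sw, ln, "cisco", "gi3", 100),  # PC sending a forged guest tag
    }


if __name__ == "__main__":
    for label, pc in (("corrected access port", ACCESS_PC), ("as posted", POSTED_PC)):
        print(label)
        for frame, delivered in guest_paths(pc).items():
            print(f"  {frame:14s} -> {sorted(delivered.items())}")
```

With the PC on an access port, a guest frame tagged 100 by AP 1 leaves the D-Link untagged on 1:6 towards eth2 and tagged on the uplink towards AP 2, and never reaches eth1 or the PC; an untagged internal frame takes the reverse set of ports. The same model run with the PC port configured the way the posted SG300 excerpt configures every port shows why the reply insists that end-device ports be untagged/access only: a PC that sends a frame already tagged 100 is accepted into the guest VLAN and delivered to eth2 and both APs.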

I finally got it resolved by using correct tagged and untagged ports.
Thanks anyway!