Need some help setting up VLANs on my switches

[skyjam]

Hi there

This is not directly related to opnSense.
I'm stuck on setting up VLAN's on my switches to support a separate guest VLAN for my Unifi access points.
I have my internal Network to not use a VLAN, and my guest network will use VLAN 100 on the unifi AP's. (The AP's will add the VLAN tag!)

Code Select Expand



                         (eth1, no VLAN)
     (eth0) |¯¯¯¯¯¯¯¯¯¯|-------------------|¯¯¯¯¯¯¯¯|        |¯¯¯¯¯¯¯|        |¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯|
WAN --------| OPNSENSE |                   | D-Link |--------| CISCO |--------| some devices (PC's) |
            |__________|-------------------|________|        |_______|        |_____________________|
                         (eth2, no VLAN)       |                |
                                               |                |
                                        |¯¯¯¯¯¯¯¯¯¯¯¯|    |¯¯¯¯¯¯¯¯¯¯¯¯|
                                        | unifi AP 1 |    | unifi AP 2 |
                                        |____________|    |____________|



I want to use two ports of my opnSense firewall for this: eth1 should be default internal network, eth2 should be separated guest network.
opnSense must not set VLAN tags. The switches must do that!
Both networks feed into my first switch, a D-Link DGS-3100, which is capable of VLAN and VLAN trunking. Port 5 goes into eth1, Port 6 into eth2.
This switch is uplinked with port 1 to my Cisco SG300 switch, which is also capable of VLAN and VLAN trunking.

How do i set up tagging, untagging and trunking on the ports?

Currently I have this: (check attaced screenshots)
D-Link:


Cisco:


Part of the D-Link config file:

Code Select Expand

! VLAN

config vlan default delete 1:6
create vlan WIFI_Guest tag 100
config vlan WIFI_Guest add untagged 1:6
config gvrp 1:6 pvid 100
enable vlan_trunk
config vlan_trunk ports 1:1 state enable

Part of the CISCO config file:

Code Select Expand


vlan database
vlan 100
exit
!
interface vlan 100
name WIFI_Guest
!
interface gigabitethernet1
switchport trunk allowed vlan add 100
!
interface gigabitethernet2
switchport trunk allowed vlan add 100
!
interface gigabitethernet3
switchport trunk allowed vlan add 100
!
interface gigabitethernet4
switchport trunk allowed vlan add 100
!
interface gigabitethernet5
switchport trunk allowed vlan add 100
!
interface gigabitethernet6
switchport trunk allowed vlan add 100
!
interface gigabitethernet7
switchport trunk allowed vlan add 100
!
interface gigabitethernet8
switchport trunk allowed vlan add 100
!
interface gigabitethernet9
switchport trunk allowed vlan add 100
!
interface gigabitethernet10
switchport trunk allowed vlan add 100
!
exit

[Sirius1]

I can follow conceptually what you are trying to do, but not sure how your architecture will work, or why you are mixing untagged and tagged/VLANs, with the tagging requirement 'the switches must do that'.

What I can tell you is that you can trunk through multiple switches and use multiple SSIDs/VLANs on the UniFi WAPs. I have a Cisco Catalyst 2960 and an 8-port NetGear Smartswitch with 3 UniFi WAPs and 4 SSIDs/WLANs (and 4 wired VLANs). Everything has VLANs defined: OPNSense, switches, and the WAPs. I trunk from OPNSense to the Catalyst, to the NetGear with connected WAPs (for more Gigabit ports).

Links between your switches, and to the WAPs, must be 'trunked' or 'tagged' with all the VLANS that need to go across: on my NetGear, this means that all my wired and wireless VLANs are 'tagged' for the links between switches and to the WAPs. If you have VLANS 100 and 200 for SSIDs and 300 for wired LAN, then would need to tag 100 and 200 on your WAP ports, and all 3 of them where your switches connect. Your only 'untagged', or 'access' switchports would go to devices like your PCs.

You don't specify both a 'LAN/internal' wireless and guest (VLAN100) wireless on the WAPs, but assume you mean to do that. Again, my experience would be is that if you are 'tagging' one VLAN for guest, your need to tag all of them. Unless you've found something in the UniFi docs or forums that show how to mix tagged and untagged, not tagging everything IMO complicates it unneccessarily.

[skyjam]

I finally got it resolved by using correct tagged and untagged ports.
Thanks anyway!