Mixed untagged and vlan tagged networks, Need help correcting my mistake

Started by wiggler, August 28, 2025, 12:58:21 AM

The problem with splitting up the networks physically is that the access point has two SSIDs, one for the guest network and one for the main lan network. Making VLAN tagging pretty much required. Unless I want to get a second access point, but then I'd be dealing with a whole set of different issues I'm sure.

Tagged and untagged is a property of a link between two devices, not your entire network. You can have e.g.

Access point to switch on a single port:

- guest tagged
- iot tagged
- lan and management untagged "because Unifi"

OPNsense to switch:

- guest and iot tagged on one port
- lan and management untagged on a different port

Thus you get the "do not mix tagged and untagged" for OPNsense - all other devices simply do not need to care.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
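
As an added illustration of the per-link rule above (not code from the thread or from OPNsense/UniFi), here is a small Python model of the layout Patrick lists: each port carries a set of tagged VLANs and at most one untagged (native) VLAN, and a check flags the one thing to avoid, mixing tagged and untagged on the same OPNsense port, while confirming every VLAN the AP carries reaches the firewall somewhere. Device and port names are assumptions; "management" is modelled as riding in the same untagged network as "lan".

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """One end of a link: tagged VLAN names plus at most one untagged VLAN."""
    device: str
    name: str
    tagged: set = field(default_factory=set)
    untagged: Optional[str] = None

# Constructed layout mirroring the thread: AP uplink on one switch port,
# OPNsense on two switch ports (untagged LAN on one, tagged trunk on the other).
GOOD_LAYOUT = [
    Port("ap", "eth0", tagged={"guest", "iot"}, untagged="lan"),
    Port("opnsense", "igc1", untagged="lan"),
    Port("opnsense", "igc2", tagged={"guest", "iot"}),
]

# The layout the thread warns against: everything on a single OPNsense port.
MIXED_LAYOUT = [
    Port("ap", "eth0", tagged={"guest", "iot"}, untagged="lan"),
    Port("opnsense", "igc1", tagged={"guest", "iot"}, untagged="lan"),
]

def vlans_on(port: Port) -> set:
    return port.tagged | ({port.untagged} if port.untagged else set())

def check_layout(ports, strict_devices=("opnsense",)) -> list:
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    for p in ports:
        # Only the firewall end cares; switches and the AP mix freely.
        if p.device in strict_devices and p.tagged and p.untagged:
            problems.append(f"{p.device}/{p.name}: mixes tagged {sorted(p.tagged)} "
                            f"with untagged '{p.untagged}' on one port")
    ap_vlans = set().union(*(vlans_on(p) for p in ports if p.device == "ap"))
    fw_vlans = set().union(*(vlans_on(p) for p in ports if p.device in strict_devices))
    for v in sorted(ap_vlans - fw_vlans):
        problems.append(f"VLAN '{v}': carried by the AP but never reaches the firewall")
    return problems

if __name__ == "__main__":
    print("good:", check_layout(GOOD_LAYOUT) or "ok")
    print("mixed:", check_layout(MIXED_LAYOUT))
```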

Quote from: wiggler on August 30, 2025, 02:42:16 PM
The problem with splitting up the networks physically is that the access point has two SSIDs, one for the guest network and one for the main lan network. Making VLAN tagging pretty much required. Unless I want to get a second access point, but then I'd be dealing with a whole set of different issues I'm sure.

Actually, that is not a strict requirement. The assignment of "networks" and "WLAN" in Unifi speak is arbitrary. You can have two WLANs on the same network, yet then, they are not separated unless you use the Unifi "client isolation" feature. This comes in handy if you need certain Wifi parameters for a group of clients but not for the other, or if you do not want to hand out your "real" Wifi password for a guest network and still allow guests to use your Wifi.

And about what Patrick says: That is completely correct - you can use two or more physical connections to the switch and configure them accordingly, like one port for untagged LAN traffic only and a trunk port for any VLANs.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: Patrick M. Hausen on August 30, 2025, 02:58:54 PM
Tagged and untagged is a property of a link between two devices, not your entire network. You can have e.g.

...

Thus you get the "do not mix tagged and untagged" for OPNsense - all other devices simply do not need to care.
Right, this is essentially how I have it now after reading the suggestions in this thread. My firewall has one port WAN, one for LAN (untagged), and another port as a VLAN tagged trunk, but that only consists of the guest VLAN.

Quote from: meyergru on August 30, 2025, 03:09:48 PM
Actually, that is not a strict requirement...
I'm already using the client isolation feature on the guest WLAN, but I suppose I wanted to get myself into trouble using VLANs. But also, I was thinking about the option to hardwire "guest" clients. I was doing that for a little while with my work laptop through an old router running openwrt, but decided to just connect it to the guest WLAN and simplify my office setup.

JFYI - I noticed some interesting wording in the "Client Device Isolation" help text in UniFi. It seems the isolation is per-AP only.

Exact wording is "on the same AP [...]"


I interpret that as meaning clients on the same WLAN but on different APs can reach each other.

Still fine in @wiggler's use case though.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 250GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 1000GB | 4x 1GbE (I210)