Trouble with First VLAN setup
-
Hello All,
I am having trouble setting up my first Vlan.
Here is what I have:
Router - Untangle UTM 10 (Vlan Aware)
Switch - TP-LINK TL-SG2424 (Vlan Aware)
Access Points - Engenius EAP300 (VLAN Aware)
Ok so here we go. VLAN1 on my switch is the management VLAN so every port is a member of 1. I created a VLAN1 on the router and bridged it to the internal interface. Basically I told the router that all traffic on VLAN1 should be considered the same as no VLAN and attached to the DHCP server on that interface port, call it 192.168.1.1. 99% of all traffic goes here. Now the access points support up to 4 wireless networks, each one on a different VLAN. I have a corporate network for VLAN 1 so no problems there. VLAN 2 and 3 will be public access networks. So in the router I created VLAN 2 and 3 and gave them their own DHCP server, call them 192.168.2.1 and 192.168.3.1. I bonded them to the internal parent interface. If I understand what I did correctly, all VLAN1 and untagged traffic will be given a 192.168.1.1 address and have internet access (corporate network). VLAN 2 and 3 will share the same parent interface but will be assigned their own subnet and DHCP 192.168.2.1 and 192.168.1.3 and have internet access. This makes sense to me anyway. I may be dead wrong. Here is where the problem comes in... configuring the switch. I want all VLANs to be forwarded to port 1 on the switch as that is the internal port on the router and it provides the link to the WAN and handles DHCP for all VLANs. I thought it would be simple but I obviously did something wrong because as soon as I updated the switch configuration I lost all network access to the router and the switch. Can anyone help me with how I should configure the switch to accomplish my goals?
-
James,
"If I understand what I did correctly, all VLAN1 and untagged traffic will be given a 192.168.1.1 address and have internet access (corporate network). VLAN 2 and 3 will share the same parent interface but will be assigned their own subnet and DHCP 192.168.2.1 and 192.168.1.3 and have internet access."
Here's the first issue, or I'm not understanding what you're saying. All VLAN 1 traffic should have an IP address in the same subnet but not all VLAN 1 traffic will be 192.168.1.1 (or 2.1 or 3.1) and have internet access. If you've set a DHCP server up for each VLAN, each device will have an IP address from the DHCP server in that VLAN not that same IP address.
The configuration you may need to setup is called "Router On a Stick" from Cisco technology terminology.
On the Router, your internal interface connecting to your switch needs to be logically divided into 3 separate logical interfaces--one for each of your VLANs. The logical idea is that each of these subinterfaces now becomes the default gateway of its VLAN. This is creating a "trunk" on your router to allow for all VLAN traffic to flow over a single physical interface.
On your Switch, you must configure the switchport connected to the router to also do trunking--allowing for all the VLANs on that switch to send all VLAN traffic over that single interface as well.
Let us know what equipment you're using and how you're setting up DHCP to work with this. Maybe we can troubleshoot better!
Cordially,
Ronnie Wong
Host, ITProTV
-
Ok so here is what I am trying to say... I am using an Untangle 10 UTM as the router. I have an external interface set to WAN and it has a static IP. I have 2 additional interfaces (physical interfaces), guest LAN and corporate LAN. Corporate LAN has a DHCP server on 192.168.1.1 /24. DHCP provides 192.168.1.100 to 192.168.1.200. The guest LAN has a DHCP server on 192.168.2.1 /24 and provides 192.168.2.100 to 192.168.2.200. I have the interfaces of each network set to NAT so currently guest has no access to corporate and corporate has no access to guest. This all works right now as it is. However, we now have a VLAN switch and VLAN access points. The AP can put out 4 separate SSIDs, each with a unique VLAN tag.
What I want to do is move both of these networks onto the same cable and separate them via VLAN. My switch is a TL-SG2424. By default it puts all ports on VLAN1 with egress untag and access mode. I want to have the guest network travel across the corporate copper but have no access to corporate resources. I added a VLAN in the switch, trunk, egress tag, and assigned it to the AP port and the router port, so all ports have VLAN 1 w/ untagged egress / access (I had to change the ports described to trunk) and the 2 ports described above also have VLAN 2 w/ tagged egress / trunk. I want VLAN1 to connect to corporate as if it was not a VLAN. I don't have the option to not tag the SSID; I just want to segregate and jail guest traffic and only pass it to the WAN, not to corporate.
I don't understand why I cannot make this work... It works great without VLANs. Just want to get us moved to the next level. Once I get VLANs working I can essentially reclaim 50% of my access points, as right now I have 1 for corporate and a separate one for guests.
-
Alright. What I wrote, I believe is still correct. What I'm responding with hopefully breaks it down. I'm not as familiar with Untangle, the 4 vlan AP and the TL-SG2424 but I believe it should help.
Cordially,
Ronnie Wong
Host, ITProTV
On your switch,
1. All ports for your corporate network must be put into the same VLAN (e.g. VLAN 2), including the DHCP server.
2. The guest vlan must be configured the same way as your corporate network with a different vlan number.
3. You may need to configure the TL-SG2424 switch to trunk with the AccessPoint that also supports vlan tagging. This assumes both devices support 802.1q trunking, usually when "vlan tagging" is mentioned it's supporting the 802.1q trunking.
4. On the connection between your TL-SG2424 and your Untangle box, you must configure the TL-SG2424 port to also become a trunk, and on your Untangle box you're going to have to create interface vlan 2, interface vlan 3, etc., one for each VLAN on your switches. These are virtual interfaces that you'll tie to the parent interface (physical interface). Once created, you will configure them as the default gateway, one for each VLAN.
Refer to this document for Untangle info; pay attention to the "creating VLAN" section. http://wiki.untangle.com/index.php/Network_Configuration#Configuring_VLAN_on_Untangle_in_Bridge_Mode
5. Then you can create your firewall rules to block guest from corporate. Allow guest to WAN, and allow corporate to WAN and guest if you choose.
-
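The two replies above rely on how an 802.1Q switch decides which VLAN a frame belongs to (PVID for untagged ingress, the tag's VID otherwise) and whether it leaves each port tagged or untagged. The following Python model is an added illustration, not code from this thread or from TP-Link or Untangle, and its port numbers, MAC addresses and the two switch configurations are constructed. The "broken" configuration is only one way a router port can stop seeing its management VLAN, not a diagnosis of the poster's switch.

```python
"""Tiny 802.1Q switch model: tag/untag frames and flood them by VLAN membership.

Constructed example; port layout, MACs and VLAN numbers are assumptions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes) -> tuple[int | None, bytes]:
    """Return (vid, frame_without_tag) if tagged, else (None, frame)."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


@dataclass
class Port:
    pvid: int                                     # VLAN given to untagged ingress
    untagged: set[int] = field(default_factory=set)  # VLANs sent without a tag
    tagged: set[int] = field(default_factory=set)    # VLANs sent with a tag

    def is_member(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


class Switch:
    def __init__(self, ports: dict[int, Port]):
        self.ports = ports

    def forward(self, in_port: int, frame: bytes) -> dict[int, bytes]:
        """Flood a frame to every other member port; returns {port: frame as sent}."""
        vid, payload = read_tag(frame)
        ingress = self.ports[in_port]
        if vid is None:
            vid = ingress.pvid          # untagged frames join the port's PVID
        if not ingress.is_member(vid):  # ingress filtering: unknown VLAN is dropped
            return {}
        out = {}
        for num, port in self.ports.items():
            if num == in_port:
                continue
            if vid in port.untagged:
                out[num] = payload              # egress untagged (access-style)
            elif vid in port.tagged:
                out[num] = add_tag(payload, vid)  # egress tagged (trunk-style)
        return out


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800) -> bytes:
    """Minimal Ethernet frame with a 46-byte zero payload (constructed)."""
    return dst + src + struct.pack("!H", ethertype) + bytes(46)


ROUTER, AP, PC = 1, 2, 3  # assumed port numbers: router uplink, access point, corporate PC
SAMPLE = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01")  # constructed broadcast


def working_switch() -> Switch:
    """VLAN 1 untagged everywhere (corporate/management); VLAN 2 tagged on router and AP."""
    return Switch({
        ROUTER: Port(pvid=1, untagged={1}, tagged={2}),
        AP: Port(pvid=1, untagged={1}, tagged={2}),
        PC: Port(pvid=1, untagged={1}),
    })


def broken_switch() -> Switch:
    """Router port's PVID and untagged membership moved to VLAN 2 (constructed mistake):
    the router's untagged frames now land in the guest VLAN and never reach the PC."""
    return Switch({
        ROUTER: Port(pvid=2, untagged={2}, tagged={1}),
        AP: Port(pvid=1, untagged={1}, tagged={2}),
        PC: Port(pvid=1, untagged={1}),
    })


def vlans_seen(sw: Switch, in_port: int, frame: bytes) -> dict[int, int | None]:
    """Which ports receive the frame and with which VID (None = untagged)."""
    return {port: read_tag(f)[0] for port, f in sw.forward(in_port, frame).items()}


if __name__ == "__main__":
    good, bad = working_switch(), broken_switch()
    print("guest frame from AP:", vlans_seen(good, AP, add_tag(SAMPLE, 2)))
    print("corporate frame from PC:", vlans_seen(good, PC, SAMPLE))
    print("router frame, broken switch:", vlans_seen(bad, ROUTER, SAMPLE))
```

Running it shows the guest SSID's VID 2 frames reaching only the router port (still tagged), corporate untagged frames reaching the router and AP untagged, and, in the broken configuration, the router's untagged frames going only to the AP as VLAN 2 while the corporate PC receives nothing.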
Thanks very much. I will try this ASAP.
-
James,
One other thing worth checking is the network card in the Untangle box. Did you buy an appliance, or build your own Untangle box? If you built your own, be aware that not every NIC supports VLAN tagging. Many desktop NICs will strip away VLAN tags before they reach the OS. If you bought an Untangle appliance, then you are fine. If you built your own box, double check the specs for your network card to ensure that 802.1q trunking and VLAN tags are supported.
Don Pezet
Host, ITProTV