Budgie2 (Aspirant), Oct 17, 2014
Help with discriminating wifi AP traffic please
Hi,
I am seeking some general direction in the best way to discriminate and segregate wireless AP traffic using a managed switch.
I can set up several secure SSIDs on the AP and the AP can be set to tag traffic from each SSID with different Vlan IDs.
My question is how do I keep traffic from one SSID private and allow it to access both the private network and the WAN, whereas the other SSID's clients are only able to connect to the WAN and cannot see the private traffic. In other words, how may I split the tagged packets from the AP at the switch?
Grateful for some guidance here on best approach please.
Budgie2
I am using an M4100-DG12 managed switch.
17 Replies
fordem (Mentor):
First - what you need is not a "managed" switch, but a switch that supports VLANs, which most managed switches can do - if you're using a managed layer 2 switch, you will also need a router that understands VLANs. The M4100 series is a fully managed switch which allows interVLAN routing, so it will make your task easier.
For the sake of discussion ... Let's say you're going to have an office VLAN and a guest VLAN, so you start by configuring the switch with those VLANs. One port of the switch is going to be a member of both VLANs and must be configured to pass "tagged" packets (this is known as a "trunk" port in some circles) - the access point will connect to this port. The wireless access point MUST support multiple SSIDs and understand VLAN tagging, and you will configure two SSIDs, for ease of discussion an office SSID and a guest SSID, and you will configure those SSIDs to be a part of the respective VLANs.
At this point you should be able to ping a computer connected to an office VLAN port on the switch, from a computer on any other office VLAN port, or connected to the office SSID - BUT NOT from a computer connected to a guest VLAN port or the guest SSID.
The next step will be to configure interVLAN routing on the switch and then set your access lists to prevent the guest VLAN from accessing the office VLAN. Assuming that you will be NATting the internet traffic (sharing a single public WAN ip address) you will need a router that can NAT multiple subnets.
Budgie2 (Aspirant):
First, very many thanks for your reply.
My router and connection to wan is firewall router with vlan capability and has three ports on three different subnets: Office, Guests and Private.
My wifi access points are capable of running up to 4 SSIDs and vlan tagging each SSID, so I believe the hardware should be OK.
Your understanding of my objective is spot on, so I shall now start over following your directions.
Thanks again,
Budgie2
Budgie2 (Aspirant):
Hi Fordem, Further to your advice I have set the following:
M4100 Port 1: member Vlan 100, Vlan ID set to 100, tagging set 'T'. This is connected to firewall router port 2 which has DHCP server giving addresses on Office subnet and vlan set to 100.
M4100 Port 2: member Vlan 100, Vlan ID set 100, tagging set to 'U'. This is not connected at present.
M4100 Port 3: member Vlan 100, Vlan ID set to 100, tagging set 'U'. This is connected to Office hub switch uplink.
M4100 Port 4: member Vlan 100 and 300, Vlan ID set to 100, tagging set 'T'. This is connected to wifi AP which has 2 SSIDs, one with Vlan 100 and second with Vlan 300.
With this configuration I can log on to the Office SSID and receive an IP address and access wan. (Not surprisingly I cannot yet get an address if I log on to Guests SSID.) I can ping from machine logged on to AP to machine on office subnet and vice versa. I cannot make a connection to the Guests SSID because I cannot yet get an IP address. At present I can ping machines on Guests subnet from Office subnet but this is because there is a route through the firewall for admin at present. If I filter this traffic out at firewall then there is no access between Office and Guests subnets. I have tried changing 'T' to 'U' on Port 1 but then connection fails.
M4100 Port 6: member Vlan 300, Vlan ID set to 300, tagging set 'T'. This is connected to firewall router port 3 which has DHCP server giving addresses on Guests subnet and vlan set to 300.
M4100 Port 7: member Vlan 300, Vlan ID set to 300, tagging set 'T'. This is connected to another outdoor wifi AP which has 2 SSIDs set as above. This AP works as above but having tried it I have had to take down for now and restore simple access just for Guests.
Please forgive lengthy message but am at bottom end of learning curve. Looking forward to next advice. Regards, Budgie2
fordem (Mentor):
First - is your firewall router a Netgear product? Second - if you configure the M4100 ports that connect to the firewall router to pass tagged packets, then the firewall router must know how to interpret the tags - conversely - if you're not passing tagged packets (and there is no need to since you have two links between the router and the switch, one for each VLAN), then the router should not be configured to do so - in other words both must match.
You need to decide what device you want to use for DHCP and configure it accordingly, and also what device you will use for interVLAN routing - you apparently can do it in the router or the switch - the router might be the best place as the switch will not allow you to NAT the traffic (I'm assuming you're sharing a single WAN ip address).
Budgie2 (Aspirant):
Hi Fordem, Thanks for coming back to me so quickly. No, the firewall router is not a Netgear device. It was supplied by my ISP. It is a FireBrick 105 (now obsolete!) It has a fixed IP on WAN side with two ports connecting to two bonded ADSL lines. This is to give us bandwidth because we are out in the country and a long way from the exchange with only copper connection. There are three other ports and these are set up for three different subnets as described earlier in thread.
The two subnets Office and Guests will both have one or two wifi access points and both access points have to be able to handle traffic for Office and Guests. With your help I am taking this one step at a time. If all goes well there is also one AP I have which is not vlan aware but which I would like to use for Guests only. This may not be possible given your earlier advice; this has lower priority.
On tagging, this is where my understanding is weak. I am assuming setting port 'T' will tag and 'U' will pass tagged frames but not change the tag. If I leave a port without either a T or U set, I understand that this effectively takes the port out of the vlan but am not sure I am correct. I tried with no vlan on router and 'U' on port 1 but couldn't get IP address. Based on experience so far I think I would prefer to set router and switch ports as 'T' tagged.
On DHCP I would prefer to use firewall as DHCP server on all subnets. Regards, Budgie2
fordem (Mentor):
Setting a port to T or Tagged will allow it to pass VLAN tagged frames, setting it to U or Untagged will cause it to strip the VLAN tag and pass the untagged frame, or, to accept an untagged frame and append a VLAN tag to it.
Configure the M4100 to have two VLANs with several ports in each VLAN and disable interVLAN routing.
As an example ...
P1 - VLAN100 - UNTAGGED - connects to router's office subnet
P2 - VLAN100 & 300 - TAGGED - connects to VLAN aware access point #1
P3 - VLAN100 & 300 - TAGGED - connects to VLAN aware access point #2
P4 - VLAN100 - UNTAGGED - connects to office switch.
P5
P6 - VLAN300 - UNTAGGED - connects to router's guest subnet
P7 - VLAN300 - UNTAGGED - connects to access point #3 (the one that is not VLAN aware)
P8
I am assuming the following here ...
a) the router has multiple interfaces and each of the three LAN ports is a separate interface.
b) the router has been configured to act as the DHCP server for each of the LAN subnets.
c) the VLAN aware access points have been configured with office & guest SSIDs and these linked to VLAN 100 & 300 respectively
d) the VLAN aware access points have been configured for either a VLAN trunk or to accept/pass TAGGED packets.
Budgie2 (Aspirant):
Hi Fordem,
Ports P1 - P4 set up as you suggest and all working well with first AP connected and issuing IPs from firewall DHCP.
Ports P6-P8 also set up but not yet connected. I cannot yet move the second AP because it must be available to guests and I cannot plug into P3 until we have routing set up. (It is presently plugged into a different hub which supplies PoE on the guests subnet.)
Regards
Budgie2 (Aspirant):
Hi Fordem, Is it all OK for me to move on to the routing? Hope to learn more from you when you are next on line. Regards, Budgie2
fordem (Mentor):
Based on my interpretation of your earlier response (#6) no changes to the existing routing arrangements need to be made. As I understand it - your firebox supports multiple LAN segments, each with its own range of network addresses - what I'm doing is using the access points to support multiple SSIDs, each on its own VLAN and then using the M4100 to connect the VLANs to those network segments. When you find a convenient time - maybe on the weekend - just plug it in and see if it works.
Budgie2 (Aspirant):
Hi Fordem.
fordem wrote:
> Based on my interpretation of your earlier response (#6) no changes to the existing routing arrangements need to be made.
> As I understand it - your firebox supports multiple LAN segments, each with its own range of network addresses - what I'm doing is using the access points to support multiple SSIDs, each on its own VLAN and then using the M4100 to connect the VLANs to those network segments.
OK, but the AP which has two SSIDs with tagging set to vlan 100 for office and vlan 300 for guest is connected to a vlan 100 & 300 port (ports 2 or 3) on the M4100. I wish to discriminate between guests and office traffic and manage access to the office lan. The guests lan subnet is on ports 6 & 7. I thought we had to route vlan 300 traffic to the guests subnet.
fordem wrote:
> When you find a convenient time - maybe on the weekend - just plug it in and see if it works.
Will try it as is and let you know how I get on.
Many thanks once more.
Budgie
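As an added illustration (not code from the thread or from NETGEAR), here is a small Python model of the port plan fordem gives above (P1 and P4 untagged in VLAN 100, P2 and P3 tagged in VLANs 100 and 300, P6 and P7 untagged in VLAN 300). It shows the point behind the last exchange: a guest-SSID frame tagged 300 entering the AP trunk port is switched, with the tag stripped, straight to the router's guest port and never appears on an office port, so no inter-VLAN routing on the M4100 is needed for that. The port names and forwarding rules are a simplified 802.1Q model, not the M4100's own configuration syntax.

```python
# Added illustration, not code from the thread or from NETGEAR: a minimal
# 802.1Q switch model of fordem's M4100 port plan. 'T' membership passes
# frames with the VLAN tag kept; 'U' membership strips the tag on egress and
# assigns the port's PVID to untagged frames on ingress. All values constructed.
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    tagged: set = field(default_factory=set)    # VLANs this port carries as 'T'
    untagged: set = field(default_factory=set)  # VLANs this port carries as 'U'
    pvid: int = 0                               # VLAN given to untagged ingress

    def members(self):
        return self.tagged | self.untagged

# Office = VLAN 100, Guest = VLAN 300, as in fordem's example list (P5/P8 unused)
PORTS = {
    "P1": Port("P1", untagged={100}, pvid=100),     # router's office subnet
    "P2": Port("P2", tagged={100, 300}, pvid=100),  # VLAN-aware access point #1
    "P3": Port("P3", tagged={100, 300}, pvid=100),  # VLAN-aware access point #2
    "P4": Port("P4", untagged={100}, pvid=100),     # office switch
    "P6": Port("P6", untagged={300}, pvid=300),     # router's guest subnet
    "P7": Port("P7", untagged={300}, pvid=300),     # non-VLAN-aware AP #3 (guest only)
}

def forward(ingress, vlan_tag=None):
    """Flood one frame entering `ingress` (tagged `vlan_tag`, or untagged if
    None) and return {egress_port: tag_on_wire}; None means sent untagged."""
    src = PORTS[ingress]
    if vlan_tag is None:
        vid = src.pvid                 # untagged ingress: classify by PVID
    elif vlan_tag in src.members():
        vid = vlan_tag                 # tag accepted on this port
    else:
        return {}                      # tag not permitted here: dropped on ingress
    out = {}
    for name, port in PORTS.items():
        if name == ingress or vid not in port.members():
            continue                   # VLAN membership alone decides egress
        out[name] = vid if vid in port.tagged else None   # 'U' strips the tag
    return out

def guest_frame_reaches_office():
    """True if a guest-SSID frame (tag 300) from AP #1 lands on any office port."""
    return any(p in forward("P2", 300) for p in ("P1", "P4"))

if __name__ == "__main__":
    print("guest frame from AP#1 ->", forward("P2", 300))
    print("office frame from AP#1 ->", forward("P2", 100))
    print("guest leak to office?", guest_frame_reaches_office())
```

Note that a frame carrying a tag the ingress port is not a member of (for example tag 100 arriving on P7) is dropped, which is why the 'T'/'U' settings on both ends of each link must match, as fordem says.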