Hi,I am seeking some general direction in the best way to discriminate and segregate wireless AP traffic using a managed switch. I can set up several secure SSIDs on the AP and the AP can be set to tag traffic from each SSID with different Vlan IDs. My question is how do I keep traffic from one SSID private and allow it to access both private network and also the WAN whereas the other SSID clients are only to be able to connect to WAN and not be able to see the private traffic. In other words how may I split the tagged packets from the AP at the switch?Grateful for some guidance here on best approach please.Budgie2 I am using an M4100-DG12 managed switch.

First - what you need is not a "managed" switch, but a switch that supports VLANs, which most managed switches can do - if you're using a managed layer 2 switch, you will also need a router than understands VLANs. The M4100 series is a fully managed switch which allows interVLAN routing, so it will make your task easier. For the sake of discussion ... Let's say you're going to have an office VLAN and a guest VLAN, so you start by configuring the switch with those VLANs, one port of the switch is going to be a member of both VLANs and must be configured to passed "tagged" packets (this is known as a "trunk" port in some circles - the access point will connect to this port.. The wireless access point MUST support multiple SSIDs and understand VLAN tagging, and you will configure two SSIDs, for ease of discussion an office SSID and a guest SSID, and you will configure those SSIDs to be a part of the respective VLANs. At this point you should be able to ping a computer connected to an office VLAN port on the switch, from a computer on any other office VLAN port, or connected to the office SSID - BUT NOT from a computer connected to a guest VLAN port or the guest SSID. The next step will be to configure interVLAN routing on the switch and then set your access lists to prevent the guest VLAN from accessing the office VLAN. Assuming that you will be NATting the internet traffic (sharing a single public WAN ip address) you will need a router that can NAT multiple subnets.

First very many thanks for your reply. My router and connection to wan is firewall router with vlan capability and has three ports on three different subnets: Office, Guests and Private. My wifi access points are capable of running up to 4 SSIDs and vlan tagging each SSID, so I believe the hardware should be OK.Your understanding of my objective is spot on, so I shall now start over following follow your directions. Thanks again,Budgie2

Hi Fordem, Further to your advice I have set the following: M4100 Port 1 member Vlan 100, Vlan ID set to 100 tagging set 'T' This is connected to firewall router port 2 which has DHCP server giving addresses on Office subnet and vlan set to 100. M4100 Port 2 member Vlan 100, Vlan ID set 100 tagging set to 'U' This is not connected at present. M4100 Port 3 member Vlan 100, Vlan ID set to 100, tagging set 'U' This is connected to Office hub switch uplink M4100 Port 4 Member Vlan 100 and 300, Vlan ID set to 100, tagging set 'T' This is connected to wifi AP which has 2 SSIDs, one with Vlan 100 and second with Vlan 300. With this configuration I can log on to the Office SSID and receive an IP address and access wan. (Not surprisingly I cannot yet get an address if I log on to Guests SSID) I can ping from machine logged on to AP to machine on office subnet and vice versa. I cannot make a connection to the Guests SSID because I cannot yet get an IP address. At present I can ping machines on Guests subnet from Office subnet but this is because there is a route through the firewall for admin at present. If I filter this traffic out at firewall then there is no access between Office and Guests subnets. I have tried changing 'T' to 'U' on Port 1 but then connection fails. M4100 Port 6 member Vlan 300 Vlan ID set to 300 tagging set 'T' This is connected to firewall router port 3 which has DHCP server giving addresses on Guests subnet and valn set to 300. M4100 Port 7 member Vlan 300 Vlan ID set to 300 tagging set 'T' This is connected to another outdoor wifi AP which has 2 SSIDs set as above. This AP works as above but having tried it I have had to take down for now and restore simple access just for Guests. Please forgive lengthy message but am at bottom end of learning curve. Looking forward to next advice. Regards, Budgie2

First - is your firewall router a Netgear product? Second - if you configure the M4100 ports that connect to the firewall router to pass tagged packets, then the firewall router must know how to interpret the tags - conversely - if you're not passing tagged packets (and there is no need to since you have two links between the router and the switch, one for each VLAN), then the router should not be configured to do so - in other words both must match. You need to decide what device you want to use for DHCP and configure it accordingly, and also what device you will use for interVLAN routing - you apparently can do it in the router or the switch - the router might be the best place as the switch will not allow you to NAT the traffic (I'm assuming you're sharing a single WAN ip address).

Hi Fordem, Thanks for coming back to me so quickly. No, the firewall router is not a Netgear device. It was supplied by my ISP. It is a FireBrick 105 (now obsolete!) It has a fixed IP on WAN side with two ports connecting to two bonded ASDL lines. This is to give us bandwidth because we are out in the country and a long way from the exchange with only copper connection. There are three other ports and these are set up for three different subnets as described earlier in thread. The two subnets Office and Guests will both have one or two wifi access points and both access points have to be able to handle traffic for Office and Guests. With your help I am taking this one step at a time. If all goes well there is also one AP I have which is not vlan aware but which I would like to use for Guests only. This may not be possible given your earlier advice this has lower priority. On tagging, this is where my understanding is weak. I am assuming setting port 'T' will tag and 'U' will pass tagged frames but not change the tag. If I leave a port without either a T or U set, I understand that this effectively takes the port out of the vlan but am not sure I am correct. I tried with no vlan on router and 'U' on port 1 but couldn't get IP address. Based on experience so far I think I would prefer to set router and switch ports as 'T' tagged. On DHCP I would prefer to use firewall as DHCP server on all subnets. Regards, Budgie2

Help with discriminating wifi AP traffic please

17 Replies

fordem
Mentor
Oct 22, 2014
Ports 2 & 3 are what would be considered VLAN trunk ports in that they are passing data for both VLANs to the VLAN aware access points.

If the first VLAN aware access point is supporting both SSIDs (Office & Guest) and separating the traffic correctly, then the second VLAN aware access point will also do so.

Port 7 is a guest VLAN port ONLY and whatever is connected there will only receive data for the guest VLAN.

Computers connected to the office SSID should have their traffic passed to the office VLAN which includes the wired LAN network and through it to the router and the WAN; computers connected to the guest SSID should have their traffic passed to the guest VLAN, (which is separated from the wired LAN) and through the router to the WAN.

Office users should have access to the WAN and the office network, guest users should have access only to the WAN.
Budgie2
Aspirant
Oct 22, 2014
Hi Fordem, Thanks again. I will give it a try tonight or in the morning. I am not only hindered by needing to keep guests on line but also I am a power injector short so things may be more complicated. Will keep it simple for the trials. Where my understanding falls down is with the internal routing in the switch. Your first reply included the advice:-
The next step will be to configure interVLAN routing on the switch and then set your access lists to prevent the guest VLAN from accessing the office VLAN.
It was this I was expecting to do next but appears no longer necessary. Will get back to you after trial. Best wishes, Budgie
fordem
Mentor
Oct 22, 2014
That approach had to be revised because of the configuration of the firewall you are using - as far as I can tell the firebox has multiple internal interfaces and you are already "separating" the office & guest networks there, allowing the switch configuration to be significantly simpler.

Budgie2

Aspirant

Oct 25, 2014

fordem wrote:
That approach had to be revised because of the configuration of the firewall you are using - as far as I can tell the firebox has multiple internal interfaces and you are already "separating" the office & guest networks there, allowing the switch configuration to be significantly simpler.

fordem wrote:
That approach had to be revised because of the configuration of the firewall you are using - as far as I can tell the firebox has multiple internal interfaces and you are already "separating" the office & guest networks there, allowing the switch configuration to be significantly simpler.

Hi Fordem,
I was all set for testing but on Friday the power supply company had to shut us down while they changed a transformer and our systems did not come back up as they should.

In short the M4100 is now inaccessible. You will recall I had set a static IP for management but this could not be accessed, neither could the original default IP using a laptop directly connected.

In the end I did a factory reset with nothing connected. That should have enabled DHCP. I connected to DHCP server but no handshake took place.

Using USB port and Hyperterminal from XP laptop I could get in and run ezconfig but nothing could be saved consistently. I tried several factory resets and setting various Static IPs and enabling DHCP but still nothing.

Strangely the command set for the ezconfig is not all working. For example "show ip" gave me no result. "show network" did give me a result including the admin IP but this did not work. I may try CLI but meanwhile I am going to see if Netgear will stand by their lifetime guarantee and swap out the box.

Will get back to you when I have replacement hardware.
If you have any ideas on reading the above please let me know.
Regards,
Budgie

fordem
Mentor
Oct 25, 2014
A factory default M4100 should be accessible at an address in the 169.254 network (I don't remember what it is, but it's documented) - you will need to configure the computer being used for access at a 169.254 address and also to change this address when you set a new address on the M4100 (assuming you change the network portion of the address). Also - unlike most Netgear products you need to save any configuration changes as a separate step or they will be lost if the unit is powered off.

Budgie2

Aspirant

Oct 28, 2014

fordem wrote:
A factory default M4100 should be accessible at an address in the 169.254 network (I don't remember what it is, but it's documented) - you will need to configure the computer being used for access at a 169.254 address and also to change this address when you set a new address on the M4100 (assuming you change the network portion of the address).

Also - unlike most Netgear products you need to save any configuration changes as a separate step or they will be lost if the unit is powered off.

fordem wrote:
A factory default M4100 should be accessible at an address in the 169.254 network (I don't remember what it is, but it's documented) - you will need to configure the computer being used for access at a 169.254 address and also to change this address when you set a new address on the M4100 (assuming you change the network portion of the address). Also - unlike most Netgear products you need to save any configuration changes as a separate step or they will be lost if the unit is powered off.

Hi Fordem,
Just to update you on the saga of my problems; the reset button does not do a full reset on the device I have.

The instruction set in ezconfig is either wrong or ezconfig has a bug, certainly several instructions do not work, including "show running-config" which is what ezconfig suggests you run to check after you have finished.

The only way I could get back to "as supplied" configuration and thence to the web interface was to root the operating system and do a factory reset from root.

I now believe the in-band static (fixed) IP causes problems as somebody advised in another thread. My problem with DHCP for the management address is finding out what address has been set as I cannot fix it using mac address in the DHCP server in the firebrick. (A limitation of the interface and my linux skills!) I can however check active leases and find the IP by looking for the mac address on list.

Trouble is, for reasons I do not understand, the last time I used DHCP the switch didn't keep the same IP even though all systems were left unchanged and powered 24/7.

Thank you again for all your help. I shall keep trying and report back in due course.
Regards.
Budgie2

Budgie2
Aspirant
Nov 29, 2014
Hi Fordem,
Been working on other stuff for a while but am now able to return to this problem.

I now have all Vlan aware wifi APs, the M4100 is back to factory and I am ready to start over. I shall work with DHCP as static address caused too much grief.

This is just a quick note to ask if you are still there and able to help. Also should I start a new thread or persevere with this one?
Regards,
Budgie2

Forum Discussion

Help with discriminating wifi AP traffic please

17 Replies

Related Content

R7960P logs of outbound traffic

Please, Please, Please add "Force Ethernet Backhaul" to settings!!

DumaOS Traffic Prioritisation

Access Denied Help Please

LAX20-Analyse du trafic

NETGEAR Academy

ProSupport for Business