GS324TP - VLAN setup for Guest WiFi

Question

Needing some guidance on somewhat basic setup. The GS324TPs are what are confusing me.

I've followed some KBs, were slightly helpful and confusing at the same time.

2 offices, main and remote - connected via Fiber on 2 GS324TPs. That's been working for years.

Recently they requested to install Ubiquiti Wireless APs, setup the SSID, all working, surfing fine.

Adding a Guest Wifi - VLAN99

On Firewall, primary LAN - added VLAN99 with an IP of 10.255.0.1, with DHCP of 10-250

I've included snips and a drawing for layout to aid understanding.

no PVID used as there are no VLAN dedication (unless I'm missing something).

Every port needs to be VLAN aware of both VLAN. So as I'm typing this, I'm wondering if every port on both swtiches need to be trunks...

Both switches are setup the same here, both have VLAN99 set as Guest_Wifi

VLAN1 - Both are the same

VLAN99 - Main Switch

VLAN99 - Remote Switch

schumaku · Answer

What exactly do you want to achieve with the two VLANs? Especially what is the purpose of this guest network on the VLAN 99?
&nbsp;
PBG_from_TN&nbsp;wrote:
no PVID used as there are no VLAN dedication (unless I'm missing something).&nbsp;

Several things missing here I'd say. the PVID does define the VLAN where incoming untagged frames are sent to. For the primary network (VLAN 1), you have (leaving alone the trunks for the fiber link and the wireless APs) to set the VLAN 1 [U]ntagged ports (also the ones serving as trunks) to PVID 1.
&nbsp;
PBG_from_TN&nbsp;wrote:
Every port needs to be VLAN aware of both VLAN.&nbsp; So as I'm typing this, I'm wondering if every port on both switches need to be trunks.

Something badly wrong with this idea.&nbsp;
&nbsp;

Each 802.1q VLAN is per se an isolated, dedicated network, and it might hold it's own IP subnet.
You can only have ONE untagged VLAN configured&nbsp;on a port - all these VLAN 99 [U]ntagged don't make any sense.
Either a port (eg. to connect your office workstations and printers) is either on the VLAN 1 (untagged, PIVD 1 - you want the 192.168.1.0/24 network here, right?) or it's member of the guest network VLAN 99 (untagged, PVID 99) like say a port where a guest can connect his own computer.

&nbsp;
Should there be guest workstations or mobiles on the guest SSID and VLAN 99 requiring&nbsp;access to the office network, you go and configure your router accordingly.&nbsp;
&nbsp;

PBG_from_TN · Answer

Ok, so I've done everything wrong?&nbsp; check...&nbsp;Reason for 2 VLANs?&nbsp;&nbsp; I thought it would be obvious, but I guess not.&nbsp; Production vs Guests... Guests get routed directly to gateway and out to the internet.&nbsp;Any advice on how to fix? or should I just go get some Ubiquiti switches and be done with it?&nbsp;I'm more confused by your response than before....&nbsp;&nbsp;

schumaku · Answer

PBG_from_TN&nbsp;wrote:
Reason for 2 VLANs?&nbsp;&nbsp; I thought it would be obvious, but I guess not.&nbsp; Production vs Guests... Guests get routed directly to gateway and out to the internet.

What is configured did not made this so obvious my friend. That's why I had asked.
&nbsp;
PBG_from_TN&nbsp;wrote:
Ok, so I've done everything wrong?&nbsp; check...

No, just something - all these VLAN 99 [U]ntaged on ports where I would assume you have your computers and other systems connected ... these ports must not be member of the VLAN 99 in this case. Make them [ ] empty for VLAN 99.
&nbsp;
Oh it does not matter what brand of switches you are going to deploy - the learning curve is the same, the technology is the same.
&nbsp;
&nbsp;

PBG_from_TN · Answer

the 2 switches are purposefully for only what is plugged in, nothing else will be plugged into them except the WAPs, the fiber, CloudKey controller, and the uplink port.&nbsp;Sorry if I'm short, I'm frustrated to say the least.&nbsp;&nbsp;So remove any U/T from a port that is unused?&nbsp;Main Office  SwitchVLAN1 - 192.168.1.0/24 VLAN99 - 10.255.0.0/24 &nbsp;-&nbsp; waps are broadcasting both VLANs&nbsp;g17 - WAP - tag on VLAN99??&nbsp;g19 - WAP - tag on VLAN99??g21 - WAP - tag on VLAN99??g23 - Unifi CloudKey G2- ??g24 - uplink to firewallG25/G26&nbsp; - ??g25 - T/U or blank?g26 - T/U or blank?&nbsp;Remote Officeg1 - WAPg25 - T/U or blank?g26 - T/U or blank?&nbsp;&nbsp;&nbsp;&nbsp;

schumaku · Answer

PBG_from_TN&nbsp;wrote:
Sorry if I'm short, I'm frustrated to say the least.&nbsp;

Understood.
&nbsp;
However I can't take away the learning curve for your UniFi system and the basic VLAN requirements, plus what is configured on the firewall my friend. The config work is the same if oyu use a Netgear, a UniFi, a more generic Ubiquity, a Cisco or whatever other brand VLAN capable switch.
&nbsp;
The UniFi management runs on the primary untagged network (well, unless one does go and try to change it - but this will add more issues for non-experienced network people). Trouble is they don't tell this the unexperienced users 8-)
&nbsp;
Said that,
&nbsp;

the CloudKey must reside on an [U]ntagged port on your VLAN 1, PVID 1, not member of any other VLAN, so all empty for VLAN 99 [ ] - making the office network also the UniFi management network.
the WAP management and primary SSID does again reside on an [U]ntagged port on your VLAN 1 (office and management), PIVD 1 _plus_ for the guest SSID [T]agged VLAN 99.&nbsp;
the trunk between the two offices as above for the WAP, keep the primary VLAN 1 [U]ntaggged, PVID 1, the guest VLAN 99 [T]agged - ok.
Ports not intended to provide guest network access [ ] empty on the guest VLAN 99, just let the&nbsp;unused ports be just office network ports - you can keep the VLAN 1 [U]ntagged, PIVD 1.

Uplink to the firewall ... well, trying to read the crystal ball again:

unclear why you talk of two ports here
one could guess one port is for the office network&nbsp; VLAN 1 [U]ntagged, PVID 1 again _or_ the firewall is configured for VLAN 1 [T]agged, and the&nbsp;
other is the Guest network VLAN 99 [U]ntagged, PIVD 99 again _or_ the firewall port is configured for [T]agged.

&nbsp;
Said that - whatever switches you are going to deploy, these switch ports must be configued to work with your firewall and it's two links and two security zones and/or interfaces, your WAC of choice, and your wireless system controller. Nothing of this is coming from Netgear so a lot of grey guessing zone here. Can' take away the burden of exactly knowing what and how a conneced device is configured, being the firewall, the WAC, the CloudKey, ...
&nbsp;
So don't blame the messenger who is managing bunches of small and medium businesses and venues with Netgear, and some large venues with UniFi, plus some more in my spare time... beyond nursing some network manufacturers on making thier stuff better.
&nbsp;
Last but not least, the question on what to do with "unused" ports - this requires some policy how to handle these ports. Experienced security and network people have a capture all VLAN, a dummy black hole VLAN, for such purposes. So nothing cna go wrong if a random person is connecting his computer there .... Another layer of complexity in network management.

Forum Discussion

GS324TP - VLAN setup for Guest WiFi

7 Replies

Related Content

S350 Series GS324TP

GS324TP S350 Basic VLAN Setup Not Working

WAX630 Guest WiFI setup

GS324TP - Help configuration

Guest network

NETGEAR Academy

ProSupport for Business