Forum Discussion
PBG_from_TN
Jun 30, 2021, Aspirant
GS324TP - VLAN setup for Guest WiFi
Needing some guidance on somewhat basic setup. The GS324TPs are what are confusing me. I've followed some KBs, were slightly helpful and confusing at the same time. 2 offices, main and remote - c...
schumaku
Jun 30, 2021, Guru - Experienced User
What exactly do you want to achieve with the two VLANs? Especially what is the purpose of this guest network on the VLAN 99?
PBG_from_TN wrote:
no PVID used as there are no VLAN dedication (unless I'm missing something).
Several things missing here I'd say. The PVID does define the VLAN where incoming untagged frames are sent to. For the primary network (VLAN 1), you have (leaving alone the trunks for the fiber link and the wireless APs) to set the VLAN 1 [U]ntagged ports (also the ones serving as trunks) to PVID 1.
PBG_from_TN wrote:
Every port needs to be VLAN aware of both VLAN. So as I'm typing this, I'm wondering if every port on both switches need to be trunks.
Something badly wrong with this idea.
- Each 802.1q VLAN is per se an isolated, dedicated network, and it might hold its own IP subnet.
- You can only have ONE untagged VLAN configured on a port - all these VLAN 99 [U]ntagged don't make any sense.
- A port (e.g. to connect your office workstations and printers) is either on VLAN 1 (untagged, PVID 1 - you want the 192.168.1.0/24 network here, right?) or it's a member of the guest network VLAN 99 (untagged, PVID 99), like say a port where a guest can connect his own computer.
Should there be guest workstations or mobiles on the guest SSID and VLAN 99 requiring access to the office network, you go and configure your router accordingly.
PBG_from_TN
Jun 30, 2021, Aspirant
Ok, so I've done everything wrong? check...
Reason for 2 VLANs? I thought it would be obvious, but I guess not. Production vs Guests... Guests get routed directly to gateway and out to the internet.
Any advice on how to fix? or should I just go get some Ubiquiti switches and be done with it?
I'm more confused by your response than before....
schumaku
Jun 30, 2021, Guru - Experienced User
PBG_from_TN wrote:
Reason for 2 VLANs? I thought it would be obvious, but I guess not. Production vs Guests... Guests get routed directly to gateway and out to the internet.
What is configured did not make this so obvious my friend. That's why I had asked.
PBG_from_TN wrote:
Ok, so I've done everything wrong? check...
No, just something - all these VLAN 99 [U]ntagged on ports where I would assume you have your computers and other systems connected ... these ports must not be a member of VLAN 99 in this case. Make them [ ] empty for VLAN 99.
Oh it does not matter what brand of switches you are going to deploy - the learning curve is the same, the technology is the same.
PBG_from_TN
Jun 30, 2021, Aspirant
The 2 switches are purposefully for only what is plugged in; nothing else will be plugged into them except the WAPs, the fiber, CloudKey controller, and the uplink port.
Sorry if I'm short, I'm frustrated to say the least.
So remove any U/T from a port that is unused?
Main Office Switch
VLAN1 - 192.168.1.0/24
VLAN99 - 10.255.0.0/24
- waps are broadcasting both VLANs
g17 - WAP - tag on VLAN99??
g19 - WAP - tag on VLAN99??
g21 - WAP - tag on VLAN99??
g23 - Unifi CloudKey G2- ??
g24 - uplink to firewall G25/G26 - ??
g25 - T/U or blank?
g26 - T/U or blank?
Remote Office
g1 - WAP
g25 - T/U or blank?
g26 - T/U or blank?
schumaku
Jun 30, 2021, Guru - Experienced User
PBG_from_TN wrote:
Sorry if I'm short, I'm frustrated to say the least.
Understood.
However I can't take away the learning curve for your UniFi system and the basic VLAN requirements, plus what is configured on the firewall my friend. The config work is the same if you use a Netgear, a UniFi, a more generic Ubiquiti, a Cisco or whatever other brand VLAN capable switch.
The UniFi management runs on the primary untagged network (well, unless one does go and try to change it - but this will add more issues for non-experienced network people). Trouble is they don't tell this to the inexperienced users 8-)
Said that,
- the CloudKey must reside on an [U]ntagged port on your VLAN 1, PVID 1, not member of any other VLAN, so all empty for VLAN 99 [ ] - making the office network also the UniFi management network.
- the WAP management and primary SSID does again reside on an [U]ntagged port on your VLAN 1 (office and management), PVID 1 _plus_ for the guest SSID [T]agged VLAN 99.
- the trunk between the two offices as above for the WAP, keep the primary VLAN 1 [U]ntagged, PVID 1, the guest VLAN 99 [T]agged - ok.
- Ports not intended to provide guest network access [ ] empty on the guest VLAN 99, just let the unused ports be just office network ports - you can keep the VLAN 1 [U]ntagged, PVID 1.
Uplink to the firewall ... well, trying to read the crystal ball again:
- unclear why you talk of two ports here
- one could guess one port is for the office network VLAN 1 [U]ntagged, PVID 1 again _or_ the firewall is configured for VLAN 1 [T]agged, and the
- other is the Guest network VLAN 99 [U]ntagged, PVID 99 again _or_ the firewall port is configured for [T]agged.
Said that - whatever switches you are going to deploy, these switch ports must be configured to work with your firewall and its two links and two security zones and/or interfaces, your WAC of choice, and your wireless system controller. Nothing of this is coming from Netgear so a lot of grey guessing zone here. Can't take away the burden of exactly knowing what and how a connected device is configured, being the firewall, the WAC, the CloudKey, ...
So don't blame the messenger who is managing bunches of small and medium businesses and venues with Netgear, and some large venues with UniFi, plus some more in my spare time... beyond nursing some network manufacturers on making their stuff better.
Last but not least, the question on what to do with "unused" ports - this requires some policy how to handle these ports. Experienced security and network people have a capture all VLAN, a dummy black hole VLAN, for such purposes. So nothing can go wrong if a random person is connecting his computer there .... Another layer of complexity in network management.
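The membership rules schumaku lays out in his two replies (one untagged VLAN per port, the PVID decides where an untagged incoming frame lands, VLAN 99 [T]agged only on WAP and trunk ports, VLAN 99 left [ ] empty on the CloudKey and on ordinary office ports, and a black-hole VLAN for unused ports) can be checked mechanically before touching the switch. The following is an added example written for this page; it is not code from the thread, from NETGEAR or from Ubiquiti. It models a GS324TP port as a PVID plus untagged and tagged membership sets, traces where a frame goes, and lints the main-office port plan built from the port list PBG_from_TN posted. VLAN 1, VLAN 99 and ports g17/g19/g21/g23/g24/g25/g26 come from the thread; the black-hole VLAN id 999 and the separate firewall guest port are assumptions.

```python
# Added example (not from the thread, NETGEAR or Ubiquiti): a small 802.1Q
# port-membership model that applies the rules given in the replies above and
# lints a port plan for the main-office GS324TP.
from dataclasses import dataclass, field
from typing import Optional, Set, List

OFFICE, GUEST, BLACKHOLE = 1, 99, 999   # 999 is an assumed "capture all" black-hole VLAN


@dataclass
class Port:
    name: str
    pvid: int
    untagged: Set[int] = field(default_factory=set)
    tagged: Set[int] = field(default_factory=set)

    def ingress(self, vlan_tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is placed in, or None if the switch drops it.
        Untagged frames always land in the PVID; tagged frames are accepted
        only for VLANs the port is a member of."""
        if vlan_tag is None:
            return self.pvid
        if vlan_tag in self.tagged or vlan_tag in self.untagged:
            return vlan_tag
        return None

    def egress(self, vlan: int) -> Optional[str]:
        """How a frame of `vlan` leaves this port: 'untagged', 'tagged', or
        None if the port is not a member (the frame is never sent out here)."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return "tagged"
        return None


def forward(src: Port, vlan_tag: Optional[int], dst: Port) -> Optional[str]:
    """Trace one frame: ingress on src (tagged or untagged), egress on dst."""
    vlan = src.ingress(vlan_tag)
    return None if vlan is None else dst.egress(vlan)


def lint(ports: List[Port]) -> List[str]:
    """Flag the membership combinations the replies call out as wrong."""
    problems = []
    for p in ports:
        if len(p.untagged) > 1:
            problems.append(f"{p.name}: {sorted(p.untagged)} all untagged; only one untagged VLAN per port")
        if p.pvid not in p.untagged:
            problems.append(f"{p.name}: PVID {p.pvid} is not the port's untagged VLAN")
        if p.untagged & p.tagged:
            problems.append(f"{p.name}: VLAN {sorted(p.untagged & p.tagged)} both tagged and untagged")
    return problems


def wap_port(name: str) -> Port:
    # Access point: management + primary SSID untagged on VLAN 1, guest SSID tagged 99.
    return Port(name, pvid=OFFICE, untagged={OFFICE}, tagged={GUEST})


def main_office_plan() -> List[Port]:
    """Corrected plan for the main-office switch, following the replies."""
    return [
        wap_port("g17"), wap_port("g19"), wap_port("g21"),
        Port("g23-cloudkey", pvid=OFFICE, untagged={OFFICE}),                  # VLAN 99 left [ ] empty
        Port("g24-fw-office", pvid=OFFICE, untagged={OFFICE}),                 # firewall, office zone
        Port("fw-guest", pvid=GUEST, untagged={GUEST}),                        # assumed second firewall link, port not given in thread
        Port("g25-fiber-trunk", pvid=OFFICE, untagged={OFFICE}, tagged={GUEST}),
        Port("g26-unused", pvid=BLACKHOLE, untagged={BLACKHOLE}),              # black-hole VLAN, assumption
    ]


def port(name: str) -> Port:
    """Look up a port of the corrected plan by name."""
    return {p.name: p for p in main_office_plan()}[name]


def original_mistake() -> Port:
    # The pattern in the first post: VLAN 99 [U]ntagged on top of VLAN 1 [U]ntagged.
    return Port("g1", pvid=OFFICE, untagged={OFFICE, GUEST})


if __name__ == "__main__":
    print("lint(corrected plan):", lint(main_office_plan()))
    print("lint(original pattern):", lint([original_mistake()]))
    print("guest SSID frame, WAP -> fiber trunk:", forward(port("g17"), GUEST, port("g25-fiber-trunk")))
    print("guest SSID frame, WAP -> CloudKey:", forward(port("g17"), GUEST, port("g23-cloudkey")))
    print("stray laptop on unused g26 -> firewall office link:", forward(port("g26-unused"), None, port("g24-fw-office")))
```

Running it shows the corrected plan lints clean, the original VLAN 1 + VLAN 99 double-untagged port is flagged, a guest-SSID frame from a WAP leaves the fiber trunk tagged 99 and never reaches the CloudKey port, and an untagged frame from a device plugged into the black-hole port has no egress anywhere on the office or guest network.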