VLAN compatibility: Help before buying WAC505 or WAC510

chopin70
Virtuoso

Hi,

 

I currently have a ProSafe GS108Ev3 switch and a non business R7000 Nighthawk router.

I want to disable wifi on the router and setup the WAC5xx AP to provide local Wifi and guest wifi through different VLANs, so that the guest SSID has only internet access.

 

ProSafe GS108Ev3 and WAC505 support the 802.1Q VLAN protocol, however the R7000 router doesn't.

 

I imagined this setup:

- connect the WAC505 to port 1 of the Switch

- connect port 2 of Switch to Port 1 of R7000 router

- internet modem will connect to WAN port of R7000 router

- I create 2 different VLAN IDs on the Switch tagged to port 1

- I setup 2 SSIDs on the WAC505 with client separation and assign them to the 2 VLAN IDs

 

Will my setup work and let me isolate the guest VLAN from my local network, giving it only internet access?

Or do I also need my router to be VLAN aware?

 

Best regards

Model: WAC505|Insight Managed Smart Cloud Wireless Access Point
Message 1 of 14

TheEther
Guru

Re: VLAN compatibility: Help before buying WAC505 or WAC510

You really need a VLAN aware router or a really good firewall, neither of which the R7000 is. You can get both by installing third party firmware. Setting it up is no cakewalk.
Message 2 of 14
chopin70
Virtuoso

Re: VLAN compatibility: Help before buying WAC505 or WAC510

Maybe my first post was not clear.

 

Technically, the router doesn't need to be VLAN aware, I can just add the 2 switch ports where AP and router are connecting to a common tagged trunk for both VLANs. The router ports will be shared though unless using an open source FW to link them to the private VLAN.

 

What I am not sure is if the WAC505 / WAC510 setup will allow such a setup. Can I setup different SSIDs on the APs and link them to the correct VLAN IDs? Can I setup the AP LAN ports as part of the VLAN instead of PoE? In the manual it is not clear and they even mention somewhere that the VLAN setup is different from one on the LAN. Also, can I manage this with WAC505 that only has one LAN port that seems a mixed LAN/PoE port?

 

If I buy the WAC510, is the WAN port configurable/usable for VLANs or only serving for PoE ?

 

VLAN setup depends on vendors and I am not sure I can isolate the wifi SSIDs from the WAC with my setup

 

So, I am waiting for some technically competent user owning one of these devices or a Netgear tech before buying one of these 2 APs

Message 3 of 14
TheEther
Guru

Re: VLAN compatibility: Help before buying WAC505 or WAC510


@chopin70 wrote:

> Maybe my first post was not clear.
>
> Technically, the router doesn't need to be VLAN aware, I can just add the 2 switch ports where AP and router are connecting to a common tagged trunk for both VLANs. The router ports will be shared though unless using an open source FW to link them to the private VLAN.

You can't mark the switch port connected to the R7000 as a tagged trunk. For that reason, traffic received by the R7000 from the different VLANs won't necessarily be isolated.

> What I am not sure is if the WAC505 / WAC510 setup will allow such a setup. Can I setup different SSIDs on the APs and link them to the correct VLAN IDs?

Judging from the manual, no. The Ethernet interface can only be configured with 1 802.1Q VLAN ID. IMO, this makes these two products useless for VLAN tagging.

> Can I setup the AP LAN ports as part of the VLAN instead of PoE?

It's not an either or situation. PoE merely determines how the AP is powered. You can certainly run a VLAN over a PoE port.

> If I buy the WAC510, is the WAN port configurable/usable for VLANs or only serving for PoE?

Same as above.

> VLAN setup depends on vendors and I am not sure I can isolate the wifi SSIDs from the WAC with my setup

It certainly appears that you cannot tag traffic for each SSID with unique 802.1Q VLAN IDs, so this is not the product you are looking for.

> So, I am waiting for some technically competent user owning one of these devices or a Netgear tech before buying one of these 2 APs

Hopefully, a user with direct experience can confirm.

Message 4 of 14
chopin70
Virtuoso

Re: VLAN compatibility: Help before buying WAC505 or WAC510

I dug into both WAC505 and WAC510 manuals.

It is really confusing.

- WAC505 manual says we can assign a dedicated VLAN ID per SSID, but it mentions that "This VLAN ID is not the same as the 802.1Q VLAN ID that is used for the wired network"

- WAC510 manual: same but it even confuses things by talking about some stripped down router mode

 

In the section "AP Mode: Set the 802.1Q VLAN and Management VLAN", it seems it only supports two function modes: tagged or untagged

- in tagged mode, every untagged frame is dropped

- in untagged, all untagged frames are assigned to the VLAN ID specified

- in any mode, we must choose ONE vlan ID

 

At first, I imagined I can set it to tagged, but what is that VLAN ID I must specify, and what is the use of this tagged mode if the IDs are not the same as on the wired network?

 

So at the end, my question is so simple: does this AP really support VLAN tagging and membership? They mention in support forums that we can separate the two Wifi SSIDs by assigning them to 2 different VLAN IDs, but what's the deal if the VLAN IDs are not the same as the wired network?

 

Hope someone can look at my post 1 and answer if my setup is possible using the WAC5xx models or if I should look at other alternatives

Message 5 of 14
Retired_Member
Not applicable

Re: VLAN compatibility: Help before buying WAC505 or WAC510

Hi chopin70,

 

The WAC505 and WAC510 both support 802.1Q VLANs and are suitable for your requirement, however as per TheEther’s comment your limitation is at the R7000 not being VLAN aware.

 

For your setup you intend on having 2 VLANs, and each VLAN will have its own IP subnet. As the R7000 is only aware of one VLAN and one subnet, you will not be able to route the traffic from the second VLAN and provide Internet access to that VLAN.

To work around this you would need a smart switch with L3 services like an S3300 or else a Fully Managed switch with dedicated routing functions. Alternative is to swap out the R7000 for a router that is VLAN aware.

 

Regarding the VLAN configuration on the AP, it is configured in 2 places:

1. On the Ethernet LAN port. If the AP is serving only one VLAN, it can be left at default VLAN 1 Untagged and the switch port the AP is connecting into would be Untagged. If the AP is servicing multiple VLANs, the switch port would need to be tagged in all VLANs the AP is servicing and depending on which VLAN your management VLAN is running on, you may need to change the 802.1Q VLAN settings on the AP.

2. On the SSID configuration page. If you have 2 SSIDs each servicing a separate VLAN, you would specify the VLAN ID within the SSID configuration page. Then depending on which SSID a wifi client is connecting to they will operate in the VLAN the SSID is servicing. For example:

SSID1 > VLAN 100

SSID2 > VLAN 200

 

Please see the following knowledge base article. It is based on an older AP model (WNDAP620) so the web GUI is different from what WAC505/WAC510 looks like but the operation is the same, it will give you an idea of how the VLAN settings work depending on whether the AP is working in a dedicated VLAN or it is servicing multiple VLANs - https://kb.netgear.com/30611/How-do-I-create-multiple-SSID-s-to-operate-on-multiple-VLAN-s

 

Finally… you could make use of the Client Separation function on the WAC505/510. When enabled it allows wifi clients to connect to the wireless network (SSID), and get to the Internet but each client cannot see the other connected wifi clients or LAN connected devices, like you would see in a café hotspot.

You could create a second SSID for guests only, and enable Client Separation on that SSID, those clients get Internet access, but no other access to any other network devices. See the user manual at page 38 for more info on this http://www.downloads.netgear.com/files/GDC/WAC510/WAC510_UM_EN.pdf?cid=wmt_netgear_organic

 

Regards

DavidGo

Message 6 of 14
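
A small Python model of the layout discussed up to this point, added here as an illustration (it is not part of any post and not Netgear code): it reads the 802.1Q VLAN ID from a frame, applies the tagged/untagged uplink rule quoted from the manual, and audits a planned switch layout for the isolation problem raised in the thread. Function names, port numbers and MAC addresses are constructed, and the rule that an already-tagged frame keeps its VLAN ID is an assumption.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag

def vlan_of(frame: bytes):
    """VLAN ID carried by an Ethernet frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF  # low 12 bits = VID

def ap_uplink_vlan(frame: bytes, mode: str, vlan_id: int):
    """AP Ethernet-port rule as summarised in the thread: 'tagged' mode drops
    untagged frames (None), 'untagged' mode assigns them to vlan_id.
    Assumption: a frame that already carries a tag keeps its own VLAN ID."""
    vid = vlan_of(frame)
    if vid is None:
        return None if mode == "tagged" else vlan_id
    return vid

def audit(ssid_vlans, ports, ap_port, router_port, router_vlan_aware):
    """Return findings that break guest isolation in a planned layout."""
    findings = []
    ap, rt = ports[ap_port], ports[router_port]
    for ssid, vid in ssid_vlans.items():
        if len(ssid_vlans) > 1 and vid not in ap["tagged"]:
            findings.append(f"{ssid}: VLAN {vid} is not tagged on AP port {ap_port}")
        if vid not in rt["tagged"] | rt["untagged"]:
            findings.append(f"{ssid}: VLAN {vid} never reaches router port {router_port}")
    if not router_vlan_aware:
        if rt["tagged"]:
            findings.append("router is not VLAN aware but its port sends tagged frames")
        if len(rt["untagged"]) > 1:
            findings.append("several VLANs leave the router port untagged: "
                            "the router sees them as one network, no isolation")
    return findings

# Constructed sample data (hypothetical port numbers and MAC addresses).
SSIDS = {"SSID1": 100, "SSID2": 200}
PLAN = {1: {"tagged": {100, 200}, "untagged": set()},      # port 1 -> AP
        2: {"tagged": set(), "untagged": {100, 200}}}      # port 2 -> router
GUEST_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "8100" "00c8" "0800") + b"\x00" * 46

if __name__ == "__main__":
    print("guest frame VLAN:", vlan_of(GUEST_FRAME))
    print("\n".join(audit(SSIDS, PLAN, 1, 2, router_vlan_aware=False)))
```

An empty list from `audit` means the model found nothing that merges the two VLANs; it does not replace testing from a guest client on the real hardware.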
chopin70
Virtuoso

Re: VLAN compatibility: Help before buying WAC505 or WAC510

This is really a great explanation, many thanks. After this, I am opting for the WAC510

However, I have 3 more, simpler questions before deciding:

 

- on the WAC510, can I also assign the 2 LAN ports to specific VLANs ?

- client separation for the SSID aimed to be "guest" can work on a non aware VLAN network ?

- loading Tomato or XWRT on the R7000, will allow it to setup VLAN subs and make my setup possible with 2 VLANs on the WAC510 ?

 

Best regards

Message 7 of 14
TheEther
Guru

Re: VLAN compatibility: Help before buying WAC505 or WAC510


@chopin70 wrote:

> - loading Tomato or XWRT on the R7000, will allow it to setup VLAN subs and make my setup possible with 2 VLANs on the WAC510 ?

Just answering this question. I have set up VLANs using XWRT on the R7000 and it works. It is NOT straightforward because XWRT has no GUI support for VLANs; they must be set up using a script.

 

I have limited experience with Tomato but IIRC, it does have GUI support for VLANs.

Message 8 of 14
dynamiX
Star

Re: VLAN compatibility: Help before buying WAC505 or WAC510

hey

i had a similar setup (R7000 and 2x WAC505)

i gave up on the VLAN thing - it's just a mess.

if you want guest access SSID you have to wait for future implementation 

see post https://community.netgear.com/t5/Business-Wireless/struggling-with-guest-WiFi-on-my-WAC505/m-p/14193...

 

inputs / make things better could be posted here and click the KUDOS button

https://community.netgear.com/t5/NETGEAR-Insight-Management-App/What-feautures-would-i-you-like-to-h...

 

i really hope netgear will push out a lot of the missing features with the new update. the product is just not finished yet, well not even that, it's just an alpha

 

Message 9 of 14
chopin70
Virtuoso

Re: VLAN compatibility: Help before buying WAC505 or WAC510

Do you mean the "client separation" SSID feature is broken ?

 

Message 10 of 14
dynamiX
Star

Re: VLAN compatibility: Help before buying WAC505 or WAC510

don't know, but i couldn't get it working either so i gave up (on the different SSID) :-)

have not bothered because i still hope Netgear will bring the update soon and make things easier.

reading again your thread i just figured out you're talking about VLAN only, not different / guest SSID

maybe i need some sleep, reset my head. sorry if i bumped in your thread...

Message 11 of 14
chopin70
Virtuoso

Re: VLAN compatibility: Help before buying WAC505 or WAC510

So, I am left with these 2 before buying the WAC510

- can I also assign the 2 LAN ports to specific VLANs on the WAC510 ?
- Does the client separation for SSID work on a non aware VLAN network ?

Hope you can still answer this @Retired_Member

 

Message 12 of 14
Retired_Member
Not applicable

Re: VLAN compatibility: Help before buying WAC505 or WAC510

 

@chopin70,

 

to answer your questions...

- can I also assign the 2 LAN ports to specific VLANs on the WAC510 ? > you only use both ports when the WAC510 is used in Router mode. In this mode the WAN port is connected to your modem, and the LAN port is used as uplink to your network, i.e. into a network switch.

When it's used as a standalone AP you use the WAN port to uplink the AP to the network and the VLAN settings are as per my first reply, it depends on whether the AP will support single SSID or multiple SSIDs on multiple VLANs. You don't assign VLANs to the 2 ports.

 

- Does the client separation for SSID work on a non aware VLAN network ? > I have re-tested it and it doesn't work as you need it, this will not be an option for you. The feature works in that wireless clients connected to the SSID where it is enabled will not be able to communicate with each other, but they can still see and communicate to other devices on the LAN. You do really need VLANs to get the setup you desire, unfortunately that means a VLAN aware router.

 

Regards

DavidGo

Message 13 of 14
chopin70
Virtuoso

Re: VLAN compatibility: Help before buying WAC505 or WAC510

Many thanks @Retired_Member

This topic should be pinned or added to the online manual :-)

 

A last question: is there an affordable Netgear router/firewall, not necessarily wifi enabled, that supports multiple VLANs natively?

Ideally with a 10Gb future-proof port, else without if far too expensive. As a last solution, I will flash Tomato on the R7000

 

 

Message 14 of 14