I currently have everything connected to Green while Blue is not connected. I want some of my wireless devices to have full access to my network, that is why they are on Green. I also want to offer a guest network on a separate VLAN to isolate guests and IoT devices from the network. I understand that I can’t bind the Green NIC with two VLAN tags, is this correct?
If so, I would like to use the Blue interface for my VLAN and leave the Green interface untagged. I am stuck on how to configure this. I don’t think I can set up Blue in a different sub net (instead of VLAN tagging), because the AP gets it’s IP from Green DHCP. As such, I think I need to set up Blue within the same sub-net as Green, however, then I don’t understand how to set up DHCP for guest devices.
I have three ports on my IPFire box, one of which is available and I had assigned it as a Blue interface, but not yet configured it.
I don’t want to connect my AP to my IPFire box, because I have several WiFi devices that I need to keep on the Green network in order to access the network printer and my file server. I can connect both Green and Blue to my managed switch, I am just trying to figure out to configure them.
I connect the blue and green ports from IPFire to my managed switch. I set the IPFire ports to a different VLAN ID for blue and green.
Then the wireless AP gets connected to the managed switch and that port is tagged to use the blue and green vlan id’s. My wireless access point has its IP on my green network so management of it is done via PC’s on the green network.
I created two VLANs on the WAP, one with the blue VLAN ID and the other with the green VLAN ID. The ssid’s are defined for each vlan with a different password etc.
Then packets from the blue wap vlan id will only go to the blue IPFire port and those from the green vlan id will only go to the green IPFire port.
This has all been working for several years now, although setting it up initially took a lot of work to properly understand the vlan way of working for my systems.
The naming of the vlan setup will be different as you are using a Unifi wap and switch whereas I am using TP Link wap’s and switches. So my terminology won’t directly apply to your setup but it can be done. You just have to work at it bit by bit. It is good to create a diagram of the switch and what is connected to it and whether the ports need to be tagged or untagged in terms of vlans. If a port is set as untagged then the vlan id header is removed for any packets being sent out on that port. That would apply for instance for a green pc connected to a port as the pc is likely to not have a vlan id set.
For the port where the wap is connected then you would want that port to be tagged for both the blue and green vlan id’s as both the switch port and the wap port will work with the two vlan id’s.
I have seen other people using Unifi systems on the forum so maybe some of them have experience with setting vlans up on those equipments and can provide input on the nomenclature that those systems use.
That is exactly what I want to do. My remaining question is what IP range to set for Blue? Should the Blue and Green be within the same subnet?
If so, do I just give the Blue port an IP within the same subnet range that I established for Green?
What about DHCP? How do devices connecting to my Blue VLAN get an assigned address if they are not served by the DHCP on Green?
Will this work?
Green IP: 192.168.10.1 subnet mask: 255.255.255.0 VLAN untagged
DHCP range 192.168.10.20 — 192.168.10.120
Blue 192.168.10.2 subnet mask: 255.255.255.0 VLAN tag number
DHCP range 192.168.10.130 — 192.168.10.230
With my TP LINK systems the wap gets assigned one IP address. This can be by dhcp from IPFire but I gave mine fixed IPs from the Green subnet as sometimes the dhcp played up and gave a wrong IP. On IPFire I have the wap listed in the hosts file and I have it also listed in the dhcp fixed leases but disabled. This entry is just so I remember that the IP is already assigned.
Then the two ssid’s are assigned VLAN ID’s each of which is associated with an IP subnet from IPFire.
The APs get one IP address in the green network - so to speak a management ip address. - And the blue network, ist just assigned with an different subnet, ssid and vlan - and connected via the seperate port to the IPFire.
The green and blue networks can be routed together via the IPFire - But the most common case is, the blue “guest” devices should just be routed to the outside internet, and not be able to get to any devices in the green network. If needed - then rules could be established to allow devices from blue to green, or green to blue.
