VLAN question
-
@dashrender said in VLAN question:
If the router has switch ability built in, then the router might allow VLAN1 traffic on all ports of the switch. You don't seem to want this, so you should disable the switch feature, if the router has this feature.
Correct, that has already been turned off or blocked on the port going to floor 2, keeping the 2nd floor isolated.
@dashrender said in VLAN question:
So this is failover only? You're not routing traffic for floor 1 out ISP 1 and floor 2 out ISP 2, right?
The 2nd floor does not rely on the internet as much as the 1st floor. The 1st floor has it's main internet connection and uses the 2nd internet as a backup in the event that their's goes down. Floor 2 uses the 2nd internet connection as it's main isp. This is all handled by the firewall.
Everything is working as designed and the two floors are separated, my only sticking point is that the 2nd floor switch (EdgeSwtich) has its default vlan (vlan1) as the 172.16.0.0 network but on the 1st floor and the firewall the default vlan is the 192.168.1.0 network. While I understand how this is setup now, is there a better way of configuring it.
-
Better in this situation is in the eye of the beholder.
Personally, I would use the default VLAN on both floor 1 and floor 2 switches for production networks, then make a VLAN 1 on both switches and assign the need IPs.
The router should treat each interface completely independently from each other. Then you mainly have to remember that VLAN default is prod and VLAN 1 is guest, regardless of what network (floor 1 or 2) you're connected to.
Is my way better than your current setup? Maybe yes maybe no.
You can also do what you mentioned, leave the firewall along and change the untagged ports to all VLAN3, and trunk the ports that need VLAN 4 as needed for guest access to WiFi.
-
With two legally separate entities, I would not even use a VLAN. I would plug the 2nd floor stuff into a different port on the router No VLAN required to separate. Just some firewall rules to keep traffic separate.
Unless as someone else mentioned this overpriced Meraki gear is actually a switch and not a router. Then you are screwed and have to VLAN everything.
-
@jaredbusch said in VLAN question:
With two legally separate entities, I would not even use a VLAN. I would plug the 2nd floor stuff into a different port on the router No VLAN required to separate. Just some firewall rules to keep traffic separate.
Unless as someone else mentioned this overpriced Meraki gear is actually a switch and not a router. Then you are screwed and have to VLAN everything.
you completely missed the fact that the OP is trying to use the same APs for both prod and guest access.
And the two different legal entities are coming into two different ports on the router.
The port on the firewall connecting to the first-floor switch is a trunk port on the native VLAN allowing VLANs 1 and 2. The port on the firewall connection to the 2nd-floor switch is also a trunk port allowing VLANs 3 and 4 with 3 being the native VLAN on that port.
-
@dashrender said in VLAN question:
@jaredbusch said in VLAN question:
With two legally separate entities, I would not even use a VLAN. I would plug the 2nd floor stuff into a different port on the router No VLAN required to separate. Just some firewall rules to keep traffic separate.
Unless as someone else mentioned this overpriced Meraki gear is actually a switch and not a router. Then you are screwed and have to VLAN everything.
you completely missed the fact that the OP is trying to use the same APs for both prod and guest access.
Two separate production networks. The only VLAN needed is VLAN2 on each network. Production wireless has no need for separation from production LAN. It is all production.
And the two different legal entities are coming into two different ports on the router.
The port on the firewall connecting to the first-floor switch is a trunk port on the native VLAN allowing VLANs 1 and 2. The port on the firewall connection to the 2nd-floor switch is also a trunk port allowing VLANs 3 and 4 with 3 being the native VLAN on that port.
I got that, and if his router was really a router, he would not be having problems.
Here is how it would work on my ERL. Obviously I need more than a ERL for his scenarios because he also has dual WAN. So he need 4 router ports.
WAN on eth0
ethernet eth0 { address dhcp description "WOW WAN" dhcp-options { default-route update default-route-distance 210 name-server no-update } duplex auto speed auto }1st floor on eth1
ethernet eth1 { address 10.254.103.1/24 description "Jared LAN" duplex auto speed auto vif 2 { address 10.254.104.1/24 description "Jared Guest WiFi" } }2nd floor on eth2
ethernet eth2 { address 10.254.105.1/24 description "Jason LAN" duplex auto speed auto vif 2 { address 10.254.106.1/24 description "Jason Guest WiFi" } } -
Then you set some drop rules in the firewall to prevent the router from routing anything between the two.
-
@jaredbusch
Are you creating vlans on the ERL? -
@i3 said in VLAN question:
@jaredbusch
Are you creating vlans on the ERL?My example there was yes.
That doesn't help your original question directly. But the idea is the same.
-
@JaredBusch example follows my suggest of using the default VLAN and what he labeled VLAN2 for the wifi.
