
I am based in Germany and have a bit of an interesting setup for a 3-room apartment. I have a modem connected to my DSL internet, then a mini PC acting as an OPNSense-based firewall, a managed switch (TP-Link TL-SG108PE) and two Wi-Fi access points (Netgear WAX615 and NETGEAR WAX214). Currently every device is getting a 192.168.1.0/24 IP address, which should be my main IP address pool for my own devices that should be able to interact with each other. I want to also have external devices from friends inside my network, but on a different subnet, 192.168.4.0/24, and they are not allowed to interact with any of the devices of the network, only with the internet. This subnet I have already set up on my OPNSense as a VLAN with the tag 4. Now I would love for one Wi-Fi network (and one other port of the switch) to send every new connection into the private VLAN 4 subnet and for the other Wi-Fi network (and the rest of the ports on the switch) to send every new connection to the default IP address space. I haven't done any tweaking on the switch setup and the Wi-Fi access points (except setting up the two networks with basic settings), therefore everything goes into the default IP address space.

This is what the switch configuration looks like: [image: switch configuration]

And this is what the Wi-Fi setup of the private Wi-Fi network looks like on one AP: [image: wifi configuration WAX615]

And this is what it looks like on the other AP: [image: wifi configuration WAX214]

If you need any additional info or already know how I can achieve this, then I would love to hear your thoughts. Thanks!

1 Answer


In general, any time VLAN IDs are involved in routers or access points, they indicate an 802.1Q tag – corresponding to a 'tagged' VLAN on the switch port – while a bare Ethernet interface goes to the 'untagged' VLAN. When you have a bare Ethernet interface with several VLAN interfaces in OPNSense, this directly corresponds to an untagged VLAN plus several tagged VLANs on that switch port.

  • So the switch port that's connected to OPNSense needs to have VLAN 4 tagged (to match the virtual VLAN interface OPNSense has), plus the default VLAN 1 untagged as it currently has.

  • The Wi-Fi AP should have VLAN ID 4 specified for the SSID, and the switch port connected to that AP should also have VLAN 4 'tagged' in addition to the current default VLAN.

  • The switch port that you want to lead directly to VLAN 4 needs to have VLAN 4 untagged (as the connected device will send and expect plain Ethernet packets without any VLAN tag) and needs to be removed from the default VLAN 1 (as a single port should never have multiple untagged VLANs).

Your switch doesn't have a separate "PVID" setting, but many other models do; in those cases, the PVID for each port needs to match the untagged VLAN for that port – it defines VLAN mapping for untagged packets inbound to the switch while the "untagged VLAN" does the opposite for outbound packets. (Don't ask why they make them two separate settings...)
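As an added illustration (not part of the answer above), here is a small Python model of the 802.1Q membership rules the answer describes: an untagged frame is classified by the ingress port's PVID, and each other port then emits that VLAN either untagged, tagged, or not at all. The port table is constructed to match the answer's recommendations; the port numbers and names are assumptions.

```python
"""Model of 802.1Q port membership for the OPNSense / TL-SG108PE setup in the answer."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN assigned to untagged frames arriving here
    untagged: set = field(default_factory=set)  # VLANs sent out of this port without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with an 802.1Q tag


# Constructed example table; port numbers are hypothetical, memberships follow the answer.
PORTS = {
    1: Port("to OPNSense", pvid=1, untagged={1}, tagged={4}),
    2: Port("to WAX615 AP (guest SSID tagged VLAN 4)", pvid=1, untagged={1}, tagged={4}),
    3: Port("guest wired port", pvid=4, untagged={4}),
    4: Port("trusted wired port", pvid=1, untagged={1}),
}


def validate(ports):
    """Return a list of problems per the answer's rules: one untagged VLAN per port, PVID matches it."""
    problems = []
    for n, p in ports.items():
        if len(p.untagged) != 1:
            problems.append(f"port {n}: exactly one untagged VLAN required, has {sorted(p.untagged)}")
        elif p.pvid not in p.untagged:
            problems.append(f"port {n}: PVID {p.pvid} does not match untagged VLAN {sorted(p.untagged)}")
        if p.untagged & p.tagged:
            problems.append(f"port {n}: a VLAN cannot be both tagged and untagged")
    return problems


def forward(ports, ingress, vlan_tag=None):
    """Classify a frame arriving on `ingress` and return {egress_port: tag sent or None for untagged}.

    vlan_tag=None means the frame arrived without a tag and is mapped to the ingress PVID.
    """
    src = ports[ingress]
    vid = src.pvid if vlan_tag is None else vlan_tag
    if vlan_tag is not None and vid not in src.tagged | src.untagged:
        return {}  # ingress filtering: the port is not a member of that VLAN
    out = {}
    for n, p in ports.items():
        if n == ingress:
            continue
        if vid in p.untagged:
            out[n] = None        # leaves as a plain Ethernet frame
        elif vid in p.tagged:
            out[n] = vid         # leaves with an 802.1Q tag
    return out
```

`forward(PORTS, 3)` shows a guest frame reaching only the OPNSense and AP trunk ports (tagged 4) and never the trusted port, which is the isolation the question asks for at layer 2.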

