TL-SG105E v3 VLAN Setup Questions for Relative Noob

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2018-02-17 03:46:48
Here is a brief rundown of my setup.

Cable Internet Modem-->Asus RT-AC68U (for DHCP server, wireless networks turned off)-->TL-SG105E (currently running MTU VLAN)

TL-SG105E Port 1-->2nd Asus RT-AC68U for wireless router on my personal home network
TL-SG105E Port 2-->Ubiquiti UniFi UAP-AC-PRO Access Point for internet access for two separate tenants at the rear of house
TL-SG105E Port 5-->Internet connection from the RT-AC68U DHCP Server

The UniFi UAP-AC-PRO runs a primary wireless network (rdwAP) which has been allowing connections no problem, and the first Asus router is serving up IPs to connected devices no problem. The UniFi UAP-AC-PRO does not have its own DHCP server.

Currently the two tenants share the rdwAP network. However, I want to give each of them their own secure network with their own passwords. They need to be able to connect to other devices on their own network (like wifi printers) while being unable to access the other tenant's network, so a guest configuration won't work for this.

As such, I have set up two additional networks on the UniFi UAP-AC-PRO with SSIDs rdwAP229 and rdwAP235. rdwAP229 is tagged for VLAN ID of 229, and rdwAP235 is tagged for VLAN ID of 235.

So after this is set up the SSIDs of rdwAP229 and rdwAP235 are being broadcast and I can connect to them without issue. However, no IPs are being served, which I assume is due to the VLAN IDs and the current setup of the MTU VLAN being insufficient to handle them. Without an IP, the devices are unable to connect to the internet.

So....I assume that I need to disable the current MTU VLAN configuration and do something with the tagged VLAN IDs of 229 and 235 (going through Port 2) while still keeping my personal network (Port 1, no VLAN ID) enabled and separate from the Port 2 traffic. I am just at a loss as to how to go about this.

If someone would please give me some instructions on how to accomplish this it would be greatly appreciated. I've experimented with settings on the 802.1Q and PVID pages, but haven't been able to get things to work and I really don't know what I'm doing.

Thanks in advance for any and all help. It is greatly appreciated.
#1
Re:TL-SG105E v3 VLAN Setup Questions for Relative Noob
2018-02-17 09:20:17
genexpieguy wrote:

As such, I have set up two additional networks on the UniFi UAP-AC-PRO with SSIDs rdwAP229 and rdwAP235. rdwAP229 is tagged for VLAN ID of 229, and rdwAP235 is tagged for VLAN ID of 235.

So after this is set up the SSIDs of rdwAP229 and rdwAP235 are being broadcast and I can connect to them without issue. However, no IPs are being served, which I assume is due to the VLAN IDs and the current setup of the MTU VLAN being insufficient to handle them. Without an IP, the devices are unable to connect to the internet.

To use additional networks your router needs to support either different subnets or so-called Multi-Net-NAT (as TP-Link's routers implement it) and needs to be VLAN-aware. Many routers support a second (guest) network which can be assigned to an Ethernet port (therefore avoiding VLAN-awareness), but you would need three networks here: your own network and the two networks for the tenants.

Another alternative would be to split a common IP range in three parts handled by different DHCP servers and using Access Control Lists on an AP to secure the subnets. This way, one network could be used, but I don't know whether the UniFi AP can manage ACLs.

A third, but not so elegant alternative would be to use separate routers for each network.

Before thinking of an 802.1Q setup for your switch you need to decide how to separate three networks and three DHCP pools on the router and how to pass VLAN IDs to the switch (if using the single router method).
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
Re:TL-SG105E v3 VLAN Setup Questions for Relative Noob
2018-02-17 09:53:22
I'm all about "not so elegant alternatives"!

Asus OEM router firmware does not support what you describe. I might look at some of the open source stuff we briefly discussed in another thread, but I think that it's just going to be easiest to bite the bullet and purchase a UniFi Security Gateway (about $115), which I know will solve the problem.

The UniFi AP is highly configurable and it can do what you describe with access control lists if needed. I'm really happy with the UniFi AP PRO. Customization, signal strength, coverage and speed are all great, and the AP is weatherproof.

Thanks once again for your help, even if it did confirm I'm not able to do what I was hoping with my current setup. At least I learned a lot about switches, VLANs and networking.
#3
Re:TL-SG105E v3 VLAN Setup Questions for Relative Noob
2018-02-17 21:03:25
genexpieguy wrote:

Asus OEM router firmware does not support what you describe. I might look at some of the open source stuff we briefly discussed in another thread, but I think that it's just going to be easiest to bite the bullet and purchase a UniFi Security Gateway (about $115), which I know will solve the problem.

That's a good decision. An alternative would be the UBNT EdgeRouter X, which also supports several networks and VLANs, has a nice web UI and costs about $45. Make sure to update the firmware to the latest version before setting it up, it will add more functions. It runs a full-fledged Debian Linux (Open Source) and you will have unrestricted access to the operating system.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
Re:TL-SG105E v3 VLAN Setup Questions for Relative Noob
2018-02-23 14:44:10
Installed the UniFi Security Gateway tonight. Got everything up and running, glad I went with the Gateway.

I do have a question, though.

I installed the gateway in between the switch (running the MTU VLAN) and the access point. I had envisioned that I would be able to get rid of the router in between the switch and the cable modem which functions as a DHCP server only. Couldn't figure that one out. Does the switch need a DHCP server? Is it because my modem can only serve up one IP and I would need it to serve up IPs to the wireless router and the Gateway? If I set a static IP on the Gateway will that do it?

I'm tired and not thinking well!
#5
Re:TL-SG105E v3 VLAN Setup Questions for Relative Noob
2018-02-23 22:25:10
I'm awake, tired and still not thinking well.

But.....I've noticed that the subnet coming from my cable modem is 255.255.240.0 and not the default 255.255.255.0 used by the switch. If I change the subnet on the switch to match the cable modem, will that solve my problem and then I could get rid of the IP server router?
#6
Re:TL-SG105E v3 VLAN Setup Questions for Relative Noob
2018-02-24 00:44:48
I don't know the UniFi Security Gateway, but from the product site I saw that it's just a router with an integrated firewall and a VLAN-aware LAN Ethernet.

So it is suitable to replace your ASUS router and directly connect to the cable modem through its WAN port. You have to set up the UniFi GW with the credentials used in the ASUS router to connect to your ISP. Alternatively you can connect the UniFi GW to the ASUS router's LAN if you wish, but it will work as a router meaning you end up with two more subnets on your UniFi APs if you don't change the gateway's config to allow access from the ASUS private LAN to the private wireless subnet on the APs behind the UniFi gateway.

The TL-SG105 is then connected to the LAN port of the UniFi. This link can be a trunk meaning it can carry data for your separate private and guest subnets. Since you wrote you would like to expand a wired/wireless private network with a guest network, I did recommend the EdgeRouter, which also has a 5-port VLAN-aware switch built-in and would fit perfectly, but certainly you could configure the UniFi gateway for this task, too.

As for IP addresses: strictly speaking, no, you don't need to run a DHCP server if you use static IPs. But for mobile devices of your guests a dynamic IP address (i.e. DHCP) is more suitable. For stationary devices, a static IP address is better. The switch should have a static IP, as should the UniFi gateway, too.

If you really get a /28 subnet from your ISP (16 IP addresses) on a modem, these are most certainly public IPs. Don't connect any device directly to the modem, use a router to secure your private network from public access over the Internet! The ASUS router does exactly this.

If indeed the ASUS router uses this netmask on its LAN, this is unusual. It should have a single IP on the WAN side and 256 IPs (netmask 255.255.255.0) on the LAN side.

Maybe you better draw a picture of what you want to achieve. Setups can be anything, so first think about network topology, then select which device is to connect where and configure it. You will need: a modem for Internet access, a router (ASUS or UniFi gateway) for separating your network from the Internet & supporting two subnets and a switch behind the router to distribute those two subnets to APs and other devices.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
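The replies above (#2 and #7) both come down to the same point: the switch must carry the tenant VLANs tagged between the AP port and the uplink to a VLAN-aware router, while the home network stays untagged and the tenant VLANs never leak onto other ports. The TL-SG105E is configured through its web UI, so there is no config file to show; instead, here is a small 802.1Q port model written for this thread (it is an added example, not code from the thread, TP-Link or Ubiquiti) that you can use to reason about a candidate 802.1Q/PVID layout before clicking through the switch pages. Port numbers (1 = home router, 2 = UniFi AP, 5 = uplink) and VLAN IDs 229/235 are taken from the thread; the "home" network is assumed to be untagged VLAN 1, ingress filtering (dropping tagged frames for VLANs a port is not a member of) is assumed to be on, and the "broken" layout, where the uplink was left out of the tenant VLANs, is a constructed illustration of why DHCP would never answer.

```python
"""Added example: a minimal 802.1Q forwarding model for a 5-port switch.

Assumptions (not from the thread): generic 802.1Q rules with ingress
filtering enabled; VLAN 1 is the untagged home network; port roles and
VLAN IDs 229/235 follow the thread's topology.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set[int] = field(default_factory=set)  # VLANs leaving this port without a tag
    tagged: set[int] = field(default_factory=set)    # VLANs leaving this port with a tag

    def members(self) -> set[int]:
        return self.untagged | self.tagged


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]  # None = no 802.1Q tag on the wire


class Switch:
    def __init__(self, ports: dict[int, Port]):
        self.ports = ports

    def forward(self, ingress: int, frame: Frame) -> dict[int, Frame]:
        """Return {egress_port: frame_as_transmitted} for a frame entering `ingress`."""
        port = self.ports[ingress]
        vid = port.pvid if frame.vid is None else frame.vid
        # Ingress filtering: a tagged frame for a VLAN this port is not in is dropped.
        if frame.vid is not None and vid not in port.members():
            return {}
        egress: dict[int, Frame] = {}
        for num, p in self.ports.items():
            if num == ingress:
                continue
            if vid in p.untagged:
                egress[num] = Frame(None)       # strip the tag on the way out
            elif vid in p.tagged:
                egress[num] = Frame(vid)        # keep the tag for the trunk peer
        return egress


HOME, TENANT_A, TENANT_B = 1, 229, 235
AP_PORT, UPLINK_PORT = 2, 5


def thread_config() -> Switch:
    """Candidate 802.1Q layout for the thread's topology (assumed, not the OP's final config)."""
    return Switch({
        1: Port(pvid=HOME, untagged={HOME}),                                   # home router
        2: Port(pvid=HOME, untagged={HOME}, tagged={TENANT_A, TENANT_B}),      # UniFi AP
        3: Port(pvid=HOME, untagged={HOME}),
        4: Port(pvid=HOME, untagged={HOME}),
        5: Port(pvid=HOME, untagged={HOME}, tagged={TENANT_A, TENANT_B}),      # VLAN-aware router
    })


def broken_config() -> Switch:
    """Constructed mistake: the uplink is not a member of the tenant VLANs."""
    sw = thread_config()
    sw.ports[UPLINK_PORT].tagged = set()
    return sw


def tenant_paths(sw: Switch, vid: int) -> set[int]:
    """Ports that receive a frame the AP sends with tag `vid` (e.g. a DHCP discover)."""
    return set(sw.forward(AP_PORT, Frame(vid)))


def tenants_isolated(sw: Switch) -> bool:
    """True when each tenant VLAN leaves the AP only towards the router uplink
    and a tenant-tagged frame injected on the home port is dropped."""
    for vid in (TENANT_A, TENANT_B):
        if tenant_paths(sw, vid) != {UPLINK_PORT}:
            return False
        if sw.forward(1, Frame(vid)):
            return False
    return True


if __name__ == "__main__":
    for name, sw in (("thread layout", thread_config()), ("uplink not tagged", broken_config())):
        print(f"{name}: VLAN 229 from AP reaches ports {sorted(tenant_paths(sw, TENANT_A))},"
              f" isolated={tenants_isolated(sw)}")
```

In the working layout a DHCP discover from a tenant SSID leaves the switch only on port 5, still tagged, so only the router's matching VLAN interface can answer it; in the broken layout the same frame has no egress port at all, which is exactly the "SSID works but no IP is served" symptom from the first post. Whichever router ends up on port 5 (UniFi gateway or EdgeRouter), it needs a tagged interface and DHCP pool for each of 229 and 235, plus firewall rules between them, for the isolation the model checks to hold end to end.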