OC200 Ethernet Port and VLAN Configuration

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-10-09 20:56:37
Model: OC200  
Hardware Version: V1
Firmware Version: latest

Hi,

we are using the Omada Software Controller on a PC running Linux. We bought the OC200 as a replacement.

Today we are using different VLANs:

1 - Management VLAN (controller and EAPs)

2 - Guest WLAN

3 - Internal WLAN

The web interface on the software controller is only reachable from a different wired subnet. No access from WLAN. The eth interface on our machine running the controller software is configured with two ports, one untagged for web access and one tagged to connect the controller and the EAPs.

The OC200 hardware has two Ethernet ports, but only one IP address can be configured in the web interface. There also seems to be no separate VLAN configuration for the controller.

Is there a way to configure the two OC200 Ethernet ports separately (IP/subnet, VLAN)?

Thanks for your help ...

The same question in German (translated):

Hello,

so far we have been using the Omada Controller software on a Linux machine as the controller for several EAPs. Since a replacement is due, I bought the OC200. Up to now we use the VLANs

1 - Management VLAN (controller and EAPs)

2 - Guest WLAN

3 - Internal WLAN

Access to the web interface of the Omada software is from a different subnet (wired; no configuration access from the WLAN). For this, the Ethernet port of the controller machine runs once untagged and once tagged onto the management VLAN.

The OC200 has two Ethernet ports, but in the software I can only enter/change one IP address. Separate VLAN settings for the controller also don't seem to be possible...

Can anyone tell me where the settings for the Ethernet ports and the per-port VLAN configuration can be adjusted? (Or is that perhaps not possible at all?)

Thanks for your help!

#1
Re: OC200 Ethernet Port and VLAN Configuration
2019-10-09 22:27:02 - last edited 2019-10-09 22:43:23

The way to configure VLANs on the OC200 is to set a management VLAN for administrative access to the controller and to use SSIDs with VLAN enabled for the specific network the SSID is attached to. I would recommend not mixing tagged and untagged traffic over a trunk connection to the OC200, although it might be technically possible (I didn't test this; I always use only tagged frames if VLANs are defined).

Management VLAN: [screenshot]

VLAN-aware wireless subnets: [screenshot]

OC200 network settings: [screenshot]

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
Re: OC200 Ethernet Port and VLAN Configuration
2019-10-11 18:55:57

@R1D2

Thank you for your reply.

In consequence, this means there is no way to configure separate VLAN IDs or IP addresses for each of the Ethernet ports - right? (bridge?)

#3
Re: OC200 Ethernet Port and VLAN Configuration
2019-10-11 21:24:32 - last edited 2019-10-12 02:26:39

RSHCH wrote

In consequence, this means there is no way to configure separate VLAN IDs or IP addresses for each of the Ethernet ports - right? (bridge?)

Yes, there is no way to set different VLAN IDs or IP addresses for the two OC200 interfaces.

Update: I made some more tests; it seems that the Management VLAN setting only has an effect on the EAP interfaces, but not on the OC200 interface.

May I ask why you would want to use two different VLAN IDs/IPs for the interfaces? For what purpose?

#4
Re: OC200 Ethernet Port and VLAN Configuration
2019-10-14 19:20:29

@R1D2

We wanted to increase security. We had separated the internal WLAN and the guest WLAN into separate SSIDs and VLANs. We also used a management VLAN to separate EAP management from WLAN traffic. The Linux host running the EAP Controller has access to the management VLAN to communicate with the EAPs. It is also accessible on a separate VLAN to open the web interface from the PC used for management (no direct access from this PC to the EAPs). So far this worked.

You wrote the management VLAN is only used on the EAPs, but not on the controller. But how should the communication between controller and EAPs work in this case? There should be a connection between a tagged VLAN on the EAPs and an untagged one on the controller...

Thank you for your support.

#5
Re: OC200 Ethernet Port and VLAN Configuration
2019-10-14 20:44:11 - last edited 2019-10-15 10:50:18

RSHCH wrote

You wrote the management VLAN is only used on the EAPs, but not on the controller. But how should the communication between controller and EAPs work in this case?

Communication between controller and EAPs is on layer 3; it does not depend solely on VLANs.

There should be a connection between a tagged VLAN on the EAPs and an untagged one on the controller...

Yes. I usually place the controller in its own mgmt VLAN and feed it traffic from the mgmt VLAN via an untagged port. EAPs are connected to the trunk anyway, and each of the EAP trunk ports needs to be a member of the mgmt VLAN, too.

Setup using a managed switch

Using a managed switch I set up as follows:

  1. EAPs are connected to the switch and are members of the mgmt VLAN (say, VID 10), the local net (VID 20) and the guest net (VID 30). The switch port is tagged.
  2. The OC200 is connected to the switch and is a member of mgmt VLAN 10, port untagged.
  3. The switch needs interfaces for VLANs 20 and 30 for inter-VLAN routing; routes allow local/guest users to access the portal on the OC200 in VLAN 10 (ACLs prevent traffic to other devices in VLAN 10).
  4. The Internet router needs to have at least two subnets for VLANs 20 and 30 and allows Internet access over the WAN for local and guest users.

In general I try to avoid a default VLAN (= native VLAN for untagged traffic), but another possible solution (see this FAQ here) would be to switch untagged traffic from the EAPs arriving on the trunk port (no mgmt VLAN defined) and from the OC200 over a switch into the mgmt VLAN using membership of their ports in primary VLAN 10 (PVID 10).

Setup on a Linux router

Alternatively, this is how I set up using a Linux router (OpenWRT-based):

  1. EAPs are connected to three subnets: mgmt (VLAN 10, interface ethX.10 tagged), local net (VLAN 20, ethX.20 tagged) and guest net (VLAN 30, ethX.30 tagged). IPs of the EAPs are from the local net.
  2. The OC200 is connected to the mgmt subnet only (interface ethX.10 untagged). Its IP is from the mgmt net.
  3. The Linux firewall default policy is to deny inter-zone traffic. The FW allows TCP traffic from the EAPs to ports 29811, 29812, 29813 and UDP traffic to port 29810 of the OC200.
  4. For portal access, the FW allows HTTP from the local/guest subnets to the OC200.

Note that we use our own captive portal, so local/client access to the OC200 portal isn't needed in our installations; thus I don't need to set up step 3 (switch setup) or step 4 (Linux setup) at all, but nevertheless I did test it with a Linux setup.

Hope this helps.


 

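An added example, not code from R1D2, the thread or TP-Link: a small Python model of the design described in the post above, so that the two parts of it can be checked against concrete cases before touching a switch or router. The layer-2 part models 802.1Q port membership from the managed-switch setup (EAP trunk tagged in VIDs 10/20/30, OC200 port untagged in VID 10) plus the PVID 10 alternative mentioned for untagged EAP traffic; the layer-3 part models the Linux router's default-deny inter-zone policy with the allow rules from steps 3 and 4 (TCP 29811-29813 and UDP 29810 from the EAPs to the OC200, HTTP from local/guest to the OC200). The VIDs and port numbers are the ones given in the post; the zone names `lan`, `guest` and `mgmt`, the port objects and the sample flows are constructed here and are assumptions.

```python
"""Model of the VLAN / firewall design from the post above (added example).

Layer 2: which VLAN a frame is classified into on ingress and whether it
leaves a given port tagged or untagged.
Layer 3: the default-deny inter-zone policy with the allow rules listed in
the Linux router setup. Zone names and sample flows are constructed here.
"""
from dataclasses import dataclass
from typing import Optional

MGMT, LOCAL, GUEST = 10, 20, 30          # VIDs used in the post


@dataclass(frozen=True)
class SwitchPort:
    name: str
    tagged: frozenset                    # VIDs carried with an 802.1Q tag
    untagged: frozenset                  # VIDs carried without a tag
    pvid: Optional[int] = None           # VLAN assigned to untagged ingress frames

    def ingress_vlan(self, vid):
        """VLAN an arriving frame is placed in; None means the frame is dropped.
        vid is the frame's 802.1Q VID, or None for an untagged frame."""
        if vid is None:
            return self.pvid if self.pvid in self.untagged else None
        return vid if vid in self.tagged else None

    def egress_form(self, vlan):
        """'tagged', 'untagged', or None if this port is not a member of vlan."""
        if vlan in self.tagged:
            return "tagged"
        if vlan in self.untagged:
            return "untagged"
        return None


def forward(src: SwitchPort, frame_vid, dst: SwitchPort):
    """How a frame entering src (frame_vid, or None if untagged) leaves dst."""
    vlan = src.ingress_vlan(frame_vid)
    return None if vlan is None else dst.egress_form(vlan)


# Switch setup from the post: the EAP trunk carries 10/20/30 tagged, the OC200
# port is untagged in VLAN 10 only (constructed port objects).
EAP_TRUNK = SwitchPort("eap", frozenset({MGMT, LOCAL, GUEST}), frozenset())
OC200_PORT = SwitchPort("oc200", frozenset(), frozenset({MGMT}), pvid=MGMT)
# PVID alternative from the post: untagged EAP traffic (no mgmt VLAN set on the
# EAP) is classified into VLAN 10 because the EAP's port has PVID 10.
EAP_TRUNK_PVID = SwitchPort("eap-pvid", frozenset({LOCAL, GUEST}),
                            frozenset({MGMT}), pvid=MGMT)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset


# Linux router setup, steps 3 and 4. EAPs have IPs from the local net, so their
# traffic to the OC200 crosses from zone "lan" into zone "mgmt" (zone names assumed).
RULES = (
    Rule("lan", "mgmt", "tcp", frozenset({29811, 29812, 29813})),  # EAP <-> controller
    Rule("lan", "mgmt", "udp", frozenset({29810})),                # EAP discovery
    Rule("lan", "mgmt", "tcp", frozenset({80})),                   # portal access
    Rule("guest", "mgmt", "tcp", frozenset({80})),
)


def allowed(src_zone, dst_zone, proto, dport, rules=RULES):
    """Default policy denies inter-zone traffic; intra-zone traffic is not
    filtered by the router. Reply packets are assumed to be matched statefully."""
    if src_zone == dst_zone:
        return True
    return any(r.src_zone == src_zone and r.dst_zone == dst_zone
               and r.proto == proto and dport in r.dports for r in rules)


def audit(flows, rules=RULES):
    """Return the subset of (src, dst, proto, dport) flows the policy permits."""
    return [f for f in flows if allowed(*f, rules=rules)]


if __name__ == "__main__":
    # Constructed sample flows: the two management flows that must work, and two
    # that the default-deny policy must block.
    sample = [("lan", "mgmt", "tcp", 29811), ("guest", "mgmt", "tcp", 80),
              ("guest", "mgmt", "tcp", 22), ("guest", "lan", "tcp", 445)]
    for f in sample:
        print(f, "ALLOW" if allowed(*f) else "DENY")
    print("EAP tagged VID 10 -> OC200 port:", forward(EAP_TRUNK, MGMT, OC200_PORT))
    print("EAP tagged VID 30 -> OC200 port:", forward(EAP_TRUNK, GUEST, OC200_PORT))
    print("EAP untagged (PVID alt) -> OC200 port:", forward(EAP_TRUNK_PVID, None, OC200_PORT))
```

The layer-2 check shows the point made in the post: with the OC200 untagged in VLAN 10 only, guest frames (VID 30) never reach its port, while an untagged frame from the OC200 leaves the EAP trunk tagged with VID 10; the PVID variant shows how untagged EAP traffic still lands in the mgmt VLAN when no management VLAN is set on the EAP. The layer-3 check shows that the listed allow rules let the EAPs and the portal clients reach only the OC200 ports named in the post and nothing else in the mgmt zone.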