small network with unifi AP and guest access

2025-02-14 17:47:04
Model: TL-SG108PE  
Hardware Version: V5
Firmware Version: 1.0.0 Build 20220531

I'm trying to learn quite a bit about VLANs and still my head is spinning ...

 

I have a really small network consisting of
 

  • a Huawei LTE-Internet router (very basic network configuration) that does WLAN too. And it does the DHCP, so it has to respond on broadcast queries.
  • a TL-SG108PE
  • a few office devices plugged to this switch.

 

So far so easy. No VLAN, no separation. The WLAN is for internal use only.

 

Now this setup should be expanded with an external Unifi-AP that takes over the WLAN broadcast instead of the HUAWEI, mostly to cover more space. With an LTE router the device has to be placed where you have good external connection, which is not always the optimum place to spread the WLAN.

 

... and because the AP is capable of broadcasting more than one SSID and separating them by different VLAN numbers, this should be used to span a "guest" WLAN that has access to the internet-router, but not to the rest of the LAN.

 

My understanding so far:

 

I need at least two VLANs.

 

  • Default: ID1
  • Guest: ID2

 

Since none of the LAN devices knows anything about VLAN tagging and the internet router is equally ignorant, all ports must not have VLAN "tagged", and have eventual IDs removed when sending out of this port.

 

The AP is configured to use VLAN1 for the "office-internal" SSID and VLAN2 for the "guest" SSID.

 

The AP is connected to Port1 (due to PoE) and this port is configured as "member of VLAN1 + member of VLAN2" and "untagged"(?)

The router is connected to Port8 and is configured as "member of VLAN1 + member of VLAN2" and "untagged"

The rest of the ports (2-7) are configured as "member of VLAN1" and "untagged"

The PVID is kept to "VLAN1" for all ports.

 

A LAN device plugged in Port2 requesting IP-address and internet access should work as before, since all partners are part of VLAN1.

A WLAN device booked into "office-internal" would act alike and is able to communicate both with the router and all LAN devices

 

A WLAN device booked into "guest" will get the DHCP broadcast forwarded to the router (the LAN devices do not see the packet, due to VLAN mismatch). The reply from the router (untagged) gets tagged internally to "1" due to the PVID=1 on Port 8. It is still forwarded to Port8 (because it's member of VLAN1).

 

Since Port8 is "untagged", the AP does get the packet and because there is no more VLAN ID attached

 

  • it trashes the packet, because it is lacking a proper VLAN-ID?
  • it still forwards it to the correct client based on the target IP-address?
  • it tries to forward the package into VLAN1, as that's the default one?

 

Would this simple scenario work as expected?

 

If I instead define the AP port1 as "tagged", a packet from the router to a client on the AP would inherit the PVID that might be configured for the AP port1 - which would force the packet into just one of the SSIDs, even if the originating request was in the other? The router did not know about any VLAN-ID thus cannot respond properly.

 

Right? Wrong? Dumb?

 

I have seen configurations that require a third VLAN just for the router and all ports member of that one, but that does not correspond to my dual VLAN in the AP. I don't see the difference to using VLAN1 instead that already IS part of all ports.

#1
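As an added illustration (not code from the post or from TP-Link), here is a small Python model of 802.1Q ingress/egress rules traced over the port layout described above. The MAC addresses are constructed and per-VLAN MAC learning in the switch is an assumption. It shows the untagged router reply being assigned VLAN 1 by the PVID and flooded to the office ports, which is both why the guest DHCP exchange fails and why the isolation is only one-way, and then the same trace with the router and AP ports carrying VLAN 2 tagged, as a VLAN-aware router would.

```python
from dataclasses import dataclass, field

BCAST = "ff:ff:ff:ff:ff:ff"
GUEST, ROUTER = "aa:aa:aa:aa:aa:02", "bb:bb:bb:bb:bb:08"   # constructed sample MACs

@dataclass
class Port:
    members: dict   # vlan_id -> "tagged" or "untagged" (how a frame leaves this port)
    pvid: int       # VLAN assigned to frames that arrive here without a tag

@dataclass
class Switch:
    ports: dict
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port; per-VLAN learning assumed

    def forward(self, in_port, src_mac, dst_mac, tag=None):
        """Return [(port, egress_tag), ...] for one frame; egress_tag None means untagged."""
        vlan = tag if tag is not None else self.ports[in_port].pvid
        if vlan not in self.ports[in_port].members:
            return []                      # VLAN not allowed on the ingress port: dropped
        self.mac_table[(vlan, src_mac)] = in_port
        known = self.mac_table.get((vlan, dst_mac))
        targets = [known] if known is not None else list(self.ports)   # unknown/broadcast: flood
        out = []
        for p in targets:
            mode = self.ports[p].members.get(vlan)
            if p != in_port and mode is not None:
                out.append((p, vlan if mode == "tagged" else None))
        return out

def op_config():
    """Port layout from the post: AP on 1, router on 8, office devices on 2-7, PVID 1 everywhere."""
    ports = {p: Port({1: "untagged"}, 1) for p in range(2, 8)}
    ports[1] = Port({1: "untagged", 2: "untagged"}, 1)
    ports[8] = Port({1: "untagged", 2: "untagged"}, 1)
    return Switch(ports)

def guest_dhcp_trace():
    sw = op_config()
    discover = sw.forward(1, GUEST, BCAST, tag=2)   # AP tags the guest SSID's Discover with VLAN 2
    offer = sw.forward(8, ROUTER, GUEST)            # router answers untagged: it never saw a tag
    return discover, offer                          # offer lands in VLAN 1 and floods ports 1-7

def vlan_aware_trace():
    """Same switch, but router and AP port carry VLAN 2 tagged, as a VLAN-aware router would."""
    sw = op_config()
    sw.ports[1] = Port({1: "untagged", 2: "tagged"}, 1)
    sw.ports[8] = Port({1: "untagged", 2: "tagged"}, 1)
    sw.forward(1, GUEST, BCAST, tag=2)
    return sw.forward(8, ROUTER, GUEST, tag=2)      # reply goes only to port 1, tagged 2
```

In the first trace the Discover reaches only port 8, but the Offer comes back untagged, is placed in VLAN 1 and is flooded to the office ports too, so the guest client never sees it and guest-originated traffic still enters the office VLAN; in the second trace the tagged reply is delivered only to the AP in VLAN 2.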
Re:small network with unifi AP and guest access
2025-02-14 20:22:56

Hi @smallfreak,

 

Once you stated "internet router is equally ignorant" it's basically the end of any question about VLAN setup.  You would need to upgrade your router to something that supports VLANs to make this work.  I've included a few links on VLANs and the setup using TP Link Omada products that should help if you decide to upgrade your router.

 

VLAN Common Questions: https://community.tp-link.com/en/business/forum/topic/664318

TP Link Omada Router Setup: https://community.tp-link.com/en/business/forum/topic/656144

TP Link Omada Switch Setup: https://community.tp-link.com/en/business/forum/topic/664314

 

#2
Re:small network with unifi AP and guest access
2025-02-14 22:10:23 - last edited 2025-02-14 22:14:01

@D-C Thank you for your quick reply.

 

Obviously I did not get something vital in the concept of the VLAN. Why is it so necessary, that the internet-router knows about VLAN IDs? If it's on a port that is "untagged", it gets normal packages, like before. All VLAN information is stripped. The two intended vlans even share the same IP address space - must share it, as the router is "the DHCP".

 

Whether a packet gets delivered to the right port is done in the switch, based on the MAC-table - and whether this MAC is behind a port that has a matching VLAN number, as long as the packages are processed inside the switch.

 

I would assume, that the packages with VLAN ID=2 passed in from the AP can only reach partners that are behind a port that too belongs to #2 (only the port with the router), essentially blocking access to ports 2-7.

 

The VLAN ID in the AP seems to be applied between the LAN connector and the air-interface. Devices in different SSID should not see each other, even if they share the same IP address range due to this. Similar to devices that are behind different ports in port based VLAN.

 

The "routing" for the router is plain simple. Everything from the switch to the outside and vice versa. There are no rules to follow how to serve for different clients.

 

As long as it's all the same IP space, there is no "routing" involved. Not sure about the LAN/AIR gateway in the AP, but this one seems to handle that.

 

So I really have to add yet another router between the switch and the internet router? Wouldn't that just propagate the same problem to the internal-router/internet-router link?

 

The latter is the provider gateway and as dumb as a simple network printer that is not VLAN capable either and still has to work somehow. Wasn't the VLAN idea meant to keep devices separated without their explicit knowledge or active participation?


#3
Re:small network with unifi AP and guest access
2025-02-15 00:32:17

@smallfreak, the VLAN equates to a subnet.  A VLAN aware router can act as a virtual router for each virtual LAN and it can do all the internet routing too.  It can also provide DHCP and/or other services for each VLAN.  If you were to only use VLANs on the switch, it would work, but only if there were no communication between devices on different VLANs.  You could then install a physical router for each VLAN to handle that... or you could use one router that supports VLANs.

 

All of the things that are making your head spin are all solved by having the VLAN aware router.  You should be able to find a lot of examples online that describe the VLAN setup you're trying to configure.  They will assume you'll be using a VLAN router, VLAN switch, and VLAN AP.

#4
Re:small network with unifi AP and guest access
2025-02-15 10:26:39

@D-C

Hmm ... my idea was to deliberately prohibit devices on different VLANs to communicate to each other, allow communication between clients on VLAN1 (Default) and all clients with the Internet. Certainly the DHCP has to be behind the WAN Port8 i.e. on the Internet-Router to be accessible to all. Which it is.

 

When it comes to connect the entire LAN to the internet, all VLAN information has to be stripped anyway, as my provider certainly does not want it and none of the targets out there will.

 

So, wouldn't it be sufficient to consider the uplink port as "outside" or at least DMZ, just ignoring that there might be an internet gateway, LTE Router, whatever? When I get a package from Google that happens to arrive on the WAN side of the switch, it certainly lacks any VLAN information. So how would this be applied to the data stream?

 

I learned, that this is the task of the PVID setting of the port that connects to the "outside". Either apply a named ID or keep it untagged, if it is equal to "trunk". So either way, it would not match any "other" VLAN ID, that the originating request came from, as any client on any VLAN eventually has to pass through that port - and back again.

 

Since buying yet another router, either to just place it between the switch and the internet-router or to replace the provider LTE-router, is clearly out of our budget, I probably have to dump the idea of separating (part of the) WLAN clients from the LAN with a dedicated "guest" WLAN which in turn makes any VLAN configuration obsolete too.

 

Thanks for clarifying this.

#5