Wired VLANs communicating with wifi VLANs setup
I'm struggling to get my PoE cameras viewable on their mobile apps.
I've got my Cams VLAN (44) set up and seem to work because I can't reach them from my main LAN wifi.
I thought I needed to tag the port on my T1500G-10MPS PoE Switch that the EAP225 is on, to include both the main LAN as well as the camera VLAN.
But in the controller interface, I can't figure out how to do that.
I can see them in the "Manage Profiles" link from adding the profiles, but I can't configure them the way I thought I needed to.
Clearly I need to configure something differently, but not sure where to do that.
hi @CoKro
Do you set up VLAN interfaces? If so, different VLAN interfaces can access each other without any additional configuration.
I did not because I'm not using an Omada router. I was under the impression - maybe incorrectly - that I couldn't use "interfaces" because it would require an Omada router to act as the DHCP server for those interfaces. It says "Gateway Required" and I'm not using an Omada gateway. It even says in the dashboard "No Gateway Utilization." I guess I misunderstood.
I had been trying to follow the "How to: Beginners guide for setting up Firewalla with LAN and multiple VLAN via managed Switch" guide (can't post an external link) but got stuck on the differences between using the Controller and working in standalone mode.
Probably would have been helpful if I laid out my network.
I basically need to be able to view the cameras in VLAN 44 on devices in VLAN 11 without the cameras being able to initiate communication to anything in the network.
Does your router support multi-net NAT (or multi-nets network)? This is the most important thing to confirm. If it does, you can set up a multi-net network using this guide: https://www.tp-link.com/support/faq/887/
By default, different VLAN interfaces can communicate with each other, but for security concerns, you can set up ACL to block some connections.
If your router doesn't support this feature, simple 802.1q VLANs on the switch would not allow different VLANs to communicate with each other.
For information on how to configure a VLAN interface to our Omada Gateway, please refer to this guide: https://community.tp-link.com/en/business/forum/topic/656144
And if your router is not an Omada Gateway, this guide to setting up the controller is also worth reading: https://www.tp-link.com/support/faq/3655//
I have a Firewalla Gold SE, so yes, it supports multi-nets.
My roadblock was following guides like https://www.tp-link.com/support/faq/887/ but using the Omada Controller for managing the ports. All of the FAQs seem to use the standalone mode.
Thanks for the guidance.
I think with a small change to your architecture, you can do what you want to do:
Basically, if you trunk the 11/22/44 traffic through the 3428 to the Firewalla instead of going direct, then you can apply switch-ACLs via the Omada Controller to those VLANs (on the 3428) to prevent VLAN44 from going anywhere but the VLAN11 subnet.
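The suggestion above can be sanity-checked with a small model before touching the switch. This is an added example, not from the thread or TP-Link: it models a first-match switch ACL with the constructed subnets 10.0.11.0/24, 10.0.22.0/24 and 10.0.44.0/24 (assumptions, not the OP's addressing) and asks which flows the rule set lets through.

```python
import ipaddress

# Constructed subnets for the VLANs named in the thread (11, 22, 44); the
# addresses are assumptions, not the OP's real addressing.
SUBNETS = {
    11: ipaddress.ip_network("10.0.11.0/24"),
    22: ipaddress.ip_network("10.0.22.0/24"),
    44: ipaddress.ip_network("10.0.44.0/24"),
}

# A switch ACL modelled as an ordered (action, source VLAN, destination network)
# list, evaluated first-match like a typical L3 switch ACL. Only VLAN 44 is
# constrained, so anything not matched falls through to permit.
ACL = [
    ("permit", 44, SUBNETS[11]),                          # cameras may talk to VLAN 11
    ("deny",   44, ipaddress.ip_network("0.0.0.0/0")),    # ...and nowhere else
]


def vlan_of(ip):
    """Map an address to the VLAN whose subnet contains it (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for vid, net in SUBNETS.items():
        if addr in net:
            return vid
    return None


def evaluate(src_ip, dst_ip):
    """Return 'permit' or 'deny' for a packet from src_ip to dst_ip."""
    src_vlan = vlan_of(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, vid, net in ACL:
        if src_vlan == vid and dst in net:
            return action
    return "permit"   # implicit permit at the end of this rule list


if __name__ == "__main__":
    flows = [("10.0.44.10", "10.0.11.5"),      # camera answering a phone on VLAN 11
             ("10.0.44.10", "10.0.22.9"),      # camera reaching into VLAN 22
             ("10.0.44.10", "198.51.100.7"),   # camera phoning home to the internet
             ("10.0.11.5", "10.0.44.10")]      # phone opening the camera stream
    for s, d in flows:
        print(f"{s} -> {d}: {evaluate(s, d)}")
```

Because a switch ACL keeps no connection state, the permit for 44 to the VLAN 11 subnet also lets a camera open connections toward VLAN 11 hosts; this matches the post's stated goal of keeping VLAN 44 from going anywhere else rather than a strictly one-way rule.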
That's a great suggestion. Thanks.
As a VLAN noob, I'm still unclear whether or not to set up VLANs or VLAN interfaces.
I've been told both by different TP-Link support reps.
And because the Firewalla supports multi-nets, both ways I was able to get the expected IP addresses assigned to the devices.
I was pointed to a couple of different FAQs on how to do what I want, but each had their own slight differences.
This one is for setting up VLANs with a non-Omada gateway, but one rep told me that it ONLY applied to the Management VLAN. I don't understand why it wouldn't work for ANY VLAN, but I don't have the knowledge to argue the point. https://www.tp-link.com/us/support/faq/2814/
This was pretty close to what I wanted to do, but used standalone mode: https://www.tp-link.com/us/support/faq/887/
And this one shows how to do it, but with an Omada Gateway: https://www.tp-link.com/us/support/faq/3091/
So I don't understand what the benefits / drawbacks of doing it one way vs the other are. I imagine there are some, and I'll figure that out slowly when I come to that. I presume it will have something to do with setting up ACLs and managing the communication between them, but I'll find out soon enough. I was told that using "VLAN Interface" rather than just VLAN was for when you use an Omada Gateway, but it did work for me.
If I had all my TP-Link devices in standalone mode, I could have more closely followed the published guides. Creating and assigning profiles rather than simply tagging / untagging ports took a little more brainpower than I had available.
My suggestion is set up your VLANs as 'Interface', until you find a reason not to do it that way. I've always been able to do what I wanted using the 'Interface' setting, but never really dug into the distinction because I haven't needed to :)
At the end of the day, you enable or disable traffic on a port based on whether or not that port is a member of a given VLAN. If you have 3 VLANs entering a switch, but only assign two of them to a port, only traffic on those two VLANs will present on that port.
The next wrinkle is the native VLAN setting, and that has to do with whether traffic from a specific VLAN retains its tag, or is presented untagged on the port. So in the example above, let's say VLANs 10, 20 and 30 exist on the switch, and for our chosen port, we've made only 10 and 30 members. You have the further option of making either 10 or 30 untagged on that port (so visible by devices that are not VLAN aware or capable). Perhaps this port has VLAN10 untagged, but the port beside it has VLAN30 untagged, as you might do with the camera and children's VLANs.
The last bit is that Omada, by default, assumes that VLAN1 is the management VLAN, and it is typically untagged on all ports (whether on gateway or switch) by default.
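The membership and native-VLAN rules described in the post, written out as a small 802.1Q port model. This is an added example, not from the thread or any TP-Link product; the port names and the choice of which VLANs each port carries are constructed to mirror the post's 10/20/30 example and Omada's default of VLAN 1 untagged.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    """An 802.1Q switch port: its member VLANs and which one is presented untagged."""
    name: str
    members: Set[int] = field(default_factory=set)
    native: Optional[int] = None   # the VLAN that leaves this port without a tag

    def egress(self, vlan: int) -> Optional[str]:
        """How a frame in `vlan` leaves the port: 'tagged', 'untagged', or None if dropped."""
        if vlan not in self.members:
            return None                # not a member: the port never presents this VLAN
        return "untagged" if vlan == self.native else "tagged"

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """Which VLAN an arriving frame joins; tag=None means the frame arrived untagged."""
        if tag is None:
            return self.native         # untagged frames land in the native VLAN (None: dropped)
        return tag if tag in self.members else None


# The post's example: VLANs 10, 20, 30 exist, this port carries only 10 and 30, 10 untagged.
port_a = Port("gi1/0/1", {10, 30}, native=10)
# The neighbouring port with VLAN 30 untagged, e.g. for a camera that is not VLAN aware.
port_b = Port("gi1/0/2", {10, 30}, native=30)
# An uplink to an access point: several VLANs tagged, VLAN 1 untagged as Omada's default
# management VLAN (constructed port, mirroring the post's description).
port_ap = Port("gi1/0/8", {1, 10, 30}, native=1)


def summarize(port: Port) -> dict:
    """Egress behaviour of every VLAN on the switch for one port."""
    return {v: port.egress(v) for v in (1, 10, 20, 30)}


if __name__ == "__main__":
    for p in (port_a, port_b, port_ap):
        print(p.name, summarize(p))
```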
Thanks again for the suggestion and the clarity. @Hank21 It's infuriating that Tech Support doesn't seem to know their own products and are making an arbitrary distinction that clearly doesn't hold water. Or they are unable to explain the difference or benefit of implementing network segmentation one way vs the other.
The last rep was absolutely adamant that I needed to use VLAN and not VLAN Interface because I wasn't using an Omada gateway. Two days ago when I started messing with this, I specifically asked the support rep about the "gateway required" warning, and they told me that as long as my router supported multi-lan, then I could safely ignore it. And as I said, both seem to work.
I'll be digging in with the Firewalla community to see if they think there's any benefit from segmenting the network there rather than in the switches. I'm fortunate that I have enough ports available on my 3 switches to segment by port there if I wanted to. If I run out of ports, or have a VLAN spread across two switches, I imagine I'd want to handle the segmentation within the Omada ecosystem, and let the Firewalla focus on keeping the bad guys out.