Can Multiple VLANs exist on one port? Can they coexist with a LAN on one port?

Comments

  • Firewalla

    You can have multiple VLANs on the same port ... this is exactly what VLANs are built for. If you can, share with us your network configuration screen or the errors you are receiving.

  • Anthony G

    Do these help? When I choose the G VLAN 2 SSID I am not assigned an IP address via DHCP.

  • James Willhoite

    I have this setup you are referring to, except everything is contained on port 3.

    FWG port 3 to Netgear VLAN-aware switch with respective ports tagged for VLAN, to AP with 3 profiles, 2 are tagged with VLAN.

  • Firewalla

    @Anthony, start simple. You should do what James did, that is, make sure you only set up one port with one or two VLANs and grow from there.

    1. Use only one port on the Gold and connect that to your AP.
    2. On the AP and on the Gold, implement 1 or 2 VLANs and make sure they work.

    Also, I see you have two VLAN 0, not sure how that will work with that AP, mapping two different SSIDs to one VLAN ID ...

  • Anthony G

    Thanks for the help, folks!

    To be clear, the Firewalla ports 2 and 3 go to different access points. I tried removing one physically, and in the Firewalla app, and it didn't help.

    I also rebuilt the remaining AP with a simpler lineup of SSIDs, no dice.

    (VLAN 0) is what the TP-Link AP config shows when VLANs are not enabled for that SSID.

    Even the simplest setup with one LAN and one VLAN on Port 2 fails to assign addresses when connected to the VLAN SSID.

    Is there a way to share under-the-hood configuration with support folks to see if the configuration is matching up with the app UI?

  • James Willhoite

    So we know, are you:

    1) FWG > AP
    2) FWG > switch > AP

  • James Willhoite

    Here is my TP-Link setup

     

  • James Willhoite

    Also, is there a reason you are supplying DNS that is outside your network for your local LAN?

  • Anthony G

    Thanks for the help, James!

    I think I have it working now, and have uncovered what I believe are a few bugs along the way.

    James: I changed the DNS setting to default. Didn't have a good reason for using an external one ;)

    I can't be sure my problem resulted from this bug, but it appears that if you delete and recreate all your LANs/VLANs (which I did a few times) the app does *not* always turn on the Source NAT that is supposed to be a default.

    I think my VLAN may not have had Source NAT enabled, which prevented the devices from connecting to the Internet.

    I recorded a movie of this behavior here.

  • Anthony G

    And James, to answer your earlier question I didn't have a switch involved in my original post. I've since added a switch onto Firewalla Port 1, which is currently configured for LAN (not VLAN). I have a lot of additional non-wireless devices plugged into that, and it's currently working.

    I'll have to wait until the rest of the family is asleep again before I try to bring that into the VLAN setup too ;)

  • James Willhoite

    If you do, just make sure it is VLAN-aware, or at least can pass the VLAN tag with the request.

  • Anthony G

    James, for sure. I'm using a TP-Link TL-SG116E 16-port switch, and the VLAN interface is horrid. Going to take my time with that one.

    Do you happen to know if there's a way to make a backup of the Firewalla configuration? I lost a fair amount of work when I deleted my LANs and I'd like to avoid it in the future.

  • James Willhoite

    That would be more in line with @Firewalla to answer that question. I just had to set my VLAN up once and have never touched it since. I think part of it was the external DNS. I've had the wrong DNS in before and it lost all internet connectivity when that happened.

    Do you know if your TP-Link is compatible with the Omada software? I just set that up for my AP this morning and it has an interface for switches too.

  • Anthony G

    My Access Points are compatible with the Omada software, and I'm honestly impressed at how good it is (on iOS). The first few times I set them up was with Safari, and it was OK, but clunky. Omada makes it genuinely easy, though I had to move to Safari to configure VLANs on them.

    I don't think my switch supports Omada. The interface for VLAN is seriously terrible. I may record a screencast.

    In general, though, the switch port that's connected to my Firewalla Gold on Port 1 should Tag every VLAN and the endpoints on the other switch ports should be Untagged for the VLANs they are intended to use, right?

  • Firewalla

    • Tagged Ports == Trunk Ports
    • In general, a tagged port should connect to a tagged port.
    • Firewalla Gold LAN ports are trunk or tagged ports.

    So ... if you turn VLAN on, the switch port connecting to Firewalla should be a tagged/trunk port.

    If you connect the TP-Link (SSID -> VLAN mapping) AP to the switch, the switch port it connects to should be a trunk/tagged port.

  • James Willhoite

    Correct @Firewalla. I would go FWG port 1 to TP-Link switch with any VLANs to be used as tagged on that port. Then connect your AP to a port on the switch and tag that port with any VLANs to be used. You should be good to go after that.

    The only time you use an untagged VLAN is when you are connecting, say, a desktop that you want to be on VLAN 2. It is basically saying to talk on that network only (or like having a completely separate switch inside your main switch).

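An added example, not part of the thread and not Firewalla's or TP-Link's code: a small model of how 802.1Q tagged (trunk) and untagged (access) port membership decides whether a frame from the VLAN 2 SSID crosses a switch. The untagged LAN as VLAN 1, the port names and the sample frame are assumptions constructed for illustration.

```python
import struct

TPID = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def build_frame(payload, vlan=None):
    """Constructed broadcast IPv4 frame; 802.1Q-tagged when vlan is given."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload

def vlan_of(frame):
    """VLAN ID in the frame's 802.1Q tag, or None when the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID else None

class Port:
    """Switch port: `tagged` VLANs keep their tag, `untagged` is the access VLAN."""
    def __init__(self, tagged=(), untagged=None):
        self.tagged, self.untagged = set(tagged), untagged

    def ingress(self, frame):
        """Return (vlan, tag-free frame), or None if the port rejects the frame."""
        vid = vlan_of(frame)
        if vid is None:
            return None if self.untagged is None else (self.untagged, frame)
        return (vid, frame[:12] + frame[16:]) if vid in self.tagged else None

    def egress(self, vlan, frame):
        """Re-tag for trunk members, send bare for the access VLAN, else drop."""
        if vlan in self.tagged:
            return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]
        return frame if vlan == self.untagged else None

def forward(in_port, out_port, frame):
    """Carry one frame across the switch; None means it was dropped."""
    hit = in_port.ingress(frame)
    return None if hit is None else out_port.egress(*hit)

# Assumed layout: LAN untagged as VLAN 1, the VLAN SSID mapped to VLAN 2.
ap_port = Port(tagged={2}, untagged=1)        # faces the AP
uplink_trunk = Port(tagged={2}, untagged=1)   # faces the firewall, VLAN 2 tagged
uplink_plain = Port(untagged=1)               # faces the firewall, VLAN 2 missing
desktop_port = Port(untagged=2)               # wired desktop meant to sit on VLAN 2

dhcp_v2 = build_frame(b"constructed DHCP discover", vlan=2)
```

`forward(ap_port, uplink_plain, dhcp_v2)` returns `None`: a frame tagged for VLAN 2 never leaves a port that is not a member of VLAN 2, so a DHCP request sent that way gets no reply.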
