Network Layout Question for Firewalla Purple & VLAN tagging

Hello All,

I'm working on trying to segment my network into VLANs with the purple and have a few questions I'm hoping you can help with. I have a Manged 5 port POE Netgear switch and an AP that supports VLAN tagging. I've set up the VLANs I want onto the Purple and its setup in router mode. The intent is to have a few SSIDs on the AP that then join the devices attached to it to a specific VLAN network. I can get the VLANs working fine with hardwired connections but the WIFI devices aren't getting assigned to the right VLANs. I suspect I have something configured incorrectly so I have a few questions hopefully someone can point me in the right direction.

Anyway here's how it's setup -

Local Network (192.168.0.x)

DSL Modem (x.1) > Firewalla Purple (WAN x.3)

Firewalla LAN Network (192.168.125.x)

VLAN Network 1 (192.168.120.x) VLAN ID 120 - For home devices
VLAN Network 2 (192.168.150.x) VLAN ID 150 - For IoT devices
VLAN Network 3 (192.168.195.x) VLAN ID 195 - For work devices

Firewalla Purple (LAN) > Negear POE Switch (Port 5 - Trunk)

Netgear AP > (Port 1 - Access - VLAN 120)

Wired Computers > (Ports 2-4 Access VLAN 120 & 195 depending on what's plugged in)

All VLANs are set on the switch and VLANs work fine on the wired connections. I did setup a basic 802.1Q but I believe I need to go Advanced to allow PVID and tag multiple VLANs from the AP port.

Currently, all the devices on the WAP regardless of the SSID are assigned IPs on the 120 VLAN. If I set the WAP SSIDs to any VLAN other than 120 they can't get an IP from the Purple.

Question one -

Should I assign the POE and AP static IPs on the Purple's LAN network? I would assume this would be the correct way to set them. Right now I have them set statically to the VLAN 1 network but I think that's incorrect.

Question two -

Since the switch and AP support VLAN 802.1Q should I set port 1 on the switch to a Trunk port since it needs to handle multiple VLANs based on the SSIDs coming from the AP?

Question three -

This relates some to the first question but on the Firewalla do I need to create a Management VLAN network? or should it work fine with the LAN network? Both the AP and the switch have management VLAN set to VLAN 1

For reference, I have a Netgear GS305EP managed switch and a Netgear WAX620 AP.

Anyway, I think I have it mostly figured out, but wanted to clarify the above 3 questions.

Michael Bierman

March 20, 2022 16:49
Edited

The APs have to have different SSIDs set for each VLAN.

you can set up a mage ent VLAN but it isn't necessary. I would get thing as working first. It can be confusing to get this right.

Matt

March 20, 2022 16:48

So I have two SSID's programmed currently but the gameplan is to have 3.

One SSID is supposed to go to VLAN 120

One SSID is supposed to go to VLAN 195

One SSID is supposed to go to VLAN 150

If I set the VLAN on the SSID for 195 or 150 they can't get a DHCP address. The 120 SSID works fine.

March 20, 2022 16:50
Edited

Perfect. So for each VLAN make sure that FW is serving dhcp, not the AP.

March 20, 2022 16:54

You can use static or dhcp IPs that isn’t a solution bough if you have things set correctly. That won’t solve any problem if you don’t.

you need a trunk port anytime a connection carries more than one VLAN. So say from the switch to FW. any other port had to be either set to a specific VLAN or the devices connected have to do their own tagging.

March 20, 2022 16:57

Ok cool I think that may be my problem. Port one on the switch (Plugged into the AP) is set to Access. I think if I switch that to Trunk the AP will handle the tagging from the various SSIDs and then the purple will respond to the DHCP requests.

March 20, 2022 19:03
Edited

Connections between FW and switch and from the switch to AP should be trunk, if I understand your setup.

March 21, 2022 03:11

Got this working! Thanks for the help!

Network Layout Question for Firewalla Purple & VLAN tagging

Comments

Didn't find what you were looking for?