topic Re: Guest wireless with VLAN Tagging in Wireless

Guest wireless with VLAN Tagging

CMorinski — Tue, 29 Mar 2022 14:15:16 GMT

Trying to setup a guest ssid in my elementary school. Below is how the ISP has our firewall configured.

0/3 1x.2xx.2xx.1/22 Internal Wireless VLAN 35 Tagged

0/3.1007 1x.2xx.9x.0/23 Guest Wireless VLAN 1007 Tagged

I am new to this process and would like to figure it out instead of contacting my vendor to set it up.

I assumed I would use NAT Mode but how do I configure firewall settings to pull from my IP pool setup by the ISP instead of this one? (10.0.0.0/8)

NAT mode: Use Meraki DHCP

Clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other, but they may communicate with devices on the wired LAN if the SSID firewall settings permit.

Re: Guest wireless with VLAN Tagging

ww^ — Tue, 29 Mar 2022 14:24:01 GMT

In nat mode its always using meraki dhcp.

I would recommend reading this

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Modes_for_Client_IP_Assignment#Bridge_Mode

Use bridge mode and tag it with vlan 1007.

Configure the firewall to deny local lan and enable l2 lan isolation

Re: Guest wireless with VLAN Tagging

CMorinski — Tue, 29 Mar 2022 14:39:19 GMT

Thanks! I did try doing it that way yesterday. When i try connecting to the guest it will eventually time out just give me a 169.254.x.x IP.

Re: Guest wireless with VLAN Tagging

ww^ — Tue, 29 Mar 2022 14:46:50 GMT

Do you have trunk ports between the firewall and the switches and to the AP?

Are you sure there is a dhcp scope for this subnet?

Re: Guest wireless with VLAN Tagging

CMorinski — Tue, 29 Mar 2022 14:49:24 GMT

My AP's to the switch are set as trunk ports. My port from switch to firewall is Access. I did submit a ticket to my ISP to double check the firewall is correct.

Re: Guest wireless with VLAN Tagging

ww^ — Tue, 29 Mar 2022 15:02:35 GMT

That sounds like the problem. A access port transport only 1 vlan(native). If you want to use more vlans from the firewall you should have trunk ports transporting those vlans

Re: Guest wireless with VLAN Tagging

CMorinski — Tue, 29 Mar 2022 15:09:32 GMT

I really appreciate the help on this! So would my native vlan need to be 35 and allowed just need to be 1007??

Re: Guest wireless with VLAN Tagging

ww^ — Tue, 29 Mar 2022 15:15:25 GMT

Yes , but maybe first configure it on a empty switch port and swap the cable to that port. In case it doesnt work you can easily go back.

Re: Guest wireless with VLAN Tagging

CMorinski — Tue, 29 Mar 2022 15:29:42 GMT

Almost had it. I was able to get the correct IP address but I had no internet. I got no internet on both my secure or guest ssid. Could the trunk port for the AP cause issues? They are not set for vlan 35

Re: Guest wireless with VLAN Tagging

ww^ — Tue, 29 Mar 2022 15:54:03 GMT

That looks fine. Maybe vlan 35 is also tagged and native should be 1 on the uplink?, but your previous config shows access port vlan 35, thats confusing.

What management IP/subnet does you AP have?

Re: Guest wireless with VLAN Tagging

CMorinski — Tue, 29 Mar 2022 15:58:21 GMT

VLAN 1 is for my wired devices. My AP's are pulling their IP from the wired DHCP pool.

0/1 10.236.68.1/22 Data

0/3 10.236.236.1/22 Internal Wireless VLAN 35 Tagged

0/3.1007 10.236.94.0/23 Guest Wireless VLAN 1007 Tagged

0/4 10.236.5.1/24 VOIP

0/5 10.236.81.1/24 DMZ (Not being used yet)

0/6 10.236.32.1/24 Bell & Intercom

0/7 Uplink

Re: Guest wireless with VLAN Tagging

aleabrahao — Tue, 29 Mar 2022 16:58:47 GMT

I think a good test might be to configure a port in access mode on each VLAN and test the connection with a laptop to validate that the connection to each VLAN is working as expected.