12-08-2011 06:57 AM
So I already discovered, by reading these forums, the DHCP bleed issue with VLANs on the 4400Ns. So I thought, no problem, I'll just use the 4400N to provide DHCP to my two VLANs, and then a new problem cropped up: I am unable to add a default route to the 4400N's DHCP server. It uses the 4400N's VLAN IP as the default route. What I'm ultimately trying to achieve is to configure the 4400N as an access point for our "private" network on VLAN1 and also "guest" access to the internet on VLAN2.
12-08-2011 11:54 AM
What you're trying to achieve can be done with ACLs in your firewall settings. I posted this before, but now I am posting with a better image. You need at least 2 VLANs to do this. I use 3 in the image because I didn't want to use VLAN 1 on any of the wireless SSIDs, to avoid future config complications; VLAN 1 is the default on most other VLAN devices. Get your SSID connected to your VLAN in the wireless config. Then go to the firewall settings, go to ACLs, and follow the image. That will separate your private and public networks, allowing private onto your internal network. In this example 192.168.2.0 is public and 192.168.3.0 is private; 192.168.77.0 is the private network/internet source. Make sure to have the cable from the internet source plugged into the WAN port of the WRVS4400N.
http://i280.photobucket.com/albums/kk173/jjosephmn/Untitled1.jpg
12-08-2011 12:25 PM
In my case, the private wifi is 192.168.2.x on VLAN1 and the public wifi is 10.0.7.x on VLAN2. I have two different SSIDs, one pointing to each VLAN. I have a server on the 192.168.2.x network providing DHCP services to devices connected via the private wifi, but devices connected on the public wifi pick up that DHCP as well, which isn't supposed to happen. Coincidentally, if I shut down DHCP on the server running it and let the 4400N provide DHCP, then this DHCP "bleed over" to the public wifi does not happen. This is a known "limitation" (what Cisco calls it) on the 4400Ns. I'll have to experiment with ACLs to see if that helps at all, though I would expect that it would not.
12-08-2011 12:41 PM
Hmm. I don't think I'm experiencing the bleed; however, I was not aware of that limitation. I guess I should keep my eye out. I'm not sure, but I believe DHCP is one of the options in IP ACLs. In my setup I use the VLAN to give DHCP on both networks. No reports of any problems. I do have the private network secured with MAC control and a password. Is there any way I can test that bleed over?
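One way to test for the bleed-over asked about above, as an added example that is not code from the thread or from Cisco: associate a laptop to the public SSID, broadcast a DHCPDISCOVER with a throwaway client MAC, and look at which server and subnet each OFFER comes from. If the guest SSID is expected to hand out 10.0.7.x and an OFFER for 192.168.2.x arrives from the private network's DHCP server, that is the bleed. The interface name `wlan0`, the expected guest subnet `10.0.7.0/24` and the sample OFFER bytes are assumptions/constructed for the example; `probe()` needs root on a Linux host.

```python
"""DHCP probe: broadcast a DISCOVER and report which server/subnet answers.

Added example, not code from the thread. parse_dhcp/classify_offer run offline
on the constructed sample; probe() assumes a Linux host, root, and a wireless
interface (name supplied by you) already associated to the SSID under test.
"""
import ipaddress
import os
import socket
import struct
import time

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_PARAM_REQ, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 55, 53, 54
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ci yi si gi chaddr sname file


def build_discover(mac: bytes, xid: int) -> bytes:
    """Minimal RFC 2131 DHCPDISCOVER with the broadcast flag set."""
    header = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 1])
               + bytes([OPT_PARAM_REQ, 3, OPT_SUBNET, OPT_ROUTER, OPT_SERVER_ID]) + b"\xff")
    return header + options


def parse_dhcp(data: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV option area of a DHCP message."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _, _, _, xid, _, _, _, yiaddr, siaddr, _ = struct.unpack("!BBBBIHH4s4s4s4s", data[:28])
    msg = {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
           "siaddr": str(ipaddress.IPv4Address(siaddr)), "options": {}}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    opts = msg["options"]
    msg["type"] = MSG_NAMES.get((opts.get(OPT_MSG_TYPE) or b"\0")[0], "?")
    for name, code in (("server_id", OPT_SERVER_ID), ("subnet_mask", OPT_SUBNET), ("router", OPT_ROUTER)):
        if len(opts.get(code, b"")) == 4:
            msg[name] = str(ipaddress.IPv4Address(opts[code]))
    return msg


def classify_offer(msg: dict, expected_net: str) -> str:
    """'ok' if lease and server are inside expected_net, 'bleed' if another subnet answered."""
    net = ipaddress.IPv4Network(expected_net)
    server = msg.get("server_id") or msg["siaddr"]
    inside = ipaddress.IPv4Address(msg["yiaddr"]) in net and ipaddress.IPv4Address(server) in net
    return "ok" if inside else "bleed"


def probe(iface: str, expected_net: str, wait: float = 5.0) -> list:
    """Send one DISCOVER on iface and collect every OFFER for our xid within `wait` seconds."""
    xid = int.from_bytes(os.urandom(4), "big")
    mac = os.urandom(6)                      # throwaway client MAC so no real lease is disturbed
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    if hasattr(socket, "SO_BINDTODEVICE"):   # Linux only
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, iface.encode())
    sock.bind(("", 68))
    sock.settimeout(0.5)
    sock.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers, deadline = [], time.time() + wait
    while time.time() < deadline:
        try:
            data, _ = sock.recvfrom(2048)
            msg = parse_dhcp(data)
        except (socket.timeout, ValueError):
            continue
        if msg["xid"] == xid and msg["type"] == "OFFER":
            msg["verdict"] = classify_offer(msg, expected_net)
            offers.append(msg)
    sock.close()
    return offers


# Constructed sample (not a capture): an OFFER of 192.168.2.150 from server 192.168.2.10.
SAMPLE_OFFER = (struct.pack(BOOTP_HDR, 2, 1, 6, 0, 0x1234, 0, 0x8000, b"\0" * 4,
                            bytes([192, 168, 2, 150]), bytes([192, 168, 2, 10]), b"\0" * 4,
                            b"\0" * 16, b"\0" * 64, b"\0" * 128)
                + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_SERVER_ID, 4, 192, 168, 2, 10])
                + bytes([OPT_SUBNET, 4, 255, 255, 255, 0]) + bytes([OPT_ROUTER, 4, 192, 168, 2, 1]) + b"\xff")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:   # e.g. sudo python3 dhcp_probe.py wlan0 10.0.7.0/24, while on the guest SSID
        for o in probe(sys.argv[1], sys.argv[2]):
            print(o["verdict"], "lease", o["yiaddr"], "from", o.get("server_id", o["siaddr"]))
    else:                   # offline demo against the constructed sample
        m = parse_dhcp(SAMPLE_OFFER)
        print(classify_offer(m, "10.0.7.0/24"), m["yiaddr"], m.get("server_id"))
```

Run it twice, once on each SSID: on the guest SSID every OFFER should come back with verdict `ok` for the guest subnet, and any `bleed` line names the server that should not have been reachable. Because the client MAC is random and the probe never sends a REQUEST, the offered lease is never taken up, so the test does not consume addresses on either DHCP server.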
12-08-2011 12:44 PM
There is more info on the bleed over issue on this thread:
12-08-2011 01:06 PM
Yeah, I see that, but I still don't see anyone using ACLs to limit communication between networks. What I did is set up 2 additional networks, so now the WRVS4400N has 3 networks including the WAN port, which is your internal network. The router allows communication between the 3. Use the ACL to filter your public network, which I believe includes DHCP communication. Your private clients don't really need your internal DHCP IP; it uses the DHCP from the WRVS4400N, which is different from the internal DHCP IP, but because there are no filters in your ACL between these 2 networks they communicate.
12-08-2011 01:35 PM
Now that I think back, I did have the bleed problem, and that's what made me think about ACLs. The router intercommunicates between VLANs. I get the feeling the VLANs on this router are more for communicating with other VLAN devices. You do need to create new VLANs in order to create new networks and connect SSIDs to the VLAN. From my experience you will not get it to work without ACLs. I do see that button that disables inter-VLAN communication (something like that); that button does not accomplish what you want to do, even though it should.
12-09-2011 05:17 AM
I just configured ACLs and I still have the bleed over issue. Maybe I don't have the ACL configured properly, I don't know. My private network is 192.168.1.x and my public network is 10.0.7.x. Anyone connecting to the public network SSID is getting DHCP from the private network IP range. Here is my ACL screenshot:
12-09-2011 07:54 AM
First, edit the current configuration source interface to ANY on both ACLs you created. If I got it right, you must have a private internal network of 192.168.1.0. You created 192.168.2.0 for the private SSID to communicate with network 192.168.1.0, and 10.0.7.0 will be for public. To stop the bleed, create another ACL that will be DENY ALL ANY 10.0.7.0/255.255.255.0 to 192.168.1.0/255.255.255.0. Do that first so you can see it stops the bleed. Now, this will also cut all the communication between these 2 networks. To allow your public to get internet, just follow my example where I allowed the HTTP, HTTPS, and DNS protocols through to the private network and cut all others. In your basic settings the 2 networks of the VLANs you created should be 10.0.7.0 and 192.168.2.0. You do not need to create one for 192.168.1.0. That comes from your WAN as long as you have the 192.168.1.0 cable plugged into the WAN port of the WRVS4400N. I gotta step out for a sec; I will be back later.
12-09-2011 08:02 AM
No, my private network is 192.168.2.0. There is a DHCP server on that network providing TCP/IP addresses in the range 100-250. My 4400N is plugged into that network via port #1 on the 4400N. I have port #1 assigned to VLAN1. My private SSID is also assigned to VLAN1. Port #4 on the router is assigned to VLAN2 and is plugged into the 10.0.7.x network. That network also has its own DHCP server providing addresses in the range 10.0.7.100-250. My public SSID is also assigned to VLAN2. I will try changing the ACL again and see what happens.
12-09-2011 08:09 AM
Just completed a simple test with just one ACL rule to deny all from any service, any interface to 10.0.7.0/255.255.255.0. I still get DHCP bleed over from the 192.168.2.0 network. I guess it is just not possible with these routers.
12-09-2011 09:31 AM
Trust me, it does work. I have 2 that work just like I need them to. I purchased these with the same goal you have. I need to step out for a couple of hours, and when I get back I will PM you my phone #. I will walk you through it. I will say your current config won't work. What I had to do is set up 2 separate networks for my wireless, i.e. 192.168.3.0 and 10.0.7.0. Your internal network is 192.168.2.0. I plugged a cable from 192.168.2.0 into my WAN port. At this point all 3 networks are communicating. I used ACLs to limit the 10.0.7.0 network to web access only. In my experience, if you don't put your internal network, i.e. 192.168.2.0, into the WAN port, I could not get it to work. I will be back soon; we can get it to work.
12-09-2011 09:33 AM
Michael,
Yes, this has been a big problem since the beginning and can't be resolved. In some situations this scenario has worked:
Vlan 1 – DHCP enabled on router
Vlan 2 – DHCP can be disabled
Again this is using the router as the GW router.
Next
I have advised customers that wanted to use it as a AP only to configure the router this way.
(GW router) Local network --> WAN port of 4400N
Configured 4400N in router mode
Vlan 1 – 192.168.5.0/24 DHCP enabled
Vlan 2 – 192.168.16.0/24 DHCP enabled
Add 3 firewall rules
Allow: GW source to destination VLAN 1 (corp), source interface WAN
Deny: GW source to destination VLAN 2 (guest), source interface WAN
Deny: Guest source to destination GW, source interface LAN
Now you are able to add ACLs to stop guest traffic talking to corporate traffic.
Basically this configuration is setting up another router behind your GW just for allowing wireless access.
You'll need two static routes in your GW router.
Also, none of the Cisco Small Business Routers allow LAN-to-LAN ACLs.
Hope this helps,
Jasbryan
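The three firewall rules from the post above, modelled as an ordered first-match policy and evaluated over sample flows, as an added example (not code from the thread or from Cisco; the WRVS4400N is configured in its web UI, so this only simulates the policy). The VLAN subnets are the ones the post gives; the GW LAN 192.168.2.0/24 behind the WAN port, the per-interface defaults (unsolicited WAN traffic denied, LAN-originated traffic allowed) and the sample flows are assumptions.

```python
"""Policy model for the three firewall rules described in the post above.

Added example, not code from the thread or from Cisco. Rules are evaluated
first-match; a flow that matches nothing gets the assumed default for the
interface it arrived on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # IPv4 network in CIDR form, or "any"
    dst: str      # IPv4 network in CIDR form, or "any"
    iface: str    # source interface the packet arrives on: "WAN", "LAN" or "any"
    note: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    iface: str    # interface the packet arrives on


GW_LAN = "192.168.2.0/24"   # assumed: the gateway router's LAN, reached via the 4400N WAN port
CORP = "192.168.5.0/24"     # vlan 1 from the post
GUEST = "192.168.16.0/24"   # vlan 2 from the post

RULES = [
    Rule("allow", GW_LAN, CORP, "WAN", "Allow GW -> vlan 1 (corp)"),
    Rule("deny", GW_LAN, GUEST, "WAN", "Deny GW -> vlan 2 (guest)"),
    Rule("deny", GUEST, GW_LAN, "LAN", "Deny guest -> GW"),
]

# Assumed defaults for a NAT router: unsolicited WAN-side traffic is dropped,
# LAN-originated traffic is permitted.
DEFAULTS = {"WAN": "deny", "LAN": "allow"}


def _matches(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def evaluate(flow: Flow, rules=RULES, defaults=DEFAULTS) -> tuple:
    """Return (action, reason): the first matching rule wins, else the interface default."""
    for rule in rules:
        if (rule.iface in ("any", flow.iface)
                and _matches(flow.src, rule.src) and _matches(flow.dst, rule.dst)):
            return rule.action, rule.note
    return defaults[flow.iface], "default for " + flow.iface


def verdicts(flows, rules=RULES) -> dict:
    """Map each (src, dst, iface) to its action, a quick table of the whole policy."""
    return {(f.src, f.dst, f.iface): evaluate(f, rules)[0] for f in flows}


SAMPLE_FLOWS = [  # constructed sample flows, not captured traffic
    Flow("192.168.2.10", "192.168.5.20", "WAN"),    # GW LAN host -> corp wifi client
    Flow("192.168.2.10", "192.168.16.20", "WAN"),   # GW LAN host -> guest wifi client
    Flow("192.168.16.20", "192.168.2.10", "LAN"),   # guest -> GW LAN host
    Flow("192.168.16.20", "8.8.8.8", "LAN"),        # guest -> internet (GW is only the next hop)
    Flow("192.168.5.20", "192.168.2.10", "LAN"),    # corp -> GW LAN host
    Flow("192.168.16.20", "192.168.5.20", "LAN"),   # guest -> corp: the LAN-to-LAN case
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, why = evaluate(flow)
        print(f"{flow.src:>14} -> {flow.dst:<14} on {flow.iface}: {action:<5} ({why})")
```

Two things the table makes visible: guest traffic to the internet is allowed because its destination is outside 192.168.2.0/24, even though the GW is its next hop, so the third rule does not cut guest web access; and the guest-to-corp flow between the two VLANs matches none of the three rules and falls through to the LAN default, which is the LAN-to-LAN gap the post's last line warns about. The two static routes the post mentions would be the GW's routes for the two VLAN subnets, pointing at the 4400N's WAN address (my reading of the post, not something it spells out).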