VLAN 1003 via a dedicated switch port

Hi community,

I’m running a RB750Gr2 in my home environment. All is good and fine.
I’ve set up the VLAN 1003 as VLAN in Interface on bridge1 and interface intern; all Apple Access Points can distribute the guest WIFI with their own segment and DHCP pool, internet access,… working flawlessly.

But how the heck do I define ether3 to only provide VLAN 1003 with the same DHCP pool and internet access as the Apple Airport is doing it?
I have a cable outside the house to connect to a mAP lite with VLAN 1003 only, if someone would directly connect to the CAT6 outside, he shouldn’t access the house internal network, only this “guest/dmz” one…

What shall I do?

Thanks, Christian

Depends on how things are set up currently.

If AP tags the traffic itself, then you can set port vlan security so that on ingress it only accepts tagged frames. A random passer-by won’t know it needs to tag packets so for him the port will seem useless. If one knows to tag frames with correct VID, he’ll be able to become part of guest subnet.

If it’s RB tagging ingress traffic (and untagging egress), then you should set port vlan security so that it only accepts untagged ports and with pvid set to 1003 (guest VLAN) anything connected to that port will automatically become part of guest subnet.

Things become complicated if the ethernet port is an “access” port, meaning that it carries both tagged and untagged frames ... because Apple AP might insist on such a set-up ... and that management interface should be on untagged “VLAN” (Ubnt devices insist on such a setup) ... then any anonymous trespasser with physical access to the ethernet cable can directly access the management/internal network.

It is possible to play with bridge filtering so that it only passes frames with correct src/dst MAC set … but it’s not trivial and affects performance.
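The three port setups described in the answer above, as a small ingress-filtering model (an added example, not part of the thread and not RouterOS code). It assumes ether3 is the outdoor port and that the internal LAN is the untagged VLAN 1; the mode names and the sample frames are constructed.

```python
from dataclasses import dataclass
from typing import Optional

GUEST_VID = 1003     # guest VLAN from the thread
INTERNAL_VID = 1     # assumption: internal LAN is the untagged/default VLAN


@dataclass(frozen=True)
class Port:
    name: str
    frame_types: str      # "admit-all", "admit-only-tagged" or "admit-only-untagged"
    pvid: int             # VLAN assigned to untagged ingress frames
    allowed: frozenset    # VLANs this port is a member of


def classify(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN an ingress frame lands in, or None if it is dropped."""
    if tag is None:
        if port.frame_types == "admit-only-tagged":
            return None
        vid = port.pvid           # untagged frame inherits the port's pvid
    else:
        if port.frame_types == "admit-only-untagged":
            return None
        vid = tag
    return vid if vid in port.allowed else None


# Constructed port profiles, one per paragraph of the answer.
PORTS = {
    "tagged-only": Port("ether3", "admit-only-tagged", GUEST_VID, frozenset({GUEST_VID})),
    "untagged-guest": Port("ether3", "admit-only-untagged", GUEST_VID, frozenset({GUEST_VID})),
    "hybrid": Port("ether3", "admit-all", INTERNAL_VID, frozenset({INTERNAL_VID, GUEST_VID})),
}

# Constructed frames a device plugged into the outdoor cable could send.
FRAMES = {"untagged": None, "tag 1003": GUEST_VID, "tag 1": INTERNAL_VID, "tag 20": 20}


def exposure(mode: str) -> dict:
    """Map each sample frame to the VLAN it reaches on the given port setup."""
    return {label: classify(PORTS[mode], tag) for label, tag in FRAMES.items()}


def reaches_internal(mode: str) -> bool:
    return INTERNAL_VID in exposure(mode).values()


if __name__ == "__main__":
    for mode in PORTS:
        print(mode, exposure(mode), "internal reachable:", reaches_internal(mode))
```

Only the hybrid profile lets a frame from the outdoor cable land in the internal VLAN; the other two confine every accepted frame to VLAN 1003.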

Thanks, this would mean it is easier to buy another airport, place it inside the house and let the guest wifi work outside (it’s mainly for my carport connection to the Tesla once I get him).