I am using an hAP ac only as Access-Point. I want to use it only to serve two VLANs as different wifis. My infrastructure should look like this:
                                                                        WIFI1 WIFI2
                                                                       VLAN10 VLAN20
                                                                           ▲    ▲
                                                                           │    │
                                                                           │    │
┌─────────────────┐   ┌───────────┐            ┌────────────┐         ┌────┴────┴───┐
│                 │   │           │   Trunk    │            │  Trunk  │             │
│ Internet-Router ├───┤ Firewall  ├────────────┤   Switch   ├─────────┤   hAP ac    │
│                 │   │           │            │            │ VLAN10  │             │
└─────────────────┘   └───────────┘            └────────────┘ VLAN20  └─────────────┘
                                                              VLAN90
VLAN10 = TrustedDevices
VLAN20 = GuestWLAN
VLAN90 = Management
- WIFI1 should be VLAN1 (Trusted Wifi Devices)
- WIFI2 should be VLAN20 (Guest Wifi)
What I found out:
Bringing VLAN to the Wifi:
I add a new virtual wifi-Interface and give it the corresponding vlan-tag and set vlan-mode to "use tag".
Next I create two new VLAN-interfaces. One having the newly created wifi as parent, the other having the trunk ether-port as parent. Both with the same vlan-tag.
Next I create a new bridge and add only the two created VLAN-interfaces to the bridge (PVID set to default 1 and admit all).
(VLAN filtering is turned off)
There is no IP added or set, as it should only be a transparent bridge. No IP service is needed from the MK.
This way I can bring up multiple VLAN-Wifi-bridges. But they all rely on a running physical WIFI interface in "ap bridge" mode that has an SSID etc. set.
I also found that I cannot bring a VLAN tag to this physical Wifi interface, because there is no setting for it in physical interfaces. Including the physical wifi interface in a bridge (as described above) does not seem to work to serve the VLAN.
So for the purpose of having these two wifi networks attached to the two VLANs I have to add two virtual wifi interfaces, but then I have this physical wifi network hanging around.
Am I doing things right? How to handle the physical wifi? Should I just set some credentials on it and hide it? This doesn't feel like the right way to me.
Well, and at last I'd like to know if there is something I have to know when setting the management on VLAN90? In my first tries the MK did not respond anymore (might be, as there were two routes).
I don't need routing (this is done by the firewall), I don't need DNS or DHCP (these are served on other machines), I don't need NAT. So really just bringing the VLANs to the Wifis and using the third VLAN as management LAN.
Thanks a lot!
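The per-VLAN transparent-bridge layout described in the post, written out as a RouterOS v6 CLI script. This is an added example, not the poster's own export or a MikroTik-provided configuration. It assumes ether1 is the trunk port to the switch, wlan1 is the physical radio that stays enabled in ap-bridge mode as master for the two virtual APs, and that the SSIDs, pre-shared keys, the management address 192.0.2.10/24 and gateway 192.0.2.1 are placeholders to be replaced.

```routeros
# Added example, not the poster's config. Assumptions: ether1 = trunk to the switch,
# wlan1 = physical radio kept up as master, SSIDs/PSKs/addresses are placeholders.

# Physical radio: the virtual APs only come up while their master is enabled
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n ssid="PLACEHOLDER-master" disabled=no

# One WPA2 profile per SSID, so the guest PSK never unlocks the trusted VLAN
/interface wireless security-profiles
add name=trusted mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-trusted"
add name=guest mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-guest"

# Two virtual APs; vlan-mode=use-tag makes each one tag its frames with its VLAN id.
# default-forwarding=no on the guest SSID stops guest clients talking to each other.
/interface wireless
add master-interface=wlan1 name=wlan-vlan10 ssid="TrustedWifi" vlan-mode=use-tag vlan-id=10 security-profile=trusted wps-mode=disabled disabled=no
add master-interface=wlan1 name=wlan-vlan20 ssid="GuestWifi" vlan-mode=use-tag vlan-id=20 security-profile=guest wps-mode=disabled default-forwarding=no disabled=no

# VLAN sub-interfaces: one on the virtual AP, one on the trunk, same tag on both
/interface vlan
add name=vlan10-wifi interface=wlan-vlan10 vlan-id=10
add name=vlan10-trunk interface=ether1 vlan-id=10
add name=vlan20-wifi interface=wlan-vlan20 vlan-id=20
add name=vlan20-trunk interface=ether1 vlan-id=20

# One bridge per VLAN, VLAN filtering off, no IP address on either bridge
/interface bridge
add name=br-vlan10 vlan-filtering=no
add name=br-vlan20 vlan-filtering=no
/interface bridge port
add bridge=br-vlan10 interface=vlan10-wifi
add bridge=br-vlan10 interface=vlan10-trunk
add bridge=br-vlan20 interface=vlan20-wifi
add bridge=br-vlan20 interface=vlan20-trunk

# Management: the only IP on the device sits on VLAN 90 of the trunk,
# with exactly one default route via the management gateway (placeholder addresses)
/interface vlan add name=vlan90-mgmt interface=ether1 vlan-id=90
/ip address add address=192.0.2.10/24 interface=vlan90-mgmt
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1

# Bind management services to the management subnet and switch off the plaintext ones
/ip service set winbox address=192.0.2.0/24
/ip service set ssh address=192.0.2.0/24
/ip service set www address=192.0.2.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
```

The two bridges carry no IP address, so the device is reachable only through vlan90-mgmt, and the `/ip service` address restrictions mean a client on the trusted or guest wifi cannot reach WinBox, SSH or the web interface even if it guesses the management address. The script deliberately leaves the poster's open question about the physical wlan1 untouched: it only keeps the master enabled, which is the one requirement the post itself states for the virtual APs.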