Hi all,

I've been playing around for a bit with a home setup that implements three HAP AC2's. One is the main router with Wi-Fi and the other two are just wireless AP's and could be used as switches for ethernet connected devices. It's a bit weird, but I have a bunch of them that I've accumulated and never used so instead of buying new hardware I'm just going to utilize what I've got. The idea is to have 1 main wireless network and a guest network that goes to a VLAN. Below is a config breakdown and a quick topology that I drew. Are there any glaring issues anyone sees with this config, and how could it be improved upon? Bare in mind that I've not gotten round to any fancy things yet, its just a basic starting point while I get the wiring done etc.



R1:
1. A single bridge interface with the IP address 192.168.88.1/24 added to it.
2. DHCP server allocating IP's from that block added to the bridge.
3. Guest VLAN with an ID of 20 added to the bridge.
4. IP address 10.20.20.1/24 added to VLAN interface.
5. DHCP server added to the VLAN to hand out IP's.
4. WLAN1 setup with no VLAN tag (default 1)
5. Virtual WLAN setup as a virtual interface under WLAN1 with a VLAN tag of 20.

R2:
1. Bridge with every interface added to it.
2. WLAN1 setup with the same SSID and password as WLAN1 on R1.
3. Virtual WLAN setup as a virtual interface under WLAN1 with the same SSID and password as the virtual WLAN on R1. This one is also set to tag its traffic with a VLAN ID of 20.

R3 same as R2.

Thoughts? Opinions? Everything's working fine and haven't run into any real issues with this setup.

Yes, this is how it is supposed to be done. I have such setup as well and it works.
Instead of "use VLAN tag 20" on the WiFi you can also make the virtual WIFi interface an untagged member of VLAN 20 on the bridge. That requires that VLAN filtering is enabled, the VLAN created in the bridge config, etc. See general texts on VLAN filtering.
But without that, it should work as well.

This looks fine, and is very simple. You threat the bridges/switches in the hAP ac2 as "dump" switches, not filtering or touching the VLAN, what is OK.

There is more in ROS for VLANs, Instead of setting the VLAN id in the VWLAN1 interface, one could deliver the VLAN20 as untagged to that VWLAN1 interface.
So the transition from tagged to untagged then happens in the bridge, not in the VWLAN interface anymore.

I see no immediate benefit in this simple case, for using the bridge as VLAN filter, all traffic goes to all bridges and ethernet ports anyway.
It would be different if you wanted to add a Guest ethernet port dedicated to VLAN20.

Don't complicate things with the Switch VLAN settings. It can be very confusing then.

Some will clearly claim that the "bridge" method is the only way to go. I'm not convinced, and the VWLAN way of setting the VLAN ID works very well. Even in access-lists then you can specify the VLAN to be used.

What will improve your wifi experience is also using the WLAN2 (and VWLAN2 / WLAN2.20 virtual interface), so that 5 GHz band is also available. Using a 40MHz bandwith is no problem here (as is with the 2.4GHz band), even 80 MHz is quite common.

EDIT: I was too late to see pe1chi's post. He was faster :-; (and shorter)

Thank you very much pe1chl and bpwl.

When it comes to having a vlan tagged bridge on the HAPs, I have done this too, but its a little more complex but allows me to allocate VLANS on a per port basis as you mentioned. Let me know what you think of this:

R1: The virtual wlan is not set to tag its traffic, I then tell the bridge to do vlan tagging, give the virtual wlan port a pvid of 20, then say untagged=Vwlan tagged=Bridge. I also add ether 3 and 4 as tagged since the two AP's are plugged into those ports.

R2: This is quite simple, I just remove the vlan tag from the virtual wireless interface, add vlan filtering to the bridge its in, give the vwlan a pvid of 20, make the vwlan untagged with eth1 tagged since its the interface connecting to R1, and done.

With this configuration I can add vlan tagging to the ethernet ports.

Also thanks for the heads up with regards to the wlan2 - I do have it configured so that I've got 5Ghz wifi, I just wanted to make this post as simple as possible and leave out some bulk so that theres not too much for everyone to have to read through to get the main points.

Yes, with those changes it would work, but as bpwl already added it is more work and not really required, using vlan tagging on the wireless interface definition will work OK at least for now. Probably it is also less CPU intensive.