VLAN Wireless & Nebula

Firstly, the customer's network, which is looked after by a third party. They have 2 VLANs:
VLAN 1 is the office and default network. IP range 192.168.252.xxx
VLAN 10 is the guest network. IP range 172.10.10.xxx
The IT company have programmed a port on their switch for me to connect to.
When I connect my laptop to this port, DHCP gives me a 192.168.252.xxx address and I connect to the internet.
When I statically assign VLAN 10 on my laptop on the same port, DHCP gives me 172.10.10.xxx and I connect to the internet.
I programmed up a PoE switch, connected it to this port on the network switch and repeated this testing process. So in my head I know the VLAN tagging works.
I have 8 x WAX510 Zyxel wireless access points. I have 2 wireless SSIDs set up:
SSID: Office, set up with VLAN 1
SSID: Guest, set up with VLAN 10 (guest networking feature not enabled, just programmed the VLAN)
This is all done on Nebula.

I connect the APs to the PoE switch. The devices don't connect to Nebula. The SSIDs are broadcasting. If I connect to the Office SSID I don't get internet, but if I connect to the Guest SSID I get a 172.10.10.xxx IP address and I connect to the internet.
The IT company programmed a port on the firewall and I connected an unmanaged PoE switch to this. The APs connect to Nebula and the Office SSID works correctly, but the Guest SSID does not.

This makes no sense to me, as I know the VLANs are working, yet the APs aren't?

All Replies

  • Zyxel_Richard
    Zyxel_Richard Posts: 218  Zyxel Employee
    Hi Sir,

    First I'd clarify one thing: based on our design, "the VLAN1 should be untagged".

    So on the "PoE switch that can be configured", please set VLAN1 untagged, and test whether the AP can go online, as well as other wireless clients connecting to the office SSID.

    As for the second case you've mentioned, please also configure the firewall port to support VLAN10. Since VLAN1 can access the Internet, the AP goes online; the traffic from the guest SSID will be tagged with VLAN10, so we also need to ensure the gateway can handle this tag.

    Overall, from the AP's perspective, the traffic from VLAN1 should be untagged (no matter whether it's sent out or received). For traffic belonging to VLAN10, the AP will add a VLAN10 tag when sending towards the switch, and the received packets should also have the same VLAN tag.

    So on the "firewall port" and the "switch ports where both AP and firewall connect", please ensure VLAN1 is untagged and VLAN10 is tagged out.

    Best Regards,
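
The tagging rule from the reply above, as an added example that is not part of the original thread or Zyxel's own code: a small 802.1Q port model that checks which AP traffic passes on a given uplink port. The three port configurations are constructed assumptions chosen to match the symptoms described, not the actual settings of the devices in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """802.1Q switch/firewall port: one untagged (native) VLAN plus tagged VLANs."""
    untagged: Optional[int]                      # VLAN for untagged frames; None = drop them
    tagged: set = field(default_factory=set)     # VLAN IDs accepted/sent with a tag

    def ingress(self, tag):
        """Return the VLAN a received frame is placed in, or None if dropped."""
        if tag is None:
            return self.untagged
        return tag if tag in self.tagged else None

    def egress(self, vlan):
        """Return how a frame of this VLAN leaves: 'untagged', its tag, or None."""
        if vlan == self.untagged:
            return "untagged"
        return vlan if vlan in self.tagged else None

# What the AP puts on the wire, per the reply: VLAN 1 untagged, VLAN 10 tagged.
AP_TRAFFIC = {"management (Nebula)": None, "Office SSID": None, "Guest SSID": 10}
EXPECTED_VLAN = {"management (Nebula)": 1, "Office SSID": 1, "Guest SSID": 10}

def check(port):
    """Map each AP traffic type to True if it passes the port in both directions."""
    result = {}
    for name, tag in AP_TRAFFIC.items():
        vlan = EXPECTED_VLAN[name]
        up = port.ingress(tag) == vlan                                    # AP -> network
        down = port.egress(vlan) == ("untagged" if tag is None else tag)  # network -> AP
        result[name] = up and down
    return result

# Constructed port configurations (assumptions, not read from the real devices).
SCENARIOS = {
    "both VLANs tagged": Port(untagged=None, tagged={1, 10}),
    "VLAN 1 only, untagged": Port(untagged=1),
    "VLAN 1 untagged + VLAN 10 tagged": Port(untagged=1, tagged={10}),
}

if __name__ == "__main__":
    for label, port in SCENARIOS.items():
        print(f"{label}: {check(port)}")
```

The first configuration reproduces the PoE-switch symptom (only the Guest SSID works), the second the firewall-port symptom (management and Office work, Guest does not), and the third is the configuration the reply recommends.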
