NWA50AX/GS1900-8HP VLAN Configuration

bhaotf

I am having an issue (probably due to my misconception and misconfiguration of something) getting my new NWA50AX AP and GS1900-8HP working successfully with VLANs.

Sorry that this is such a long post, but I wanted to try to explain my configuration and issue in detail.

I have the following configuration:

• NWA50AX
  • Updated firmware - 6.29(ABYW.1)
  • 2 active SSIDS
    • SSID1, VLAN 1
    • SSID20, VLAN 20
• GS1900-8HP
  • Updated firmware - V2.70(AHHI.3)
  • NWA50AX uplink connected to a switch port on the GS1900-8HP (see below for configuration)
  • Upstream WAN connected to switch port on VLAN 10
  • Trunk port connected to OpenWrt router
• OpenWrt router
  • Running in a VirtualBox VM on a laptop
  • "router on a stick" configuration
    • WAN as VLAN 10
    • LAN on a software bridge with ports for VLAN 20 and VLAN 1

The switch/router configuration works as expected, providing upstream internet access and
between devices on the LAN VLAN.

My issue is with attempting to configure the AP and switch such that I can use SSID20 to connect to VLAN 20 (LAN and the upstream internet connection) and SSID1 (AP management).

I have the AP uplink connected to a switch port that is configured as follows:

• Accept tagged VLAN IDs 1 and 20
• trunk port enabled

When I have the AP configured to to disable "native" VLAN 1 and the uplink switch port configured to accept "tagged only" frames I can connect to SSID1 (VLAN 1), access the AP management site, and the internet. Attempting to connect to SSID20 (VLAN 20) fails (I believe that this is caused by the computer not receiving an IP address via DHCP probably due to lack of connectivity to the router). I can connect to the AP management interface via a wired connection using a different switch port configured as VLAN 1.

When I reconfigure the AP to enable "native" VLAN 1, reconfigure the uplink switch port to accept "all" frames I can connect to SSID20 (VLAN 20) and access the internet. Attempting to connect to SSID1 (VLAN 1) fails (again, I believe that the connected computer doesn't receive an IP address via DHCP due to lack of connectivity to the router). I can connect to the AP management interface via a wired connection using a different switch port configured as VLAN 1.

I am obviously misunderstanding how the settings on the switch port operate with respect to the VLAN settings on the AP and how the switch tags traffic. I don't have a clear picture about the behavior of the switch with different switch port configurations or how the AP VLAN settings work.

My original assumption was that if I disabled "native" VLAN 1 in the AP configuration, I would only get tagged frames on the uplink from the AP. In my case, this would be VLAN 1 tagged frames originating from SSID1 and VLAN 20 tagged frames originating from SSID20. Thus, my original configuration of the uplink switch port to accept tagged VLAN IDs 1 and 20, as a trunk port, and accepting "tagged only" frames. I don't understand why I can only successfully use SSID1 (VLAN 1) but cannot use SSID20 (VLAN 20) in this configuration.

Additionally, I'm not understanding why my alternative switch port configuration to accept "all" frames together with enabling "native" VLAN on the AP results in only being able to use SSID20 (VLAN 20) but cannot use SSID1 (VLAN 1).

When the AP is configured to enable "native" VLAN 1 for management, I am assuming that this implies that traffic originating from SSID1/VLAN 1 is untagged, whilst traffic originating from SSID20/VLAN 20 is tagged. When the switch port is configured to accept "all" frame types (and PVID=1) does the switch tag the untagged frames coming from the AP uplink or are they left untagged? I am wondering whether it does tag the frames as the upstream router doesn't seem to see traffic coming from the AP on VLAN 1. The router LAN is configured as a software bridge for VLAN 1 and 20 and is apparently not seeing the DHCP request from the AP on VLAN 1 in this configuration.

When the AP is configured to disable "native" VLAN 1 for management, I am assuming that this implies that traffic originating from both SSID1/VLAN 1 and SSID20/VLAN 20 is tagged. When using this AP configuration together with a switch port configuration to only accept "tagged" frames, I don't understand why I cannot use SSID20/VLAN 20 (apparently no traffic
from VLAN 20 reaches the router).

I guess the ultimate question is, how do I configure the AP and switch port such that there is a tagged trunk connection for VLAN 1 and 20 between the AP and switch. I will want to expand this to additional VLANs with associated SSIDs in the future. Is part of my problem bridging VLAN 1 and 20 on the router? Still, it seems that I should be able to trunk the connection between the AP and switch passing VLAN 1 (tagged) traffic and one or more additional VLANs as tagged traffic over that connection. On the surface, this doesn't seem to be happening correctly. What are the best practices in regards to configuring the AP and switch?

Any help on clarifying my understanding of how things work and should be configured would be greatly appreciated.

Thanks,

ba

bhaotf

So, I solved this. It turned out that it was a router configuration issue. I moved VLAN-1 out of the LAN bridge that contained VLAN-20, put VLAN-1 into its own OpenWrt interface, bridge, and firewall zone. VLAN-1 is now in a separate subnet, with access to the internet. I ended up disabling “native” VLAN for VLAN-1 on the AP, using “tagged only” on the switch trunk port for the uplink. Everthing works just fine.

Sorry for the noise. But, maybe someone else might benefit from this at some point in time.

ba

bhaotf

So, I solved this. It turned out that it was a router configuration issue. I moved VLAN-1 out of the LAN bridge that contained VLAN-20, put VLAN-1 into its own OpenWrt interface, bridge, and firewall zone. VLAN-1 is now in a separate subnet, with access to the internet. I ended up disabling “native” VLAN for VLAN-1 on the AP, using “tagged only” on the switch trunk port for the uplink. Everthing works just fine.

Sorry for the noise. But, maybe someone else might benefit from this at some point in time.

ba