  1. #1
    Untangler
    Join Date
    Nov 2014
    Location
    Charlotte, NC
    Posts
    83

    Vlan on Untangle that has 3 internal NICs **Solved***

    Hello,
    I am a home Untangle user and would like to break my network into at least two networks. I have been reading about VLANs but have never set one up. I don't have a switch that supports VLANs, but since I have 3 internal ports on my Untangle box I thought I would use Port 3, which is an internal port. I created a VLAN called Guest and bridged it to port 3. My thought was that all traffic on this port would now be on a separate network from the others. The network IP addresses on the other interfaces (ports 1 and 2) are set to use 192.168.X.X and the VLAN was set to use 10.1.X.X. I connected a wireless access point to this port that is set to use DHCP. I expected the WAP to be given an IP address of 10.1.1.X but it still gets 192.168.X.X.

    What am I doing wrong?

    Thanks for everyone's help.
    Last edited by Marty_B; 05-13-2020 at 09:19 PM.

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    Without a switch, or an AP that does VLAN tagging, the packets aren't tagged, and are coming in on the base physical interface (you still have both).

    NGFW is a little different, in that it doesn't simply tag traffic from the physical interface, like a switch.
    If the traffic is already tagged properly, it will appear on the virtual interface.
    Last edited by Jim.Alles; 05-13-2020 at 06:22 PM. Reason: VPN on my mind
    If you think I got Grumpy

  3. #3
    Untangler
    Join Date
    Nov 2014
    Location
    Charlotte, NC
    Posts
    83


    Thanks for your quick response. So you're saying that Untangle will not route traffic to a specific port, it simply tags the data and the switch/AP routes the data to the appropriate port? In other words, I can't do a VLAN without a switch or AP that supports it even though I have multiple ports on the Untangle itself?

  4. #4
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    I am in the same place you are, just setting up a VLAN for the first time.
    Yeah, a VLAN exists between two points that understand tagging. All of the traffic on a switch port can be tagged prior to going to another device, with multiple VLANs possible over a single trunk cable.

    In a sense, since you have the extra port, you technically don't need a VLAN - but I understand that's not the point here.

    I haven't tested it, but you may be able to force the traffic to the VLAN by disabling the underlying physical interface on NGFW. This isn't very intuitive, I know. But it seems to have worked for a PPPoE setup on a WAN.

    As far as a switch goes, small managed switches are readily available for under $50
    Netgear ProSAFE Plus

  5. #5
    Untangler
    Join Date
    Nov 2014
    Location
    Charlotte, NC
    Posts
    83


    Quote Originally Posted by Jim.Alles View Post
    In a sense, since you have the extra port, you technically don't need a VLAN - but I understand that's not the point here.
    Actually, my goal is to allow guest access to the internet in my house with a separate wireless access point, and have a separate policy for web filtering etc. than the rest of my network. I have a fair amount of home automation that I would like to isolate from guests. If I can do that without a VLAN, please do tell. Just point me in the right direction. Your help is much appreciated.

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    Well, then the whole purpose of a VLAN is to save on cabling infrastructure.

    If you can run a separate cable, then you are done. What kind of device do you plan on using for the second AP?

  7. #7
    Untangler
    Join Date
    Nov 2014
    Location
    Charlotte, NC
    Posts
    83


    A Linksys EA7500 WAP. I have set it up in bridge mode so it only acts as an access point. I can make it work with no problem, I just don't know how to isolate it, and the guests who will connect to it, from the rest of my network.

  8. #8
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    That brings up another point. A separate physical cable is always more secure. If that is actually a factor in your home, you might want to consider moving

    Anyway, this is one rule that handles isolating one of the internal networks.
    jail.png
    Last edited by Jim.Alles; 05-13-2020 at 08:27 PM.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263


    Let's set some terminology straight... it helps!

    VLAN is a logical layer 2 division of a consistent switching fabric. To put it in English, it's a way to organize your physical switches into multiple smaller virtual switches. Again, this operates on layer 2 (Data Link), no IP here, just Ethernet frames.

    IP Network / IP Subnet is a logical layer 3 division. This is layer 3, (Transport Layer). This doesn't just involve IP, it is the essence of IP.

    The VLAN separates the broadcast domain, the IP network does not. The IP network often overlays the VLAN and uses the same borders, but doesn't have to.

    So, if you have VLAN capable switches, you can use a single interface on Untangle to grab packets from everywhere. But if you don't... well you can't! Other firewalls will pick things up and tag them, Untangle won't. Untangle will however transmit tagged packets when things are exiting an interface configured to do so, namely it's a tagged interface.

    Now, after all that... to the OP most of this is irrelevant. Because your stated goal is to create an isolated guest wireless via a dedicated access point. You do that by creating a routed interface, that isn't VLAN, but on its own IP network, and connecting it to a dedicated WAP directly, or via a dedicated switch. And POOF isolation achieved.

    Some people will erroneously refer to such a separation as a VLAN, when it's in fact another IP network. And vice versa... which is why things get horribly confusing.

    And, if you splurge a bit, I can tell you that a Unifi WAP connected directly to Untangle tags things quite nicely for Untangle to pick up, allowing you to operate private and guest wireless networks over the same cable into and out of Untangle seamlessly.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
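
The tag-based separation described in posts #2 and #9, as an added example that is not part of any post in this thread and is not Untangle's code: a small 802.1Q header parser plus a model of how a tag-aware device decides which interface receives a frame. The interface name `eth2`, the configured VLAN ID 10 and the sample frames are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet header into MACs, optional 802.1Q tag and EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}

def receiving_interface(frame: bytes, base="eth2", configured_vids=(10,)):
    """Illustrative demultiplexing model (hypothetical names, an assumption)."""
    vlan = parse_frame(frame)["vlan"]
    # Untagged, or priority-tagged with VID 0: stays on the physical interface.
    if vlan is None or vlan["vid"] == 0:
        return base
    if vlan["vid"] in configured_vids:
        return f"{base}.{vlan['vid']}"  # the VLAN (virtual) interface
    return None  # tagged for a VLAN that is not configured: dropped

# Constructed sample frames: broadcast from a locally administered MAC.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"\x00" * 46

def tagged(vid: int, pcp: int = 0) -> bytes:
    return DST + SRC + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, 0x0800) + PAYLOAD

UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD  # what a plain AP sends

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("vid 10", tagged(10)), ("vid 99", tagged(99))]:
        print(name, "->", receiving_interface(f))
```

The untagged frame is the case from post #1: traffic from an AP that does no tagging arrives on the base interface and gets that interface's DHCP range, regardless of the VLAN interface defined on the same port.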

  10. #10
    Untangler
    Join Date
    Nov 2014
    Location
    Charlotte, NC
    Posts
    83


    I am not sure I understand what this will do but I will give it a try and see what happens. Thanks again for your help.
