Aerohive Geek Network

Separating your LAN with Edgerouter and VLANs

I recently replaced my router as you might have read in the previous post. I wanted to create a separate lan for guests using my Unifi access points. And be able to create other networks for IoT devices.

I have used the following hardware:

Edgerouter 4

Aerohive switch SR2208P (myPoE switch)

Mikrotik switch (for my clients)

2 x Unifi AP Pro

I assume you already have internet connection on your edgerouter.

But you might think that there is already a way of doing this? And it is. By using the “apply guest policies” like in the image below in the unifi controller. This works quite nice and you can have a dedicated ssid for your guests. You will have to have a controller running in order to use this. Not install the APs via the app. But what if your kids want to play Minecraft, or if you have a Chromecast on this ssid. This will not work. This is because this network is isolated and clients should not be able to communicate with each other. If you think this is ok just go ahead and stop reading.

 

If you want to have some more control you might want to create VLANs instead. By doing this you can have your cameras on 192.168.40.0/24, your computers on 192.168.0.0/24 or your guest wifi at 192.168.88.0/24. Or any address you may want.

First some fundamentals.

VLAN – Virtual Local Area Network, logical identifier for isolating a network

Trunk – A port enabled for VLAN tagging. Usually used between two switches or a switch and an access point.

Access – A port that does not tag and only accepts a single VLAN. Could be any port

Native VLAN – The VLAN associated with all untagged traffic on a trunk. Usually VLAN 1.

So basically you would need a switch supporting vlans. Maybe with PoE if you want to power the APs.

I started by creating a new ssid (guestwifi) called “monkeyisland”. There is not much configuration to be done here. Just name it, set a password and vlan. You may test if you want but it wont work. However you should be able to see it.

The next step is to create a new vlan in the edgerouter. You should use the same interface as your lan. I have eth5 (sfp) as wan connected to the fiber. And eth1 connected to my switch.

Also create a new dhcp scope. Use any range you may want.

I belive you will have to set the dns forward as well. Make sure the eth1.88 is added.

Ok, The dns,dhcp and vlan is up as well as the ssid. But it still wont work. This is because the connection between edgerouter eth1 and your switch is most likely still configured as an access port /untagged. This means that only the native vlan1 is going to pass.

Log in to your switch via ssh or gui. Both shown below. Notice that port 5 (in my case) on the switch should be configured as a trunk (tagged). In my case I am permitting all vlans. I could use another separate switch for guests on for example vlan 100. In this case I might have allowed only this vlan here. However I will create some firewall rules later in order to prevent guests from accessing my private lan and vice versa.

 

Still not working? No. However you could use one free port and set this with access port vlan 88. Connect your computer to this port via cable. You should be able to get an ip adress now. Most likely 192.168.88.50. You can see the leases in the edgerouter gui.

What is missing is that you would need to create a trunk port to your acceess points as well. You may configure it the same way as you did with the switch-edgerouter.

Notice: I did try this several times but still got no ip. I suspected there were some misconfiguration on the firewall rules. However I restarted the router and suddely it worked.

Now the guest wifi is working as well as dhcp. But if you try to ping from your lan (in my case 192.168.0.X) to 192.168.88.50 it replies. Same in the opposite direction.

You will have to create some firewall rules to prevent this. Create a new ruleset with default action accept. Interface eth1.88 direction IN.

Also create two rules as below. This will block traffic from and to the guest vlan. You may have to add more rules if you have more vlans. Most likely there are better ways of doing this but it works for me so I left it here.

Now it is done. Create more vlans for your IoT or whatever you want. My setup lokks more or less like the image below.