Setting up VLAN with 2 Netgear Switches, APs, and TZ210
Posted on 2014-10-31
I am in the process of setting up 5 Access Points for Internal and Guest Wireless with 5 Netgear WNDAP360 Access Points, 1 Netgear GS752TP 52-port Switch, 1 Netgear GS728TP Switch, and an existing SonicWall TZ210 Firewall.
I am having trouble setting up the VLANs so all wired and wireless Internal traffic works and the Guest Access gets sent out to the Internet directly. This is not in production yet, so I have a little time to play with it. My main thing is that I can get one network or the other working, but not both consistently.
The physical setup is: the TZ210 (Port 4) will be connected to the GS752TP on (Port 45).
The GS752TP (Port 47) will be connected to the GS728TP (Port 28) as the Trunk port for communication between the switches.
3 Access Points will be connected to the GS752TP (Ports 1, 2 and 3)
2 Access Points will be connected to the GS728TP (Ports 1 and 2)
The Access Points have 2 Internal network SSIDs (set up for VLAN10) and 2 external SSIDs (set up for VLAN20).
The firewall does not have VLAN settings, so in order to do this, I believe I have to have separate physical ports being used for Internal and Guest communication out to the Internet. The internal network has a Windows 2008 Server running DHCP and DNS. On the firewall I set up a zone (named VLAN20 just to know why it is there later), a DHCP Server entry and an interface specifically for the Guest Access to get out to the Internet.
The GS752TP and GS728TP switches have the native VLAN 1, and on all the Access Points and Switches I have configured their IP Addresses as 192.168.254.x so that they are off of the primary LAN for administration. Not sure if this is necessary.
VLAN10 - Internal Network is 192.168.10.x with a gateway of .1
VLAN20 - Guest Wireless and Network is 192.168.254.x with a gateway of .1
In the Switches I have ports 1, 2, 3 tagged for both VLAN 10 and VLAN 20, and VLAN 1 (default) shows as Untagged. So ports 1, 2, and 3 are my Tagged Interfaces for Trunking between the APs and the switches they are connected to.
On the GS728TP Port 28 and on the GS752TP Port 48 are Tagged in both VLAN 10 and VLAN 20, which trunks one switch to the other. Since the primary use of the wired network is for Internal Business, I have tried to set all other ports to VLAN 10, except one port (45) for management of the 192.168.254.x VLAN1 network, and one port (46) on the GS752TP for Guest Wireless to connect to port 5 of the TZ210.
When I set all the unused interfaces on the switch to Untagged for VLAN10, I am no longer able to access my internal DHCP server on the primary network with address 192.168.10.x, so I can't get an IP Address. With this configuration, VLAN20 (Guest Access) works flawlessly and the connected devices get their IP address from the TZ210's VLAN20 zone.
If I switch all unused ports back to VLAN1, which is the out-of-the-box default setting, my Internal Network starts to work without issue, but I break the Guest LAN.
So in a nutshell, I am having problems with the VLAN settings to allow both kinds of traffic to go where they need to go. With PVID set to VLAN
TZ210 LAN to Untagged port (25) in GS752TP VLAN1 for Internal Network access to the Internet.
TZ210 VLAN20 (OPT) to Untagged port (46) for VLAN20.
GS752TP ports 1, 2, 3 all Tagged in VLAN10 and VLAN20 for Trunking to Access Points. In VLAN1 they still show as U, which is set by the VSID (should this change to VLAN10?).
Port 48 tagged and connected to GS728TP port 28.
How should I configure all other ports for VSID? VLAN10?
GS728TP ports 1, 2, 3 all Tagged in VLAN10 & VLAN20 for Trunking to Access Points.
Port 28 tagged and connected to GS752TP port 48.
How should I configure all other ports in VSID? VLAN10?
Last thing is there is VLAN Routing, and every time I enter an IP and Subnet in there, the switch says that it already exists.
Hopefully I explained the problem well enough to understand.
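As an added example (not code from the post, Netgear or SonicWall), here is a small model of 802.1Q port membership, PVID and flooding, loaded with the GS752TP port table the post describes for the "all unused ports Untagged in VLAN10" case. It assumes port 48 as the inter-switch trunk (the post names both 47 and 48) and uses ports 10 and 11 as stand-ins for the unused access ports; it shows which ports a broadcast such as a DHCP Discover can reach from each port, and how it leaves them.

```python
# Constructed model of an 802.1Q switch port table; the port numbers follow the
# forum post, the helper names and the two "unused" ports (10, 11) are assumed.
from dataclasses import dataclass, field

TAGGED, UNTAGGED = "T", "U"


@dataclass
class Port:
    pvid: int                                    # VLAN for untagged ingress frames
    members: dict = field(default_factory=dict)  # vlan_id -> TAGGED / UNTAGGED


def build_gs752tp():
    """GS752TP port table as described in the post (assumptions in comments)."""
    sw = {}
    for p in (1, 2, 3):   # AP trunks: tagged 10/20, still untagged member of VLAN 1
        sw[p] = Port(pvid=1, members={1: UNTAGGED, 10: TAGGED, 20: TAGGED})
    sw[25] = Port(pvid=1, members={1: UNTAGGED})      # TZ210 LAN, untagged VLAN 1
    sw[46] = Port(pvid=20, members={20: UNTAGGED})    # TZ210 OPT, untagged VLAN 20
    sw[48] = Port(pvid=1, members={1: UNTAGGED, 10: TAGGED, 20: TAGGED})  # trunk (assumed 48)
    for p in (10, 11):    # representative "unused" ports set Untagged in VLAN 10
        sw[p] = Port(pvid=10, members={10: UNTAGGED})
    return sw


def classify(sw, ingress, tag=None):
    """VLAN a frame is placed in on ingress, or None if ingress filtering drops it."""
    port = sw[ingress]
    if tag is None:
        return port.pvid                  # untagged frame takes the port's PVID
    if tag not in port.members:
        return None                       # tagged frame for a VLAN this port is not in
    return tag


def flood(sw, ingress, tag=None):
    """Egress ports (port -> 'T'/'U') for a broadcast, e.g. a DHCP Discover."""
    vid = classify(sw, ingress, tag)
    if vid is None:
        return {}
    # A frame is only copied to other ports that are members of its VLAN, and
    # each member's T/U setting decides whether the tag stays on the wire.
    return {p: port.members[vid] for p, port in sw.items()
            if p != ingress and vid in port.members}
```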