Bert2005 asked:

How do I make a VLAN to use for one port on my switch for a wireless router?

OK, I am not a novice, but I am certainly not an expert, so I will try to follow along anything I am instructed to do, but please bear with me.


I have a Cisco SG200-26-Port Gigabit Smart Switch. Each peripheral attached to it is given the IP address of 192.168.1.x. 


I have one port which is free to use and I would like to use it for a wireless router. I obviously do not want it on the same LAN as the rest of the network. So, I am trying to make a VLAN just for it. 


I am looking for advice as to how to do this.

Tags: Cisco, Networking, Switch, VLAN

8/22/2022 - Mon
RedNectar Chris Welsh

Hi Bert,
Probably everything you need to know is in this guide.  If the switch is in its default state, you can access the management via http://192.168.1.254 
However, I'm not sure WHY you want to put your wireless router on a different VLAN, unless of course you DON'T want any of your wireless clients to have access to the same resources as your wired devices.
And assuming your wired devices have access to the Internet, then putting your wireless clients on a DIFFERENT VLAN would mean those devices would NOT have access to the Internet. [Unless you do the 7 steps I describe below]
Is that what you are trying to achieve?
Like I said - I have NO IDEA WHY you want to do this.  If you want to be sure that your wireless clients are separated from your wired devices, then it is your wireless router that should be configured to do this, rather than the Cisco switch.
Having said that, you COULD achieve separation using a VLAN, but then you'd have to:
  1. configure the VLAN on your Internet router too, 
  2. then assign it a different IP address, 
  3. enable DHCP on that VLAN (so your Wireless router gets an IP address), 
  4. configure the link between your switch and router as trunk port on the router (oh - and you'd probably lose connectivity with the router the moment you did this)
  5. configure the link between your switch and router as trunk port on the SG200 (hopefully connectivity returns)
  6. and then check that your wireless router does NOT route between VLANs anyway.
  7. AND FINALLY - configure the port your wireless router connects to for the same VLAN as you created on your Internet router.
To me it seems you are making the job much harder than it needs to be.

ASKER
Bert2005

Very good to know. I must not have written enough as to what I am trying to accomplish. It sounds as though it will still be rather difficult.
This is a doctor's office. I want to allow wireless to patients when they are in the waiting room. I am sure there are other ways to accomplish safeguarding my network, and I hope you can explain. Given the data is very confidential and must meet HIPAA requirements, I wanted to make sure no one could easily access the network.
This isn't for a wireless printer or for a nurse to be able to access the network.

I guess a better way to ask the question would be simply like the above. How do I allow wireless Internet access to customers (patients) without allowing them access to my network?
David Johnson, CD

OK, sounds like you want to set up a guest network, possibly using a hotspot that doesn't allow access to the local network but does have access to the internet. HIPAA doesn't come into play here.
This is more of a firewall problem than a switch problem. On the switch you simply set the port to tagged and the VLAN ID. The rest is done via a firewall.
ASKER
Bert2005

OK. I will set that up.
ASKER
Bert2005

Just a question. Would be more expensive and unnecessary, but just wondering.
Given that the modem has four ports, and the first port must be used for the router of the LAN, could I connect a second ethernet cable to a different router from port two and run the wireless router off that? (or would that be called a WAP)
RedNectar Chris Welsh

Hi Bert,
Apart from the SG200, you have mentioned:
"modem with four ports", and
"router of the LAN", and
"wireless router"
Can you be a bit more specific with brands and models?

I'm trying to mentally connect these pieces of equipment.
The comment that "modem has four ports, and the first port must be used for the router of the LAN" doesn't sound quite right to me.
Typically a modem is actually a router - and will have one port that is the "uplink" - ADSL/ADSL2/ADSL2+, HFC coax (CATV), fibre, or on more modern connexions another Ethernet port (in which case it is probably labelled as a Router, not a modem).  Many modern "modems" have wireless capabilities built in too.

But if the device that connects you to the outside world has some extra ports, there is a good chance that you can connect your wireless router to one of those ports, but that probably does NOT prevent the wireless clients connecting to your internal LAN.

Like David hinted - you may need to get a firewall into the picture.  On the other hand, the equipment you have may well have the firewall capabilities you need, but without brands and models we have no hope of saying if they do or not.

CompProbSolv

"Given that the modem has four ports ": that almost certainly means it is a modem and a router (and a 4-port switch).  ISPs will very commonly (and incorrectly) call that device a "modem".

If all you want is for WiFi access to the internet, it may be much simpler to run a cable from one of the other ports on the modem/router to the wireless router (or a Wireless Access Point, which doesn't have a router) and constrain it within the modem/router to only access the WAN side of the modem/router.  Your modem/router may or may not have such capability.

Independent of this, it's a poor practice to use 192.168.1.x (or any other common/default subnet) on a LAN.  If you ever want to do VPN access into the LAN, this will complicate matters.  It may be too late to easily change to a different subnet, but keep that in mind.
David Johnson, CD

As I stated, it is a firewall problem mostly.  You have to ensure that none of the guest network can access the LAN network.  Many consumer grade routers don't have this capability.

A WAP would have to be on another network segment and be on a separate VLAN  i.e.
192.168.2.0/24 while the LAN network is on 191.168.1.0/24
both having a gateway of 191.168.1.1

The problem being that someone could change their IP address to static and set the netmask to 255.255.0.0, which would allow access to the LAN network.
ASKER
Bert2005

David: "on the switch you simply set the port to tagged and the vlan id. the rest is done via a firewall."

So, I did the following and saved it. Is that all I need to do? Do I need to back up the configuration?

Attachments: Tag.GIF, Save config.GIF
David Johnson, CD

If you don't save it, then when the switch reboots (i.e. power outage) you will lose your changes.
Now in your firewall you have to create rules to allow traffic / deny traffic.
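To make David's two points concrete (the firewall rules the guest VLAN needs, and the 255.255.0.0 netmask caveat from his earlier post), here is an added Python model that is not part of this thread or of pfSense. It assumes a constructed layout: LAN on 192.168.1.0/24, guest VLAN 2 on 192.168.2.0/24 with a hypothetical gateway at 192.168.2.1, and pfSense-style first-match, per-interface rules.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed addressing that mirrors the thread: office LAN on
# 192.168.1.0/24, guest VLAN (VLAN 2) on 192.168.2.0/24.
LAN_NET = ip_network("192.168.1.0/24")
GUEST_NET = ip_network("192.168.2.0/24")
GUEST_GATEWAY = ip_address("192.168.2.1")  # hypothetical pfSense address on VLAN 2
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules on the guest VLAN interface, evaluated top-down, first match wins
# (the per-interface model pfSense uses). Hypothetical rule set, not a
# dump of anyone's configuration.
GUEST_RULES = [
    ("pass", [ip_network(f"{GUEST_GATEWAY}/32")]),  # DHCP/DNS from the gateway
    ("block", RFC1918),                               # no private space: LAN unreachable
    ("pass", [ip_network("0.0.0.0/0")]),              # anything else is the Internet
]

def evaluate(dst, rules=GUEST_RULES):
    """Return the action the guest-interface rules give for a destination."""
    dst = ip_address(dst)
    for action, nets in rules:
        if any(dst in net for net in nets):
            return action
    return "block"  # pfSense blocks anything no rule passes

def on_link(client_cfg, dst):
    """True if a client configured as client_cfg (address/mask) treats dst as
    directly reachable and never hands it to the gateway, so the firewall
    rules above are never consulted. This is the netmask problem from the
    post: it only bites when guest and LAN share one Layer-2 segment,
    which is exactly what putting guests on their own VLAN prevents."""
    return ip_address(dst) in ip_interface(client_cfg).network

def guest_isolation_report(client_cfg="192.168.2.50/24"):
    """Summarise what a guest client can reach under both mechanisms."""
    lan_host, internet_host = "192.168.1.10", "203.0.113.5"  # constructed
    return {
        "lan_via_firewall": evaluate(lan_host),
        "internet_via_firewall": evaluate(internet_host),
        "lan_on_link": on_link(client_cfg, lan_host),
    }

if __name__ == "__main__":
    print(guest_isolation_report())                    # correct /24 mask
    print(guest_isolation_report("192.168.2.50/16"))   # mask widened to 255.255.0.0
```

With the /16 mask the report shows the LAN as on-link even though the firewall would block it, which is why the VLAN (Layer 2 separation) and the firewall rules (Layer 3 policy) are both needed.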
ASKER
Bert2005

How do I know which tagged number is associated with the ethernet jack that goes to the wireless router?

Once before I ran a cable from a modem to a small switch, then ran one cable from the switch to the LAN and another cable to the wireless router. That seemed to separate the networks. That is what one expert recommended.

David Johnson, CD

GE 17 set to VLAN 2. Next, on the AP, set the network for the VLAN SSID to use VLAN 2.


Once before I ran a cable from a modem to a small switch, then ran one cable from the switch to the LAN and another cable to the wireless router.

Well, kinda sorta.  That's because you used a wireless router; the operative word here is router.  (A router routes traffic from one network to another.)

It looks like you are trying to do this on a shoestring and not even using prosumer equipment.  As things stand now I don't see any rules for what to do with tagged packets with VLAN 2 other than adding some bytes to the Ethernet frame.
ASKER
Bert2005

I am just looking for advice. I am not a super networker. I know I used a different cable modem before and the small switch which divided the two networks worked great. And, it was recommended by one of the networking people on here.

Since I was doing it again, I thought I would do it better than a shoestring. GE 17 is what I used. The cable to the wireless router or WAP has an IP of 17, but doesn't seem to match up with GE 17. I don't know what tagged packets are. I did make a VLAN 2. I don't know what an Ethernet frame is.

Sometimes the advice here is great, and if I knew just how to follow it (knew the terms etc.), I could do it easily.

Thank you.
ASKER CERTIFIED SOLUTION
David Johnson, CD

ASKER
Bert2005

Thank you David.

Does it matter if I do port 1 to the LAN and port 2 to the wireless router?

Thanks! Thanks!

By the way the way it is set up now where wireless is used by guests on the same network with a password, it obviously is not very secure. I have my phone, and I am on the same wireless network on the same subnet. I can't even figure out how to access the LAN. Of course, I am not a hacker or even someone with more experience than I.  I guess if they had Windows Explorer they could just browse to non-password protected folders and files?
David Johnson, CD

No, otherwise you will have LAN traffic available on the wireless network. All you need is to have someone outside sniffing the traffic using Wireshark and they can easily determine your LAN's address range and then start poking into the LAN.

I don't know if firesheep is still available for android but you should have client isolation enabled. I don't know if your WAP router supports it.

You can configure WPA2 Personal or a hotspot (your router/WAP may have it built in).  Consumer gear doesn't normally have this stuff.
Your WAP/router may be supported by OpenWrt, which will give you additional capabilities:
https://openwrt.org/
David Johnson, CD

You can display the wireless password on business cards or some other method.
ASKER
Bert2005

Thanks David,
I guess this is why sometimes it is just best to hire a professional.

I used to have one, and he just left. 
RedNectar Chris Welsh

Hi Bert,
If you answer my earlier question:

Apart from the SG200, you have mentioned:
"modem with four ports", and
"router of the LAN", and
"wireless router"
Can you be a bit more specific with brands and models?

We may be able to give a more constructive answer.
ASKER
Bert2005

I apologize. You did ask that question and I completely forgot. I will get you the model numbers tomorrow. For now the modem is an Arris and the router is a pfSense.
RedNectar Chris Welsh

Ahh-ha - if the modem is an Arris, it is PROBABLY a cable modem with a single Ethernet port.  But I'm not familiar with pfSense at all - but after a 2 second search, it seems it IS a firewall, so that is promising.
Thanks
C
ASKER
Bert2005

Switch: DG200-26
Modem: DG1670ATW
Router/Firewall: pfSense V2.3.4-Release, FreeBSD 10.3 Release p19

I think pfSense is pretty good. I know you have to install the OS in it.

This was done by my IT guy who is very, very good. I know you won't believe it when I tell you the pfSense router plays the role of DHCP giving out IPs and not the server, which is not the way I would have done it, but it is what it is and thought it may help to add that.
RedNectar Chris Welsh

OK. The modem model looks like it has a wireless router built in (because the last character is a W) and, if I've found the right picture, it has 4 Ethernet ports.