Need advice to set-up vlan over wifi on Omnia 6.4.2

Hello,
I have set-up vlans over the ethernet ports and it is working fine. The set-up is equivalent to a managed switch.

Now I want to expand vlans to Wifi, but I encounter a difficulty:
I have created 4 vlans in the br-lan device, but I enabled ‘local’ only for the management vlan. This set-up then creates only 1 vlan in the device, and I can only create an interface with the management vlan.
When I go to the wireless page and want to create an SSID, I am only offered the management vlan, which is the one I don’t want to see over WiFi. I can’t see any other vlan.

Do I need to enable ‘local’ on the other vlans, even though I don’t want any of them to connect to the router except for the management vlan? Or is there another way to do it?
What should be the firewall set-up to ensure that there is no cross vlan routing and that only the management vlan is authorized to communicate with the router?

So, what I did is:

  • enable ‘local’ for all wifi VLANs on the ‘br-lan’ device
  • create for each wifi vlan an interface with protocol ‘unmanaged’
  • as my default firewall is ‘reject’ for input, output and forward, I included none of the wifi vlans in any firewall zone

So far it seems to work, but is it correctly secured?

There was a topic like this. I cannot find it now. Basically, in the ports field of your br-lan, you manually add a new port with your WLAN interface, so most likely wlan0, wlan1, wlan0-1 or something like that. So you add it to your bridge. Save the settings, and the next time you open the VLAN settings you can assign an untagged VLAN to your WiFi interface.

By default there is no interzone routing set, so if you didn’t allow it, it won’t work. So simply Reject Accept Reject should be enough.

Are you referring to this post?

No I found it:

Thanks @AreYouLoco :+1:
I did some experiments and, as it is a dumb AP set-up:

  • reject reject reject as default allows correct network traffic on the VLANs
  • accept accept reject is needed for the management VLAN (input to config and output for updates)
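
The set-up the thread arrives at, written out as OpenWrt UCI configuration. This is an added sketch, not something posted by a participant in the thread. The VLAN IDs, port names (lan0, lan1), radio name, interface and zone names, SSID, key placeholder and the DHCP management address are all assumptions.

```uci
# /etc/config/network (constructed example; VLAN IDs and port names are assumptions)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'

# Management VLAN: 'local' on, the router itself is reachable on br-lan.10
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan0:u*'
	option local '1'

# Wi-Fi VLAN: 'local' on only so that br-lan.20 exists for the SSID to attach to
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	option local '1'

config interface 'mgmt'
	option device 'br-lan.10'
	option proto 'dhcp'

# 'unmanaged' in LuCI is proto 'none': the router gets no address in this VLAN
config interface 'wifi20'
	option device 'br-lan.20'
	option proto 'none'

# /etc/config/wireless (radio name, SSID and key are placeholders)
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'example-vlan20'
	option encryption 'psk2'
	option key 'REPLACE_WITH_PASSPHRASE'
	option network 'wifi20'

# /etc/config/firewall: wifi20 is in no zone, so only the defaults apply to it
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
```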
