New Firmware Needed For VLANs

Hi All,

Long time Tek viewer, first time forum poster. Need to upgrade our home networking and I thought you guys would be the best to help.

My current setup is an ISP provided cable modem bridged to a Netgear WNDR3800 with a few dumb switches and stuff behind it. Additionally there are two crap old routers acting as wireless access points. The WNDR runs a guest network which isolates guests from the main LAN so presumably it creates a new VLAN. This is perfect as we have people renting rooms who we don't want on the LAN but have to give them internet access. Problem is it's only from the WNDR and that only covers a portion of the house (a bungalow).

So, what I'd like to do, if possible, is this:

  • WNDR As Base with DD-WRT/OpenWRT/Tomato
  • Two new units to act as access points
  • All three transmitting two SSIDs, one Main, one Guest
  • The guest clients all on one VLAN and the main on another

Is it possible to do what I'd like? What firmware would you recommend? And suggestions for some cheap .11N APs that would facilitate this?

Thanks in advance for any input,

Linef4ult.

I have a setup similar to this but I use managed switches. It might be tricky to do this with VLANs without a managed switch but I'm no expert. I use OpenWrt as the firmware, but I don't use it as a router (I have pfSense) but I would assume all you would need to do is have 3 firewall zones, wan, lan, and public and configure it so lan and public can access wan but not each other. There's probably some NAT stuff you'd need to figure out too but I imagine you can just copy whatever is there for LAN and use it for public as well.

If you install OpenWrt on all the routers one option would be to group each SSID with one port and run two cables to each router, that way you don't need to try and trunk the VLANs. If the switches in the routers support VLAN tagging then you might be able to do it with one cable. Definitely check out the OpenWrt compatibility page and make sure all the routers support OpenWrt, multiple SSIDs and VLAN tagging and you should be able to work something out.

Thanks Dexter. VLAN tagging is a term I wasn't aware of, think that's what I need to research.

If I can get a pair of Mikrotiks that support that and get the WNDR to route based on them that would be me sorted. Time to do some more googling, cheers :)

Back with a quick question.

If the WNDR is already doing its own VLANing then is it possible that if I attach an AP that supports VLAN tagging and match the current tag that it'd just work? Or is that highly improbable? 

Thanks

Only if it gives you control over which ports are tagged for which VLAN, but it sounds like it just does it internally so the two SSIDs are isolated from each other. If it lets you control which ports are in which VLAN then you don't need to install any custom firmware.

What you need to be able to do is to have two firewall zones on the router, one for each VLAN, then have all the ports for your private network set to untagged for VLAN 1 and disabled or excluded for VLAN 2. That way whatever is connected to those ports will only be able to access stuff on VLAN 1. The port which will connect your router to the access points will be untagged for VLAN 1 and 2, or tagged for 1 and untagged for 2, I'm not 100% sure on how it works, but that's how I have mine set and it works. This allows traffic for both VLANs to go on that port. On the access point you will have to do the same thing, set the port which connects to the router as untagged for VLAN 1 or 2 (or tagged for 1 and untagged for 2, whichever works) then set each SSID to the right VLAN.

Alternatively, if you can't get both VLANs to go down the same port to each access point, you can just run two cables to each one, one for each VLAN.
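To make the two answers above concrete (three firewall zones with lan and guest forwarding only to wan, and a switch port that carries both VLANs tagged to the access point), here is an added example of the OpenWrt UCI configuration for the router side. It is not from this thread or from the OpenWrt project; it assumes the legacy swconfig switch model (`switch0`, CPU on port 0, LAN ports 1 to 3, port 4 as the trunk to the AP), a radio named `radio0`, the default `wan` zone already present, and the IP ranges shown. The script only writes the three config files into a directory you name, so you can inspect them before copying to `/etc/config/` on the router.

```shell
#!/bin/sh
# Added example, not from the thread: generate OpenWrt UCI config files for a
# router with two VLANs, two SSIDs and isolated lan/guest firewall zones.
# Assumptions: swconfig switch 'switch0', CPU port 0, LAN ports 1-3 untagged
# on VLAN 1, trunk port 4 tagged for VLAN 1 and 2 (hypothetical port layout).

network_config() {
  cat <<'EOF'
config switch
	option name 'switch0'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 4t'

config interface 'lan'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
EOF
}

wireless_config() {
  cat <<'EOF'
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'MainNet'
	option network 'lan'
	option encryption 'psk2'
	option key 'CHANGE-ME-main'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'GuestNet'
	option network 'guest'
	option encryption 'psk2'
	option key 'CHANGE-ME-guest'
	option isolate '1'
EOF
}

# Zones: lan is open, guest may only talk to wan; guest still gets DHCP/DNS
# from the router itself via the two explicit rules.
firewall_config() {
  cat <<'EOF'
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
EOF
}

# Sanity check: number of forwarding stanzas from guest to lan (must be 0).
guest_to_lan_forwardings() {
  firewall_config | tr -d "'" | awk '
    /^config forwarding/ { s = ""; d = "" }
    /option src/        { s = $3 }
    /option dest /      { d = $3; if (s == "guest" && d == "lan") n++ }
    END { print n + 0 }'
}

write_configs() {
  dir="${1:-./openwrt-config}"
  mkdir -p "$dir"
  network_config  > "$dir/network"
  wireless_config > "$dir/wireless"
  firewall_config > "$dir/firewall"
}

if [ $# -gt 0 ]; then write_configs "$1"; fi
```

Run it as `sh gen-config.sh ./out` and compare the three files with the router's existing ones before replacing them. The access point gets the mirror image: the same two VLANs tagged on its uplink port, the two SSIDs bound to `lan` and `guest`, and no firewall zones at all if it is only bridging.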

Thanks for the info. I'm postponing it as we're making some changes around the house and then I'll be doing a big re-organization of the LAN.

ISP is being a right shit ATM anyway, so that's first to be dealt with. Thanks again.