Dual SSID on Dual VLAN with 2 Access Points

jbartlett323

I'm getting ready to upgrade a local Country Club. They need 2 SSIDs, one with private LAN access, and one Guest network. To cover the whole building, it will take 2 access points. This Country Club isn't rich, and has asked me to try to keep costs down while still doing it right.

So I'm looking to install an RV220W, a 16-port GB switch, and another router to act as an access point. They currently have a Linksys EA3500 running as an access point, but since I can't adjust any settings on the Guest SSID, I don't think it will play well with the RV220W. I'm thinking of replacing the EA3500 with an inexpensive TP-Link router running DD-WRT.

My question is: For proper segregation of these networks, do I need 2 hardwires run between the 2 routers? AKA one for each VLAN?
Setting up segregation on the RV220W is easy, and I have done that before. And if the Access Point didn't need to repeat both networks, this would be easy. But my brain tells me that I have to connect VLAN port to VLAN port for each VLAN for complete segregation. But then I think this is not an uncommon setup, and should be able to run over the 1 existing hardwire. So what do I not know?
 
I much prefer using just pure access points for businesses....you gain much better control, better options, and the ability to have a good upgrade path for future growth.

For less money than an RV220W...much less money, you could pick up a pair of Ubiquiti Unifi APs...and very easily set up what you wish. Plus gain the ability to put them on a cloud controller so you can manage them from anywhere.
 
OK, I will look into those. Still need an edge router though, unless I want to use that EA3500 as one, and I don't. They currently don't have an edge router of any kind; I honestly don't know how the network was even functioning. And this morning it stopped functioning, so I kinda gotta rush this a bit....

Since I have never seen a Ubiquiti, I assume it uses the hardwire as an uplink, so my question still stands... I'm gonna look for an emulator...
 
OK, so no emulator I can find, but I did download the config software. Unless there is a lot that's not showing because I don't have an AP to connect to, it looks very basic.

So I'm guessing I would set this up and enable Guest access? And if I'm using an RV220W as an edge router/access point, would I just set the Guest SSID to match the Unifi's credentials and hope that hand-off happens? What would be the difference (aside from superior hardware, of course) from just keeping that EA3500 doing the exact same thing?

My biggest worry here is network segregation. In the past, when people have set up these "Guest" networks that are supposed to go directly and only to the internet, if they are not on the edge device, it defeats segregation as the edge router routes it all together. Obviously, setting up VLANs with separate DHCP scopes mitigates this, but how do you have 2 VLANs on 1 hardwire that connects your AP? I have a feeling I'm missing something very basic here...
 
You are. VLAN...the v stands for virtual. No need to have a separate physical link...the networks are separated logically. Yes, they do eventually go out over the same WAN connection, but locally, the networks are separate. VLANs add a tag to packets that tell the network devices which logical network the packet is part of. The idea of VLANs is that you can have more than one network running over one physical link.
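To make the tagging described above concrete, here is a small added example (written for this page; it is not code from the poster, from Ubiquiti, Cisco or Linksys). It builds 802.1Q-tagged Ethernet frames the way an AP would on its single uplink cable, then models the trunk port on the other end sorting them by VLAN ID. The SSID names, VLAN IDs 10 and 20, MAC addresses and payloads are all assumed for illustration. The `native_vid` parameter shows the caveat a practitioner should check: an SSID that was never mapped to a VLAN sends untagged frames, and if the trunk has a native VLAN those frames silently land on it.

```python
"""802.1Q tagging: two SSIDs, two VLANs, one physical uplink.

Added example for this page, not code from the thread or any product.
SSID names, VLAN IDs, MAC addresses and payloads are assumed.
"""
import struct

ETH_P_8021Q = 0x8100  # TPID: "an 802.1Q tag follows"
ETH_P_IP = 0x0800     # IPv4 EtherType, used as the inner type here

# Assumed policy for this example: which SSID the AP puts on which VLAN ID.
SSID_TO_VID = {"Club-Staff": 10, "Club-Guest": 20}
# Assumed trunk policy on the switch/router port the AP uplink plugs into.
TRUNK_ALLOWED_VIDS = (10, 20)


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def tag_frame(dst: str, src: str, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Build a frame with an 802.1Q header inserted after the two MAC addresses."""
    if not 1 <= vid <= 4094:            # 0 and 4095 are reserved
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return _mac(dst) + _mac(src) + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def untagged_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame with no tag at all."""
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; vid is None when the frame carries no 802.1Q tag."""
    (etype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[:6], "src": frame[6:12]}
    if etype == ETH_P_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, ethertype=inner, payload=frame[18:])
    else:
        info.update(vid=None, pcp=None, ethertype=etype, payload=frame[14:])
    return info


def ap_egress(ssid: str, dst: str, src: str, payload: bytes) -> bytes:
    """What the AP does on its wired uplink: tag a client's frame with its SSID's VID.
    An SSID with no VID mapped goes out untagged, which is the misconfiguration
    the trunk policy below has to cope with."""
    vid = SSID_TO_VID.get(ssid)
    if vid is None:
        return untagged_frame(dst, src, ETH_P_IP, payload)
    return tag_frame(dst, src, vid, ETH_P_IP, payload)


def trunk_ingress(frames, allowed=TRUNK_ALLOWED_VIDS, native_vid=None):
    """Trunk-port behaviour on the switch/router side of the one cable.

    Tagged frames go to the queue for their VID. Untagged frames land on the
    native VLAN if one is configured, otherwise they are dropped. Frames with
    a VID that is not allowed are dropped. Returns (queues, dropped).
    """
    queues = {vid: [] for vid in allowed}
    dropped = []
    for raw in frames:
        f = parse_frame(raw)
        vid = f["vid"] if f["vid"] is not None else native_vid
        if vid in queues:
            queues[vid].append(f)
        else:
            dropped.append(f)
    return queues, dropped


def demo(native_vid=None) -> dict:
    """Push one staff frame, one guest frame and one stray untagged frame
    (an SSID nobody mapped to a VLAN) through the trunk. MACs and payloads
    are made up for the example."""
    uplink = "00:11:22:33:44:55"
    frames = [
        ap_egress("Club-Staff", uplink, "aa:bb:cc:00:00:01", b"staff-packet"),
        ap_egress("Club-Guest", uplink, "aa:bb:cc:00:00:02", b"guest-packet"),
        ap_egress("Club-Forgot", uplink, "aa:bb:cc:00:00:03", b"stray-packet"),
    ]
    queues, dropped = trunk_ingress(frames, native_vid=native_vid)
    result = {vid: len(q) for vid, q in queues.items()}
    result["dropped"] = len(dropped)
    return result


if __name__ == "__main__":
    # Both VLANs tagged, no native VLAN: the stray frame is dropped at the trunk.
    print(demo())                 # {10: 1, 20: 1, 'dropped': 1}
    # Native VLAN set to the staff LAN: the stray untagged frame lands on the LAN.
    print(demo(native_vid=10))    # {10: 2, 20: 1, 'dropped': 0}
```

The practical check this models: when both SSIDs are tagged on the uplink (as the thread goes on to say, "tagged across all ports"), nothing untagged should arrive at the trunk, so leaving the native VLAN unset, or pointing it at an unused VLAN, means a forgotten mapping fails closed instead of dropping guest clients onto the private LAN.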
 

Ah ha! Here is the answer I was looking for! So that is a yes: as long as I set my 2nd VLAN to tagged across all ports, set a different DHCP scope, and make sure the Guest network on whatever AP I choose is in that scope, my 2 VLANs will stay segregated?

So couple more questions specific the Ubiquiti Unifi:
Does the controller software have to be running on a PC at all times? Or just for Config?
Is it possible to set a static IP for the Guest network? Or how do you force it down the second VLAN? Is that set in the "Restricted Subnets" option?

If I'm going about this all wrong guys, let me know! For all intents and purposes, I'm replacing the entire network, so I'm open to ideas and better ways. Like I said, they want to keep costs down, and they have no server. Their building is relatively small, but just big enough to need 2 APs... I have supported multiple-AP sites before, but I will admit this is the first time I have installed one...
 
The client isolation mode of wireless networks will "VLAN" each and every wireless client. The only network resource they get access to is the gateway. You don't have to worry about VLANs or subnets or other things.

If you do wireless APs...skip a wireless router, snag a non wireless router, like the LRT model...(it's like a newer faster model of the RV042).
 
OK, so you're saying I would be better off with a Linksys LRT214 and 2 Ubiquiti APs? 'Cause I could do that...

Have you used the LRT214 yet? Reviews aren't great on 'em, but they aren't on the RV220s either because people don't know how to use 'em; I assume it's the same here...
 
Yeah we've done 4 or 5 already....pretty happy with them. The usual ACL features we're used to on the RV0 series...and very good speed, wicked good speed....but what's nice...is the web interface is snappy. Unlike the recent RV series...with that agonizingly slow interface that needs a reboot every time you adjust something.
 
Right on! Then I will most likely go that route. It does end up being cheaper, so that's even better!

One last question, already asked above, but may have got skipped:
Does the Ubiquiti Controller Software have to be running at all times, or just for Config. Wouldn't make a lot of sense to be all the time, but just want to be sure!
 
I believe only for the config...but you can have them call in to a remote server if I'm not mistaken...so if you have a server for your business...have them call there so you can manage, update, see status, etc all from one central location for all your clients.

I've ordered a couple bundle packs of those APs to test out the Zero handoff and central management features, along with CC processing integration for a couple potential clients...this is my understanding of how it works. Maybe someone who has already set it up can shed more light.
 


Just for config. But as Mokester says, you can set up a remote config server; such as a server back at your workshop or a basic AWS cloud server (which I just did recently myself in fact).

Also, just to add: While the Unifi units do fully support VLANs, you don't need to use a VLAN to create an isolated guest network with them. Instead they block access to LAN subnets specifically (and these are fully configurable).
 
Perfect! This is why this forum is great, all the answers to any question!

I will get a quote for this stuff over to my client! Based on his earlier reaction, will hopefully be installing end of next week!

Thanks again for all your help!
 
Build your own Ubiquiti cloud controller....and set the "inform" address on the APs to report to it....that way you can easily manage all your clients wireless network from one portal. You can even pre-program APs before they leave your shop..and ship them to clients for them to hang...or quickly just go to the clients and hang them. This way making changes, (like password changes) or whatever...are wicked easy for you. Also you can upgrade the firmware on them right from the controller.

Also check out Ubiquiti's routers....very low price, fast, stable.
 
Build your own Ubiquiti cloud controller....and set the "inform" address on the APs to report to it....

How are you doing that, out of interest?

I'm presently doing it with PuTTY, like this ...

  1. Connect the Unifi WAP to the LAN and determine its IP
  2. Use PuTTY to connect to the WAP, entering the IP and port 22 (default)
  3. Log in with the default user name and password (both: ubnt)
  4. mca-cli <ENTER>
  5. set-inform https://[IP address or domain here]:8080/inform <ENTER>
  6. In the Unifi Controller, adopt the device
  7. Wait for the status to change from 'Pending Approval' to 'Disconnected', then wait 1 more minute
  8. Repeat steps 5 and 6 until status = 'Connected'
  9. If the status is 'Connected (needs upgrade)', upgrade it

Just wondering if that's the best way ...
 
There's a GUI "discovery utility" that gets put in the Controller directory when you download and install the controller. Called "Unifi-Discover"...I run it from my laptop or desktop. I just unpack the Unifi APs...plug them into the same network my laptop or desktop is on...run the utility, and it will find the Unifi APs on the broadcast network. From there....you can do several things, including a function called "Manage". From there....it has the default Inform URL http://unifi:8080/inform
I click on that field...and add our quick domain name to it..and apply it.
For example, http://unifi.moltuae.net:8080/inform
Apply that setting...and in about a minute you'll see that AP show up as available in your cloud controller.

I built our cloud controller on an Ubuntu instance up in our RackSpace cloud.
It's a low system resource one, single core 512 megs I think...assigned a public IP of course, and I made an A-Record of "unifi" pointing to it for our domain.

As for "best way"? Meg..whichever is easier for you to point them. Not sure there's much advantage in ease and time saving with either method...but guessing the Ubiquiti utility would save a little time since it finds them quickly. Guessing you have to refer to your DHCP to find what IP a freshly hung AP pulled before you drill into it with PuTTY. I just stick the GUI in my Start menu. Once in a while the Windoze firewall has fought with it, so when you try the utility set the firewall to let it through so it won't nag you down the line.
 
Ah yes, I forgot about the discovery utility. Thanks for reminding me, I'll try that next time.

I had a few problems with the discovery utility the first time I used Unifi units, in that it wouldn't discover the newly connected devices, yet the controller did. I think I probably just missed opening one of the ports in the firewall, but after that I got used to not using the discovery utility, then forgot it existed.

I usually just use Angry IP Scanner, WakeMeOnLan or something similar to quickly discover the IP addresses of the Unifi units.

I think I'll probably put the controller on something Linux flavoured too, when I get around to it. I'm in the process of completely replacing and rethinking my home/office servers, so it'll probably live on a VM there when I eventually get organised. In the meantime, for ease and speed, I created a Windows Server instance on AWS. I know that's not the most secure way to do it, but I figured that since I leave the instance 'stopped', except when I'm configuring devices, the security risks are minimal.
 