VLAN for WiFi traffic separation (new to VLANing)

I run a school network with switches in different departments. All is routed through to a central switch to access the servers.

I would like to install WiFi access points in the different departments and have this routed through the firewall (an Untangle box that can captive-portal the traffic, to provide authentication) before it gets onto the LAN or to the Internet.

I know that the ports that the APs connect to on the relevant switches need to be set to a different VLAN. My question is how do I configure these ports. Which are tagged? Which are untagged? I obviously don't want to interrupt normal network traffic.

Am I correct in saying:

  • The majority of the ports should be UNTAGGED VLAN 1?
  • Those that have WiFi APs attached should be UNTAGGED VLAN 2 (only)
  • The uplinks to the central switch should be TAGGED VLAN 1 and TAGGED VLAN 2
  • The central switch's incoming ports from the outlying switches should also be TAGGED VLAN 1 and TAGGED VLAN 2
  • There will be two links to the firewall (each on its own NIC), one UNTAGGED VLAN 1 (for normal internet access traffic) and one UNTAGGED VLAN 2 (for captive portal authentication).

This does mean that all wireless traffic will be routed over a single NIC which will also up the workload for the firewall. At this stage, I'm not concerned about that load.

A rough sketch of the network


That's close to what we have, right down to the Untangle gateway. We do it a little differently, though. It helps to visualize if you start from a completely flat network with no vlans. Represent this with everything untagged on vlan 1.

Now we want to add support for wifi traffic on vlan 2. To do this, set both ends of every trunk line (lines connecting two switches) to also be tagged for vlan 2. There is no need to switch vlan 1 from untagged to tagged, as you do in your current proposal; all you need to do is add the port as a tagged member of vlan 2. Additionally, ports needing to talk to wireless clients should be added as tagged members of vlan 2. This includes the port your untangle server is connected to, and the ports for any servers (like dhcp) that wifi traffic should be able to see without routing. Again, you want to leave them untagged on vlan 1; just add them as tagged members of vlan 2 also.

One important key here is that our central switch supports layer 3 routing, and we have an ACL there that tells it when it's allowed to route traffic from one vlan to another. For example, all of our printers and our printer server are on vlan 1. We use a software package on the print server to count jobs and bill students for print usage, so we do want to allow wifi traffic to hit the print server. We do NOT want to allow wifi traffic to hit individual printers directly, which would bypass that software, and so the printers are restricted in the ACL, but the print server is allowed.

You will also need to do some work on your untangle box itself, depending on how things are set up. Look under Config->Networking->Interfaces and edit your internal interface. There you want to see your untangle server's Primary IP Address and Netmask set for an address on your vlan 1 subnet. We also have an IP Address Alias set up for each vlan we use, NAT policies defined for each vlan network address and netmask, and routes for each vlan to send traffic for those vlans to the internal interface.

I should add that we run our untangle in router mode with a single internal interface and have dhcp/dns on a windows server box. Your setup may be different if you use bridge mode or want to run dhcp/dns off of untangle, or use separate interfaces for each network.

Now your network is prepared to add access points. Whenever you add an access point to the network, set its port as untagged for vlan 2, and tagged for vlan 1. That vlan 1 tag here is optional, but I often find it helpful.

Finally, depending on the size of your installation, you may find that one vlan for wifi is not enough. You generally want to keep it down to about one /24's worth of clients online at a time. Fewer is better. Any more than that and broadcast traffic will start to eat up your airtime. You can get away with larger address spaces (say, /22's), as long as all of the addresses aren't in use at one time. That's how we handle it here. I support about 450 residential college students on a single SSID with a /21 subnet, but I'm really stretching it and probably should start carving my assignments up so that broadcast traffic from students in different buildings doesn't interfere with each other. If this is more of a single large building like a high-school, you probably want to choose different SSIDs per vlan. If it's a multi-building campus where the buildings are separated by some distance and you won't be pushing coverage to the space between buildings, you can get by with one SSID for all of the vlans.

Hopefully, your controller/wifi vendor covers all that, but if you're like us you don't have the funds for $600/access point or $3000+ per controller unit. It might be worth remembering that you can use simple consumer routers as access points by turning off dhcp and using a LAN port rather than WAN port for the uplink. You'll miss out on some reporting and automatic power and channel adjustments, but with some good access points and some careful work at setup you can put together quite a large network this way.
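The port roles recommended in this answer, modelled as an added example (not code from the thread or from Untangle): each port has one untagged VLAN (its PVID) plus a set of tagged VLANs, and the model follows a frame from an AP or a wired PC across the trunk into the central switch to confirm that wifi traffic only reaches the ports that were made tagged members of vlan 2. Switch layout and port names are assumptions for illustration.

```python
# Added example, not the thread's own code: a model of 802.1Q port membership
# (one untagged/PVID VLAN plus a set of tagged VLANs) for the answer's port roles.
from dataclasses import dataclass, field

@dataclass
class Port:
    untagged: int                     # PVID: VLAN given to frames arriving untagged
    tagged: set = field(default_factory=set)

    def ingress_vlan(self, tag):
        """VLAN a received frame is assigned to, or None if the port drops it."""
        if tag is None:
            return self.untagged
        return tag if tag in self.tagged else None

    def egress(self, vlan):
        """'untagged', 'tagged', or None if the port is not a member of vlan."""
        if vlan == self.untagged:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def flood(switch, in_port, tag):
    """Ports other than in_port that forward the frame, and how they tag it."""
    vlan = switch[in_port].ingress_vlan(tag)
    if vlan is None:
        return {}
    return {n: p.egress(vlan) for n, p in switch.items()
            if n != in_port and p.egress(vlan) is not None}

# Department switch, configured as the answer recommends (port names made up).
EDGE = {
    "pc":     Port(untagged=1),                 # ordinary wired client
    "ap":     Port(untagged=2, tagged={1}),     # AP: untagged VLAN 2, optional tagged 1
    "uplink": Port(untagged=1, tagged={2}),     # trunk: leave 1 untagged, add 2 tagged
}
# Central switch: only hosts WiFi may reach without routing are tagged on VLAN 2.
CENTRAL = {
    "from_edge": Port(untagged=1, tagged={2}),
    "untangle":  Port(untagged=1, tagged={2}),
    "dhcp":      Port(untagged=1, tagged={2}),
    "printer":   Port(untagged=1),              # never a VLAN 2 member
}

def end_to_end(in_port, tag=None):
    """Follow a frame from an edge port over the trunk into the central switch."""
    hop1 = flood(EDGE, in_port, tag)
    if "uplink" not in hop1:
        return hop1, {}
    trunk_tag = EDGE[in_port].ingress_vlan(tag) if hop1["uplink"] == "tagged" else None
    return hop1, flood(CENTRAL, "from_edge", trunk_tag)
```

A frame from the AP crosses the trunk tagged 2 and is delivered only to the untangle and dhcp ports (tagged), never to the printer; a wired PC's frame stays untagged on vlan 1 end to end.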


Yes, sounds like you have a good grasp of how things need to be set up. You are correct in guessing that all traffic between VLANs will need to traverse the firewall, so you'll need to make sure ACLs are put in place to allow that traffic. The only way to take this load off of the firewall would be to get a L3 switch.