I don’t get how VLANs work with wireless APs!

Miner

Regular Contributor
I do not get how VLANs are supposed to work with wireless APs in a home network!

Background: Have read up on VLANs in a home network. In the interest of experimenting am about to take the plunge. I use a router/FW that fully supports VLANs, opnSense, and shortly will buy an inexpensive managed switch to accommodate. I currently have a TP-Link AP that has some VLAN functionality.

What I don’t get are the following, specific points, conveniently numbered so you can answer individually.

1. I have a TP-Link AP (from recons on here a few years ago, good call thanks very much), documentation says it can assign a VLAN to an SSID. It can have up to eight SSIDs per frequency (2.5 GHz and 5 GHz). I see how to set the VLANs up in the AP. However I do not see how the VLANs will work at the router if I were to configure the VLANs only in the AP: 1.a.) Do I need to configure VLANs in the router to match the configurations in the TP-Link AP? 1.b.) If I do not set up any VLANs at or in the router will VLAN functionality only work from the AP to the wireless clients, 1.c.) and not from the AP to the router?

2. My preference is to have one (main) SSID in the AP while having multiple VLANs, with all configurations done in the router, no configurations in the AP, and the AP fully respects VLAN functionality, not allowing packets to cross VLANs. 2.a.) Is this how things work in the (existing TP-Link) AP? 2.b.) In any AP that supports VLANs? 2.c.) By default?

3. New AP: Getting a newer AP is a possibility. I’ve looked at the documentation for a Ubiquiti AP (Model Wall U7), and it shows it complies with 802.1Q. Does this mean I can do #2 (one SSID with multiple VLANs) above?
 
Do I need to configure VLANs in the router to match the configurations in the TP-Link AP?

You define VLANs on the router first and then match them on the AP to separate SSIDs.

with all configurations done in the router, no configurations in the AP

With no configuration on the AP it will most likely broadcast everything on the main SSID.
 
You need the VLANs and their relevant DHCP servers set up on the main router, and then you want APs capable of VLAN tagging. Then on the AP you can assign a VLAN tag to a particular SSID, and then any device connected to that SSID will get tagged with that VLAN ID, and be properly routed into that VLAN by the router.
 
It will just broadcast everything untagged effectively eliminating the VLAN capable equipment advantages. Not sure what's the goal here.
 
It will just broadcast everything untagged effectively eliminating the VLAN capable equipment advantages. Not sure what's the goal here.
Goal is asking a few questions to determine before buying any new hardware, if one SSID can handle more than one VLAN.

Seems the answer is no. In all the things I've read, it is never mentioned that SSID and VLAN are always one to one, and cannot be one to many.
 
You make the SSID a part of the virtual LAN. The packets received by that radio SSID are tagged with the VLAN tag in the AP. You cannot do the reverse. Logically, you could assign multiple SSIDs to the same virtual LAN, if the firmware allows.
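To make the tagging described in the replies above concrete, here is an added sketch (not part of the thread, and not any vendor's firmware logic) that builds and parses real 802.1Q headers: the AP tags each frame according to its SSID, and the router only accepts tags it has a VLAN interface for. The SSID names, VLAN IDs, network names and MAC addresses are constructed, and sending untagged frames to a plain "lan" network and dropping unknown tags are modelling assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed sample configuration (all names and IDs are assumptions).
SSID_TO_VLAN = {"home": 10, "home-5g": 10, "iot": 20, "guest": 30}  # set on the AP
ROUTER_VLANS = {10: "trusted", 20: "iot"}  # set on the router; VLAN 30 was forgotten
UNTAGGED_NET = "lan"                       # where the router puts untagged frames

DST = bytes.fromhex("020000000001")  # constructed router MAC
SRC = bytes.fromhex("02000000000a")  # constructed client MAC

def ap_tag(ssid, payload=b"demo", ethertype=0x0800):
    """AP uplink: insert the 802.1Q tag configured for the client's SSID."""
    header = DST + SRC
    vid = SSID_TO_VLAN.get(ssid)
    if vid is not None:
        if not 1 <= vid <= 4094:           # 0 and 4095 are reserved
            raise ValueError(f"invalid VLAN ID {vid}")
        tci = vid                          # PCP=0, DEI=0, low 12 bits = VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return the VLAN ID in the frame, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF

def router_receive(frame):
    """Router trunk port: choose the network for a frame, or drop it."""
    vid = parse_vlan(frame)
    if vid is None:
        return UNTAGGED_NET
    return ROUTER_VLANS.get(vid, "drop")   # tag the router has no interface for

if __name__ == "__main__":
    for ssid in ("home", "home-5g", "iot", "guest", "unconfigured"):
        frame = ap_tag(ssid)
        print(f"{ssid:13} vlan={parse_vlan(frame)} -> {router_receive(frame)}")
```

The "guest" row is the case asked about in 1.a and 1.b: a VLAN configured only on the AP produces tagged frames that the router has nowhere to put, while an SSID with no VLAN configured ends up untagged on the plain LAN.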
 
if one SSID can handle more than one VLAN

It is doable in theory, perhaps someone is running a wireless network this way, but it is a very uncommon setup. The clients need to understand where they belong and 802.1x authentication will be needed. You need a RADIUS server for this. For a home network it's an unnecessary complication. I do run business networks with client authentication, but my APs broadcast VLAN-separated SSIDs for different purposes. This is the more common setup.
 
By far the easiest thing is "assign a VLAN to each SSID". (You can have multiple SSIDs using one VLAN, but not vice versa.)

There are some APs that will let you chop things up more finely. In the Omada and Ubiquiti product lines, there is a feature called PPSK that will let you assign wifi clients to different VLANs even on the same SSID, based on the password they supply. "Same SSID but different password" is not that much different from "different SSID", though, so I'm not sure if that helps you.

If you do think PPSK sounds like what you want, I doubt I'd recommend Ubiquiti: their implementation is fairly new and by all reports it's still rather buggy and slow. I gather Omada has had PPSK for a while, so hopefully their version is more mature, but I have no experience with that product line.
 
2. My preference is to have one (main) SSID in the AP while having multiple VLANs, with all configurations done in the router, no configurations in the AP, and the AP fully respects VLAN functionality, not allowing packets to cross VLANs.
There is no scenario in which you can use VLANs for wireless clients without the router, switch if any, and the AP(s) knowing all about the VLANs. I think you are phrasing your problem the wrong way: what you apparently want is to have a single control point that will dole out the requisite configuration details to all the devices. This is not a thing in the consumer networking world, but all the business-grade product lines are all over this concept. You'd have to ditch your pfSense router though, and I can feel your pain about that (I use and like pfSense too).

If you're willing to make that jump though, any of Omada, Ubiquiti, Zyxel, Cisco, or some other names will sell you compatible routers, switches, and APs that are all configured and managed from a single controller. Typically, you can buy a hardware device to run the controller software, or you can run the software on a Windows, Mac, or Linux box you already have, or you can subscribe to "cloud management" whereby your configuration data is kept on servers run by the networking-hardware company. (This last makes more sense if you're a company IT guy with dozens of sites to manage.) In some cases, depending on which hardware you buy, the network controller software can be hosted on your router so you don't need any separate controller device.

EDIT: sorry, you wrote "opnSense" but I read "pfSense". Doesn't much matter to my point here though: they're both good systems but do not play as part of a network-wide configuration scheme.
 