I don’t get how VLANs work with wireless APs!


Miner

I do not get how VLANs are supposed to work with wireless APs in a home network!

Background: Have read up on VLANs in a home network. In the interest of experimenting am about to take the plunge. I use a router/FW that fully supports VLANs, opnSense, and shortly will buy an inexpensive managed switch to accommodate. I currently have a TP-Link AP that has some VLAN functionality.

What I don’t get are the following, specific points, conveniently numbered so you can answer individually.

1. I have a TP-Link AP (from recons on here a few years ago, good call thanks very much), documentation says it can assign a VLAN to an SSID. It can have up to eight SSIDs per frequency (2.5 GHz and 5 GHz). I see how to set the VLANs up in the AP. However I do not see how the VLANs will work at the router if I were to configure the VLANs only in the AP: 1.a.) Do I need to configure VLANs in the router to match the configurations in the TP-Link AP? 1.b.) If I do not set up any VLANs at or in the router will VLAN functionality only work from the AP to the wireless clients, 1.c.) and not from the AP to the router?

2. My preference is to have one (main) SSID in the AP while having multiple VLANs, with all configurations done in the router, no configurations in the AP, and the AP fully respects VLAN functionality, no allowing packets to cross VLANs. 2.a.) Is this how things work in the (existing TP-Link) AP? 2.b.) In any AP that supports VLANs? 2.c.) By default?

3. New AP: Getting a newer AP is a possibility. I’ve looked at the documentation for a Ubiquiti AP (Model Wall U7), it shows it complies with 802.1Q, does this mean I can do #2 (one SSID with multiple VLANs) above?
 
Do I need to configure VLANs in the router to match the configurations in the TP-Link AP?

You define VLANs on the router first and then match them on the AP to separate SSIDs.

with all configurations done in the router, no configurations in the AP

With no configuration on the AP it will most likely broadcast everything on the main SSID.
 
You need the VLANs and their relevant DHCP servers set up on the main router, and then you want APs capable of VLAN tagging. Then on the AP you can assign a VLAN tag to a particular SSID, and then any device connected to that SSID will get tagged with that VLAN ID, and be properly routed into that VLAN by the router.
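
Added example (not part of any post in this thread): a minimal Python model of the 802.1Q tag an AP inserts per SSID and of how a router picks an interface from that tag. The SSID names and VLAN IDs follow the Secure/Guest/IoT example used later in the thread; the interface names, and the modelling choice that a router drops tagged frames for a VLAN it has no interface for, are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
# Assumed AP configuration: SSID -> VLAN ID (illustrative names and IDs).
SSID_TO_VLAN = {"Secure-WiFi": 10, "Guest-WiFi": 20, "IoT-WiFi": 30}

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the destination and source MACs (12 bytes)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_vlan(frame: bytes):
    """Return (vid, untagged_frame); vid is None when the frame has no tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def ap_uplink(ssid: str, frame: bytes) -> bytes:
    """What the AP puts on the trunk for a client frame received on `ssid`."""
    return tag_frame(frame, SSID_TO_VLAN[ssid])

def router_ingress(frame: bytes, vlan_interfaces: dict, native=None):
    """Pick the router interface for a frame arriving on the trunk port.

    vlan_interfaces maps VLAN ID -> interface name (hypothetical names);
    `native` is the interface for untagged frames. Returns None when no
    VLAN interface matches, which this model treats as a drop.
    """
    vid, _ = parse_vlan(frame)
    if vid is None:
        return native
    return vlan_interfaces.get(vid)

# Constructed sample frame: broadcast dst MAC, src MAC, EtherType IPv4, dummy payload.
CLIENT_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46
```

With `vlan_interfaces` empty, the tagged Guest-WiFi frame matches no interface, which is the situation question 1.b asks about: the AP tags, but nothing upstream accepts the tag.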
 
How about "one SSID multiple VLANs" approach, will that work? On any VLAN capable AP?
 
It will just broadcast everything untagged effectively eliminating the VLAN capable equipment advantages. Not sure what's the goal here.
 
Goal is asking a few questions to determine before buying any new hardware, if one SSID can handle more than one VLAN.

Seems the answer is no. For all the things I've read it is never mentioned SSID and VLAN are always one to one, cannot be one to many.
 
You make the SSID a part of the virtual lan. The packets received by that radio SSID are tagged with the VLAN tag in the AP. You cannot do the reverse. Logically, you could assign multiple SSIDs to the same virtual lan, if the firmware allows.
 
if one SSID can handle more than one VLAN

It is doable in theory, perhaps someone is running a wireless network this way, but very uncommon setup. The clients need to understand where they belong and 802.1x authentication will be needed. You need RADIUS server for this. For a home network it's unnecessary complication. I do run business networks with clients authentication, but my APs broadcast VLAN separated SSID for different purposes. This is the more common setup.
 
By far the easiest thing is "assign a VLAN to each SSID". (You can have multiple SSIDs using one VLAN, but not vice versa.)

There are some APs that will let you chop things up more finely. In the Omada and Ubiquiti product lines, there is a feature called PPSK that will let you assign wifi clients to different VLANs even on the same SSID, based on the password they supply. "Same SSID but different password" is not that much different from "different SSID", though, so I'm not sure if that helps you.

If you do think PPSK sounds like what you want, I doubt I'd recommend Ubiquiti: their implementation is fairly new and by all reports it's still rather buggy and slow. I gather Omada has had PPSK for a while, so hopefully their version is more mature, but I have no experience with that product line.
 
2. My preference is to have one (main) SSID in the AP while having multiple VLANs, with all configurations done in the router, no configurations in the AP, and the AP fully respects VLAN functionality, no allowing packets to cross VLANs.
There is no scenario in which you can use VLANs for wireless clients without the router, switch if any, and the AP(s) knowing all about the VLANs. I think you are phrasing your problem the wrong way: what you apparently want is to have a single control point that will dole out the requisite configuration details to all the devices. This is not a thing in the consumer networking world, but all the business-grade product lines are all over this concept. You'd have to ditch your pfSense router though, and I can feel your pain about that (I use and like pfSense too).

If you're willing to make that jump though, any of Omada, Ubiquiti, Zyxel, Cisco, or some other names will sell you compatible routers, switches, and APs that are all configured and managed from a single controller. Typically, you can buy a hardware device to run the controller software, or you can run the software on a Windows, Mac, or Linux box you already have, or you can subscribe to "cloud management" whereby your configuration data is kept on servers run by the networking-hardware company. (This last makes more sense if you're a company IT guy with dozens of sites to manage.) In some cases, depending on which hardware you buy, the network controller software can be hosted on your router so you don't need any separate controller device.

EDIT: sorry, you wrote "opnSense" but I read "pfSense". Doesn't much matter to my point here though: they're both good systems but do not play as part of a network-wide configuration scheme.
 
I'll frame my answer based on the 3rd question about Ubiquiti. In Ubiquiti, and to my knowledge any Wi-Fi system supporting VLANs, each SSID can only point to one VLAN (subnet), but you can have more than one SSID pointing to the same VLAN; but the use case is rare. It is necessary that only one VLAN is tied to an SSID because when a client associates to a specific SSID offered by an AP, they must be assigned to one and only one VLAN for IP addressing purposes. In Ubiquiti you define an SSID and among the things it asks for in defining that is which network you want to tie that SSID to. Assume you have 3 networks for your secure, guest and internet of things devices and they are called Secure, Guest, and IoT for example:

Secure is assigned VLAN10 with an IP subnet of 192.168.10.x.
Guest is assigned VLAN20 with an IP subnet of 192.168.20.x.
IoT is assigned VLAN30 with an IP subnet of 192.168.30.x.

Going no further you now have what is needed to separate wired devices and secure them from one another depending on which VLAN you assign their ports to. The problem is the trunk port that feeds an AP carries all VLANs (subnets). Therefore, something at the AP has to create an assignment to direct wireless clients to the appropriate VLAN.

You would need to create 3 SSIDs and it is ok to name them to match the VLAN network names if you remember the two are not the same thing, but for clarity I'll use:

Secure-WiFi - When defining this SSID I will assign it to the network Secure which is already configured for VLAN 10 IP subnet 192.168.10.x
Guest-WiFi - When defining this SSID I will assign it to the network Guest which is already configured for VLAN 20 IP subnet 192.168.20.x
IoT-Wifi - When defining this SSID I will assign it to the network IoT Secure which is already configured for VLAN 30 IP subnet 192.168.30.x

Now you have the same ability to separate Wi-Fi client devices and secure them from one another that you previously only had for wired devices. When a client associates with an AP they are presented with 3 choices for which network to join. Assuming they have the needed credentials, they can join any one of the three. When they do, they will be assigned an IP from the range tied to the network (VLAN) tied to the SSID. If they select Secure-WiFi for example they are now a wireless client on the Secure network (VLAN10) and have an IP in the 192.168.10.x range. This allows all wireless and wired clients on that same VLAN to exchange information assuming no other isolation is in place on that network. This will separate their traffic from those who join the Guest-WiFi or IoT-WiFi SSID and their respective Guest or IoT networks. The only way these devices can communicate is if routing or firewall rules allow them to, otherwise they are isolated from each other.

This helps to clarify why in question 2 it is not possible, or desirable, to have a single SSID with multiple VLANs. The AP would have no way to determine which VLAN to assign a client to if the single SSID had multiple VLANs available. I can't address 1. because I do not know how TP-Link handles the assignments of SSIDs to VLANs to IP ranges but assume it must have a way to do that in order for its SSIDs to work with the defined networks and so forth.


Let me know if I can clarify anything.
 
There is something called dynamic VLANs but they are usually handled through some form of security.
 
I know it can be done via Radius. If an AP has one SSID set to WPA2 Enterprise or WPA3 Enterprise, devices that connect can be directed to a Radius server. In Radius the authentication accounts can contain a username, password and a VLAN. Then, anyone authenticating with that username and password gets placed on the associated VLAN. This allows a single SSID to be used to place users on different VLANs depending on the account they use to login to Radius. I did this with one of my SSIDs and Ubiquiti's Radius server.
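
Added example (not part of any post in this thread, and not any vendor's code): how an AP can derive the per-user VLAN from the attributes of a RADIUS Access-Accept, using the tunnel attributes that RFC 3580 defines for VLAN assignment, with the SSID's own VLAN as the fallback. The sample attribute bytes and the account they stand for are constructed, and the code assumes the VLAN is sent as a numeric ID.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6  # values RFC 3580 specifies for VLAN assignment

def parse_attributes(data: bytes):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]  # length covers type + length + value
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type: 1 tag byte + 3-byte integer (RFC 2868)."""
    if len(value) != 4:
        raise ValueError("tunnel attribute must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def vlan_from_accept(attr_bytes: bytes, ssid_default_vlan: int) -> int:
    """VLAN for the client: the RADIUS-assigned one, else the SSID's default."""
    ttype = tmedium = group = None
    for atype, value in parse_attributes(attr_bytes):
        if atype == TUNNEL_TYPE:
            ttype = tagged_int(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            tmedium = tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte in 0x01..0x1F is an optional tag, not part of the string.
            group = value[1:] if value and 1 <= value[0] <= 0x1F else value
    if ttype != TT_VLAN or tmedium != TMT_IEEE_802 or not group:
        return ssid_default_vlan
    vid = int(group.decode("ascii"))  # assumption: numeric VLAN ID, not a name
    if not 1 <= vid <= 4094:
        raise ValueError("RADIUS returned an invalid VLAN ID")
    return vid

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (helper for building the samples below)."""
    return bytes([atype, len(value) + 2]) + value

# Constructed Access-Accept attributes for a hypothetical account mapped to VLAN 30.
ACCEPT_IOT = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
              + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
              + attr(TUNNEL_PRIVATE_GROUP_ID, b"30"))
ACCEPT_PLAIN = attr(1, b"alice")  # User-Name only, no VLAN attributes
```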
 
