Curious how to set up a vlan that routes ssid to specific ip/ports

ewitles
New here

howdy -

my first post here.

i have set up gr10 access points (4 for now) and currently 3 ssids (two guest and one all access), and will create a 4th depending on what answers i get here.

verizon is the main router and handing out ips now. a netgear unmanaged 24 port switch.

there is a nas (freenas) serving ftp and smb traffic at a fixed ip.

here is what i need to do but really cannot figure this out via google searches or fellow cisco folk.

- i would like to set up a wireless vlan for the church staff (all access to resources)
- give wired their own vlan but still full access to all resources.
- create a special ssid to only access a single ip (my freenas) and if possible, limit by port (ftp and smb) but still the internet. basically guest plus special access.
- keep the main guest connected to the internet only (like a good guest).

i know names (trunk/tagging/vlan) but that is all i know.

for hardware, i have a security appliance, 8 port switch, and single access point to test before i set the church network up.

thanks gang 🙂

Xydocq
A model citizen

Hello

I will tell you how I have set up my network. I am not on Verizon and I don't use GR10 on my network, so I can't really tell you how to handle the setup there.

I got a router from my ISP. The router can be set to act as a modem. It's called "IP-Passthrough". In that mode, all traffic from the internet is sent to Port 1 of the router. The other ports (Nr. 2-4) of the router still work for outgoing connections. So I use port 2 on the router for my "Guest-Network"; I simply added a Wireless-Access-Point in Bridge-Mode to that port and gave it an SSID. And this isn't really a Guest-Network since it's used by my employees for private use.

Now on Port 1, I had to connect another router. All that is done there is that it hands out two IP addresses. One is for my Server (NAS) and one for another router that handles my LAN. So in general I set it up Router1-Router2-Router3.

Since all incoming traffic is directed to Router2, it's the one that has the port-forwarding job to do. Ports for the webservices are forwarded to the Server-IP. And other ports, needed for the LAN setup, are forwarded to Router3.

I added another Wireless-Access-Point in Bridge-Mode to the LAN generated by Router3.

Now what happens:

1. Guests on the Guest-Network are only able to access the Internet.
2. If I connect a client computer to Router2, I am able to access webservices and the Internet but no resources on the LAN behind Router3.
3. I have full access to all my resources on the LAN (Router3), wired and wireless, full access to webservices and any client connected to Router2, and Internet access. The only thing I can't reach is the Guest-Network. I would have to sign on to that through Port 3 of my ISP's router.

I guess that setup comes close to what you try to accomplish.

I recommend you use one VLAN for Guests and one for all your church-related issues.

Meraki Go - Wireless Address Translation - Cisco Meraki

Xydocq
A model citizen

Well after some thinking...

You're missing one router to accomplish what you try to do.

You have that Verizon Router. Let's say you set the LAN to 192.168.0.0/24; now you would need another router, let's say you get the Meraki Go GX50. You connect the GX50 to the Verizon Router and give it a static IP on the Verizon, let it be 198.168.0.100. The GX50 is set to have a dynamic IP address for the Internet connection.

Connect your GR10s to the GX50 and create the VLANs you want to have, let's call them Default, ID 1 (IP 192.168.10.0/24), Church_Stuff, ID 2 (IP 198.168.20.0/24) and Church_Guest, ID 3 (IP 192.168.30.0/24).

Connect your NAS to VLAN 1 and make the IP static, let's make it 192.168.10.250.

VLAN 2 gets an SSID "Stuff" and has to be set to Bridge-Mode.

VLAN 3 gets an SSID "Guests" and needs to be set to NAT-Mode.

Now everyone on VLAN 1 wired and VLAN 2 wireless can access the NAS and the resources placed on VLAN 1.

VLAN 3 is blocked and only has Internet access.

Now you would need to set some port-forwarding rules on the GX50. Allow Port 445 for 192.168.10.250 and set the allowed IP range to 192.168.0.2 - 192.168.0.254. This will allow SMB access for a device directly plugged into the Verizon Router on the network 192.168.0.0/24 but not from the Internet.

To access the NAS from that network through SMB you have to use the WAN IP given to the GX50 (192.168.0.100). The GX50 will translate that to 192.168.10.250.

Now if you want access from abroad, I would recommend using a VPN server and not using the FTP protocol. You can set up the VPN server on the GX50 and use that one to access the resources on the LAN. All you have to do is forward the VPN ports on the Verizon Router to the GX50 (192.168.0.100). If you want FTP to work you'll have to set rules on the Verizon Router and the GX50. On the Verizon the ports have to direct to the GX50 and on the GX50 the target is the NAS. You can't set a rule to allow IP addresses like you did on the SMB configuration, since 192.168.0.1 will be the only IP visible for the GX50. So please don't go FTP, use VPN!!!

If you need wireless access to the Verizon Router, maybe that one has a built-in wireless you can use.

This setup should give you exactly what you were asking for.

Guests will only be able to reach the Internet, wired has its own VLAN (Default) with access to all resources, and you have a wireless VLAN for stuff with access to resources. The only thing that might be missing is wireless access to the NAS from one client, but I guess you get an idea of what you're missing to accomplish that too.

Hope this helps.
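As an added example (not part of the thread, and not Cisco Meraki's or the GX50's own code), the Python script below models the plan in the reply above as a small reachability policy and checks constructed sample flows against it: NAT-mode guest isolation on VLAN 3, inter-VLAN access between the Default and Church_Stuff VLANs, and the GX50 port-forward for SMB that only accepts sources in 192.168.0.2 - 192.168.0.254. Assumptions not stated in the reply: the Church_Stuff subnet is taken as 192.168.20.0/24, the GX50 WAN address as 192.168.0.100 (the value the reply uses later), no FTP forward exists, and all client addresses in the flows are made up.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Addressing from the reply. Assumed: Church_Stuff is 192.168.20.0/24 and the
# GX50 holds 192.168.0.100 on the Verizon LAN (the reply writes that later).
VERIZON_LAN = ip_network("192.168.0.0/24")      # upstream LAN behind the Verizon router
GX50_WAN_IP = ip_address("192.168.0.100")       # GX50's address on the Verizon LAN
VLANS = {
    1: ip_network("192.168.10.0/24"),   # Default: wired clients and the NAS
    2: ip_network("192.168.20.0/24"),   # Church_Stuff: bridge-mode SSID (subnet assumed)
    3: ip_network("192.168.30.0/24"),   # Church_Guest: NAT-mode SSID
}
NAT_MODE_VLANS = {3}                    # NAT-mode SSIDs are isolated from the other VLANs
NAS_IP = ip_address("192.168.10.250")


@dataclass(frozen=True)
class PortForward:
    """One inbound rule on the GX50: WAN:public_port -> target:target_port."""
    public_port: int
    target: IPv4Address
    target_port: int
    allowed_src_first: IPv4Address   # inclusive source range the rule accepts
    allowed_src_last: IPv4Address

    def matches(self, src: IPv4Address, dport: int) -> bool:
        return dport == self.public_port and self.allowed_src_first <= src <= self.allowed_src_last


# The single forward the reply describes: SMB (TCP 445) to the NAS, sources 192.168.0.2-254 only.
FORWARDS = [
    PortForward(445, NAS_IP, 445, ip_address("192.168.0.2"), ip_address("192.168.0.254")),
]


def vlan_of(addr: IPv4Address):
    """VLAN id that owns addr, or None when the address is not behind the GX50."""
    return next((vid for vid, net in VLANS.items() if addr in net), None)


def evaluate(src: str, dst: str, dport: int):
    """Decide whether a TCP flow src -> dst:dport is reachable under the plan.

    Returns (allowed, reason). Only the rules the reply states are modelled:
    NAT-mode guest isolation, inter-VLAN access for VLANs 1 and 2, and the
    source-restricted port-forward on the GX50 WAN address.
    """
    s, d = ip_address(src), ip_address(dst)
    sv, dv = vlan_of(s), vlan_of(d)

    if sv is not None:                              # flow originates behind the GX50
        if dv is not None:                          # destination is another GX50 VLAN
            if sv in NAT_MODE_VLANS:
                return False, f"VLAN {sv} is a NAT-mode guest SSID; internal destinations are blocked"
            return True, f"VLAN {sv} -> VLAN {dv} is permitted"
        if d in VERIZON_LAN:
            # The reply sets no rule for this direction: NAT-mode only hides guests
            # from the GX50's own VLANs, so the upstream Verizon LAN stays reachable
            # unless something blocks it there.
            return True, "reaches the upstream Verizon LAN; not blocked by the plan"
        return True, "outbound to the Internet via the GX50"

    # flow arrives on the GX50's WAN side (Verizon LAN, or forwarded on from the Internet)
    if d == GX50_WAN_IP:
        for fw in FORWARDS:
            if fw.matches(s, dport):
                return True, f"forwarded to {fw.target}:{fw.target_port}"
        return False, "no port-forward matches this port and source address"
    if dv is not None:
        return False, "GX50 VLAN addresses are not routable from the WAN side"
    return True, "flow does not traverse the GX50"


if __name__ == "__main__":
    # Constructed sample flows: staff laptop, guest phone, a wired Verizon-LAN
    # client, the Verizon router itself, and an Internet host.
    for flow in [("192.168.20.15", "192.168.10.250", 445),
                 ("192.168.30.7", "192.168.10.250", 445),
                 ("192.168.30.7", "203.0.113.10", 443),
                 ("192.168.0.50", "192.168.0.100", 445),
                 ("192.168.0.50", "192.168.0.100", 21),
                 ("192.168.0.1", "192.168.0.100", 445),
                 ("192.168.0.50", "192.168.10.250", 445)]:
        allowed, why = evaluate(*flow)
        print(f"{flow[0]:>15} -> {flow[1]}:{flow[2]:<4} {'ALLOW' if allowed else 'DENY '} {why}")
```

Two things the model makes visible that are worth confirming on the test gear before the church rollout: the allowed source range starting at 192.168.0.2 leaves out the Verizon router's own 192.168.0.1, which is the address the reply says forwarded Internet traffic would carry, so an upstream forward of 445 would be dropped by the GX50 rule; and NAT-mode isolation only covers the GX50's VLANs, so whether guests can reach devices on the Verizon LAN itself depends on what the Verizon router allows, not on this plan. The script encodes the stated rules, not observed GX50 behaviour, so treat its verdicts as expectations to verify with real clients.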