VLAN setup questions

Hi there! Looking for guidance on setting up VLANs.

NETWORK MAP:

  • Firewalla Router -> Alta 8-port Switch -> 2 Alta PoE APs, 1 unmanaged PoE switch (for cameras only), 1 PC, 1 Alarm

VLAN requirements:

  1. Home
  2. Trusted IoT (e.g. Alexa, Apple, etc). Wifi + hardwired.
  3. Untrusted IoT (e.g. wifi printer, PoE cameras)

Questions:
1/ Is the Management VLAN setting on the Switch port specific?
2/ How do I enable multiple VLANs while allowing a single VLAN to apply to wired + wifi devices?

  1. No, a management VLAN specifies the VLAN that the switch itself should be on.
  2. For WiFi, set the VLAN on the AltaPass that you want it applied to. For physical interfaces, make sure the VLAN is Untagged on that interface, and if you want that port to exclusively be on that interface, make sure all other VLANs are Excluded.

It’s worth noting that, by default, the switch will trunk (Tag) all VLANs (excluding the default management VLAN of 1) on all interfaces, so that works great for APs.


Thanks Matt (v2)!

Ahhh, so by the switch auto assuming all VLANs, I just need to tag the specific device to the VLAN (under that device’s settings via the Alta UI). Is this correct?

For the wifi devices, suppose they should share the same VLAN used by other devices not connected to the Alta switch. Is it simply a matter of not using AltaPass and instead manually tagging the specific device to the VLAN (like above)? Am I getting this right?

Appreciate your patience, this is all new to me!

There are a lot of variables that would come into play. The method you refer to is very granular and would generally be reserved for corner-case situations.

Generally, for wired, if you want a specific port to be a specific VLAN, set that port to be the only Allowed VLAN under that interface’s configuration. This will then set the interface to be untagged for that VLAN.

For wireless, your individual port will go to an AP which can (in theory) support infinite VLANs, so you’d set all relevant VLANs as Allowed on that interface. This will result in the default VLAN being untagged and all subsequent VLANs tagged.

Then, if you have a one-off device, you can set its VLAN under the Devices tab if you need to.


Thanks for the clarification! Think I’ll keep it simple; wired devices port tagged to VLAN and wireless VLAN tagging via AltaPass.

For setting VLAN at the password level, does the Network Type matter? In other words, if router rules dictate how/where VLAN traffic flows, does setting the wifi password as a Network Type = IoT matter?

From my understanding, if you use the network type IoT in the Alta Labs controller, the AP will handle the IoT traffic, but if you choose standard and tag the standard with your VLAN, your firewall will handle it.

The IoT option is nice if you just have a normal consumer-grade router that doesn’t support VLANs.

The network type will always matter as the firewall rules are applied at the AP level. Of course, you can create firewall rules beyond that provided you have traffic that crosses subnets. As @dalewhlrr points out, the Network Types are handy if you can’t do VLANs in your network or if you want more granular control at the AP level; i.e. concerns about IoT devices potentially communicating with other devices within the LAN where both devices are on the same subnet.


Awesome, thank you both! Super helpful 🙂

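The thread's key point for segmentation is that a port left at the default still carries every VLAN tagged, so a port meant for one VLAN needs that VLAN Untagged and the rest Excluded. The audit below is an added example, not part of the thread and not Alta Labs code; the VLAN IDs, port numbers and dict layout are assumptions and the sample data is constructed.

```python
# Added example. VLAN IDs, port numbers and the dict layout are assumptions;
# this is not Alta Labs' configuration format or API.
MGMT_VLAN = 1
VLAN_IDS = (1, 10, 20, 30)  # 10 Home, 20 Trusted IoT, 30 Untrusted IoT (assumed IDs)

def default_port():
    """Default described in the thread: VLAN 1 untagged, every other VLAN tagged."""
    return {v: "untagged" if v == MGMT_VLAN else "tagged" for v in VLAN_IDS}

def access_port(vlan):
    """Port exclusively on one VLAN: that VLAN untagged, all others excluded."""
    return {v: "untagged" if v == vlan else "excluded" for v in VLAN_IDS}

def audit(ports, plan):
    """Compare per-port VLAN modes with the intended plan.

    plan maps port -> ("access", vlan) or ("trunk", set_of_vlans).
    Returns a sorted list of (port, issue, vlans) tuples.
    """
    findings = []
    for port, (role, want) in plan.items():
        modes = ports[port]
        untagged = {v for v, m in modes.items() if m == "untagged"}
        carried = {v for v, m in modes.items() if m != "excluded"}
        allowed = {want} if role == "access" else set(want)
        if role == "access" and untagged != {want}:
            findings.append((port, "wrong-untagged-vlan", sorted(untagged)))
        if carried - allowed:  # VLANs reachable from this port that should not be
            findings.append((port, "unexpected-vlans", sorted(carried - allowed)))
        if allowed - carried:  # VLANs the port needs but does not carry
            findings.append((port, "missing-vlans", sorted(allowed - carried)))
    return sorted(findings)

# Constructed sample: ports 1-2 feed the APs, port 3 the camera PoE switch, port 4 the PC.
PLAN = {1: ("trunk", {1, 10, 20, 30}), 2: ("trunk", {1, 10, 20, 30}),
        3: ("access", 30), 4: ("access", 10)}
PORTS = {1: default_port(), 2: default_port(),
         3: default_port(),   # camera port never changed from the default
         4: access_port(10)}  # PC port set the way the thread describes

if __name__ == "__main__":
    for port, issue, vlans in audit(PORTS, PLAN):
        print(f"port {port}: {issue} {vlans}")
```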