On Wed, Aug 07, 2013 at 11:55:45AM +0300, lilit-aibolit wrote:
> Hello misc.
> I'd like to set up guest Wi-Fi in my LAN to prevent access to local
> resources.
> I have an OpenBSD gateway with an em NIC connected to the LAN.
> The LAN is based on switches with VLAN support.
> Suppose I have created two VLANs and added ports from my network
> to vlan1 and the Wi-Fi AP to vlan2.
> What should I do on the gateway to accept network from both vlans?
>
Assuming your network config is as follows:
{Internet} -- Gateway -- Switch -- Private Wireless AP
                           |
                           -- Guest Wireless AP
You can configure the switch to forward packets from the guest AP to the
gateway tagged as VLAN 1. There is no need to configure a VLAN for the
private AP, unless you have more complex requirements such as management
VLANs or separate wired ethernet broadcast domains. That would cause
more problems than it solves in a simple home network though.
Once the switch is configured, you can bring up the VLAN on the gateway

    ifconfig vlan0 vlan 1 vlandev em0

and assign it an IP.
> Should there be different subnets in vlan1/2, or can they be the same?
They should be different. I will explain why.
Routers route packets between networks. Switches route packets between
computers, but never across networks. Wireless APs are switches that can
talk over radio. A broadcast domain is the network you talk to when you
send broadcast packets. You can always talk to computers on your network
without going through a router. The VLAN makes it so that you appear to
have two NICs connected to two switches. Therefore, you have two
networks, i.e. two subnets.
It is conceivable that you run two IP networks over the same broadcast
domain, but that is not optimal network design and should be reserved
for situations where you must retain old design for compatibility
reasons. It also does not solve any security problems. If 192.168.0.0/24
and 192.168.1.0/24 were over the same physical medium (shared a
broadcast domain), a guest in 192.168.1.0/24 could simply change his IP
address and be on the private network.
- Martin
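
Added example, not part of the original message: a pf.conf sketch for the gateway that keeps the guest VLAN away from the private LAN, since a gateway that forwards IP will otherwise route between the two subnets. The uplink interface em1, the untagged private LAN on em0, and the gateway answering DNS for guests are assumptions; vlan0 is the interface created above.

```pf
# Constructed example. Interface roles are assumptions, not from the thread.
ext_if   = "em1"      # assumed uplink to the Internet
lan_if   = "em0"      # private LAN, untagged on the parent NIC
guest_if = "vlan0"    # guest VLAN interface from the ifconfig line above

set skip on lo

# Default deny; everything below is an explicit exception.
block all

# NAT both internal subnets out of the uplink.
match out on $ext_if inet from { $lan_if:network $guest_if:network } nat-to ($ext_if)

# Filtering is done on the inbound side, so let forwarded traffic leave.
pass out

# Private LAN: unrestricted.
pass in on $lan_if inet from $lan_if:network

# Guests: only sources inside the guest subnet are accepted, so a guest
# that reconfigures itself with a private-LAN address matches nothing
# here and falls through to "block all".
pass in on $guest_if inet from $guest_if:network

# pf uses the last matching rule: take back the private LAN and the
# gateway's own addresses from what the rule above allowed.
block in on $guest_if inet from any to { $lan_if:network self }

# Assumption: the gateway resolves DNS for guests on its vlan0 address.
pass in on $guest_if inet proto { tcp udp } from $guest_if:network to ($guest_if) port domain
```

Load it with pfctl -f /etc/pf.conf after checking the syntax with pfctl -nf /etc/pf.conf.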