02-22-2018 03:01 PM
Trying to understand if there is a difference or a compelling reason to use a VLAN or not in this scenario.
Here is how we have our current ERX-SFP / UAP Lite setup: VLANs on switch0, VLAN 1 (native) and VLAN 10.
Our LAN is on native VLAN 1, as is our internal wifi. Guest wifi is on VLAN 10. Firewall rules were NOT placed on the ERX for separation. We opted instead to use guest policies on the UAP itself. We just left the default 'block all internal LAN' option checked so the guest wifi only gets internet access and no LAN access; it seems much quicker and easier to do on the UAP.
We have another setup we have to do, very similar to the first, but this one will have no guest wifi, only internal. However, we still need LAN separation from wifi. Since we don't need multiple subnets coming in to one port like the above scenario, would it be better to copy the above config and just tweak the guest wifi into the internal wifi?
Or would it be cleaner to not use VLANs at all and, if possible, just have the same guest policy settings on the UAP to achieve separation?
If either would work just as well, would there be any performance/reliability hit using a VLAN vs not using one? Just looking for the cleanest solution that would result in a solid, reliable setup.
02-22-2018 04:34 PM
I would use VLANs because they tend to be more future-proof. For example, if you want to do IPv6 in the future you really need working multicast, and without VLANs that would mean information could easily leak between your LAN and wifi because they are on the same broadcast domain. Also, if in the future you want to expose a subset of LAN IPs to wifi (or vice versa) you would be in an all-or-nothing situation if you are relying on "guest isolation". With VLANs you have implicit layer 2 isolation and you can finely tune any exceptions at layer 3. (I would use zone-based firewalling on the router to control that)
The overhead for vlans is pretty slim; I wouldn't worry about it.
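As an added example, not posted by anyone in this thread, here is what the layout jsipprell describes (wifi on its own VLAN, L2 separation by the switch, exceptions at L3 on the router) looks like as EdgeOS CLI commands for an EdgeRouter X. It uses per-interface firewall rulesets rather than the zone-policy he mentions, because that is simpler to read. Everything concrete in it is an assumption: eth0 is the WAN port, eth1 is the port the UAP hangs off, the LAN is 192.168.1.0/24 untagged on switch0, the internal wifi is 192.168.10.0/24 tagged as VLAN 10, and 192.168.1.50 is a printer on the LAN that wifi clients are allowed to reach.

```edgeos
# Added example, not from this thread. Assumed: eth0 = WAN, eth1 = port to the UAP,
# LAN = 192.168.1.0/24 untagged on switch0, internal wifi = 192.168.10.0/24 on VLAN 10.
configure

# Make the ER-X switch VLAN-aware; carry VLAN 10 tagged and VLAN 1 untagged (native) on the AP port
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth1 vlan vid 10

# Router-side interface, DHCP and DNS forwarding for the wifi VLAN
set interfaces switch switch0 vif 10 description "WIFI"
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set service dhcp-server shared-network-name WIFI subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name WIFI subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name WIFI subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.200
set service dns forwarding listen-on switch0.10

# Traffic forwarded from wifi: keep existing flows, allow one LAN exception, drop the rest of the LAN,
# and let everything else (internet) through via the default action
set firewall name WIFI_IN default-action accept
set firewall name WIFI_IN rule 10 action accept
set firewall name WIFI_IN rule 10 description "Established/related"
set firewall name WIFI_IN rule 10 state established enable
set firewall name WIFI_IN rule 10 state related enable
set firewall name WIFI_IN rule 20 action accept
set firewall name WIFI_IN rule 20 description "Exception: printer on the LAN (assumed address)"
set firewall name WIFI_IN rule 20 destination address 192.168.1.50
set firewall name WIFI_IN rule 30 action drop
set firewall name WIFI_IN rule 30 description "Block the rest of the LAN"
set firewall name WIFI_IN rule 30 destination address 192.168.1.0/24

# Traffic from wifi to the router itself: only DHCP and DNS, nothing else (no SSH, no web UI)
set firewall name WIFI_LOCAL default-action drop
set firewall name WIFI_LOCAL rule 10 action accept
set firewall name WIFI_LOCAL rule 10 state established enable
set firewall name WIFI_LOCAL rule 10 state related enable
set firewall name WIFI_LOCAL rule 20 action accept
set firewall name WIFI_LOCAL rule 20 description "DHCP"
set firewall name WIFI_LOCAL rule 20 protocol udp
set firewall name WIFI_LOCAL rule 20 destination port 67
set firewall name WIFI_LOCAL rule 30 action accept
set firewall name WIFI_LOCAL rule 30 description "DNS"
set firewall name WIFI_LOCAL rule 30 protocol tcp_udp
set firewall name WIFI_LOCAL rule 30 destination port 53

# Attach the rulesets to the wifi VLAN interface
set interfaces switch switch0 vif 10 firewall in name WIFI_IN
set interfaces switch switch0 vif 10 firewall local name WIFI_LOCAL

commit
save
exit
```

On the AP side the internal SSID is simply assigned VLAN 10 in the controller; the UAP's own management traffic stays on the untagged native VLAN, so adoption keeps working as before. Two things to check after committing: that the existing masquerade rule on eth0 is not restricted to the LAN source range (otherwise the wifi subnet has no NAT), and that a wifi client can reach 192.168.1.50 but nothing else in 192.168.1.0/24. Adding or removing a LAN exception is then one rule in WIFI_IN rather than a change to the AP's all-or-nothing guest policy.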
02-22-2018 05:31 PM - edited 02-22-2018 05:32 PM
I can think of a couple of reasons, in addition to what @jsipprell suggested.
- VLANs could be part of a defense-in-depth approach, with isolation being enforced both at the AP and in the switching/routing infrastructure.
- For performance. I read in a thread that I can't seem to find that the peak data throughput of some models of Ubiquiti APs is significantly reduced when using Guest isolation. My recollection is that the APs ran out of CPU power, which makes me think it was the lower-cost APs such as the UAP-AC-Lite.