guest network using tagged VLANs

[Steve Sapovits]

On 1/12/2020 4:54 PM, Rudy Zijlstra wrote:
>
> On 12/01/2020 22.44, Steve Sapovits wrote:
>> I'm wondering if this is possible ... I can't seem to find anything
>> that really matches.
>>
>> Suppose I have a wireless access point (WAP) configured just as an AP
>> -- no router or DHCP functionality enabled on the WiFi device.
>>
>> WAP is connected to a switch with two tagged VLANs.
>>
>> Switch is connected to machine running ISC DHCP.   Connection is from
>> a switch port assigned to both VLANS.
>>
>> In the ISC DHCP configuration for the VLAN subnet, some rules (for
>> example MAC address) are used to assign an address from one of the two
>> VLAN subnets.  For example, known MAC addresses get IPs from VLAN1.
>> Unknown MAC addresses get IP addresses from VLAN2.
>>
>> Since different interfaces are specified as subnets in the DHCP
>> configuration, I don't see that I can specify one set of rules for the
>> combined (trunk) VLAN.  So what I'd end up with is two subnet
>> specifications where a client address may come from either the same
>> subnet or from the other VLAN subnet.  Having an address range from a
>> different subnet alone seems like it might not work (configuration
>> might be rejected).   Beyond that, would it then even work ...
>>
>> I don't really have everything needed to actually test this, which is
>> why I ask.
> You can solve this on condition that the WAP itself is VLAN aware and
> than use 2 SSID. One assigned the your normal VLAN and the second to the
> guest VLAN.
>
> On the DHCP server you than have no problem, as each of the VLAN can
> have it's own subnet definition.


Reading some networking forums, it sounds like not all WAP devices 
retain guest separation if they're not in full router mode.

So, assuming a WAP that can't do the VLAN separation, is there a way to 
make the guest separation on the ISC DHCP side?


-- 
Steve Sapovits
steves06 at comcast.net