Help going from flat network to VLAN

Simple system with a FreeBSD box serving as gateway, dhcp, firewall.
Internal nic em0 192.168.4.1/24 connects to PORT0 on a dd-wrt router serving as a switch.
Coming off the switch on PORT4 is a Unify AP.

I'd like to reconfigure my internal network from a flat 192.168.4.X world to put the AP on a guest VLAN. I don't believe this is very hard, but I've waded through dozens of terribly written, outdated, and incomplete ddwrt posts and still can't figure out what I'm doing wrong.

Server Side:

Do I need to define a home VLAN + guest VLAN?

Code:
ifconfig em0 delete #remove existing
ifconfig em0.4 create vlan 4 vlandev em0 inet 192.168.4.1/24 #home
ifconfig em0.5 create vlan 5 vlandev em0 inet 192.168.5.1/24 #guest

Or can I keep my existing network definition (for untagged traffic?) and just add the guest VLAN?

ifconfig em0.5 create vlan 5 vlandev em0 inet 192.168.5.1/24 #guest

Switch Side:

PORT 0 <=> Server
PORT 4 <=> AP
Once the vlan interface(s) are defined, how do I configure the switch? I suspect I want vlan5 tagged on ports 0 & 4, but is that it? Also if the answer is "dear lord, don't use ddwrt because it can't mix tagged and untagged traffic", I'd love to hear that. I'm not at all opposed to buying the right hardware for the job.

Thanks for any help you can offer!
 
You can't delete the em0 interface. You just need something like the following -

/etc/rc.conf
Code:
cloned_interfaces="vlan4 vlan5"
ifconfig_em0="up" # might not be required?
ifconfig_vlan4="inet 192.168.4.1/24 vlan 4 vlandev em0 description home"
ifconfig_vlan5="inet 192.168.5.1/24 vlan 5 vlandev em0 description guest"
(The vlan interfaces don't have to be named vlan4 & vlan5, they could be vlan0 & vlan1, I just like doing that).

You can then run DHCP services on the vlan interfaces if required, and make sure the firewall is blocking traffic from the guest network to the home network.

I can't really help with the dd-wrt config though. The port connected to the FreeBSD machine will need to be a trunk port (configured to allow vlan 4&5 if required), and PORT4 will need to be set as a vlan 5 access port.
 
Thanks all.

The FreeBSD side configuration is drop dead simple. I kept my existing definition for em0 and that picks up untagged traffic, tagged traffic is picked up by vlans added to em0.

The hard part was configuring DDWRT to tag traffic on the WAN port. Granted I'm doing something on the edge of normal usage (E3k WAP used as a router, not a gateway, with the WAN port assigned to the switch), but I went in circles for days. Tried the GUI, tried the CLI, hard reset a dozen times, and finally wedged the WAN port so badly (passing link layer, but no ip layer data) that I installed shibby-tomato. That worked perfectly the first time.
 
Back
Top