VLANs for separating two WLAN networks.

    I'm feeling my way into VLANs, courtesy of a charity whose IT I have
    been asked to "sort out". Can someone help me think things through?

    There's a Netgear GS748T which does port-based VLANs, and there's a
    Netgear WAG302v2 wireless access point which is capable of broadcasting
    multiple SSIDs and tagging each with a VLAN id. There's an ADSL router
    managing the broadband connection. (I have manuals for all these).

    The charity wants to provide public WiFi for visitors and private WiFi
    for staff, as well as wired connections in some of the offices, and an
    internal file server. I'm determined to separate the public from the
    staff very strictly.

    Current idea is that I'd set up two VLANs at the switch, call them nos
    02 and 03; I'd set up the private SSID to tag to VLAN 02 and the public
    one to 03. I'd run both VLANs on the same subnet (say

    I know that one MAC address can be a member of more than one VLAN. So
    the ADSL router, acting as a gateway, could be in both VLANs. There is
    expressly no traffic between the two VLANs, so do I need a router to
    link them (i.e. additional to the ADSL router itself)?

    And could I get away with just one DHCP server (the one in the gateway

    All thoughts, worked examples, pointers to learned web sites, gratefully
    Henry Law, Mar 19, 2014

    Should have checked this before I posted.

    The WAP has a DHCP server which can be enabled. So it could serve out a
    bunch of addresses for visitors to use, but then the staff VLAN couldn't
    use the DHCP server on the ADSL router, because it's accessible to both
    VLANs. Still sounds like two DHCP servers, one for each VLAN.
    Henry Law, Mar 19, 2014

    I have an Asus RT-N16 running OpenWRT. I have multiple "real" IPs from
    my ISP but this is not essential. I have several VLANs defined.
    my ISP but this is not essential. I have several VLANs defined.

    One using a couple of real addresses for phone and web/mail server
    One for the LAN both wired and wireless DHCP and 192.168.0.* NATed to
    a real address
    One for public wireless DHCP and 172.16.0.* NATed to a real address

    OpenWRT handles the lot with no sweat. I even have it such that guests
    on 172.16 can print to my LAN printer on 192.168. They can't get at
    anything else other than the internet, not even each other. The
    various "LAN" ports on the router are spread over those VLANs. Of
    course you may need to ensure that guests can't plug into a restricted
    wired port, but MAC filtering ought to take care of that one.

    Not sure if your router can run OpenWRT but there is an acceptable
    h/w list on their site.

    Dave Saville, Mar 19, 2014
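As an added worked example (editor's addition, not Dave's actual config and not part of the original thread), here is an OpenWRT UCI configuration of the layout Dave describes: a staff LAN on 192.168.0.0/24 and a guest network on 172.16.0.0/24, each on its own switch VLAN and each NATed to the WAN, with guests allowed out to the internet and to one LAN printer and nothing else, and wireless guests isolated from each other. It also shows how OpenWRT answers Henry's DHCP question: one dnsmasq instance serves both VLANs, with a separate address pool bound to each interface, so no second DHCP server is needed. The switch port numbers (RT-N16-style, CPU on port 8), the choice of port 3 as the guest wired port, the printer address 192.168.0.20 and the SSID names are all assumptions for illustration.

```uci
# /etc/config/network (fragment)
# Assumption: swconfig switch with LAN ports 0-3, WAN on port 4, CPU on port 8.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: staff wired ports 0-2, tagged up to the CPU
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 8t'

# VLAN 2: WAN on port 4
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 8t'

# VLAN 3: guest wired port 3 only (assumption: port 3 is the public port)
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '3 8t'

# Each VLAN becomes its own bridge so wired and wireless share one subnet
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.3'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

# /etc/config/wireless (fragment): one SSID per VLAN, on the same radio
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option ssid 'staff'          # assumed name
        option encryption 'psk2'
        option key 'CHANGE-ME'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'visitors'       # assumed name
        option encryption 'none'
        option isolate '1'           # guests cannot talk to each other over WiFi

# /etc/config/dhcp (fragment): one dnsmasq, one pool per interface
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

# /etc/config/firewall (fragment)
config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'        # router itself closed to guests ...
        option output 'ACCEPT'
        option forward 'REJECT'      # ... and no forwarding unless listed below

config zone
        option name 'wan'
        option network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'              # NAT both subnets behind the WAN address
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'guest'
        option dest 'wan'

# Guests still need DHCP and DNS from the router
config rule
        option name 'guest-dhcp'
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'guest-dns'
        option src 'guest'
        option proto 'tcpudp'
        option dest_port '53'
        option target 'ACCEPT'

# The only hole from guest into the staff LAN: the printer, raw and IPP
config rule
        option name 'guest-to-printer'
        option src 'guest'
        option dest 'lan'
        option dest_ip '192.168.0.20'   # assumed printer address
        option proto 'tcp'
        option dest_port '9100 631'
        option target 'ACCEPT'
```

The separation comes from the firewall zones, not from the VLAN numbers: with `forward 'REJECT'` on the guest zone, only the explicitly listed forwarding to `wan` and the single printer rule are allowed, so a guest who scans 192.168.0.0/24 sees nothing else. Note that `isolate` only covers clients on the same wireless interface; two guests on the wired guest port can still see each other unless the switch does port isolation.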
