Balance 20x & AP One AX Lite: VLAN question

Hello there- I have read numerous posts here and elsewhere about VLANs but I did not find my exact question so here goes:

We recently purchased a Balance 20x and an AP One AX Lite for our small office. I’ve got the Balance 20x set up and working great with all of our wired clients. The Balance is also set up to manage the AP. The AP is set up with 2 wireless networks, one for the internal trusted network and one untrusted network for wireless guests. The two SSIDs have been created and I set up a VLAN 22 that has been assigned to the guest wifi network. The trusted network has VLAN “none”.

I have the AP connected to a Netgear GS324TP managed POE switch which in turn is connected to one of the trunk ports on the Balance 20x. I know enough about VLANs to be dangerous (haha) but I am no expert.

I can connect to the trusted wifi network and get an IP assigned that corresponds to the trusted internal network and I can connect to the internet. I can connect to the untrusted guest wifi network and get an IP assigned to the untrusted guest network but I cannot connect to the internet, which I assume is because I still need to configure the switch for the guest VLAN.

My first question is about the Peplink AP. Does the AP know to tag the traffic with either VLAN 22 for the guest network or untagged for the trusted wifi network? (Actually, is the trusted wifi tagged 1 or untagged?)

My second question is about configuring the VLAN on the Netgear switch. Do I leave all ports on the switch untagged, set the port that is connected to the AP as tagged for VLAN 22, and also set the uplink port to the Balance 20x as tagged for VLAN 22? Do I need to also tag those two ports with VLAN 1 in the switch? My confusion here is from the Netgear documentation for the switch, it says this:

“In the Ports table, click each port once, twice, or three times to configure one of the following modes or reset the port to the default mode:
• T (Tagged). Selects the port as a tagged port in the VLAN. All frames transmitted on the port are tagged for this VLAN.
• U (Untagged). Selects the port as an untagged port in the VLAN. All frames transmitted on the port are untagged for this VLAN.
• Blank. The port is excluded from the VLAN.”

These instructions make it seem like if I tag the AP port and the uplink port with VLAN 22, then all traffic (i.e. the untagged internal network) will have the VLAN 22 tag added.

Third question: Do I leave all ports on the Balance 20x as trunk?

Thank you!

On the Netgear you assign VLAN membership to ports separately to assigning Port based VLAN operations.

So you would set the uplink port and the port with the AP attached to be members of the VID 22.
Then the AP will be able to use the untagged trusted network as normal, and it will tag the untrusted network with VID22 which will pass through the switch as a trunked VLAN all the way back to the Balance 20x and then on to the internet.

The trusted network is referred to as the untagged LAN. Data packets without a tag go there. For a data packet to be in a VLAN, an extra tag indicating which VLAN it belongs to is added to the packet.

Your setup is just beyond me. However, I would suggest walking before you run. That is, first get things working with the AP plugged directly into the router. Then, maybe, plug it into a dumb switch before moving to the more complicated setup of a smart switch.

Just to be on the safe side, I’d recommend reviewing a tutorial on VLANs. The first one Google threw at me was VLAN Basic Concepts Explained with Examples and it seems decent enough.

Once you have that under your belt, the following observations would make sense:

  • On Peplink devices SSIDs are tied to VLANs (or untagged). The AP will tag packets as per your SSID definition.
  • Ports can also be tied to VLANs (access ports), in which case packets are assigned whatever VLAN the port is assigned to. If the port is trunk (default) then whatever tagging the packet arrives with is passed on (incl. being not tagged at all)
  • The switch (if it is a smart switch) decides whether to pass on tagging, add/remove tagging or block a packet altogether, depending on the setting of the port on the switch. As with the router, a port can pass on the tags (trunk), assign tags (access) or block packets altogether if the tag is not one of those assigned to the port.

In your case a simple switch setting is to define VLAN 22 and untagged/VLAN 1 (synonymous) and let the AP be connected to a trunk port that is a member of both VLANs 22 and 1 (that’ll pass on packets from the two SSIDs, respectively).

I am with @Michael234, since it seems that your understanding of VLANs is incomplete: Do the set-up with the router only at first, then add the switch once you have a working VLAN architecture that you are satisfied with.

Cheers,

Z

Thank you guys. @MartinLangmaid - yep that was it, thanks!

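
The tagging rules discussed in this thread, as an added example (not code from any poster, Peplink or Netgear): a simplified Python model of per-VLAN T/U/blank port membership, showing that tagging the AP and uplink ports for VLAN 22 leaves untagged trusted traffic untagged and keeps guest frames off other ports. The port names, a PVID of 1 on every port, and ingress filtering being enabled are assumptions.

```python
# Simplified 802.1Q forwarding model (added example; port names and PVID 1 are assumed).
DROP = "drop"

class Port:
    def __init__(self, pvid, membership):
        self.pvid = pvid              # VLAN given to frames that arrive untagged
        self.membership = membership  # {vid: "T" or "U"}; a missing vid = Blank (excluded)

def forward(tag, in_port, out_port):
    """Return the tag the frame carries on egress (None = untagged) or DROP."""
    vid = in_port.pvid if tag is None else tag   # ingress classification
    if vid not in in_port.membership:            # ingress filtering (assumed enabled)
        return DROP
    mode = out_port.membership.get(vid)          # T/U is decided per VLAN, not per port
    if mode is None:
        return DROP                              # out_port is Blank for this VLAN
    return vid if mode == "T" else None

def build(trunk_has_22):
    """AP and uplink ports carry VLAN 1 untagged; optionally VLAN 22 tagged."""
    trunk = {1: "U", 22: "T"} if trunk_has_22 else {1: "U"}
    return {
        "ap": Port(1, dict(trunk)),
        "uplink": Port(1, dict(trunk)),
        "desk": Port(1, {1: "U"}),               # ordinary wired client port
    }

def scenario(trunk_has_22):
    p = build(trunk_has_22)
    return {
        "trusted ap->uplink": forward(None, p["ap"], p["uplink"]),
        "guest ap->uplink": forward(22, p["ap"], p["uplink"]),
        "guest ap->desk": forward(22, p["ap"], p["desk"]),
        "trusted ap->desk": forward(None, p["ap"], p["desk"]),
    }

if __name__ == "__main__":
    for label, flag in (("VLAN 22 not on AP/uplink ports", False),
                        ("VLAN 22 tagged on AP + uplink", True)):
        print(label)
        for path, result in scenario(flag).items():
            print(f"  {path}: {'untagged' if result is None else result}")
```
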