VLANs with Ruckus APs, ICX6610, OPNSense


colinb

Hi all,

Hoping for some pointers on setting up my network. Below is where I would like to get to, before setting up firewall rules for inter-VLAN routing - to come at a later date.

Current physical setup is a bunch of Ruckus unleashed APs wired into an ICX6610, which has a 10GbE link to an OPNsense router+firewall.

My question right now is basically how to set up the ICX to correctly manage the VLAN-tagged frames coming from the multiple SSIDs to the same port?

I should just set each port connected to an AP as tagged for all VLANs with SSIDs, right? So 10, 20, 30, 35, 50, 100 - yes? Then configure on APs, add firewall rules, and it should just work?

I can do all the above on the CLI, but am then thoroughly confused by dual-mode, and by comments that "Brocade/FastIron is a bit funny in how it handles Default VLAN when set to '1'".

Can anyone help guide me as I learn about all this?

Thanks!

1 - (Default) Mgmt/Infrastructure
10 - Trusted - Normal SSID
20 - Guest - Guest SSID
30 - IOT (internet required to function) - IOT SSID
35 - NIOT (internet not required to function) - NIOT SSID
40 - Video cameras - wired only
50 - Entz (TVs, audio, consoles, Switch, uPNP on) - own SSID
60 - DMZ (anything accessible from WAN, but only specific ports opened) - wired only
100 - Work laptop, separate SSID, no firewall and no Zenarmor

IOT is for Echo, smart appliances, etc. that require internet access to function.

NIOT is for things that should not have internet access because there is no good reason for them to have it, but should be able to talk to themselves or others. ESPHome, homekit, etc.

Jason Antes

I've done something similar with OPNSense, 6610, and Ubiquiti APs. Yeah, just add the VLANs to the ports of the APs.

In my case, 1/1/48 is my AP and 1/3/7 and 1/3/8 are my interfaces to OPNSense.
[Images: 6610-vlan.jpg (ICX6610 VLAN configuration), opnsense-vlan.jpg (OPNsense VLAN configuration)]

colinb

Thanks. So no messing with dual-mode needed?

What's on your 1/1/9?
And for that matter, how come all your other ports don't appear in the VLAN list (e.g. 1/1/23) - presumably they're part of VLAN 1?

Just trying to wrap my head round this!

Jason Antes

I don't think you need to deal with dual-mode if you have 1 VLAN for the AP and you want to have the management IP in that VLAN. Having multiple VLANs on the AP, I think you need to have 1 of them have the port dual-mode on that port so it can get a DHCP address on the VLAN you want vs one of the other VLANs, since they are trunked into the same port. Probably doesn't matter if you set it statically. So for me, I wanted the management IP on VLAN 10, so that port is in VLAN 10 as a dual-mode port. None of the SSIDs on the AP use that VLAN though; it's strictly for the management IP. Although at some point I'll be adding another VLAN as a management plane for all my gear to use instead. That would then need the dual-mode instead. Somebody better at networking may say dual-mode isn't needed, but I think that's why I set it that way on VLAN 10. It's been several years since I set it up.

[Image: 6610-vlan2.jpg (ICX6610 VLAN configuration with the dual-mode AP port)]

All the ports you don't see are in 1 of the VLANs, you just can't see them as the list is long in VLAN 10 and 2. Some of the wired ports are in VLAN 20 due to providing services on that VLAN (i.e. I have my PLEX server there so I don't have firewall holes punched into my main LAN where I have sensitive data). I need to re-do some of those assignments as I don't use that many ports anymore with having virtual servers instead and segregating IOT stuff. 1/1/9 was there as I had a device that required the default VLAN at one point. I just never moved it back to or VLAN 10. I really could get away with just the 24 port switch but this one was free so...
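A configuration sketch for the setup discussed in this thread, added here as an example and not taken from either poster's switch. It assumes colinb's VLAN plan, one Ruckus AP on port 1/1/1, the OPNsense uplink on 1/3/1, two camera ports on 1/1/10 to 1/1/12 and one DMZ host on 1/1/20 (all port numbers are assumptions), and FastIron 08.0.x CLI syntax on the ICX6610.

```text
! Added example configuration (not from the thread). Port numbers are assumed.
configure terminal
!
! One port-based VLAN per SSID. The AP port (1/1/1) and the OPNsense uplink
! (1/3/1) carry every SSID VLAN as tagged members; only tag the VLANs an AP
! actually serves, so a misconfigured or compromised AP cannot inject frames
! into the wired-only segments (40, 60).
vlan 10 name Trusted by port
 tagged ethernet 1/1/1 ethernet 1/3/1
!
vlan 20 name Guest by port
 tagged ethernet 1/1/1 ethernet 1/3/1
!
vlan 30 name IOT by port
 tagged ethernet 1/1/1 ethernet 1/3/1
!
vlan 35 name NIOT by port
 tagged ethernet 1/1/1 ethernet 1/3/1
!
! Wired-only segments: untagged access ports plus the tagged uplink to OPNsense.
vlan 40 name Cameras by port
 untagged ethernet 1/1/10 to 1/1/12
 tagged ethernet 1/3/1
!
vlan 50 name Entz by port
 tagged ethernet 1/1/1 ethernet 1/3/1
!
vlan 60 name DMZ by port
 untagged ethernet 1/1/20
 tagged ethernet 1/3/1
!
vlan 100 name Work by port
 tagged ethernet 1/1/1 ethernet 1/3/1
!
! AP management address. The AP itself sends its management traffic untagged.
! On FastIron a port that is only a tagged member of other VLANs stays an
! untagged member of the default VLAN 1, so with Mgmt on VLAN 1 (colinb's plan)
! nothing more is needed: untagged frames from the AP land in VLAN 1.
! If management should instead live on a non-default VLAN (Jason's VLAN 10
! case), make the AP port dual-mode in that VLAN so untagged frames go there:
!   vlan 10
!    tagged ethernet 1/1/1
!   interface ethernet 1/1/1
!    dual-mode 10
!
write memory
```

After applying it, `show vlan` lists every VLAN with its tagged and untagged ports; check that each AP port appears as tagged only in the SSID VLANs it should serve, that the uplink is tagged in every routed VLAN, and that the AP's management address is reachable on the VLAN you intended (VLAN 1 by default, or the dual-mode VLAN if set). Matching VLAN tags must then be created on the OPNsense side on the 10GbE interface, and the inter-VLAN firewall rules colinb mentions go on those VLAN interfaces.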