cancel
Showing results for 
Search instead for 
Did you mean: 

H510 - SSIDs isolated to individual switch ports

scott_christoph
New Contributor II
I've seen similar questions asked, but this is a bit of a unique setup.

I want to be able have 4 SSIDs, we'll say 1-4, SSID 1 is isolated to port 1, SSID 2 to port 2 and so on.  The goal being that if a client connects to SSID 1, they can only traverse the network connected on port 1.

I've used the 7343 units prior for this scenario and it works fine using the easy VLAN wizard/visual grid selection.  Basically it's a 1 to 1 mapping between SSID and switch port, I just make the SSID a member of one port and make it a non-member of the other ones.  Nice and simple.

The interface all changed with the H510, but I'm hoping the same thing can be accomplished.

I'm not quite sure which combination of settings on the SSID for the Access VLAN/packet forward and the ethernet ports page will accomplish this.  Some of the settings I choose seemingly revert, like setting packet forwarding to isolated just kicks it back to forward to WAN.  This may not matter given what I'm trying to do, but thought I'd mention it.
4 REPLIES 4

robert_lowe_722
Contributor III
The ports on the underneath of the H510 aren't backhaul ports they are LAN Edge ports designed to be connected to things like IPTV or a PC. The rear port is the backhaul port so if you assign a VLAN per SSID then you need to add all 4 VLAN's (+1 management) to a trunk link between this port and a switch port. You can statically assign the ports to be on the same VLAN as the SSID's so a wired device can communicate with wireless clients on the same VLAN but i dont think thats what you are asking about.

Interesting, so there is a fundamental restriction (given my intent) present in the 510 that doesn't exist with the 7343's?  

The last scenario you give is pretty much what I'm asking.  A client connected to WLAN 2 that is tied to VLAN 2 defined on the ruckus with a LAN port part of VLAN 2 on the rucks should only pass traffic to and from that lan port, correct?

A client connected to a WLAN associated to VLAN 2 could communicate with a wired client connected to a LAN port on the H510 configured to be 'untagged' in VLAN 2 yes. However, that port is not a backhaul port but an edge port so for internet access etc, you would need to have VLAN 2 configured on the port 0 (rear) which is uplinked to wider LAN and gateway.

scott_christoph
New Contributor II
An update on this:  I found a solution, but had to use the unleashed firmware. 

So I pretty much gave up on the standalone firmware as it seemed incredibly buggy.  Like I mentioned before, with the reverting settings and seemingly no clear documentation about what each setting really did, it seemed like this was a no-go.  Even with Robert's helpful reply I guess I didn't make it very clear exactly what I was trying to do, but the suggestion of having all VLANs go through the back haul port was not what I was after.

I was able to get this working by waiting for the 2007 version of the unleashed firmware, which as promised, delivered VLAN port management for the H series APs.  The documentation for this by the way was phenomenal.  Read over it really quick and instantly knew what settings needed to be changed.  Kudos to whoever or whichever team wrote it.

I simply had edit the group for the "Access Points" section, go to the "other" tab, select the drop down next to "Model Specific Control" and choose the H510.  A "Edit Port Setting" button then magically appeared which allowed me to modify the ports, associated vlans and all that good stuff.  I changed each port to "Access Port" then gave each port a unique Untag VLAN ID which doesn't live outside the H510.

Once set, I went to the wireless SSID's I created and edited each one to be part of the associated VLAN I made on the switch earlier (advanced settings, WLAN Priority).  So WLAN 1 is tied to the "back haul" port since I'm powering it over POE which is plugged into an upstream switch on the 192.168.0.x subnet.  WLAN 2 is tied to LAN 1 (which is VLAN10 on the H510) and the 192.168.1.x subnet (another switch) and WLAN 3 is tied to LAN 2/VLAN 20 and the 192.168.2.x subnet.  The upstream switches and devices are not configured for VLAN ID 10 or 20, these only live on the H510 and only act as a means of isolating SSIDs to the respective ports.

When you connect a device to WLAN 1 SSID, it gets a DHCP address from the DHCP server sitting on the 192.168.0.x subnet.  When you connect to WLAN 2 you get a 192.168.1.x. So on and so forth.  No clients on any of the WLANs can communicate to the other subnets, unless of course I build routes further out on the network, but the point is the H510 doesn't bleed anything.

Hopefully this helps someone else. I know it's a unique setup, as people seem to only use the ports for a wired client device, but here is how you can set it up to act as a wireless bridge to separate and distinct wired networks.