Management VLAN on R550 unleashed

Nabla
New Contributor

Greetings.

I have just acquired R550 unleashed, which I have paired with a Netgate router. The system is up and running and works just fine. R550 is running unleashed 200.15.6. WLANs have VLAN ids, and they are routed correctly.

For security reasons, my network devices -- router and access point (AP) -- should only be managed from Ethernet (management interfaces cannot be accessed from WLAN). With my previous AP model this was achieved by setting a management VLAN id in the AP, and setting appropriate interfaces and firewall rules in the router.

My main question is: How can this be achieved with R550 unleashed? This leads to a series of related questions.

The management interface seems to exist for this purpose. It allows me to "Enable IPv4 Management interface" and "Enable VLAN for Management Interface." However, if I enable IPv4 management interface and enable VLAN, I also have to specify "IP Address" and "Netmask." Furthermore, the text on the page instructs to "Please set the IP address in the same subnet with the device IP address if VLAN is disabled."

1. I know that the idea of specifying a management IP address is that if you have multiple APs and one fails, another one can take over using that specified address. This is where my limited networking knowledge fails: since the router is responsible for handing over the IP addresses via DHCP, how should this be specified in the router? Should the router provide a static IP (management IP) in addition to the dynamic one for the MAC address of the AP? How would this work if I had multiple APs?

2. What does the reservation "... if VLAN is disabled" mean? VLAN would not be disabled, so can I put any random address and netmask here, and management access will be based on VLAN only?

3. At the moment I can manage the AP from the Ethernet side with an untagged interface (no VLAN id). Does this already achieve the target of management via Ethernet only?

I dare not run too many experiments with questions 1 and 2, since I might lock myself out from the AP.
