So I already discovered, by reading these forums, the DHCP bleed issue with VLANs on the 4400Ns. So I thought, no problem, I'll just use the 4400N to provide DHCP to my two VLANs, and then a new problem cropped up. I am unable to add a default route to the 4400N's DHCP server. It uses the 4400N's VLAN IP as the default route. What I'm trying to ultimately achieve is to configure the 4400N as an access point for our "private" network on VLAN 1 and also "guest" access to the internet on VLAN 2.
What you're trying to achieve can be done with ACLs in your firewall settings. I posted this before, but now I am posting with a better image. You need at least 2 VLANs to do this. I use 3 in the image because I didn't want to use VLAN 1 on any of the wireless SSIDs, to avoid future config complications. VLAN 1 is the default on most other VLAN devices. Get your SSID connected to your VLAN in the wireless config. Then go to firewall settings, go to ACLs and follow the image. That will separate your private and public networks, allowing private onto your internal network. In this example 192.168.2.0 is public and 192.168.3.0 is private. 192.168.77.0 is the private network/internet source. Make sure to have the cable of the internet source plugged into the WAN port of the WRVS4400N.
In my case, the private wifi is 192.168.2.x on VLAN 1 and the public wifi is 10.0.7.x on VLAN 2. I have two different SSIDs, one pointing to each VLAN. I have a server on the 192.168.2.x network providing DHCP services to devices connected via the private wifi, but devices connected on the public wifi pick up that DHCP as well, which isn't supposed to happen. Coincidentally, if I shut down DHCP on the server running it and let the 4400N provide DHCP, then this DHCP "bleed over" to the public wifi does not happen. This is a known "limitation" (what Cisco calls it) on the 4400Ns. I'll have to experiment with ACLs to see if that helps at all, though I would expect that it would not.
Hmm. I don't think I'm experiencing the bleed; however, I was not aware of that limitation. I guess I should keep my eye out. I'm not sure, but I believe DHCP is one of the options in IP ACLs. In my setup I use the VLAN to give DHCP on both networks. No reports of any problems. I do have the private network secured with MAC control and a password. Is there any way I can test that bleed over?
Yea, I see that, but I still don't see anyone using ACLs to limit communication between networks. What I did is set up 2 additional networks, so now the WRVS4400N has 3 networks including the WAN port, which is your internal network. The router allows communication between the 3. Use the ACL to filter your public network, which I believe includes DHCP communication. Your private clients don't really need your internal DHCP IP; they use the DHCP from the WRVS4400N, which is different from the internal DHCP IP, but because there are no filters in your ACL between these 2 networks they communicate.
Now that I think back, I did have the bleed problem, and that's what made me think about ACLs. The router intercommunicates between VLANs. I get the feeling the VLANs on this router are more for communicating with other VLAN devices. You do need to create new VLANs in order to create new networks and connect SSIDs to the VLAN. From my experience you will not get it to work without ACLs. I do see that button that is "disable inter-VLAN communication" (something like that); that button does not accomplish what you want to do, even though it should.
I just configured ACLs and I still have the bleed over issue. Maybe I don't have the ACL configured properly, I don't know. My private network is 192.168.1.x and my public network is 10.0.7.x. Anyone connecting to the public network SSID is getting DHCP from the private network IP range. Here is my ACL screenshot:
First edit the current configuration source interface to ANY on both ACLs you created. If I got it right, you must have a private internal network of 192.168.1.0. You created 192.168.2.0 for the private SSID to communicate with network 192.168.1.0, and 10.0.7.0 will be for public. To stop the bleed, create another ACL that will be DENY ALL ANY 10.0.7.0/255.255.255.0 to 192.168.1.0/255.255.255.0. Do that first so you can see it stops the bleed. Now this will also cut all the communication between these 2 networks. To allow your public to get internet, just follow my example where I allowed the HTTP, HTTPS, and DNS protocols through to the private network and cut all others. In your basic settings the 2 networks of the VLANs you created should be 10.0.7.0 and 192.168.2.0. You do not need to create one for 192.168.1.0. That comes from your WAN as long as you have the 192.168.1.0 cable plugged into the WAN port of your WRVS4400N. I gotta step out for a sec; I will be back later.
No, my private network is 192.168.2.0. There is a DHCP server on that network providing TCP/IP addys in the range 100-250. My 4400N is plugged into that network via port #1 on the 4400N. I have port #1 assigned to VLAN 1. My private SSID is also assigned to VLAN 1. Port #4 on the router is assigned to VLAN 2 and is plugged into the 10.0.7.x network. That network also has its own DHCP server providing addys in the range of 10.0.7.100-250. My public SSID is also assigned to VLAN 2. I will try changing the ACL again and see what happens.
Just completed a simple test with just one ACL rule to deny all from any service, any interface, to 10.0.7.0/255.255.255.0. I still get DHCP bleed over from the 192.168.2.0 network. I guess it is just not possible with these routers.
Trust me, it does work. I have 2 that work just like I need them to. I purchased these with the same goal you have. I need to step out for a couple of hours, and when I get back I will PM you my phone #. I will walk you through it. I will say your current config won't work. What I had to do is set up 2 separate networks for my wireless, i.e. 192.168.3.0 and 10.0.7.0. Your internal network is 192.168.2.0. I plugged a cable from 192.168.2.0 into my WAN port. At this point all 3 networks are communicating. I used ACLs to limit the 10.0.7.0 network to web access only. In my experience, if you don't put your internal network, i.e. 192.168.2.0, into the WAN port, I could not get it to work. I will be back soon; we can get it to work.
Yes, this has been a big problem since the beginning and can't be resolved. In some situations this scenario has worked.
Vlan 1 – DHCP enabled on router
Vlan 2 – DHCP can be disabled
Again this is using the router as the GW router.
I have advised customers that wanted to use it as a AP only to configure the router this way.
(GW router) Local network → WAN port of 4400N
Configured 4400N in router mode
Vlan 1 – 192.168.5.0/24 DHCP enabled
Vlan 2 – 192.168.16.0/24 DHCP enabled
Add 3 firewall rules
Allow GW source to destination vlan 1(corp) source interface WAN
Deny GW source to destination vlan 2(guest) source interface WAN
Deny Guest source to destination GW source interface LAN
Now you are able to add ACLs to stop guest traffic talking to corporate traffic.
Basically this configuration is setting up another router behind your GW just for allowing wireless access.
You'll need two static routes in your GW router.
Also, none of the Cisco Small Business Routers allows LAN-to-LAN ACLs.
Hope this helps,
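To make the effect of the rule set in the post above concrete, here is an added example that is not from the thread or from Cisco: a small first-match ACL evaluator run over constructed sample flows for the three firewall rules listed (plus the guest-to-corporate deny the post says you can then add). The upstream GW network address is not given in that post, so 192.168.77.0/24 from the earlier reply is reused as a stand-in; top-down first-match evaluation and an implicit allow when nothing matches are assumptions, based on the thread's statement that the router forwards between its networks unless an ACL stops it.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing, following the post: VLAN 1 is corporate, VLAN 2 is guest.
# GW_NET is an assumption (reused from an earlier reply); the post does not state it.
GW_NET = "192.168.77.0/24"
CORP_NET = "192.168.5.0/24"    # Vlan 1 in the post
GUEST_NET = "192.168.16.0/24"  # Vlan 2 in the post

# Rule fields: action, source interface, source network, destination network.
# Rules 1-3 are the three firewall rules from the post; rule 4 is the extra
# guest-to-corporate ACL the post says you can add once those are in place.
RULES = [
    ("allow", "WAN", GW_NET, CORP_NET),     # 1: GW -> corp, source interface WAN
    ("deny",  "WAN", GW_NET, GUEST_NET),    # 2: GW -> guest, source interface WAN
    ("deny",  "LAN", GUEST_NET, GW_NET),    # 3: guest -> GW, source interface LAN
    ("deny",  "LAN", GUEST_NET, CORP_NET),  # 4: guest -> corp (added ACL)
]


def first_match(rules, iface, src, dst):
    """Return (index, rule) of the first rule matching the flow, or None.
    Assumes top-down, first-match evaluation."""
    s, d = ip_address(src), ip_address(dst)
    for i, (action, rule_iface, src_net, dst_net) in enumerate(rules):
        if rule_iface != iface:
            continue
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return i, rules[i]
    return None


def decide(rules, iface, src, dst, default="allow"):
    """Verdict for one flow. The implicit allow is an assumption taken from the
    thread: the router passes traffic between its networks unless an ACL stops it."""
    match = first_match(rules, iface, src, dst)
    return default if match is None else match[1][0]


# Constructed sample flows (source interface, source IP, destination IP).
FLOWS = [
    ("WAN", "192.168.77.10", "192.168.5.20"),   # upstream into corporate VLAN
    ("WAN", "192.168.77.10", "192.168.16.20"),  # upstream into guest VLAN
    ("LAN", "192.168.16.20", "192.168.77.10"),  # guest toward upstream
    ("LAN", "192.168.16.20", "192.168.5.20"),   # guest toward corporate
    ("LAN", "192.168.5.20", "192.168.77.10"),   # corporate toward upstream
    # A DHCP DISCOVER from an unconfigured client is sent from 0.0.0.0 to the
    # limited broadcast 255.255.255.255, so it falls in none of the subnets above.
    ("LAN", "0.0.0.0", "255.255.255.255"),
]


def report(rules=RULES, flows=FLOWS):
    """Evaluate every sample flow and return (iface, src, dst, verdict) tuples."""
    return [(iface, src, dst, decide(rules, iface, src, dst)) for iface, src, dst in flows]


if __name__ == "__main__":
    for iface, src, dst, verdict in report():
        print(f"{iface:3} {src:>15} -> {dst:<15} {verdict}")
```

The last sample flow is the point worth noticing: a client's DHCP DISCOVER is addressed 0.0.0.0 to 255.255.255.255, so a rule set scoped to the three subnets never matches it and the evaluator falls through to the default. That is consistent with the post relying on the router's own DHCP server on each VLAN rather than on an ACL to keep DHCP answers inside the right network.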