WRVS4400N: WLAN, multiple SSID, and VLANs

jgardner
Level 1

Equipment

Four-port sDSL Modem / Router with public internet /29 network

Cisco WRVS4400N Wireless-N Gigabit Security Router (Version 2)

Linksys 48-port switch for internal network

Windows DHCP server on internal network

Current Configuration

The DSL Modem/Router is configured to use public internet addressing in a /29 network.

The WRVS4400N (aka Cisco) is currently configured to provide one network (192.168.5.0/24) for corporate use.

-- Wireless disabled

-- Cisco WAN Port is configured with a valid public, static IP on the /29 network, patch cable connected to one DSL LAN port.

-- Cisco LAN is configured as 192.168.5.1/24, patch cable connected from one LAN port to Linksys switch.

All corporate equipment, including internal servers, is connected to the Linksys switch.

Desired Configuration

I would like to enable the wireless on the Cisco with multiple SSIDs, one for private use (192.168.5.0/24), and one for guest access (192.168.?.0/24).

I do not want the guest SSID to have any access to the private network and vice-versa. This seems to be a common request and a common problem, but no easy solutions.

What I have tried so far

I enabled wireless and created two SSIDs, one private and one guest, both with WPA2-PSK security.

I created a second VLAN (2) on the router and configured it on the LAN page as a 192.168.10.0/24 network with DHCP enabled.

I disabled Inter-VLAN Routing to prevent communication between the two VLANs.

I enabled SSID Isolation on both wireless networks.

I enabled VLAN in the wireless settings, then entered "2" in the VLAN ID field for the guest SSID.

I left the AP Management VLAN as 1, and the private SSID as VLAN 1.

And voila, it worked! For a few minutes.

As soon as any device was connected to the guest SSID, the device would get an IP address in the correct range. Suddenly, the private network would fail, and the Cisco router could not be accessed from any device or port until it was rebooted. Once the Cisco router restarted, everything would work again until someone connected to the guest network again. The switched environment (i.e., everything on the Linksys switch) continues to work, but any attempts to access the internet would fail.

There must be something that I am missing... anyone have any insight or ideas?

Please let me know if you need any additional information.

Thanks!

Jon

3 Replies

doug_counsil
Level 1

Have you tried disabling SSID Isolation on the private wireless network? If you make that change you will have a similar setup to the one I had for many months with my WRVS4400N v2. I did extensive testing with that configuration and found that VLAN 1 (guest network) was never able to access VLAN 1 (private) *that I was aware of*. The only quirk I found was that if I connected wirelessly to the guest network (received an IP from VLAN 2), I would maintain that IP even after disconnecting that connection and connecting to the private network wirelessly.

jjosephmn
Level 1

This can be done with an ACL in your firewall settings.

Here is an example. 192.168.2.0 is public and 192.168.3.0 is private.

jgardner
Level 1

I discovered that the router is holding on to some settings erroneously, which seem to "activate" when trying to make a connection on another VLAN, regardless of whether it is wireless or not. Rebooting the router caused it to work again, until again connecting to any VLAN except VLAN 1.

Evidence is available in the router.cfg file, which may be produced using the "Backup" menu option. Here's an excerpt from the LAN settings portion of the file:

lan_ipaddr=192.168.5.1 lan_netmask=255.255.255.0 lan_bipaddr=192.168.1.255 dhcp_server_enable=0

It doesn't seem to matter what screens I edit or what I do in the router, the above information always appears in the config.

I think the next step will be to upgrade the firmware, then reset the router to default values and reconfigure it completely from scratch. Ugh.
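
The check below is an added example, not part of the original post or of Cisco's tooling: it reads a router.cfg backup and compares the stored lan_bipaddr with the broadcast address implied by lan_ipaddr and lan_netmask, using the excerpt quoted above as sample input. Only those key names come from the post; treating the rest of the file as whitespace-separated key=value tokens is an assumption.

```python
import ipaddress

# Sample input: the excerpt quoted in the post above. The whitespace-separated
# key=value layout of the rest of router.cfg is an assumption.
SAMPLE_CFG = (
    "lan_ipaddr=192.168.5.1 lan_netmask=255.255.255.0 "
    "lan_bipaddr=192.168.1.255 dhcp_server_enable=0"
)


def parse_cfg(text):
    """Return a dict of key=value tokens; tokens without '=' are ignored."""
    settings = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep and key:
            settings[key] = value
    return settings


def check_lan_broadcast(settings):
    """Compare the stored broadcast address with the one implied by
    lan_ipaddr/lan_netmask. Returns (ok, expected, stored)."""
    try:
        iface = ipaddress.IPv4Interface(
            f"{settings['lan_ipaddr']}/{settings['lan_netmask']}"
        )
        stored = ipaddress.IPv4Address(settings["lan_bipaddr"])
    except KeyError as exc:
        raise ValueError(f"missing setting: {exc.args[0]}") from None
    expected = iface.network.broadcast_address
    return stored == expected, expected, stored


if __name__ == "__main__":
    ok, expected, stored = check_lan_broadcast(parse_cfg(SAMPLE_CFG))
    status = "consistent" if ok else "MISMATCH"
    print(f"{status}: stored {stored}, expected {expected}")
```

Running the same check on a backup taken after a factory reset and reconfiguration shows whether the stale value survives the reset.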