Message Boards » Tech Talk » Linux, InterVLAN Routing, and Cisco Switches
jayesseff
All American
1313 Posts

So what I have is a wireless access point that supports 802.1q tagging on multiple SSIDs. I have enabled tagging on 2 SSIDs and given them tags for VLAN 10 and VLAN 20. Right now, the AP is connected directly to a Linux box running ClearOS (very similar to Red Hat). The Linux box has 2 NICs, one for LAN and one for VLAN.

I have set up VLAN 10 and 20 on the Linux box and enabled a DHCP server for each VLAN. I have the correct drivers for my NIC to enable tagging and have enabled IPv4 forwarding and 8021q on the Linux box. I am able to connect to either SSID, pull a DHCP address from the correct pool, and access the internet - hooray!

The problem is, I don't want VLAN 10 to be able to communicate with VLAN 20. I assume this has something to do with iptables - which I have been googling about all morning. I'm hoping one of you fancy Linux-using wolfwebbers can spit out some rule to block traffic.

The odd thing is, it seems that this is usually disabled by default, and you should have to add the rule to allow them to talk to each other; in my case, they all can talk to each other once added.

I'll deal with the Cisco switch portion of this later. For the moment, I'm just trying to get the Linux box and the AP to function as I think they should (i.e., 2 separate VLANs able to see the internet but not each other). The purpose of this, btw, is to have an access point with public internet and private internet that can access our internal network. I don't want the public AP users to see our private VLAN.

I have a layer 3 capable switch if there's an easier way to do this - I'm open to suggestions as long as it doesn't involve buying more hardware.

7/1/2012 1:47:52 PM

Azaka
///Meh
4833 Posts

What kind of WAP is it? Is the Linux box the controller or is it standalone?

The two VLANs can communicate because something is routing between them. I'm not familiar at all with ClearOS but from the wiki page it looks like it's a server/router OS, so you have to stop it from routing between the two.

What kind of L3 switch do you have? With access lists or private VLANs you can easily isolate the one VLAN. I'm not really sure how you would do it on the ClearOS box.

7/1/2012 6:48:17 PM

jayesseff
All American
1313 Posts

I think I figured it out. By default, VLANs route between each other once added. I added some rules to the firewall (iptables) to tell VLAN 10 not to talk to VLAN 20 or the default VLAN, but added an exception for the ClearOS box (using it as a gateway). Works like I'd like it to now. Thanks for the reply.

7/1/2012 11:16:01 PM
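The kind of rules the last post describes, as an added example that is not from the thread or from ClearOS: DROP rules in the FORWARD chain so VLAN 10 cannot be routed to VLAN 20 or the untagged private LAN, while traffic to the box itself (DHCP, DNS, the gateway address) still reaches the INPUT chain and so needs no explicit exception. Interface names eth1.10, eth1.20 and eth0 are assumptions; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's or ClearOS's own firewall script.
# Assumed layout: eth1.10 and eth1.20 are the 802.1q sub-interfaces for
# VLAN 10 (public) and VLAN 20 on the "vlan" NIC; eth0 is the untagged
# private LAN. IPT=echo turns this into a dry run that just prints rules.
: "${IPT:=iptables}"
VLAN10_IF=eth1.10
VLAN20_IF=eth1.20
LAN_IF=eth0

# Block routed traffic between the public VLAN and each private segment,
# in both directions. Only forwarded packets traverse FORWARD; packets
# addressed to the ClearOS box itself go to INPUT, so DHCP, DNS and the
# default gateway keep working without a separate allow rule.
# -I puts the DROPs ahead of any blanket ACCEPT the distribution
# firewall already installed, which is why "they all can talk" by default.
isolate_vlan10() {
    for peer in "$VLAN20_IF" "$LAN_IF"; do
        $IPT -I FORWARD -i "$VLAN10_IF" -o "$peer" -j DROP
        $IPT -I FORWARD -i "$peer" -o "$VLAN10_IF" -j DROP
    done
}

# Verification: rule order and the per-rule packet counters. A client on
# VLAN 10 pinging a VLAN 20 host should bump the DROP counters, not the
# ACCEPT rule below them.
show_forward_chain() {
    $IPT -L FORWARD -v -n --line-numbers
}

# Apply only when explicitly asked (needs root): sh isolate.sh apply
case "${1:-}" in
    apply) isolate_vlan10 && show_forward_chain ;;
esac
```

Matching the subnets instead of the interfaces would also work, but interface matching holds even if a public client forges a private source address.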

© 2024 by The Wolf Web - All Rights Reserved.