VLAN and Guests Network

NethServer Version: NethServer release 7.9.2009 (final)
Module: Network

Hello all again, it's been a while! I will be online more often now, since I'm back to networking and Linux.

My network is simple:
Red Interface (192.168.0.x) <- em1
Green Interface (172.16.1.x) <- br0
It's all working fine, but my client needs a Guests Network now. I normally would add a new NIC and set up a Blue Interface, but that is not possible: old server and other issues.

I was thinking about a VLAN, as he has a D-Link DGS 1210-24, it's a smart switch, and his Access Point has the option to add a new SSID bound to a VLAN ID.

So, this is the first time I do this! :laughing:

At first I thought:
Set a new Blue Logic Interface as VLAN.
Tag: 8 (why? why not, my lucky number lol)
Interface: br0

Enabled DHCP on that

And would go to the AP, set the VLAN ID to 8, and voilà… it would work…

But no… lol. Then I managed to get into the switch and played around with the VLAN stuff, and I lost access to it :laughing:

Now I will have to reset, and I ask you guys: what should I follow and read to make this work?

Thanks in advance, and I missed all that (servers and networking)

Lol, and of course this community! :slight_smile: :grinning:


Hello Walter

And welcome back!

I’d always evade vLANs 0 and 1 (One is a placeholder for all non-tagged vLANs). Using these two is asking for trouble! vLAN8 is quite OK!

Your client's switch (the D-Link?) needs to support vLANs (8!), at least on one NIC and only on that one. Your switch does not need to know about the vLAN, it just passes through your switch.

This should work (Lockout of hardware not counted!).

I’m using something similar at home, but I’m not using NethServer as my Firewall.

I’m using OPNsense on PCengines - might be an option for you. PCengines are reasonably priced, with Quad Core AMD CPU, 4 GB RAM, 4 Intel NICs and a 120 GB SSD costs about $150 …

And you did mention an old server with a few issues… :slight_smile:

(See the APU4D4, at the moment sold out (again), but in Stock middle of January.)

The red is my main firewall, the black is a test device, with WLan (Can be used as WLan client or AP)

My 2 cents


Oh, it's an old but powerful server, a Dell T410, but I can't find a NIC that fits well there, and honestly I don't want the trouble of a new network cable; for that to happen at that client I need to sacrifice my weekend, or part of it…

Hmm, on the switch side, I need to say that one port will be used for my VLAN, right? The one I created on NS; I don't need to create a VLAN there, right? But I need to say, for example, that port 21, where my Access Point is connected, will use vLAN ID 8, right?
Like this:

Btw, this access point already has an SSID without a VLAN, will it still work?

Anyway, the router is down now, can't do anything; tomorrow I'll get back to ya if that worked! :slight_smile:
Thanks a bunch! Where do I send the beer?

Duuuuuuude, learned two things with you… these awesome machines… and https://opnsense.org/, very good stuff, will test that out!


All those devices without a vLAN will work as expected (as before).
Your NethServer will have LAN and a vLAN, so two Interfaces, both leaving on the same cable.
Only a device with a “Tagged” port can connect to your Nethserver, this will be your clients router!

If it works as expected, you can tick the solution button below each post - you created this post, you’re the one who can say it’s solved my problem. This can help others in a similar situation!

As you can see from my Profile (Click on my picture…), I’m located in Switzerland…
Sending a beer might entail higher postal costs than the beer itself!
But if you insist, you can always use Paypal… ( aw AT paypal.com )…

And don’t forget: Our Motto here is: Only questions NOT asked are stupid questions!
Anytime stuck, or needing a pointer, don’t hesitate to ask!
After all, the great community here is what makes this forum special!

My 2 cents


BTW, where are you located, if I may ask?

This is OPNsense's GUI, with a Dark Mode Theme…

Part two, where you can see who’s logged in with OpenVPN… :slight_smile:


The APU4D4 is good for Internet up to about 400 MBit/S.
It never gets hot, only mildly warm.
No moving parts, in that sense good WAF (Wife acceptance factor) :slight_smile:
I use these at almost ALL my 25-30 clients I support, from 5-40 users / Site!

If you need high availability or WAN Failover, these boxes & OPNsense can handle it!

And: OPNsense is completely free, there are no enterprise versions with more features!
This is NOT pfSense! (Claiming Open Source and showing off a Git repo - which will NEVER compile!).

My 2 cents

Yes, will do it tomorrow prolly! :slight_smile: Oh well, I went to Schweizerschule Curitiba here in Brazil, need to visit sometime! :slight_smile:

I left this awesome community to try and open a coding school here in Brazil; the pandemic made me leave that dream for a while at least, so back to putting Microsoft out of business again! :laughing:

I will try to contribute and help as much as possible here again! Thanks again!

1 Like

Nice! Will try that on some clients that only want a firewall solution and not an entire NethServer environment.

Also good to know:

OPNsense can handle OpenVPN and IPsec easily. I tend to use IPsec for site2site, and OpenVPN for Roadwarrior-VPN.

That box can handle 20 or more connections…

1 Like

I just use OpenVPN, never had site2site with my clients…

I do have clients with 3 or more sites. The one with 3 sites is a state organization, 40 users at one site, about 55 all in all. And all log in to one virtualized NethServer (AD).

Pretty cool!

You can do site2site with OpenVPN, right?

Yes, you can do RoadWarrior and Site2Site with both (IPsec and OpenVPN).
However, site2site scales better with IPsec, and as I mostly use it for Out of House (Off-Site) Backups - to the boss's home, the performance is welcome!

1 Like

Well, to do as I said I had to create the VID on the switch:

I set the port where my Access Point is connected as Untag.
Then I was able to do it like this:

As a result I lost access to my access point! :laughing: At least I know I did something to that port!

1 Like

It might have been easier to just use the vLAN Tag on your WLan-AP, instead of on the switch!

As I said earlier, the Switch doesn’t even need to know about the vLAN…

1 Like

Oh, that simple? Will try that out now.

As the switch doesn’t know about vLANs (specifically vLAN8), the traffic just passes through the switch, just like the traffic when you’re surfing the net…

A switch has options of Tagging Ports, or using unTagged Ports. If you “Tag” a port, ONLY vLAN traffic goes thru, it ignores all other traffic.

1 Like
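
A small model of how an 802.1Q-aware switch treats the port settings discussed in this thread, added here as an illustration; it is not code from any poster, from D-Link or from NethServer. It assumes the switch enforces VLAN membership on ingress and egress, and the port names, PVID values and the "attempted" layout are assumptions about the setup.

```python
from dataclasses import dataclass, field

GUEST_VID = 8  # VLAN tag chosen in the thread

@dataclass
class Port:
    pvid: int = 1                                # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs sent out without a tag
    tagged: set = field(default_factory=set)     # VLANs sent out with an 802.1Q tag

    def member(self, vid):
        return vid in self.untagged or vid in self.tagged

def forward(ports, in_port, frame_vid):
    """Flood one frame; return {egress_port: tag_or_None}.
    frame_vid is None for an untagged frame, else the VID it carries."""
    src = ports[in_port]
    vid = src.pvid if frame_vid is None else frame_vid
    if not src.member(vid):                      # ingress filtering drops it
        return {}
    return {name: (vid if vid in p.tagged else None)
            for name, p in ports.items()
            if name != in_port and p.member(vid)}

def deliver(ports, src, dst, frame_vid):
    out = forward(ports, src, frame_vid)
    if dst not in out:
        return "dropped"
    return "untagged" if out[dst] is None else f"tagged {out[dst]}"

def attempted():
    # Assumed layout: AP port made an untagged member of VLAN 8 only.
    return {"nethserver": Port(1, {1}), "pc": Port(1, {1}),
            "ap": Port(GUEST_VID, {GUEST_VID})}

def trunked():
    # AP and NethServer ports: untagged in VLAN 1 (LAN/management), tagged in VLAN 8.
    return {"nethserver": Port(1, {1}, {GUEST_VID}), "pc": Port(1, {1}),
            "ap": Port(1, {1}, {GUEST_VID})}

def report(ports):
    return {"pc_manages_ap": deliver(ports, "pc", "ap", None),
            "guest_to_nethserver": deliver(ports, "ap", "nethserver", GUEST_VID),
            "guest_leaks_to_pc": deliver(ports, "ap", "pc", GUEST_VID) != "dropped"}

if __name__ == "__main__":
    for name, build in (("attempted", attempted), ("trunked", trunked)):
        print(name, report(build()))
```

In this model the "attempted" layout cuts the AP's untagged management traffic off from the LAN, while the "trunked" layout carries both the LAN and the guest VLAN on the same cable and keeps guest frames away from LAN-only ports.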

I might be doing something wrong on the NS side, since the AP is quite simple:

My new SSID won't distribute the DHCP that I set.

On the NS:


Oh weird, I just noticed the CIDR is 192.168.8.x

Created another VLAN with ID 9… and IP 172.16.9.x, will test that out.