VLAN – My tagged vs untagged configuration in the switch is not working as I expected.


My topology is pretty simple, although dumb; I'm thinking of fixing it later.

The goal:

Pretty straightforward,

Short Version:

I want to create a VLAN for my guest wifi so people connecting to this WiFi don't have access to my server.

Long Version:

I originally had set up two WiFi networks, one for the guests and one for my internal network. Now what I want is to separate them, so that people connecting to my guest WiFi are not able to access computers or my servers connected to my internal network. The solution, from the research I have been doing, is to create a VLAN for just the guest network so that it will be isolated.

My setup:

I have 2 gateways connected to my switch (ports 1 and 2)

[screenshot: network topology]

The Palo Alto gateway is the gateway that has the DHCP server for my internal network, and the Unifi Security Gateway is the one containing the DHCP server for my guest network (I know, I should have only one gateway, but I just want to get this fix done fast by adding another gateway and a VLAN for just the guests for now).

Now, the problem is tagging those ports in the switch. As you can see here in the configuration of the VLANs inside the switch:

[screenshot: switch VLAN configuration]

This configuration works, but I don't know why. In my opinion it should be Tagged for port 2 in VLAN 99 and Excluded in the default VLAN, but if I do that I can connect to the guest WiFi but I can't get an IP address, so the DHCP server on the Unifi gateway fails. Can anybody help me with this one? Thank you!

Best Answer

The simple setup is to only use tagging on the trunk between the switch and the Unifi gateway. Your default/production VLAN runs untagged while you tag the guest VLAN. This must be the same on the switch and the Unifi. On the WAP ports, just use the guest VLAN untagged.

However, this puts your WAPs' management completely inside the guest network. If you want to avoid that, use the same VLAN trunks - production untagged, guest tagged - with the WAP ports (on both switch and WAP side) and associate the guest VLAN with the guest SSID.

It seems that you've tried the latter setup but you reversed the tagging for the Unifi - if it's the same on the Unifi side it's fine but I wouldn't do it that way.

I don't know your hardware, so I can't give any more specific advice, sorry. And I can't make too much sense of the screenshot either. If you think you've already got the setup right, you should provide a table with the settings.
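To make the "must be the same on both sides" point concrete, here is a small 802.1Q port-membership model that traces the guest DHCP exchange through the switch for the three port-2 configurations discussed above: the trunk the answer recommends (production untagged, guest tagged), the asker's attempt (tagged 99 and excluded from the default VLAN) and the asker's working screenshot (guest untagged). This is an added example, not code from the original post or from any switch or Unifi product. It assumes the default VLAN is VLAN 1, that the Unifi gateway sends guest frames untagged in the screenshot configuration (the "reversed tagging" the answer refers to), and that a port excluded from every untagged VLAN drops untagged frames on ingress, which is common behaviour but varies by vendor. Port names and the server/WAP ports are constructed for the example.

```python
"""Simplified 802.1Q port-membership model (added example, not from the post).

Each switch port has a PVID (the VLAN assigned to untagged frames arriving on
it; None means the port is "Excluded" from every untagged VLAN) and a set of
VLANs it carries with an 802.1Q tag. Forwarding rule used here:
  ingress: a tagged frame is accepted only if the port is a tagged member of
           that VLAN; an untagged frame is assigned the PVID or dropped if none
  egress:  a frame in VLAN v leaves port p tagged if v in p.tagged, untagged if
           v == p.pvid, and is not delivered otherwise
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PRODUCTION = 1   # the switch's default VLAN (assumed to be VLAN 1)
GUEST = 99       # the guest VLAN from the post


@dataclass
class Port:
    name: str
    pvid: Optional[int] = None                      # VLAN for untagged frames; None = Excluded
    tagged: Set[int] = field(default_factory=set)   # VLANs carried with a tag


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame into a VLAN, or None if the switch drops it."""
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None


def egress_tag(port: Port, vlan: int) -> Optional[str]:
    """How a frame in `vlan` leaves `port`: 'tagged', 'untagged' or None (not sent)."""
    if vlan in port.tagged:
        return "tagged"
    if vlan == port.pvid:
        return "untagged"
    return None


def deliver(src: Port, tag: Optional[int], dst: Port) -> Optional[str]:
    """Trace one frame from src to dst through the switch."""
    vlan = ingress_vlan(src, tag)
    return None if vlan is None else egress_tag(dst, vlan)


# Ports that are the same in every scenario (constructed for the example).
WAP = Port("wap", pvid=PRODUCTION, tagged={GUEST})   # guest SSID tagged 99, management untagged
SERVER = Port("server", pvid=PRODUCTION)             # access port in the production VLAN
PALO_ALTO = Port("palo_alto", pvid=PRODUCTION)       # port 1 in the post

# The three port-2 (Unifi gateway) configurations discussed in the post.
PORT2_RECOMMENDED = Port("unifi", pvid=PRODUCTION, tagged={GUEST})  # production untagged, guest tagged
PORT2_ATTEMPT = Port("unifi", pvid=None, tagged={GUEST})            # tagged 99, Excluded from default
PORT2_WORKING = Port("unifi", pvid=GUEST)                           # untagged 99 (the screenshot)


def trace(port2: Port, unifi_guest_tag: Optional[int]) -> Dict[str, Optional[str]]:
    """Trace the frames that decide whether guest DHCP works and guests stay isolated.

    unifi_guest_tag is the tag the Unifi gateway puts on its guest-VLAN frames:
    GUEST if it is configured for a tagged guest VLAN, None if it sends them untagged.
    """
    return {
        # DHCP Discover: guest client -> WAP (tags it 99) -> switch -> Unifi gateway
        "discover_to_unifi": deliver(WAP, GUEST, port2),
        # DHCP Offer: Unifi gateway -> switch -> WAP
        "offer_to_wap": deliver(port2, unifi_guest_tag, WAP),
        # Isolation: a guest frame must never be delivered to the server port
        "guest_to_server": deliver(WAP, GUEST, SERVER),
        # Production traffic from the Palo Alto gateway towards port 2
        "palo_alto_to_unifi": deliver(PALO_ALTO, None, port2),
    }


def guest_isolated(production_ports: List[Port]) -> bool:
    """True if no frame in the guest VLAN can leave any of the given ports."""
    return all(egress_tag(p, GUEST) is None for p in production_ports)


if __name__ == "__main__":
    for label, port2, tag in (("recommended", PORT2_RECOMMENDED, GUEST),
                              ("asker's attempt", PORT2_ATTEMPT, None),
                              ("asker's working", PORT2_WORKING, None)):
        print(label, trace(port2, tag))
    print("guest isolated from server/Palo Alto:", guest_isolated([SERVER, PALO_ALTO]))
```

The trace shows why the attempt fails under these assumptions: the WAP's tagged Discover does reach port 2, but the Offer the Unifi sends back untagged has no PVID to land in and is dropped, so no lease is ever delivered. With either matching configuration (both sides tagged, or both sides untagged) the exchange completes, and in all three the guest frame is never delivered to the server port; `guest_isolated` is the check to rerun whenever a production port's tagged set is changed.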
