
18 Messages • 242 Points

Mon, May 17, 2021 7:09 PM

Q regarding IP ranges/routing and SSIDs

Dear all,

I am a (prospective) Ruckus newbie interested in the following setup with a couple of R650’s: the R650's would be connected over 2.5Gb Ethernet to a Mikrotik router 10.1.0.1 offering dhcp within 10.1.0.0/16; 10.1.0.1 is a NAT-gateway towards the Internet.

 

I would then like to span 3 SSIDs (each 5 and 2.4 GHz) over the R650’s:

  • SSID1 should simply bridge to 10.1.0.0/16.
  • SSID2 and SSID3 should be different subnets, say 10.2.0.0/16 and 10.3.0.0/16, and route (no NAT) via 10.1.0.1 towards the Internet. Access to 10.1.0.0/16 should be restricted; access from 10.1.0.0/16 to 10.2 and 10.3 should be allowed.

 

Can this be set up with Unleashed? What would be the preferred way: VLANs for 10.2.0.0/24 and 10.3.0.0/24 with dhcp, firewalling, etc. handled by 10.1.0.1; or SSID1 and SSID2 configured on the master R650 e.g. as Guest WLANs with local dhcp-servers and routing?

 

Thanks a bunch to anyone who cares to read & answer!

 

                Joachim.

Responses

25 Messages • 312 Points

1 m ago

I would suggest letting the router do all the work.  Make 3 VLANs and have each SSID be associated with one VLAN so the Ruckus does nothing but move packets between SSID and the VLAN. Have the router perform routing and enforce inter-VLAN firewall policies.

eizens_putnins

399 Messages • 5.1K Points

It is impossible to route 10.x.x.x networks to the Internet, as these are the private (which means "unroutable") networks, so you must use NAT to connect them to the Internet. You can route between private networks, but the connection to the Internet must be NATed.

And you want all routing and NATing done on the router, so the APs just bridge SSIDs to the proper VLANs, and that's it (no routing or DHCP on Ruckus gear, etc). Mikrotik has rich routing functionality, and Ruckus has brilliantly performing WiFi, so use the best from each and be happy.

(edited)

18 Messages • 242 Points

Sure ... I meant: 10.3.0.0/16 should route, not NAT into 10.1.0.0/16. Finally, 10.1.0.1 will certainly NAT towards the Internet.

18 Messages • 242 Points

@raymond_lau_7402727  Thanks a bunch. Would the other scenario also be possible? I am still struggling to find extensive documentation on configuration options: Is there a way to assign subnets and dhcp-servers to SSIDs on the master router?

25 Messages • 312 Points

While Unleashed has some abilities to support ACLs, isolation of client traffic and QoS (e.g. for voice), my opinion is that it is better to think of an SSID as akin to a switch with VLAN support, only over WiFi. Use those ACL/etc. capabilities to manage traffic between WiFi and wired when on the same VLAN, but let your router do the heavy lifting between VLANs.

There are also some very limited NAT/router capabilities in Unleashed, but they are very limited and not as performant as having a router perform those functions. As such, I haven't invested much time in designing my networks to do more in Unleashed and less in my routers.

Employee • 296 Messages • 6K Points

Hi Joachim,

Ruckus Wi-Fi access points are primarily layer 2 devices (bridges).  There are some L3 functions for management and Gateway mode but they aren't relevant here.

As mentioned by the other respondents, you need to use VLANs to achieve your L3 separation. Each SSID/WLAN will be tagged with VLAN X/Y/Z and each VLAN will be configured on your router with the relevant L3 subnet you require. Wi-Fi clients get their IP address from a DHCP server operating on each VLAN or are statically assigned.

Unleashed can assign a VLAN to each SSID/WLAN.  This is standard practice in enterprise networks.

An example of a similar scenario: https://support.ruckuswireless.com/articles/000001547

HTH,
Darrel.

399 Messages • 5.1K Points

1 m ago

Doing routing, ACLs, etc. in the router is not only faster and better, it is also simpler, as you do all of this in one place, not on each AP. So go with the standard and recommended design: separate VLANs for each SSID, and routing/NATing/etc. for them on the router. Same with the DHCP server for your subnets: use the router for that. It's actually the correct approach for any WiFi system, not for Ruckus only.

(edited)

18 Messages • 242 Points

So, thanks to all! I got the message, I'll leave them alone with layer 2 :-).
Now I just have to find a way to buy some for an acceptable price here in Europe.

Cheers, Joachim.

18 Messages • 242 Points

Here's a short update: With the help of people from Ruckus support/sales I was able to buy two R650s and deployed them last weekend. The hardest bit was to configure the VLANs on my Mikrotik infrastructure; all else was straightforward and it now works like a charm. I wish I had discovered Ruckus earlier...
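
The inter-VLAN policy this thread settles on (10.1.0.0/16 may reach 10.2 and 10.3, the reverse is restricted, everything may go out to the Internet), as an added example that is not part of any poster's message and is not Ruckus or Mikrotik code: a small Python model of a first-match forward chain on the router, showing why the "restricted" direction needs connection tracking so that replies to LAN-initiated sessions still pass. Assumptions: traffic between 10.2 and 10.3 is dropped, connections are tracked per host pair rather than per 5-tuple, and all sample host addresses are constructed.

```python
import ipaddress

# Subnets from the thread; which SSID maps to which is the original poster's plan.
LAN = ipaddress.ip_network("10.1.0.0/16")     # SSID1, bridged to the wired LAN
WLAN2 = ipaddress.ip_network("10.2.0.0/16")   # SSID2, own VLAN
WLAN3 = ipaddress.ip_network("10.3.0.0/16")   # SSID3, own VLAN
INSIDE = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered (src, dst, action) rules for routed traffic; first match wins.
RULES = [
    (LAN, WLAN2, "accept"),    # LAN may open connections into SSID2
    (LAN, WLAN3, "accept"),    # ... and into SSID3
    (ANY, INSIDE, "drop"),     # assumption: nothing else crosses between VLANs
    (INSIDE, ANY, "accept"),   # Internet-bound traffic (NATed at 10.1.0.1)
]

class Router:
    """Toy forward chain with optional connection tracking (hypothetical model)."""
    def __init__(self, rules, stateful=True):
        self.rules, self.stateful = rules, stateful
        self.conns = set()     # (initiator, responder) of accepted connections

    def forward(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.stateful and (d, s) in self.conns:
            return "accept"    # reply to a connection opened the other way
        for rule_src, rule_dst, action in self.rules:
            if s in rule_src and d in rule_dst:
                if action == "accept":
                    self.conns.add((s, d))
                return action
        return "drop"          # default deny

def audit(stateful):
    """Run the thread's scenarios through the rule set (constructed hosts)."""
    r = Router(RULES, stateful)
    return {
        "lan_to_ssid2": r.forward("10.1.0.50", "10.2.0.20"),
        "ssid2_reply_to_lan": r.forward("10.2.0.20", "10.1.0.50"),
        "ssid2_new_to_lan": r.forward("10.2.0.20", "10.1.0.99"),
        "ssid3_to_ssid2": r.forward("10.3.0.7", "10.2.0.20"),
        "ssid2_to_internet": r.forward("10.2.0.20", "203.0.113.10"),
    }

if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", audit(mode))
```

With `stateful=False` the reply from 10.2.0.20 back to 10.1.0.50 is dropped, which is the failure a drop-only rule set produces when no established/related accept precedes it.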
