Unifi gear + network segregation via VLAN

[mastrmind11 722]

Upgraded to a unifi 24 and trying to work out segregating my IoT junk from my LAN using VLANs.  I have what I believe set everything up correctly, but when I try to join the IoT wifi that's VLAN'd as a test, I am unable to connect to it.  I've tried everything I can think of.  I know there are some Unifi guys on here, so curious about your thoughts.

 

Gear:  USG, USW, AP-AC-LR

 

I do run Actiontec MoCA adapters, but according to the internet, they're simply passthrough and are therefore VLAN compatible.

 

Any help would be appreciated.

[Guest asrequested]

Are you making a WLAN or a VLAN on the switch? Or one leading to the other? Have you made any user groups or other rules?

[mastrmind11 722]

Are you making a WLAN or a VLAN on the switch? Or one leading to the other? Have you made any user groups or other rules?

VLAN.  I just created a VLAN Only network in the controller (also tried Corporate), created a new SSID, assigned the VLAN to the SSID.  That's it.  All my switch ports are set to "all" except the uplink to the USG which is set to whatever the default admin VLAN is.  I'm under the impression this should work, I haven't even locked down ports or added FW rules at this point.

Edited September 12, 2018 by mastrmind11

[Guest asrequested]

Well if you're trying to connect wirelessly to new VLAN on the switch, you probably need to configure the AP to direct you there. Otherwise you aren't on the same network. I don't have enough time right now to check on that, but maybe look into making a user group. You haven't made another wireless network, so that may also need to be done, and point it at the VLAN ports. I'm just throwing ideas out, as I'm at work.

[mastrmind11 722]

Well if you're trying to connect wirelessly to new VLAN on the switch, you probably need to configure the AP to direct you there. Otherwise you aren't on the same network. I don't have enough time right now to check on that, but maybe look into making a user group. You haven't made another wireless network, so that may also need to be done, and point it at the VLAN ports. I'm just throwing ideas out, as I'm at work.

Yeah I plan on taking it on this weekend.  Thanks for the suggestions.

[Swynol 375]

i have mine setup like this. 

 

I have 3 vlans

 

vlan 1 - main data

vlan 2 - IOT

vlan 3 - guest

 

 

vlan 1 and 2 are corporate networks with set vlan ids.  then i create a wireless networks for both using their vlan ids.

 

vlan 3 is a guest network, and has a guest wifi assigned to it.

 

switch ports can be set to all. or set to a single vlan with other vlans tagged. so for example, i have some switch ports that are set to 'all' others set to iot only and then other set to vlan1 data but with tagged vlan 3. this means the device can be on either vlan 1 or vlan 3.

 

 

I ran into some issues, for example my sonos speakers on vlan 2. however the controllers are on vlan 1. you have to setup some mDNS stuff to allow certain devices to cross the subnets, but only in one direction.

[Swynol 375]

VLAN.  I just created a VLAN Only network in the controller (also tried Corporate), created a new SSID, assigned the VLAN to the SSID.  That's it.  All my switch ports are set to "all" except the uplink to the USG which is set to whatever the default admin VLAN is.  I'm under the impression this should work, I haven't even locked down ports or added FW rules at this point.

 

uplink to USG i think should be admin vlan as the main. and then the other vlans as tagged. otherwise the iot devices wont be able to contact your dhcp (USG)

[Guest asrequested]

I may finally get around to creating other networks. I may look at making a SAN.

[mastrmind11 722]

uplink to USG i think should be admin vlan as the main. and then the other vlans as tagged. otherwise the iot devices wont be able to contact your dhcp (USG)

Ahh. That might be it. Never tagged the other vlans. Thanks for that. Also where is mdns, I can't find it anywhere and I've looked quite a bit. Thanks

 

Sent from my SM-G965U using Tapatalk

Edited September 12, 2018 by mastrmind11

[mastrmind11 722]

Tagging (or the unifi equivalent, profies) is a no go.  But, in the process I managed to tweak something out of frustration which caused me to lose all WAN/LAN in the house.  Not a fun time, took me an hour to hook up an unmanaged switch, reroute the USG (after connecting to it directly thanks to the 15 yr old windows pc I keep around for this reason), readopt everything, and start from scratch.  Lost all my history, dpi, etc etc etc.  Lesson learned.  In any case, I'm back to square one.  Not gonna pick this up again until the weekend.  The profiles thing was what I thought was the missing link, and it makes complete sense.  In any event, gonna pick it up this weekend and not gonna stop thinking about it until shits working.

 

TL;DR, dont fuck with port settings cuz you're gonna have to go years back in time.  Thank god for USG config auto backups and an above average understanding of disaster recovery.  

[Guest asrequested]

Ouch! I've had a similar experience, in the past. I actually make a backup of the backup, so I have it in two places.

[mastrmind11 722]

Ouch! I've had a similar experience, in the past. I actually make a backup of the backup, so I have it in two places.

yeah, indirectly i have one of those too.  backblaze full backup of my emby server.  (never tested a restore, shhhhh!)

[Guest asrequested]

yeah, indirectly i have one of those too.  backblaze full backup of my emby server.  (never tested a restore, shhhhh!)

 

 lol

[Swynol 375]

Tagging (or the unifi equivalent, profies) is a no go.  But, in the process I managed to tweak something out of frustration which caused me to lose all WAN/LAN in the house.  Not a fun time, took me an hour to hook up an unmanaged switch, reroute the USG (after connecting to it directly thanks to the 15 yr old windows pc I keep around for this reason), readopt everything, and start from scratch.  Lost all my history, dpi, etc etc etc.  Lesson learned.  In any case, I'm back to square one.  Not gonna pick this up again until the weekend.  The profiles thing was what I thought was the missing link, and it makes complete sense.  In any event, gonna pick it up this weekend and not gonna stop thinking about it until shits working.

 

TL;DR, dont fuck with port settings cuz you're gonna have to go years back in time.  Thank god for USG config auto backups and an above average understanding of disaster recovery.  

 

doh. you can make a copy of the whole Ubiquiti directory in C:\users\%username%\

 

I make a copy before changing anything, that way its easy to revert.

 

You could try setting your USG port profile to "all" Thats what I keep mine at. This port should be a trunk. 

 

with mDNS, what controller version you running? i think it was implemented in v.5.9.x - under services tab you should see mDNS. this needs enabling, then you need to do some work in the CLI and create a json file so the change survives a reboot.

 

This is my setting for sonos speakers on network vlan 80 (eth1.80) and controllers on vlan 1 (eth1). The setting allows the controllers to see the speakers but still maintain the subnet security. 

{
"protocols": {
  "igmp-proxy": {
   "interface": {
    "eth1": {
     "role": "upstream",
     "threshold": "1",
     "alt-subnet": "0.0.0.0/0"
    },
    "eth1.80": {
     "role": "downstream",
     "threshold": "1",
     "alt-subnet": "0.0.0.0/0"
    }
   }
  }

After testing the above works, you can change the alt-subnets to what ever your network is. so eth1 - "alt-subnet": "192.168.1.0/24"    eth1.80 - "alt-subnet": "192.168.200.0/24"

 

 

 

Also you can do other clever stuff with the CLI. Not sure if you've heard of static-host-mappings? its similar to dns masquerading.   So for example you have emby on 192.168.1.10. In the CLI you set a static-host-mapping to emby.mydomain,com to 192.168.1.10.  That way when you enter emby.mydomain.com in a web browser when internal on your LAN it goes to 192.168.1.10. (normally it would go out on the internet to come back in). 

Edited September 13, 2018 by Swynol

[mastrmind11 722]

awesome info, thanks @@Swynol.  Gonna pick it up again this weekend.  Learned my lesson last night not to tinker w/ this stuff during a work week

[Swynol 375]

ye defo. as annoying as it is - at least it was your home one. I install unifi gear for businesses which connect back to cloud controllers.

 

this week i had an issue with a business because they changed out a router without telling me, all their till systems and card payment systems went offline. took my 3 hours to sort it all out.

[Guest asrequested]

This week I had an issue with a business, because they changed out a router without telling me. All their till systems and card payment systems went offline. Took me 3 hours to sort it all out.

Gah! Novice tech muggles!

Edited September 18, 2018 by Doofus

[mastrmind11 722]

ye defo. as annoying as it is - at least it was your home one. I install unifi gear for businesses which connect back to cloud controllers.

 

this week i had an issue with a business because they changed out a router without telling me, all their till systems and card payment systems went offline. took my 3 hours to sort it all out.

haha, probably blamed you too LOL

[Guest asrequested]

Did you get it figured out?

[mastrmind11 722]

Did you get it figured out?

I did.  It was a combo of not tagging ports correctly and picking "VLAN Only" for the network type.  I deleted the vlan only network, created a new corp network w/ a different subnet, gave it a vlan id, etc, and all is well.  Set the uplink port to 'all' and added the IoT+LAN group to the port that heads out to my AP.  All is good.  

[Swynol 375]

out of interest, do you use a cloudkey, AWS or locally installed controller?

[mastrmind11 722]

out of interest, do you use a cloudkey, AWS or locally installed controller?

local controller.