VLAN Ubiquiti Question

Hey,

My network looks roughly:

Unifi APs -> Unifi Switch -> dumb powerline adapters -> dumb switch -> Ubiquiti Edge Router (not unifi).

I'd like to play with vlans to make an isolated wifi network.

If I set this up within unifi, to tag a wireless network, does any other point need vlan knowledge? Specifically I guess my question is, are the tags stripped at the AP or does the Edge Router also need to know about them? I basically want tagged packets routed out to the internet and nowhere else. I don't really understand vlans, but can I do that with just a unifi tagged wifi network, or does everything else also need tagging? Thanks :)

EDIT: Ah looks like this requires a USG to do properly :(
 
You can do a simplified version via the Unifi controller - I have a guest network set up with no access to the rest of the LAN; it was a requirement when I had little option other than to allow unknown devices onto my network for the kids doing schooling at home.
 
You can do it without the USG. I currently use pfSense with Unifi gear.

Router > pfsense > Unifi Switch > Unifi APs

I have the VLANs set up on pfsense with their own rules to the outside world, then create networks on the unifi controller tagged for whichever vlan.

Devices on my wireless IOT network cannot see any other part of my network and can only go out to the internet etc.
 

Thanks, that’s really helpful. Did you need to configure anything on your Unifi switch? Or is tagged AP traffic auto routed through to pfsense by default?

That’s the one bit I don’t understand: if I tag a guest wifi network, am I OK leaving everything else just as default and untagged? And will that tagged traffic auto make its way to the router?
 
So the link from my pfsense to the switch is a trunk port, so all VLANs travel down it. On my unifi switch, I have the AP set to all networks as I have a couple of different wireless VLANs, though you could limit it to your guest network if you wanted to.

The unifi side is with the older controller, but this video gives you a good starting point for pfsense and vlans:

https://www.youtube.com/watch?v=b2w1Ywt081o&t=779s&ab_channel=LawrenceSystems
 
If you are ignoring the Unifi AP controller option, then please make sure your power line adapters support VLAN tagging, it’s cropped up in the past that some don’t, even when previous models from the same range/OEM do.
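
As an added example (not from any post in this thread): the 802.1Q tag is four bytes inside the Ethernet frame itself, so it has to survive every device between the AP and the router. This Python sketch builds and parses tagged frames and tallies a capture taken at the router end; VLAN ID 20, the MAC addresses and the frames are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def add_vlan_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vlan_id <= 4094 or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must be 1-4094 and priority 0-7")
    tci = (priority << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return the VLAN ID (None if untagged) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return {"vlan": None, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return {"vlan": tci & 0x0FFF, "ethertype": inner}


def check_capture(frames, expected_vlan: int) -> dict:
    """Tally frames captured at the router end by what happened to the tag."""
    counts = {"tagged_ok": 0, "untagged": 0, "other_vlan": 0}
    for frame in frames:
        vlan = parse_frame(frame)["vlan"]
        if vlan is None:
            counts["untagged"] += 1
        elif vlan == expected_vlan:
            counts["tagged_ok"] += 1
        else:
            counts["other_vlan"] += 1
    return counts


# Constructed sample data: broadcast IPv4 frame from a made-up client MAC.
GUEST_VLAN = 20
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
TAGGED = add_vlan_tag(UNTAGGED, GUEST_VLAN)

if __name__ == "__main__":
    print(parse_frame(TAGGED), len(TAGGED) - len(UNTAGGED))
    print(check_capture([TAGGED, UNTAGGED, add_vlan_tag(UNTAGGED, 30)], GUEST_VLAN))
```

If frames from guest clients show up in the untagged count at the router end, a device in the path has removed the tag.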
 