Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

First issue:

    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
            listen-on eth2.10
        }
    }

Should be listen-on eth2.100, not eth2.10.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access


@tsztokma wrote:

Unifi AP is connected to Port Mode General (Default Vlan 1 and VLAN100 - both TAG).



Try untagging vlan1 on both the switch and UniFi. 

With UniFi the management interface isn't intended to be tagged.  This could be part of your issue.

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access


My main SSID on UniFi is untagged, Guest is tagged 100. By the way, I don't think that the problem is the UniFi config - when I set the port to Default VLAN 1, Port Mode Access, it operates in my LAN (Internet, other LAN devices, etc.). But when I try to do tracert 192.168.100.100 (VLAN100) it goes like this (even if connected to the switch directly via cable):

Tracing route 192.168.100.100 over a maximum of 30 hops

1 1ms 1ms 1ms 192.168.0.254

2 * * *

...

Destination unreachable.

And I fixed my DNS caching - thanks.

I did something similar years ago at school called router on a stick (except the routing was between two non-default VLANs). BTW, does the tagging really matter for the router? I can ping my ERL from the LAN at address 192.168.0.254, and I can ping the ERL from inside VLAN100 at 192.168.100.254. I thought that since on both ends the routes to these two subnets are active and display as connected, this should be enough to do the routing between them.

[EDIT2]

From the server in LAN (192.168.0.9) I can even ping the other interface of the router 192.168.100.254!

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access


@tsztokma wrote:

I did something similar years ago at school called router on a stick (except the routing was between two non-default VLANs). BTW, does the tagging really matter for the router? I can ping my ERL from the LAN at address 192.168.0.254, and I can ping the ERL from inside VLAN100 at 192.168.100.254. I thought that since on both ends the routes to these two subnets are active and display as connected, this should be enough to do the routing between them.

[EDIT2]

From the server in LAN (192.168.0.9) I can even ping the other interface of the router 192.168.100.254!


Tagging.....
When you create the interface vif100, that is automatically tagged when leaving the router.  As you look at your interfaces (eth0, eth1, eth2, etc.), the physical interfaces are untagged.  Anything in a VLAN (eth2.100, eth1.50, etc.) will be tagged when it leaves the port.

Any untagged traffic entering a trunk port on your switch will be assigned to the native vlan for that port.  Most people seem to leave this as the default vlan1, although (except for very inexpensive switches) it doesn't have to be.

You can assign a network to eth1 (or any other physical port) and connect it to an access port on your switch which is assigned to say vlan33 and that traffic will be tagged as vlan33 on any trunk it travels.

For my network, my management vlan is vlan99.  The trunk ports which connect to my UniFis are assigned native vlan99.  Additionally they have vlan60 (my secure wireless vlan) and vlan160 (my open guest vlan).  Since I do vlan pruning on all my trunk ports, these are the only vlans available on those switch ports.

 

Anyway, back to your issues.  I'll look further to see what I find.  Can you set a switchport to access vlan100 and connect a computer to it?  Check that it gets a proper IP address (192.168.100.x) and see if it can access anything on vlan1.  This will isolate the issue as wireless or hardwired.  If that computer then has full functionality, it's a wireless issue.  If it has the same issues, we can forget about anything with the UniFi for now.
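The tagging rules described in the reply above (a vif tags frames on the way out of the router, untagged frames arriving on a trunk land in the native VLAN, and pruning drops VIDs the port does not carry) can be modelled in a few lines. The following is an added illustration, not code from this thread or from EdgeOS: it parses and builds 802.1Q headers on constructed Ethernet frames and applies the textbook trunk-port ingress decision. The native VLAN 99 and the allowed set {99, 60, 160} are taken from the poster's own description; the MAC addresses and the port behaviour are assumptions for the demo.

```python
"""Toy model of 802.1Q tagging on a trunk port.

Added illustration for this thread; it is not EdgeOS code. Frames are
constructed inline, and the port behaviour (native VLAN for untagged
frames, pruning of VIDs not in the allowed set) is the textbook rule,
not a reproduction of any particular switch.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_ARP = 0x0806


def parse_frame(frame: bytes) -> dict:
    """Split off dst/src MAC, the optional 802.1Q tag and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, pcp = None, 0
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF   # 3-bit priority, 12-bit VLAN id
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "ethertype": ethertype}


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """What the router does for a packet leaving a vif: insert the tag after the MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def ingress_trunk(frame: bytes, native_vlan: int, allowed_vlans) -> dict:
    """Trunk-port ingress decision: which VLAN the frame lands in and whether it is kept."""
    hdr = parse_frame(frame)
    vid = hdr["vid"]
    if vid is None or vid == 0:
        # Untagged frames, and priority-tagged frames (VID 0), belong to the native VLAN.
        assigned, tagged = native_vlan, False
    else:
        assigned, tagged = vid, True
    return {"vlan": assigned, "tagged": tagged, "accepted": assigned in allowed_vlans}


# Constructed sample: a broadcast ARP request from a made-up MAC address.
SRC_MAC = bytes.fromhex("0242ac110002")
BCAST = bytes.fromhex("ffffffffffff")
ARP_BODY = bytes.fromhex("0001080006040001") + SRC_MAC + bytes(4) + bytes(6) + bytes(4)
UNTAGGED = BCAST + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP) + ARP_BODY
# Priority-tagged frame: an 802.1Q header with PCP 5 but VID 0 (no VLAN membership).
PRIORITY_TAGGED = UNTAGGED[:12] + struct.pack("!HH", ETHERTYPE_VLAN, 5 << 13) + UNTAGGED[12:]


def demo(native_vlan: int = 99, allowed=frozenset({99, 60, 160})) -> dict:
    """Run the cases from the thread's description against one pruned trunk port."""
    return {
        "untagged": ingress_trunk(UNTAGGED, native_vlan, allowed),
        "priority_tagged": ingress_trunk(PRIORITY_TAGGED, native_vlan, allowed),
        "vlan60": ingress_trunk(tag_frame(UNTAGGED, 60), native_vlan, allowed),
        "vlan100_pruned": ingress_trunk(tag_frame(UNTAGGED, 100), native_vlan, allowed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

The pruning case is the security-relevant one: a tagged frame for a VLAN the trunk does not carry is dropped rather than leaking onto the native VLAN, which is exactly why the reply recommends pruning every trunk port.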

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access


@tsztokma wrote:

From the server in LAN (192.168.0.9) I can even ping the other interface of the router 192.168.100.254!


This is normal.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access


@tsztokma wrote:

Greetings,


I have a small setup in my company - I have a Linksys router with address 192.168.0.1 which grants internet access and DHCP to computers in network 192.168.0.0/24. I also bought an Edge Router (LITE) to employ some basic VLAN separation so that my UniFi serves two different LANs, 192.168.0.0/24 and 192.168.100.0/24 (VLAN100) - I can successfully connect to either of my UniFi wireless SSIDs with correct addresses being assigned from each DHCP, but VLAN100 has no internet access (it should have one via the Linksys router). PCs in 192.168.100.0/24 can successfully ping 192.168.0.1 but it seems that my Linksys won't pass the 192.168.100.* to the internet. I have already put a static route on the Linksys router. Do I need some additional configuration, i.e. some additional NAT or port mapping?


Internet ----- (Public IP) Linksys (192.168.0.1) ------LAN1------- (192.168.0.254) Edge Router (VLAN100 192.168.100.1) ----- LAN2

PCs in VLAN100 use 192.168.100.1 as default router, EdgeOS has 192.168.0.1 configured as default static route and DNS 8.8.8.8.

Kr,

Tomasz


What Linksys router do you have?  Have you defined the subnets and routes for the networks behind the ERL?

     .....or are you doing double NAT?

 

EDIT:

I looked further.  No double NAT.  Defined address eth0 192.168.0.254.  Default gateway is set correctly as 192.168.1.1.  Back to the question of whether the subnet 192.168.100.0/24 is defined and routed on the Linksys.  If not, it won't know where to send traffic coming in from the internet, as the Linksys is not directly connected to the subnet.

Also, without setting dns-server on the ERL system, dns-forwarding won't do anything as the router has no path for dns.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access


@tsztokma wrote:

My main SSID on UniFi is untagged, Guest is tagged 100. By the way I dont think that the problem is UniFi config - when I check port to be Default Vlan 1 Port Mode Access - it operates in my LAN (Internet, other LAN devices, etc). But when I try to do tracert 192.168.100.100 (VLAN100) it goes like this (even if connected to switch directly via cable):

Tracing route 192.168.100.100 over a maximum of 30 hops

1 1ms 1ms 1ms 192.168.0.254

2 * * *

...

Destination unreachable.

And I fixed my DNS caching - thanks.

I did someting similar years ago at school called router on a stick (except the routing was between two non-default vlans). BTW does the tagging really matters for router? I can ping my ERL from LAN at address 192.168.0.254, I can ping ERL from inside VLAN100 192.168.100.254. I thought that since on both ends the routes to these two subnets are active and displays as connected this should be enough to do the routing between them.

[EDIT2]

From the server in LAN (192.168.0.9) I can even ping the other interface of the router 192.168.100.254!


Equipment in the LAN cannot talk to vlan100 because equipment in the LAN is not directly connected to vlan100.  Settings on that equipment tell it to send traffic to unknown addresses to the Linksys router 192.168.1.1.  This is normal.  The issue arises because the router at 192.168.1.1 does not know the path to 192.168.100.0/24 and therefore sends traffic to its default gateway (your ISP's router, which doesn't know the path either).

The Linksys should have a path defined stating that 192.168.100.0/24 is accessed via 192.168.1.254.  Depending on the model, it should have settings for the subnet also.  This is required for NAT masquerade to operate properly when sending and receiving traffic from the internet.

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

@CowboyJed- Linksys is no longer a part of this network. As I wrote earlier it has been replaced with ERL. The setup is similar to this:

Internet -------- (external IP) ERL eth0 (192.168.0.254) ----------------- LAN (switch port mode general VLAN1 and 100)

                                               eth2.100 (192.168.100.254) --------------VLAN100 (port mode general VLAN1 and 100)

Connecting directly to a port set with port mode ACCESS VLAN100 with a cable on the switch gives me the correct IP address from ERL DHCP - so I assume that the VLAN tagging part for VLAN100 is OK. From VLAN100 I can freely access the Internet and the LAN network (network shares, printers, etc.). On my LAN the DHCP is Windows 2008 R2 but the default gateway is my ERL (192.168.0.254) - I can access the internet from there (therefore I have communication with the ERL), but when, say, I put a printer in VLAN100, no member of the LAN (192.168.0.0/24) can access it. I wonder if it would change anything if I set the switch port my ERL eth0 is connected to as ACCESS VLAN1 and eth2 as ACCESS VLAN100.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

My bad, I missed the updated config at the bottom of page 1.

I'll take another look tomorrow.  I have to get to bed as I have to leave for work in about 6 hours.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

Just a quick question on DHCP setup.  Did you use the proper gateway address for each scope?  Namely the router's IP for that network.  I've seen the gateway address being on the wrong network do odd things.
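Two of the slips discussed in this thread (the `listen-on eth2.10` typo in the DNS forwarder from the first reply, and the wrong-network DHCP gateway asked about just above) are both mechanical enough to catch with a script. What follows is an added example, not code from the thread or from Ubiquiti: a small parser for the brace-delimited EdgeOS config format, plus two checks run over a constructed config modelled on the poster's setup (eth0 192.168.0.254/24, eth2.100 192.168.100.254/24). The sample config, the `VLAN100` scope with its deliberately wrong `default-router`, and the check names are assumptions made for the demo; the parser handles one statement per line and does not process `/* */` comments.

```python
"""Sanity checks over an EdgeOS configuration dump.

Added example for this thread (not the project's or the posters' code).
Parses the 'key value {' / 'key value' / '}' layout that 'show configuration'
prints and flags two mistakes that came up in the discussion.
"""
import ipaddress


def parse_edgeos(text: str) -> dict:
    """Parse brace-delimited EdgeOS config into nested dicts.

    Leaves ('listen-on eth0') become key -> list of values so repeats survive;
    named blocks ('ethernet eth0 {') become tree[key][name] -> child dict;
    bare blocks ('forwarding {') become tree[key] -> child dict.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
            continue
        node = stack[-1]
        if line.endswith("{"):
            parts = line[:-1].split()
            child: dict = {}
            if len(parts) == 1:
                node[parts[0]] = child
            else:
                node.setdefault(parts[0], {})[" ".join(parts[1:])] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            node.setdefault(key, []).append(value.strip().strip('"'))
    if len(stack) != 1:
        raise ValueError("unbalanced braces: %d block(s) left open" % (len(stack) - 1))
    return root


def interface_addresses(tree: dict) -> dict:
    """Map every ethernet interface and vif (eth2.100 style) to its list of addresses."""
    result = {}
    for name, cfg in tree.get("interfaces", {}).get("ethernet", {}).items():
        result[name] = cfg.get("address", [])
        for vid, vcfg in cfg.get("vif", {}).items():
            result[f"{name}.{vid}"] = vcfg.get("address", [])
    return result


def check_dns_listen(tree: dict) -> list:
    """Return listen-on names that match no configured interface (eth2.10 vs eth2.100)."""
    known = interface_addresses(tree)
    fwd = tree.get("service", {}).get("dns", {}).get("forwarding", {})
    return [ifname for ifname in fwd.get("listen-on", []) if ifname not in known]


def check_dhcp_gateways(tree: dict) -> list:
    """For each DHCP subnet, require default-router to be the router's own address on that network."""
    problems = []
    router_ifaces = {ipaddress.ip_interface(a)
                     for addrs in interface_addresses(tree).values()
                     for a in addrs if a != "dhcp"}
    scopes = tree.get("service", {}).get("dhcp-server", {}).get("shared-network-name", {})
    for scope, scfg in scopes.items():
        for cidr, sub in scfg.get("subnet", {}).items():
            net = ipaddress.ip_network(cidr, strict=False)
            for gw in sub.get("default-router", []):
                gw_ip = ipaddress.ip_address(gw)
                if gw_ip not in net:
                    problems.append((scope, cidr, gw, "gateway outside subnet"))
                elif not any(r.ip == gw_ip and r.network == net for r in router_ifaces):
                    problems.append((scope, cidr, gw, "gateway is not the router's address on this network"))
    return problems


# Constructed sample modelled on the thread; VLAN100's gateway is deliberately wrong.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 {
        address 192.168.0.254/24
        description LAN
    }
    ethernet eth1 {
        address dhcp
        description WAN
    }
    ethernet eth2 {
        description "VLAN trunk"
        vif 100 {
            address 192.168.100.254/24
            description Guest
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 192.168.0.0/24 {
                default-router 192.168.0.254
                start 192.168.0.100 {
                    stop 192.168.0.200
                }
            }
        }
        shared-network-name VLAN100 {
            subnet 192.168.100.0/24 {
                default-router 192.168.0.254
                start 192.168.100.100 {
                    stop 192.168.100.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
            listen-on eth2.10
        }
    }
}
"""

if __name__ == "__main__":
    tree = parse_edgeos(SAMPLE_CONFIG)
    print("unknown listen-on interfaces:", check_dns_listen(tree))
    print("DHCP gateway problems:", check_dhcp_gateways(tree))
```

Feeding it the output of `show configuration` from a real router works the same way; the second check is the one that answers the question above, since a scope whose `default-router` lies outside its own subnet is exactly the "gateway on the wrong network" case.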

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

I can confirm that the gateway addresses are in proper networks. So if I get DHCP from my LAN it is 192.168.0.254 and when I connect to VLAN100 it is 192.168.100.254.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

What are the wireless devices you are logged into the wireless with?  If windows based, how is the windows firewall configured?  Will it accept ping?  Most of my Win7 machines will not reply to a ping request, but my sbs 2011 will.

Regular Member
Posts: 747
Registered: ‎11-06-2013
Kudos: 231
Solutions: 26

Re: EdgeRouter Lite - VLANs with UniFi internet access


@tsztokma wrote:

@CowboyJed- Linksys is no longer a part of this network. As I wrote earlier it has been replaced with ERL. The setup is similar to this:

Internet -------- (external IP) ERL eth0 (192.168.0.254) ----------------- LAN (switch port mode general VLAN1 and 100)

                                               eth2.100 (192.168.100.254) --------------VLAN100 (port mode general VLAN1 and 100)

Connecting directly to a port set with port mode ACCESS VLAN100 with a cable on the switch gives me the correct IP address from ERL DHCP - so I assume that the VLAN tagging part for VLAN100 is OK. From VLAN100 I can freely access the Internet and the LAN network (network shares, printers, etc.). On my LAN the DHCP is Windows 2008 R2 but the default gateway is my ERL (192.168.0.254) - I can access the internet from there (therefore I have communication with the ERL), but when, say, I put a printer in VLAN100, no member of the LAN (192.168.0.0/24) can access it. I wonder if it would change anything if I set the switch port my ERL eth0 is connected to as ACCESS VLAN1 and eth2 as ACCESS VLAN100.


Your diagram does not match your config. Per your config:

eth0 --> LAN 192.168.0.254/24

eth1 --> WAN *.*.*.*/29

eth2 --> Nothing

eth2.100 --> VLAN 192.168.100.254/24

You have NAT outbound masquerade to eth1 so anything on both networks should have internet access.

What you do not have on eth2 is a control network for the UniFi AP itself to get an IP. 

You also stated that VLAN 100 was on eth0 but it is not according to your config. You don't need a VLAN there anyway.

Communication between a VLAN and the LAN will always be through the router because they are different networks. That is the point of a VLAN.

Here is an example from a router I have in place.

 ethernet eth0 {
     address 10.202.254.1/24
     description "WiFi Management"
     duplex auto
     speed auto
     vif 2 {
         address 10.202.2.1/24
         description "Private WiFi"
         mtu 1500
         firewall {
             in {
                 name LAN_IN
             }
             local {
                 name LAN_LOCAL
             }
         }
     }
     vif 100 {
         address 10.202.200.1/24
         description "Public WiFi"
         firewall {
             in {
                 name Public_WLAN_IN
             }
             local {
                 name Public_WLAN_LOCAL
             }
         }
         mtu 1500
     }
 }
 ethernet eth1 {
     address 10.202.1.1/23
     description LAN
     duplex auto
     firewall {
         in {
             name LAN_IN
         }
         local {
             name LAN_LOCAL
         }
     }
     speed auto
 }
 ethernet eth2 {
     address XXX.XXX.XXX.42/29
     address XXX.XXX.XXX.43/29
     address XXX.XXX.XXX.44/29
     description WAN
     duplex auto
     firewall {
         in {
             name WAN_IN
         }
         local {
             name WAN_LOCAL
         }
     }
     speed auto
     traffic-policy {
         out VoIP
     }
 }
 
 dhcp-server {
     disabled false
     hostfile-update disable
     shared-network-name LAN {
         authoritative disable
         disable    /* note: this is a disabled DHCP scope; the LAN is served by the Windows Server. */
         subnet 10.202.0.0/23 {
             default-router 10.202.1.1
             dns-server 10.202.1.1
             lease 86400
             start 10.202.0.10 {
                 stop 10.202.0.254
             }
             unifi-controller 10.202.1.227
         }
     }
     shared-network-name Private_WiFi {
         authoritative disable
         subnet 10.202.2.0/24 {
             default-router 10.202.2.1
             dns-server 10.202.1.11
             lease 86400
             start 10.202.2.11 {
                 stop 10.202.2.254
             }
             unifi-controller 10.202.1.227
         }
     }
     shared-network-name Public_WiFi {
         authoritative disable
         subnet 10.202.200.0/24 {
             default-router 10.202.200.1
             dns-server 10.202.200.1
             lease 3600
             start 10.202.200.10 {
                 stop 10.202.200.254
             }
             unifi-controller 10.202.1.227
         }
     }
     shared-network-name WiFi_Management {
         authoritative disable
         subnet 10.202.254.0/24 {
             default-router 10.202.254.1
             dns-server 10.202.1.11
             lease 3600
             start 10.202.254.11 {
                 stop 10.202.254.254
             }
             static-mapping AP_Accounting {
                 ip-address 10.202.254.9
                 mac-address 24:a4:3c:30:2c:0e
             }
             static-mapping AP_Conference {
                 ip-address 10.202.254.10
                 mac-address 24:a4:3c:30:32:f3
             }
             unifi-controller 10.202.1.227
         }
     }
 }
 dns {
     forwarding {
         cache-size 150
         listen-on eth0
         listen-on eth0.2
         listen-on eth0.100
         listen-on eth1
     }
 }


Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

One of mine....

interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "DMZ SUBNETS"
        duplex auto
        speed auto
        vif 130 {
            address 10.112.130.1/24
            description Public_Servers
            mtu 1500
        }
        vif 160 {
            address 10.112.160.1/24
            description BCF_Guest
            mtu 1500
        }
    }
    ethernet eth2 {
        description "LAN SUBNETS"
        duplex auto
        speed auto
        vif 20 {
            address 10.10.20.1/24
            description BCF_Home
            mtu 1500
        }
        vif 30 {
            address 10.10.30.1/24
            description BCF_Servers
            mtu 1500
        }
        vif 40 {
            address 10.10.40.1/24
            description BCF_VOIP
            mtu 1500
        }
        vif 50 {
            address 10.10.50.1/24
            description BCF_CCTV
            mtu 1500
        }
        vif 60 {
            address 10.10.60.1/24
            description BCF_Wrls
            mtu 1500
        }
        vif 99 {
            address 10.10.99.1/24
            description BCF_Mgmt
            mtu 1500
        }
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-address 10.99.99.1 {
        }
        local-port ****
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.99.99.2
        remote-host *********.***
        remote-port ****
        shared-secret-key-file /config/auth/secret
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2.30
    lan-interface eth1.130
    rule 1 {
        description Minecraft
        forward-to {
            address 10.112.130.145
        }
        original-port 25565
        protocol tcp
    }
    rule 2 {
        description "Video RTP/RTCP"
        forward-to {
            address 10.10.30.142
        }
        original-port 51000-54999
        protocol udp
    }
    rule 3 {
        description "Video NTP service"
        forward-to {
            address 10.10.30.142
        }
        original-port 60000
        protocol udp
    }
    rule 4 {
        description "NVR Client Log-in"
        forward-to {
            address 10.10.30.142
        }
        original-port 38880
        protocol tcp
    }
    rule 5 {
        description "NVR Client Log-in"
        forward-to {
            address 10.10.30.142
        }
        original-port 38881
        protocol tcp
    }
    wan-interface eth0
}
protocols {
    static {
        interface-route 172.16.50.0/24 {
            next-hop-interface vtun0 {
            }
        }
        interface-route 192.168.2.0/24 {
            next-hop-interface vtun0 {
            }
        }
    }
}
service {
    dhcp-relay {
        interface eth2.20
        interface eth2.30
        interface eth2.40
        interface eth2.50
        interface eth2.60
        interface eth1.130
        interface eth2.99
        server 10.10.30.10
    }
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name BCF_Guest {
            authoritative disable
            subnet 10.112.160.0/24 {
                default-router 10.112.160.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                lease 28800
                start 10.112.160.101 {
                    stop 10.112.160.120
                }
                static-mapping UniFi_AP-1 {
                    ip-address 10.112.160.241
                    mac-address 24:a4:3c:6e:dd:94
                }
                static-mapping UniFi_AP-2_LR {
                    ip-address 10.112.160.242
                    mac-address dc:9f:db:f6:f7:93
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name *******.***
                    login *******
                    password *******
                }
            }
        }
    }
}
 

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

OK guys, I know this is utterly stupid, but when I connect to my VLAN the PC changes firewall profile and blocks everything... for test purposes I disabled the firewall and everything works as expected... I forgot about the basic thing, which is the firewall on the machine itself. Sorry!

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access


So this took care of everything?  You're good?

New Member
Posts: 31
Registered: ‎03-12-2014
Kudos: 2
Solutions: 1

Re: EdgeRouter Lite - VLANs with UniFi internet access

Yes - I can access the computers in both networks. Connecting to the new network resulted in a changed FW profile on the PC, and that is why access was limited.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: EdgeRouter Lite - VLANs with UniFi internet access

Awesome.