New Member
Posts: 5
Registered: a week ago

Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite


(Sketch attached)

 

Hi Folks,

I'm currently trying to configure an Ubiquiti ERX with a connected AC AP Lite so that Wi-Fi guests have internet access only via one router (shown as 192.168.1.1) but are not able to see any other devices (PC "A" or the server) on the 192.168.1.0 network or anything on the corporate network (192.168.111.0).

 

Also, I would like to have the Wi-Fi corporate users able to access anything on the corporate network and the internet via 192.168.111.70, but nothing on the 192.168.1.0 network. I have attached a sketch of how I have everything currently connected to the ERX (not convinced it's 100% correct); any assistance with the actual ERX configuration would be greatly appreciated.

 

Thanks in advance.

New Member
Posts: 8
Registered: ‎11-30-2017
Solutions: 1

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

The principles are the same as in this video.

Just skip the Switch setup part....

New Member
Posts: 5
Registered: a week ago

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

Thank you,

I have gotten much further along after watching that video; it was a great help. The problem that I seem to be having is that guests are not being issued DHCP addresses, although I have set up a scope within the ERX and enabled it.

 

Once I can get past this DHCP issue, I can work on directing internet traffic for the guest Wi-Fi users' VLAN to the "Sky Internet".

 

The authorised Wi-Fi corporate LAN users (Paragon network) are being assigned DHCP addresses correctly via a Windows Server on their network and are able to browse their LAN and access the internet via their own BT router. They cannot see the Sky router or anything else on that router, which is correct.

 

Thanks in advance. (Screenshots attached: Dashboard.jpg, dhcp.jpg, Switch.jpg)
New Member
Posts: 32
Registered: ‎10-14-2018
Kudos: 3

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

Does your firewall block DHCP traffic to the router?

New Member
Posts: 8
Registered: ‎11-30-2017
Solutions: 1

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

@Turbotim16

Create your VLAN (Guest VLAN) on eth2 "Ubiquiti AP AC Lite" with the IP of 172.16.0.1/24.

Then in the Ubiquiti AP AC Lite, just assign the correct VLAN ID of 172 to the SSID for the guests.

Emerging Member
Posts: 45
Registered: ‎05-28-2018
Kudos: 14
Solutions: 3

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite


You should probably have a look at Mike Pott's excellent tutorial on how to set up an ERX and AC AP device to do exactly this task.

 

   https://github.com/mjp66/Ubiquiti/blob/master/Ubiquiti%20Home%20Network.pdf

New Member
Posts: 5
Registered: a week ago

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

Hi Fanghui,

No, it shouldn't, as I set up the router's built-in firewall following the video.

 

Regards

SuperUser
Posts: 7,491
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

Must the 192.168.1.0/24 network be isolated from the 192.168.111.0/24 network? The UniFi controller (10.0.0.10?) and the management laptop (10.10.10.2?): which network should they use as their WAN? And is the controller manageable only from the management laptop, or also from the 192.168.1.0/24 and/or 192.168.111.0/24 networks? And the EdgeRouter itself: which network (which router) should it use as its WAN? There are a lot of ways to achieve your goal, but we need to know how you want the network to work...
Cheers,
jonatha

New Member
Posts: 5
Registered: a week ago

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

Thanks Hav0cBuff,

I did this already.

 

Regards

New Member
Posts: 5
Registered: a week ago

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

Hi redfive,

I have attached an updated sketch with some notes attached.

 

Regards

New Member
Posts: 32
Registered: ‎10-14-2018
Kudos: 3

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite


@Turbotim16 wrote:

Hi Fanghui,

No it shouldn't as I setup the routers built-in firewall following the video.

 

Regards


Can you post your firewall config? I was asking precisely because I think the video missed the rules that allow DHCP traffic to the router, and the problem you were experiencing was not being able to assign IP addresses on the guest network through DHCP.

New Member
Posts: 8
Registered: ‎11-30-2017
Solutions: 1

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite


@Turbotim16

Attached is a working config file for you as an example (I used it some time back).

 

Network is the main network and can see everything in that IP range, the internet, as well as the ER-X.

Cellphones on their own IP range can only see the internet and nothing else.

Guests on their own IP range can also only see the internet and nothing else.

 

My AP was set on eth2 and all the VLANs were built around that.

 

Connect a LAN cable to eth2 with an IP of 20.0.0.x/24 to log in. Once logged in, you can adjust as needed.

Username and password: ubnt

 

Hope this helps.

SuperUser
Posts: 7,491
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: Setting up a Guest Wi-Fi VLAN with ERX and AC AP Lite

Something like this? (Configured on the fly, and untested ...)

ubnt@ubnt# show
 firewall {
     group {
         address-group UNIFI_CONTROLLER {
             address 10.1.1.2
         }
         network-group GUESTS_VLAN {
             network 172.16.0.0/24
         }
         network-group MGMT_VLAN {
             network 172.16.99.0/24
         }
         network-group PRIVATE_NETS {
             network 10.0.0.0/8
             network 172.16.0.0/12
             network 192.168.0.0/16
         }
         network-group UNTAG_VLAN {
             network 10.20.20.0/24
         }
         port-group DHCP_PORT {
             port 67
         }
         port-group DNS_PORT {
             port 53
         }
         port-group UNIFI_AUTH_PORTS {
             port 8880
             port 8843
         }
         port-group UNIFI_SYS_PORTS {
             port 8080
             port 3478
         }
     }
     modify GUESTS {
         rule 10 {
             action modify
             destination {
                 group {
                     address-group UNIFI_CONTROLLER
                 }
             }
             modify {
                 table main
             }
         }
         rule 20 {
             action modify
             modify {
                 table 10
             }
         }
     }
     name GUESTS_IN {
         default-action accept
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             destination {
                 group {
                     address-group UNIFI_CONTROLLER
                     port-group UNIFI_AUTH_PORTS
                 }
             }
             protocol tcp
             source {
                 group {
                     network-group GUESTS_VLAN
                 }
             }
         }
         rule 30 {
             action drop
             destination {
                 group {
                     network-group PRIVATE_NETS
                 }
             }
         }
     }
     name GUESTS_LOCAL {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             destination {
                 group {
                     port-group DHCP_PORT
                 }
             }
             protocol udp
             source {
                 port 68
             }
         }
         rule 30 {
             action accept
             destination {
                 group {
                     port-group DNS_PORT
                 }
             }
             protocol tcp_udp
             source {
                 group {
                     network-group GUESTS_VLAN
                 }
             }
         }
     }
     name MGMT_IN {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             destination {
                 group {
                     address-group UNIFI_CONTROLLER
                     port-group UNIFI_SYS_PORTS
                 }
             }
             protocol tcp_udp
         }
         rule 30 {
             action drop
             source {
                 group {
                     network-group UNTAG_VLAN
                 }
             }
         }
         rule 40 {
             action drop
             destination {
                 group {
                     network-group PRIVATE_NETS
                 }
             }
         }
         rule 50 {
             action accept
             source {
                 group {
                     network-group MGMT_VLAN
                 }
             }
         }
     }
     name MGMT_LOCAL {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             destination {
                 group {
                     port-group DHCP_PORT
                 }
             }
             protocol udp
             source {
                 port 68
             }
         }
         rule 30 {
             action accept
             destination {
                 group {
                     port-group DNS_PORT
                 }
             }
             protocol tcp_udp
         }
     }
     name WAN_IN {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
     }
 }
 interfaces {
     ethernet eth0 {
         address 10.10.10.1/24
         duplex auto
         speed auto
     }
     ethernet eth1 {
         address 192.168.1.254/24
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth2 {
         duplex auto
         speed auto
     }
     ethernet eth3 {
         duplex auto
         speed auto
     }
     ethernet eth4 {
         address 10.100.100.1/24
         duplex auto
         poe {
             output off
         }
         speed auto
     }
     loopback lo {
     }
     switch switch0 {
         mtu 1500
         switch-port {
             interface eth2 {
                 vlan {
                     pvid 1
                     vid 10
                     vid 99
                     vid 172
                 }
             }
             interface eth3 {
                 vlan {
                     pvid 10
                 }
             }
             vlan-aware enable
         }
         vif 1 {
             address 10.20.20.1/24
             description "untagged vlan"
             firewall {
                 in {
                     name MGMT_IN
                 }
                 local {
                     name MGMT_LOCAL
                 }
             }
         }
         vif 10 {
             address 10.1.1.254/24
             description "corporate vlan"
             firewall {
                 in {
                     name WAN_IN
                 }
                 local {
                     name WAN_LOCAL
                 }
             }
         }
         vif 99 {
             address 172.16.99.1/24
             description "mgmt vlan"
             firewall {
                 in {
                     name MGMT_IN
                 }
                 local {
                     name MGMT_LOCAL
                 }
             }
         }
         vif 172 {
             address 172.16.0.1/24
             description "guests vlan"
             firewall {
                 in {
                     modify GUESTS
                     name GUESTS_IN
                 }
                 local {
                     name GUESTS_LOCAL
                 }
             }
         }
     }
 }
 protocols {
     static {
         route 0.0.0.0/0 {
             next-hop 10.1.1.1 {
             }
         }
         table 10 {
             route 0.0.0.0/0 {
                 next-hop 192.168.1.1 {
                 }
             }
         }
     }
 }
 service {
     dhcp-server {
         shared-network-name Guests_DHCP {
             authoritative enable
             subnet 172.16.0.0/24 {
                 default-router 172.16.0.1
                 dns-server 172.16.0.1
                 dns-server 8.8.8.8
                 start 172.16.0.2 {
                     stop 172.16.0.254
                 }
             }
         }
         shared-network-name Mgmt_DHCP {
             authoritative enable
             subnet 172.16.99.0/24 {
                 default-router 172.16.99.1
                 dns-server 172.16.99.1
                 dns-server 8.8.8.8
                 start 172.16.99.100 {
                     stop 172.16.99.200
                 }
                 unifi-controller 10.1.1.2
             }
         }
         shared-network-name Untagged_DHCP {
             authoritative enable
             subnet 10.20.20.0/24 {
                 default-router 10.20.20.1
                 dns-server 10.20.20.1
                 start 10.20.20.2 {
                     stop 10.20.20.254
                 }
                 unifi-controller 10.1.1.2
             }
         }
     }
     dns {
         forwarding {
             listen-on eth0
             listen-on switch0.1
             listen-on switch0.172
             listen-on switch0.99
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5010 {
             outbound-interface eth1
             type masquerade
         }
         rule 5020 {
             outbound-interface switch0.10
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     host-name ubnt
     login {
         user ubnt {
             authentication {
                 encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
             }
             level admin
         }
     }
     name-server 8.8.8.8
     name-server 8.8.4.4
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }

 There is switch0.1, untagged on the switch port to which the AP is hooked up; this allows a new AP to be connected, receive an IP address on the untagged VLAN, and reach the controller, and nothing more. Once adopted, the AP's management interface can be moved (AP, Config, Services, drop-down menu, Management VLAN; see image below)

(screenshot: services.JPG)

 

to the management VLAN previously created on the controller (Settings, Network).

(screenshot: untagged.JPG)

For the SSIDs, corporate:

(screenshot: corporate.JPG)

And guests:

(screenshot: guests_ssid.JPG)

There are some firewall rules which allow the guest network to talk to the controller, in case you use the Guest Portal...

Cheers,

jonatha
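Fanghui's question earlier in the thread (does the LOCAL ruleset on the guest VLAN admit DHCP at all?) and the `vid` list on the AP's switch port in the config above are the two things to verify when guests get no lease. What follows is an added example, not code from this thread or from Ubiquiti: a small Python audit that parses `show configuration` text and reports every VLAN on switch0 that the router's own DHCP server serves but that either no switch port carries or whose LOCAL ruleset never accepts udp dport 67 (directly, via a port-group, or through an accept with no port filter). The config string inside it is constructed for the demonstration (VLAN 172 is tagged as 176 on eth2, and a GUEST_LOCAL ruleset admits only DNS); the function and ruleset names are my own.

```python
"""Audit an EdgeOS (EdgeRouter) config: is each DHCP-served VLAN carried on a switch port, and does
its LOCAL firewall ruleset admit DHCP (udp dport 67)? Added example; SAMPLE_CONFIG is constructed."""
import ipaddress

SAMPLE_CONFIG = """\
firewall {
    name GUEST_LOCAL {
        default-action drop
        rule 10 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
    }
}
interfaces {
    switch switch0 {
        switch-port {
            interface eth2 {
                vlan {
                    vid 176
                }
            }
        }
        vif 172 {
            address 172.16.0.1/24
            firewall {
                local {
                    name GUEST_LOCAL
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name Guests {
            subnet 172.16.0.0/24 {
            }
        }
    }
}
"""

def parse(text):  # brace-delimited 'show configuration' text -> nested dicts; leaf lines collect under ''
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = node = {}
            stack.append(node)
        elif line:
            stack[-1].setdefault("", []).append(line)
    return stack[0]

def leaves(node, key):  # values of 'key value' leaf lines, e.g. leaves(vlan, "vid") -> ["176"]
    return [ln.split(None, 1)[1] for ln in node.get("", []) if ln.split()[0] == key]

def children(node, kind):  # (name, subnode) pairs for block keys such as "vif 172" or "rule 10"
    return [(k.split(None, 1)[1], v) for k, v in node.items() if k.startswith(kind + " ")]

def allows_dhcp(ruleset, groups):
    """True if a LOCAL ruleset lets DHCP discover/request (udp dport 67) reach the router."""
    if leaves(ruleset, "default-action") == ["accept"]:
        return True
    port_groups = {n: set(leaves(g, "port")) for n, g in children(groups, "port-group")}
    for _, rule in children(ruleset, "rule"):
        proto = leaves(rule, "protocol")  # no protocol line means any protocol
        if leaves(rule, "action") != ["accept"] or proto not in ([], ["udp"], ["tcp_udp"]):
            continue
        dest = rule.get("destination", {})
        names = leaves(dest.get("group", {}), "port-group")
        ports = set(leaves(dest, "port")).union(*(port_groups.get(n, set()) for n in names))
        if "67" in ports or not (ports or names):  # explicit 67, or no port filter at all
            return True
    return False

def audit(text):
    """Findings for every switch0 VLAN that the router's own DHCP server serves."""
    cfg = parse(text)
    sw = cfg["interfaces"]["switch switch0"]
    carried = {v for _, p in children(sw.get("switch-port", {}), "interface")
               for k in ("pvid", "vid") for v in leaves(p.get("vlan", {}), k)}
    dhcp = cfg.get("service", {}).get("dhcp-server", {})
    served = {ipaddress.ip_network(s) for _, n in children(dhcp, "shared-network-name")
              for s, _ in children(n, "subnet")}
    findings = []
    for vid, vif in children(sw, "vif"):
        addr = leaves(vif, "address")
        if not addr or ipaddress.ip_interface(addr[0]).network not in served:
            continue  # not DHCP-served by this router: nothing to check
        if vid not in carried:
            findings.append(f"vlan {vid}: no switch port carries it (check vid/pvid on the AP port)")
        name = leaves(vif.get("firewall", {}).get("local", {}), "name")
        if name and not allows_dhcp(cfg["firewall"][f"name {name[0]}"], cfg["firewall"].get("group", {})):
            findings.append(f"vlan {vid}: local ruleset {name[0]} drops DHCP (udp/67) to the router")
    return findings
```

Call `audit()` on the real output of `show configuration` in place of the constructed sample; an empty list means both checks pass, and on the sample it reports both faults for VLAN 172. The audit treats an accept rule with no destination port filter as permitting DHCP and ignores source-port matching, so a ruleset it passes can still be tighter than intended elsewhere and deserves a manual read.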

 

 

 

 
