Member
Posts: 108
Registered: ‎12-18-2016
Kudos: 17
Solutions: 2
Accepted Solution

[Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN's?

[ Edited ]

Ubiquiti devices:

a - Unifi USG (Gateway, 192.168.15.1/24, WAN has access to the internet)

b - UniFi Switch 24 POE-250W (192.168.15.2)

c - Unifi Cloud Key (192.168.15.3, only controller is activated and working, without cloud function)

d - UniFi AP-AC-Lite (192.168.15.4)

 

Other devices:

e - Main desktop computer (Kubuntu, 192.168.10.10)

f - Synology RT1900ac (used as Gateway/DHCP-server at the moment, 192.168.0.1/20)

g - Synology DS415+ (NAS, several server options enabled like Surveillance Station, email etc.)

h - Several IP Cams

i - Home Domotica Gateway

j - Several IoT (LAN) for Home Domotica

 

First goal:

I want to have several separate VLANs, with several devices accessible from all VLANs.

 

1 - Main desktop should have access to all.

2 - A separate VLAN for IP-cams, no internet access, only access to the Synology DS415+ NAS and Home Domotica Gateway

3 - A separate VLAN for Home Domotica Gateway, with internet access through Synology RT1900ac, and IP-cams and local IoT.

4 - A separate VLAN for local IoT, no internet access, access to Home Domotica Gateway and Synology DS415+ NAS

5 - All other devices on a local network should have internet access and access to the Synology DS415+ NAS, no access to IP-cams, no access to LAN IoT.

 

At the moment I use the Synology router for DHCP/Gateway. I have to migrate step by step to the UniFi in order to keep my local network working.

 

My first step is to get the IP-cams separate and let them communicate with the Synology DS415+ and Domotica Gateway. The problem is, they are not 'managed' by the Synology router instead of the Unifi USG (yet).

 

Can anyone explain to me how to set this up? I've just started exploring Ubiquiti UniFi/VLANs and did a lot of testing, but I can't seem to get it to work. I'm not an expert, so please be patient with me.

 

Any help will be appreciated!

 

 

Gateways: UniFi Security Gateway 4P / UniFi Security Gateway 3P
Controller: UniFi Cloud Key
Switches: UniFi Switch 24 POE-250W / UniFi Switch 8 POE-150W / UniFi Switch 8 POE-60W
Access Points: UniFi AP-AC-Mesh / UniFi AP-AC-Mesh-Pro

Accepted Solutions
Regular Member
Posts: 550
Registered: ‎06-26-2016
Kudos: 206
Solutions: 16

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

[ Edited ]

All of this is possible, and probably the hardest part will be the firewall rules.  I think you'll be happier long term having the DHCP handled by the USG.

 

You don't want offsite/cloud access so just turn that off in the controller.

 

Create your networks as corporate, decide if USG will manage DHCP. I have a similar setup with IOT, computers, Security for my cameras, here are a couple of screen shots. By default all traffic (VLAN-to-VLAN and VLAN-to-Internet) is allowed. This will segregate your traffic.

 

Setup your switch ports for the VLAN of the connected devices.

 

Restrict traffic.  Create address groups for networks to restrict.  Create the rule.  Here are examples from my inter-VLAN rules.  On the internet side (for your cameras) you can probably just create a Deny rule on the WAN_IN, but I haven't done that.

 

[Screenshots: setup_networks, enable_DHCP, cloud-access, deny_vlan_traffic, deny_vlan_traffic_details, address_group]

 

 

 

 

 



All Replies

Emerging Member
Posts: 83
Registered: ‎10-19-2015
Kudos: 67
Solutions: 2

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

To my knowledge:
Blocking inter-VLAN communication can be done using rules as stated above. However, allowing traffic from, say, VLAN10 to VLAN20 but not allowing the other way around (VLAN20 to VLAN10) is not possible. I have asked support about this via chat. I wanted my management VLAN to access all VLANs, but no VLANs should access the management VLAN, basically the same FW rule in reverse. This was not possible, they told me.

Sounds to me that this is what the OP wants, so I would hold on if that is a requirement.

Or maybe @UBNT-cmb can chime in.

Br
Regular Member
Posts: 550
Registered: ‎06-26-2016
Kudos: 206
Solutions: 16

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

[ Edited ]

I'm pretty sure it is, though I haven't proved it to myself. You have LAN_IN and LAN_OUT rules, and you have "New" and "Established" as filters, so coming back you could allow Established, and only allow New on the IN side.

 

 

[Screenshot: allow_established]

 

Emerging Member
Posts: 83
Registered: ‎10-19-2015
Kudos: 67
Solutions: 2

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

Have you tried this?
Could you please elaborate / provide more info how this could be done?

Regular Member
Posts: 550
Registered: ‎06-26-2016
Kudos: 206
Solutions: 16

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

No, I think I mentioned that I hadn't, and I can't think of a really good use case to test it with.  Do you have one?  What I would recommend you do is this.  Say VLAN60 is your IOT and VLAN10 is your computers, and you don't want 60 to be able to initiate with 10, but you do want 10 to be able to talk to 60, create two rules.

 

  • Create a Secure VLAN group under Firewalls, include 10 and whatever other VLANS you don't want 60 to talk to.
  • LAN_IN on 60, create a DENY rule for New and INVALID packets (don't deny sessions established externally)
  • (may or may not be needed, I'm not sure) LAN_IN on 60, create an ALLOW rule for ESTABLISHED
  • create an ALLOW rule for Secure nets to 60 for NEW and ESTABLISHED

Maybe I'll startup a web or FTP server on my IOT net and play with these rules, but I think if you start playing with it you'll figure it out.

[Screenshots: Secure VLANs, Deny 60 to Secure2, ALLOW Secure to 602]

Regular Member
Posts: 550
Registered: ‎06-26-2016
Kudos: 206
Solutions: 16

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

[ Edited ]

So, yes, I just tested this, and I believe it's working properly. I only created one rule, but I basically did what I outlined above: I created a new Network (Corporate) with a 192.168.88.1/24 address with DHCP enabled, VLAN 88, and then created a LAN_IN rule that drops any but ESTABLISHED packets to the Secure_NETS group that I showed in the screenshot above (any local networks), and added a port on my switch as a native access port for this VLAN and connected a laptop to that port.

 

This new VLAN88 test network can connect to the gateway and Internet, but not ping local networks, but my secure networks can ping it and connect to an FTP server on the VLAN88 client using its local 192.168.88.2 address.

 

[Screenshots: VLAN_10_FTP_CONNECT, VLAN_88, VLAN10_Ping, VLAN88_rule]
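The rule set outlined a few posts up (drop NEW/INVALID from the IoT VLAN toward the Secure_NETS group, let ESTABLISHED through, default accept) and the VLAN 88 test above both rely on the gateway's connection tracking. This added example, not code from the thread or from Ubiquiti, models that LAN_IN evaluation in Python so the one-way behaviour can be checked packet by packet; the address groups, hosts and ports are constructed, and the VLAN 88 network and Secure_NETS group name follow the thread.

```python
import ipaddress

# Constructed sample address groups: the thread's Secure_NETS group and the VLAN 88 test net.
SECURE_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.15.0/24")]
IOT_NET = [ipaddress.ip_network("192.168.88.0/24")]

def in_group(ip, group):
    """True if ip falls inside any network of an address group."""
    return any(ipaddress.ip_address(ip) in net for net in group)

# The single LAN_IN rule from the thread: drop NEW/INVALID from IoT to Secure_NETS.
# LAN_IN's default policy is accept, so everything else (replies, Internet) passes.
LAN_IN_RULES = [
    {"action": "drop", "states": {"new", "invalid"}, "src": IOT_NET, "dst": SECURE_NETS},
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # 4-tuples of flows that were accepted as NEW

    def _state(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.conntrack or rev in self.conntrack:
            return "established"
        return "new" if p["syn"] else "invalid"  # mid-stream packet nobody tracked

    def lan_in(self, p):
        """Verdict for a packet entering the gateway from any LAN VLAN."""
        state = self._state(p)
        verdict = "accept"
        for r in self.rules:
            if state in r["states"] and in_group(p["src"], r["src"]) and in_group(p["dst"], r["dst"]):
                verdict = r["action"]
                break
        if verdict == "accept" and state == "new":
            self.conntrack.add((p["src"], p["sport"], p["dst"], p["dport"]))
        return verdict, state

def pkt(src, sport, dst, dport, syn=True):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}

def demo():
    fw = StatefulFirewall(LAN_IN_RULES)
    r = {}
    r["secure_to_iot"] = fw.lan_in(pkt("192.168.10.10", 40000, "192.168.88.2", 21))        # FTP from VLAN 10: NEW, accepted
    r["iot_reply"] = fw.lan_in(pkt("192.168.88.2", 21, "192.168.10.10", 40000, syn=False))  # reply is ESTABLISHED
    r["iot_to_secure"] = fw.lan_in(pkt("192.168.88.5", 50000, "192.168.10.10", 22))         # IoT initiates: NEW, dropped
    r["iot_invalid"] = fw.lan_in(pkt("192.168.88.5", 50001, "192.168.10.10", 22, syn=False))  # untracked: INVALID
    r["iot_to_internet"] = fw.lan_in(pkt("192.168.88.5", 50002, "203.0.113.10", 443))        # unaffected by the rule
    return r
```

Running `demo()` shows why the order matters: the reply from VLAN 88 is classified ESTABLISHED only because the VLAN 10 SYN was accepted and tracked first.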

Member
Posts: 108
Registered: ‎12-18-2016
Kudos: 17
Solutions: 2

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

Thank you guys. I got it working for the most part!

 

Gateways: UniFi Security Gateway 4P / UniFi Security Gateway 3P
Controller: UniFi Cloud Key
Switches: UniFi Switch 24 POE-250W / UniFi Switch 8 POE-150W / UniFi Switch 8 POE-60W
Access Points: UniFi AP-AC-Mesh / UniFi AP-AC-Mesh-Pro
Emerging Member
Posts: 83
Registered: ‎10-19-2015
Kudos: 67
Solutions: 2

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

Nice, that worked for me.

You solved what UniFi support could not and said was not possible.

Big thanks

@bferrell

New Member
Posts: 1
Registered: ‎03-11-2017

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

[ Edited ]

Hello,

I need some help, tried the Live Chat but they are saying it is not possible.
What I need is:

 

1. VLAN10 for USERS (33.40.33.1/24)

2. MANAGEMENT (192.168.1.1/24) - built-in


VLAN10 can't access MANAGEMENT at ALL, but is able to use the internet
MANAGEMENT has access to ALL VLANs, including VLAN10

 

Working so far:

VLAN10 can't access MANAGEMENT at ALL, but is able to use the internet

Not working:
MANAGEMENT doesn't have access to VLAN10 at all, have tried everything

 

 

 

Can't figure out why it's not working, tried parts of the thread, no luck

Member
Posts: 112
Registered: ‎05-09-2017
Kudos: 11
Solutions: 2

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

+1 I am struggling with this as well. I have tried making an "allow" rule for my network to talk to the other, but I have not been able to get this working.
Emerging Member
Posts: 67
Registered: ‎03-08-2017
Kudos: 15
Solutions: 1

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

+1 Same, I only want One Way Communication part.
New Member
Posts: 6
Registered: ‎07-07-2017

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

[ Edited ]

I am also having the same issue.

 

1) Initial Network, Corp, default VLAN 1

2) New IOT Network Corp, VLAN 10

3) Both VLANs DHCP

4) I can ping IOT VLAN 10 Gateway address X.X.X.1 from any host on Initial Network VLAN 1

5) I CANNOT ping ANY other host on IOT VLAN 10 from any host on Initial Network VLAN 1

6) I have literally deleted every LAN IN FW rule, and same result, cannot ping

7) I have set up explicit accept rules between VLAN 1 hosts and VLAN 10 hosts, and same result, cannot ping

 

I'm pulling my hair out here, does anyone know a way to see why this traffic is being denied? Is there some log I can get to within the CLI?

 

Thanks

New Member
Posts: 26
Registered: ‎07-19-2016
Kudos: 5
Solutions: 1

Re: [Help Needed] Setup several different VLAN's with access to certain devices allowed to all VLAN'

jnarva - you get that figured out? Same here.
