New Member
Posts: 7
Registered: ‎04-24-2019

Help with VLANs

Hello everyone,

 

Relative unifi newbie looking for some help; decidedly I am not getting something about VLANs…

 

My use case is simple segregation of certain devices (IoT and IPTV set-top boxes) from the rest of the trusted devices. I’ve learned that to achieve this I will need more than just VLANs, like having them on different subnets, and firewall rules, but I’m building up to this by trying to grasp some of the basics first.

 

My topology is an ISP-provided router (technically it’s a combination DSL modem + router + WAP + switch (assumed a dumb switch)). I have it connected to Port 1 of a Switch-24, which in turn has on its port 2 a feed to a Switch-8 (on Port 1 of the US8). Clients are fed off the US24 and US8, and an AC-Lite that’s on the US8. The controller is a Windows 10 PC fed off the US24.

 

And, just as a sidenote, I have a USG, but it’s not currently being used, since I’m trying to get the basic VLAN functionality figured out first.

 

With my ports set to “All”, everything works fine, and all devices on the network are being assigned IPs by the router. The trouble is, as soon as I tag any single port on the US8 to a VLAN-only network (let’s call it VLAN6, on Port 5), that device loses connectivity, the router no longer sees it, and it doesn’t get an IP address.

 

This happens whether my “trunks” (ports 1 and 2 on US24, and port 1 on US8) are configured for “All” or whether I try a custom profile where I check both the default LAN and VLAN6. For instance, I created a “Master trunk” profile that includes the default LAN and VLAN6, and assigned it to uplink and downlink ports on the switches, plus the feed port (connected to the ISP router) on the US24.

 

I can’t figure out why the ISP router doesn’t see it and assign an IP. A typical router should be VLAN-oblivious, and since the trunk ports all include VLAN6, I don’t understand why I can’t get traffic to/from the device on that port. By connecting a Windows PC and running ipconfig, I confirmed that devices on that Port 5 basically don’t see the router and are simply self-assigning an IP in the 169.x.x.x range. Also, on the router’s splash page, I can confirm that the device isn’t being seen either. Curiously though, my controller on the US24 does recognize and identify it, as a device with no IP address.

 

What am I missing?

 

Thanks

Hresna


Accepted Solutions
Emerging Member
Posts: 94
Registered: ‎12-21-2016
Kudos: 20
Solutions: 9

Re: Help with VLANs

Your 2 switches (assuming they are Unifi products), are level 2 network devices. You need a level 3 device to route VLAN traffic. This is a function normally handled by the router on a typical 'router on a stick' configuration. It does not appear that your ISP provided router is providing the DHCP and DNS services needed in this case. If you replace the ISP router with the USG and configure it correctly, you will have working VLANs.

ER 4, USG, US-16 150W, US-8, US-8 PoE 60W, US-AP-AC Pro, US-AP-AC Lite, US-AP M, US-AP LR, US-AP-IW, NanoHD, UCK, UCK G2+



All Replies
New Member
Posts: 7
Registered: ‎04-24-2019

Re: Help with VLANs

Thanks for the response novadog.

To be clear, I'm not trying to get connectivity between the VLAN and other devices on the network, just give the VLAN6 device connectivity to the internet.

I thought that the ISP router should be "oblivious" to the VLANs configured in the switches and treat the VLAN6 device as a piece of kit wired to it on a different port of its own switch [basically allowing me to use the single run between the two switches to carry the ISP's IPTV traffic, and later insert the USG for all "trusted" traffic] but if the VLAN tag is making my ISP router not see the device at all, that won't work.

I was hoping to configure it so it was basically like I had separate cable runs throughout the building for the ISP router and the USG when I insert it, but I guess I can't use VLANs to do that.

Emerging Member
Posts: 43
Registered: ‎12-05-2017
Kudos: 4
Solutions: 2

Re: Help with VLANs

Your router needs to be VLAN aware otherwise this won't work without a L3 switch as mentioned above.

Member
Posts: 721
Registered: ‎11-21-2018
Kudos: 172
Solutions: 34

Re: Help with VLANs

Check to see if your ISP can place their modem in bridge mode, then connect the USG between it and your switches.

 

Determine how your ISP is delivering your public IP address; DHCP or Static, and apply those settings to your USG WAN interface.

https://help.ubnt.com/hc/en-us/articles/236281367-UniFi-USG-How-to-Adopt-a-USG-into-an-Existing-Netw...

 

The USG will give you support for 802.1q router sub-interfaces for each VLAN subnet and allow each VLAN to be configured for internet access, (or not), and inter-Vlan routing, (or not).

 

Read the doc below to make sure you understand how deploying each different network type will affect VLAN use.

https://help.ubnt.com/hc/en-us/articles/115008206708-UniFi-Network-Types

 

Eric
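
Added example, not from this thread and not Ubiquiti code: a small Python model of what the posts above describe. A Layer 2 switch classifies frames into VLANs by port (untagged traffic goes to the port's native VLAN, tagged traffic is only accepted where that VLAN is allowed) and re-tags on egress; a VLAN-unaware router receives VLAN 6 frames with EtherType 0x8100 and drops them, so the host on Port 5 never gets a DHCP offer; a router with 802.1Q sub-interfaces answers on the sub-interface matching the tag. Port numbers, MAC addresses, the DHCP placeholder payloads and the address pools are constructed for the example.

```python
import struct

ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame; when vlan is given, a 4-byte 802.1Q tag (PCP/DEI 0) is inserted."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


class Switch:
    """Layer 2 only: each port is (native_vlan, tagged_vlans); learning and flooding are per VLAN."""

    def __init__(self, ports):
        self.ports = ports
        self.fdb = {}  # (vlan, mac) -> port

    def ingress(self, port, frame):
        """Classify the frame into a VLAN and return [(egress_port, frame_as_transmitted)]."""
        native, tagged = self.ports[port]
        dst, src, vlan, etype, payload = parse_frame(frame)
        if vlan is None:
            vlan = native            # untagged frames belong to the port's native VLAN
        elif vlan not in tagged:
            return []                # tag not permitted on this port: dropped
        if vlan is None:
            return []
        self.fdb[(vlan, src)] = port
        if (vlan, dst) in self.fdb:
            targets = [self.fdb[(vlan, dst)]]
        else:
            targets = list(self.ports)   # unknown unicast or broadcast: flood within the VLAN
        out = []
        for p in targets:
            if p == port:
                continue
            p_native, p_tagged = self.ports[p]
            if vlan == p_native:
                out.append((p, build_frame(dst, src, etype, payload)))        # egress untagged
            elif vlan in p_tagged:
                out.append((p, build_frame(dst, src, etype, payload, vlan)))  # egress tagged
            # a port that is neither native nor tagged for this VLAN gets nothing
        return out


ROUTER_MAC = b"\x00\x00\x5e\x00\x01\x01"   # constructed


class VlanUnawareRouter:
    """ISP box: 0x8100 is an unknown EtherType, so tagged frames never reach its IP stack."""

    def receive(self, frame):
        dst, src, vlan, etype, payload = parse_frame(frame)
        if vlan is not None or etype != ETH_P_IP or payload != b"DHCPDISCOVER":
            return None
        return build_frame(src, ROUTER_MAC, ETH_P_IP, b"DHCPOFFER 192.168.1.50")


class VlanAwareRouter:
    """Router on a stick: one 802.1Q sub-interface per VLAN, each with its own (constructed) pool."""
    pools = {None: b"192.168.1.50", 6: b"192.168.6.50"}

    def receive(self, frame):
        dst, src, vlan, etype, payload = parse_frame(frame)
        if vlan not in self.pools or etype != ETH_P_IP or payload != b"DHCPDISCOVER":
            return None
        # the reply leaves on the same sub-interface, i.e. with the same tag (or none)
        return build_frame(src, ROUTER_MAC, ETH_P_IP, b"DHCPOFFER " + self.pools[vlan], vlan)


def make_switch():
    """The US8 from the thread, reduced to three ports (constructed)."""
    return Switch({
        1: (1, {6}),     # uplink towards the router: default LAN untagged, VLAN 6 tagged
        3: (1, set()),   # a trusted PC on the default LAN
        5: (6, set()),   # the IoT device on the VLAN-only network 6
    })


def dhcp_from_port(router, port):
    """A host on `port` broadcasts a DHCP discover; return the offer payload it gets back, or None."""
    sw = make_switch()
    host = bytes([0x02, 0, 0, 0, 0, port])          # constructed locally administered MAC
    discover = build_frame(BROADCAST, host, ETH_P_IP, b"DHCPDISCOVER")
    for egress, frame in sw.ingress(port, discover):
        if egress != 1:
            continue                                 # only the uplink reaches the router
        reply = router.receive(frame)
        if reply is None:
            return None
        for p, f in sw.ingress(1, reply):
            if p == port:
                return parse_frame(f)[4]             # the host always sees it untagged
    return None


if __name__ == "__main__":
    for name, r in (("VLAN-unaware router", VlanUnawareRouter()), ("802.1Q-aware router", VlanAwareRouter())):
        print(name, "| port 3:", dhcp_from_port(r, 3), "| port 5:", dhcp_from_port(r, 5))
```

Running it shows the symptom from the first post: with the VLAN-unaware router the host on Port 3 (default LAN) is offered an address and the host on Port 5 (VLAN 6) gets nothing, while the router with sub-interfaces answers both from separate pools. The model also shows the segregation working at Layer 2 regardless of the router: the Port 5 broadcast is never delivered to Port 3, because Port 3 is not a member of VLAN 6.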

New Member
Posts: 7
Registered: ‎04-24-2019

Re: Help with VLANs

Thanks Eric (@lcire1),

That's kinda where I am going with the setup. Most people trying this have FTTH or FTTN access so they can bypass the ISP's device entirely, but I am slaved to the DSL modem. The one issue the FTTx people seem to run into is that the feed from the ISP comes pre-configured (tagged?) on VLANs 35 (internet) and 36 (IPTV). Both are needed for the STBs to work properly. I was trying to trunk that stuff off the ISP's switch portion, through my unifi switches, to the STBs... but there might be something going on in the black box that the tagging disappears at that switch, and since I can't access the feed of the DSL modem, I'm a bit stuck there and will have to play around with it.

I know I'm in for several hours of fussing once I get the USG in there to try and set up the right config and put the ISP's device into bridge properly so I'm not getting double DHCP or NAT, while preserving the functionality for the STBs.

Emerging Member
Posts: 43
Registered: ‎12-05-2017
Kudos: 4
Solutions: 2

Re: Help with VLANs

What speed is your broadband? You may be disappointed by the USG performance depending on which model you have.

Member
Posts: 1,019
Registered: ‎02-03-2019
Kudos: 298
Solutions: 47

Re: Help with VLANs

I don’t know why many are so afraid of double NAT?

Besides some usecases it will mostly work without problems and at least for starters you could hook up the USG between your ISP-Router and your internal network. Put ISP-LAN to USG-WAN and USG-LAN to a switch. Happy VLAN playground!

New Member
Posts: 7
Registered: ‎04-24-2019

Re: Help with VLANs

Thanks everyone for the helpful feedback. If nothing else it renews my confidence in my choice of equipment family that this forum is well staffed with knowledgeable, helpful people.

 

I guess I'll just have to put the USG in the mix and start breaking connectivity for a while before I have it working the way I envisioned. It's a bit of a drag that I need the USG for the VLANs to work, but the network isn't so big as to cause too much bottlenecking I don't think. And the WAN connection is only 50/10 (it is pair-bonded DSL after all).

 

Though, it does seem to fly in the face of everything I thought I understood about VLANs from non-Ubiquiti/Unifi literature: that they are a switch-specific function, and can be used to make a large switch behave as separate switches in big networks for segregation, while the devices on either end are none the wiser that they are sharing physical topology with other network segments. And maybe some of that is being obfuscated in the Unifi GUI where the tagged/untagged settings live, but in any case, I will figure it out eventually.

 

The interim step for me will definitely be to have the USG off the ISP's router in a "two routers" situation, with the STBs likely fed off the ISP one in some way, because they are fussy. If I can find a way to do it with only one trunk breaching the floors of the building, that would be ideal.

Established Member
Posts: 814
Registered: ‎12-05-2016
Kudos: 263
Solutions: 82

Re: Help with VLANs


@Hresna wrote:

Though, it does seem to fly in the face of everything I thought I understood about VLANs from non-Ubiquiti/Unifi literature: that they are a switch-specific function, and can be used to make a large switch behave as separate switches in big networks for segregation, while the devices on either end are none the wiser that they are sharing physical topology with other network segments. And maybe some of that is being obfuscated in the Unifi GUI where the tagged/untagged settings live, but in any case, I will figure it out eventually.


You're not "wrong" in this understanding, as "dumb" devices certainly work with VLAN-aware devices. There are limitations (VLAN traffic cannot pass through a non-VLAN-aware device, as an example), but what I think your VLAN understanding is missing is that each VLAN needs a Layer 3 exit/entrance device, usually a router. The USG fits the bill in the UniFi lineup, as all of the current switches are Layer 2 only.

Cain Tech Solutions | Hosted UniFi/UNMS | Other Services | Serving Eastern NC and more!

New Member
Posts: 7
Registered: ‎04-24-2019

Re: Help with VLANs

Just following up for posterity.

I have it all working now - once the USG was inserted to the topology, VLAN traffic started to flow just fine. I have the ISP's router segregated on its own VLAN with the two set-top-boxes, and it is allowing passthrough PPPoE to the USG for a separate WAN IP fed to the rest of the devices.

This somehow suggests to me that packets between the ISP's devices are still flowing through the USG for the ingress/egress of their VLAN, but the segregation I was going for appears to function, as the ISP router doesn't "see" the rest of the network and can't ping any of its devices.

Thanks again to everyone that helped out.