New Member
Posts: 1
Registered: 07-21-2017

Isolate VLANS on USG

I'm looking to configure VLAN isolation using my USG, but I'm not having any luck.

My configuration is quite simple and it's as follows:

IoT Network (corporate) - VLAN 22 (172.17.0.1/24)

Lab Network (corporate) - VLAN 10 (10.0.0.1/24)

I want to drop connections from my IoT Network to my Lab Network. After reading various posts on this site, I've come up with the following firewall configuration:

All in "LAN_IN"

[Screenshot: 2017-08-30 13_48_07-UniFi.png]

The rule also shows up in the CLI when I list the firewall rules for "LAN_IN":

[Screenshot: 2017-08-30 13_53_22-192.168.1.1 - PuTTY.png]

I'm attempting all of this via the Cloud Key controller's GUI interface. The versions for the controller and USG are as follows:

Controller: 5.5.20_9565

USG: 4.3.49.5001150

Even with the rules above, when I'm on the IoT network, I'm still able to ping devices on the Lab network. Looking in the live firewall logs, there are NO 'drop' hits at all. I should add that my Guest networks are isolated from the networks mentioned above, and this works just fine. It seems that corporate-to-corporate network configurations are a bit trickier.

I've read just about all of the posts on this topic, and most of the folks who were able to get this working configured the rules above. Also, from my understanding, later versions of the controller state that I should be able to use the GUI to configure these rules instead of using the CLI. Given that I can see the rule after running the 'show firewall' command, I would think that configuration via the GUI is working.

Is there a step that I'm missing here? Should I do this using the CLI instead?
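For reference, this is what the policy described in the post looks like when written out as a USG `config.gateway.json` fragment, the JSON the controller merges into the gateway's VyOS-style configuration. This is an added example, not the poster's rule set or Ubiquiti's own configuration: the rule numbers 2000 and 2001, the descriptions and the decision to log the drops are assumptions; the two /24 subnets are the ones given above.

```json
{
  "firewall": {
    "name": {
      "LAN_IN": {
        "rule": {
          "2000": {
            "action": "accept",
            "description": "Allow return traffic for sessions started elsewhere (assumed rule number)",
            "state": {
              "established": "enable",
              "related": "enable"
            }
          },
          "2001": {
            "action": "drop",
            "description": "Drop IoT VLAN 22 -> Lab VLAN 10 (assumed rule number)",
            "log": "enable",
            "protocol": "all",
            "source": {
              "address": "172.17.0.0/24"
            },
            "destination": {
              "address": "10.0.0.0/24"
            }
          }
        }
      }
    }
  }
}
```

Two things matter here. LAN_IN is evaluated first-match, so the established/related accept sits ahead of the drop: a Lab host that opens a session to an IoT device still gets its replies, while anything the IoT side initiates toward 10.0.0.0/24 is dropped. Logging is enabled on the drop rule deliberately: if a ping from the IoT VLAN to the Lab VLAN succeeds and the live firewall log still shows no drop entries, the rule is not being hit at all (wrong ruleset, wrong direction or wrong order), which is a different problem from a rule that matches but does not block. The per-rule packet counters in the `show firewall` output mentioned above give the same check from the CLI.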

Regular Member
Posts: 453
Registered: 07-22-2016
Kudos: 185
Solutions: 27

Re: Isolate VLANS on USG

Emerging Member
Posts: 60
Registered: 08-04-2014
Kudos: 17
Solutions: 2

Re: Isolate VLANS on USG

Why not just set the IoT Network as a Guest network?

Then members of that VLAN can't access other VLANs.

And the firewall rules are set automatically.

Member
Posts: 242
Registered: 06-16-2017
Kudos: 113
Solutions: 5

Re: Isolate VLANS on USG

I am just starting my first network config using UniFi. I did not imagine I would be so unimpressed.

What kind of "Secure Gateway" will not allow a "default deny and allow explicitly" scenario for inter-VLAN traffic?

The inter-VLAN traffic policy must be GUI-configurable. All other "solutions" are ugly hacks at best.
