New Member
Posts: 3
Registered: ‎07-14-2018

LAN 2 and VLAN mystery

Hi everyone,


I am trying to set something up that sounds simple, but I keep hitting a dead end, so thought I seek some help.


UniFi-1.jpg


LAN 1 on the USG goes to a Unifi Switch

LAN 2 on the USG goes to a non-smart switch where my IOT devices reside


Due to the separate networks, my WD TV Live is unable to "see" my Synology (bittenbak, connected to LAN 1). It relies on discovery of the NFS share; I cannot enter the IP address for it, which is a bit of a pita.


My Synology has two network interfaces, so I thought I would dedicate one interface to the IOT network and use the firewall on the Synology to only allow NFS traffic from the WD TV and drop everything else. Pretty safe right?


All my attempts however fail.

  • I am unable to make the LAN 2 network also show up across the LAN 1 interface where the Synology is connected.
  • I figured I could solve this with VLANs and port profiles, but as soon as I apply a VLAN to LAN 2 it will no longer show up in the topology view. All clients are blocked off from everything (don't know why that is).

I would love to know why LAN 2 effectively gets 100% isolated (even from the USG itself it seems) when I add a VLAN to the LAN 2 network.


I realized that having the devices on separate networks is the real issue, as this is a broadcast domain and discovery would never work. Firewall rules do not solve this either.


How would you advise setting up a safe IOT network if one or two devices do need to communicate with your private network?
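As an added illustration of the allow-list the poster has in mind for the Synology's IoT-facing interface (NFS from the WD TV Live only, everything else from the IoT segment dropped), and of why no such rule can fix discovery across subnets, here is a small Python model. It is not code from the thread or from Synology; every address, subnet and VLAN value in it is constructed for the example, and the rule evaluation is a generic first-match model rather than the Synology firewall's own engine.

```python
"""Added model of the Synology-side allow-list described in the post:
NFS from the WD TV Live only, everything else from the IoT segment dropped.
All addresses below are constructed for illustration, not from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_NET = "192.168.20.0/24"          # constructed: LAN2 / IoT subnet
WD_TV = "192.168.20.10"              # constructed: WD TV Live
SYNO_IOT_IF = "192.168.20.2"         # constructed: Synology's second NIC, IoT side
NFS_PORTS = frozenset({2049, 111})   # nfsd and rpcbind; NFSv3 mounts need both


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # CIDR or single address
    dst: str
    protos: frozenset      # empty set means any protocol
    dports: frozenset      # empty set means any destination port
    comment: str

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (not self.protos or p.proto in self.protos)
            and (not self.dports or p.dport in self.dports)
        )


# First match wins; anything unmatched on the IoT-facing interface is dropped.
IOT_IFACE_RULES = [
    Rule("accept", WD_TV, SYNO_IOT_IF, frozenset({"tcp", "udp"}), NFS_PORTS,
         "WD TV Live may reach NFS only"),
    Rule("drop", IOT_NET, "0.0.0.0/0", frozenset(), frozenset(),
         "everything else from the IoT segment is dropped"),
]


def evaluate(rules, pkt: Packet):
    """Return (action, comment) of the first matching rule, or the implicit default drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "drop", "implicit default drop"


def crosses_router(pkt: Packet) -> bool:
    """Discovery traffic sent to the link-local multicast block 224.0.0.0/24
    (mDNS uses 224.0.0.251) is never forwarded between subnets, so no firewall
    rule can make a device in LAN2 'see' a share announced in LAN1."""
    return ip_address(pkt.dst) not in ip_network("224.0.0.0/24")


if __name__ == "__main__":
    samples = [
        Packet(WD_TV, SYNO_IOT_IF, "tcp", 2049),              # NFS mount from the WD TV
        Packet(WD_TV, SYNO_IOT_IF, "tcp", 22),                # SSH from the WD TV
        Packet("192.168.20.50", SYNO_IOT_IF, "tcp", 2049),    # NFS from another IoT host
        Packet("192.168.20.50", "224.0.0.251", "udp", 5353),  # mDNS query
    ]
    for p in samples:
        print(p, "->", evaluate(IOT_IFACE_RULES, p), "routed:", crosses_router(p))
```

The model separates the two questions in the post: `evaluate` shows that a host-based allow-list does limit what the IoT segment can reach on the NAS, while `crosses_router` shows that discovery traffic is stopped one hop earlier, by the subnet boundary, so firewall rules on either side cannot bring the share back into view.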


Regular Member
Posts: 394
Registered: ‎08-07-2016
Kudos: 201
Solutions: 27

Re: LAN 2 and VLAN mystery

Is Enable Multicast DNS enabled?

New Member
Posts: 3
Registered: ‎07-14-2018

Re: LAN 2 and VLAN mystery

Yes, that is enabled

New Member
Posts: 7
Registered: ‎10-02-2018
Kudos: 1

Re: LAN 2 and VLAN mystery

There was a thread about this a few weeks ago. The first LAN on LAN 1 and LAN 2 cannot be a VLAN.

Regular Member
Posts: 394
Registered: ‎08-07-2016
Kudos: 201
Solutions: 27

Re: LAN 2 and VLAN mystery

The USG is not a switch. By all means LAN2 should be a dead port without VLANs assigned to it. But they (Ubnt) hacked it to work. Sounds like you need to get off depending on untagged LAN2.


  1. Make sure you have an IoT network defined in the controller instead of depending on the magical default LAN2 config.
  2. Connect LAN2 into a spare port on “Meterkast Switch”. USG is not a switch so it will not create a loop. Make sure that port is set to “All” profile.
  3. Assign a VLAN to the IoT network and assign it to LAN2.
  4. Configure another port on Meterkast Switch as untagged <VLAN of IoT>. This port is now configured to act like the old LAN2 but with VLANs behind it.
  5. Plug IoT non-smart switch into that port.

If all goes well this should act exactly the same as your current configuration. But LAN2 is now using VLANs. Though you need 2 spare ports on your switch and it is only 99% isolated. The VLANs will securely keep the IoT separate but they will share the same switch.
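To make the mechanics of steps 2 to 5 concrete, here is an added Python model of how the two switch ports handle 802.1Q tags: the port facing LAN2 is a trunk (the “All” profile) that carries the IoT VLAN tagged, and the port facing the non-smart IoT switch is an untagged access port in that VLAN. This is illustration code written for this reply, not UniFi's or the switch's own logic; the port names, the VLAN number 20, the native VLAN 1 and the sample frame are all constructed assumptions.

```python
"""Added model of the 802.1Q handling behind the steps above: a trunk port
("All" profile) towards the USG's LAN2 and an untagged access port towards
the dumb IoT switch. Port names, VLAN numbers and the frame are constructed."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1              # untagged frames on a trunk belong to this VLAN (assumption)


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q header between the MAC addresses and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id          # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, untagged frame); vlan_id is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Port:
    """mode 'trunk' = the "All" profile; mode 'access' = untagged in one VLAN."""

    def __init__(self, name, mode, vlan=None, allowed=None):
        self.name, self.mode = name, mode
        self.vlan = vlan                          # access port's VLAN (its PVID)
        self.allowed = set(allowed or ())         # trunk's permitted VLANs

    def ingress(self, wire_frame: bytes):
        """Classify a received frame into a VLAN; (vlan_id, untagged frame) or None."""
        vid, plain = untag_frame(wire_frame)
        if self.mode == "access":
            return (self.vlan, plain) if vid is None else None   # access ports refuse tags
        vid = NATIVE_VLAN if vid is None else vid
        return (vid, plain) if vid in self.allowed else None

    def egress(self, vlan_id: int, plain: bytes):
        """Frame to put on the wire for a VLAN, or None if this port is not in it."""
        if self.mode == "access":
            return plain if vlan_id == self.vlan else None
        if vlan_id not in self.allowed:
            return None
        return plain if vlan_id == NATIVE_VLAN else tag_frame(plain, vlan_id)


IOT_VLAN = 20   # constructed
LAN2_UPLINK = Port("port to USG LAN2", "trunk", allowed={NATIVE_VLAN, IOT_VLAN})  # step 2
IOT_ACCESS = Port("port to IoT dumb switch", "access", vlan=IOT_VLAN)             # step 4
LAN1_ACCESS = Port("port to a LAN1 client", "access", vlan=NATIVE_VLAN)

# Constructed frame: broadcast dst MAC, a src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002")
                + b"\x08\x00" + b"iot-discovery")


def forward(in_port: Port, wire_frame: bytes, out_ports):
    """Switch one frame: classify on ingress, then build each other port's egress frame."""
    classified = in_port.ingress(wire_frame)
    if classified is None:
        return {}
    vid, plain = classified
    return {p.name: p.egress(vid, plain) for p in out_ports if p is not in_port}


if __name__ == "__main__":
    out = forward(IOT_ACCESS, SAMPLE_FRAME, [LAN2_UPLINK, LAN1_ACCESS])
    for name, frame in out.items():
        print(name, "->", frame.hex() if frame else "not forwarded")
```

Running the sample frame in from the IoT access port shows the two properties the reply relies on: it leaves the trunk towards LAN2 carrying tag 20 (so the USG's IoT network sees it), and it is never placed on a LAN1 access port, which is the isolation the poster asked about. The return path from the trunk lands only on the IoT access port, with the tag stripped, so the non-smart switch behind it never sees a tag.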

New Member
Posts: 3
Registered: ‎07-14-2018

Re: LAN 2 and VLAN mystery

Thanks all,


Thanks @dlow

As I didn't have the space on my switch, I changed the network to go over LAN1, obviously put firewall rules in place to sort out 


Would there be any (security) advantage to doing this over a separate Router port? I just thought to use LAN 2 as I am low on switch ports.

The USG already routes between the different network segments where needed, so I don't think I will reduce load with a separate switch and using LAN 2, correct?
