07-12-2018 07:25 PM
Quite some time ago I set up a group of unifi UAP-LRs with 2 SSIDs
a private SSID with key. They would get a 192.168.1.0 IP address
public SSID with guest portal, they would get 192.168.2.0 IP address
The controller is running on AWS
The router is a Cisco RV-110 (several years old, like the access points).
I muddied through getting the wifi / router working to do that - setting up 3 VLANs
1 for the private employee network 192.168.1.0
1 for the public 192.168.2.0
1 for the devices 192.168.3.0
There's 2 cables coming out of the RV110 - on LAN port 1, that cable goes to an unmanaged switch for the private network
Another cable, on LAN port 2 goes to another unmanaged switch that the Unifi's connect to.
The RV110 died.
What's the best / right device to use as the replacement router? Unifi Security Gateway?
Again, I want to keep the private network (server, company printers, etc) from prying eyes on the public network. I guess that's the goal. What would you recommend?
07-12-2018 08:17 PM
Sounds like you've got the guest control and guest VLAN set up correctly already.
I'd happily recommend a USG or USG pro4 depending on how many clients they're looking to service.
Then set up your 3 Networks in the controller and you'll be done.
07-13-2018 06:17 AM
Thanks! using USG with unifi access points - are the concepts for guest / private networks any different than the cisco low end RV-110? Still VLAN numbering?
And as I was describing - coming off the router I am using 2 of the 4 LAN ports. 1 is private traffic only (wired desktops) and the other is the Wireless devices where the UAPs are tagging the data depending on the SSID the client devices are using.
I'd want? need? to use the LAN1 and LAN2 ports on the USG for that same arrangement? LAN1 would be private only and LAN2 would be the wireless devices with both public and private traffic?
I didn't mention also, we have 7 UAPs - older units that don't take the 802 PoE protocol. We have 7 injectors in the computer room. Is there a cleaner way to deal with the older UAPs with capability to migrate to newer AC-Lites down the road and how many more UAPs could we support? The private LAN has 14 wired devices.
07-13-2018 07:18 AM
Yes, still just number your VLANs, just make sure they match between your network and wireless settings.
I'd just VLAN the whole lot out of the one LAN port, saves a cable and I believe VLANs are more flexible, especially for remote service and support.
Ubiquiti sell little dongles that change it from 802.3af to 24v passive, they’ll tidy up your rack and free up some power points.
07-13-2018 08:01 AM
Use 1 LAN cable?
That's where things for me get confusing.
Port 1 of the router, connected to the unmanaged switch and the wired devices for the office, is set up to treat all traffic as the private VLAN (call that vlan Y)
Port 2 of the router, connected to an unmanaged switch with the unifi units connected to that, sees traffic that is already tagged from the unifi devices (the unifi tags the traffic using the public network as VLAN X and traffic using the private SSID as VLAN Y).
Without a dedicated port for the wired devices and an unmanaged switch, how do you get the private data from the wired devices tagged as a VLAN?
Is that why you'd use a managed switch? The wired devices would be connected to ports that are set to tag the traffic as VLAN Y?
The USG, using 1 port, needs all data tagged with a vlan to know what to do with it?
I've thought about this and thought that saying 'untagged data belongs on the secure VLAN' is a security issue - secure data should be tagged? But I guess my way with the unmanaged switch, all that wired data is untagged?
sorry for my ignorance <g>
07-13-2018 08:22 AM
You would need a Unifi managed switch to do what you are talking about.
But, get this... the Unifi access points have the ability to segregate off guest network traffic without VLANs or a managed switch or USG...
07-13-2018 08:31 AM
Managed switch OR 2 ports on the USG would accomplish the same thing? Like I was using 2 ports on the RV-110?
And the unifis being able to segregate, that keeps them from accessing services of the other machines, but can still ping them / see them on the same network, right? Everyone is on the same IP subnet, but guests can't talk to the other devices. It works, but riskier than VLANs, right? There's the potential that the unifi's blocking capability could break or stop working?
07-13-2018 08:33 AM
Correct, same network.
Anything has the potential to break. VLANs have the potential to break, too. If you are worried about something breaking, segregate the guest network onto their own physical network.
07-13-2018 08:37 AM
Thanks. yeah, vlans are software separation also.
So what are your thoughts on VLANs vs. the unifi 'way' to keep guests from the private network?
07-13-2018 08:50 AM
I ran them without VLANs for a while, but I have VLANs now mainly just to keep in practice. I moved out of operations into InfoSec audit a while back and don't want to be hands-off, if you know what I mean.
I was comfortable with it the way it was, but if I were doing it in a PCI or other sensitive environment, I'd have it at least VLAN'd off, if not totally separate. At the last financial institution I worked for, the guest network was physically segregated on their own ISP.
07-13-2018 09:43 PM
I too agree VLANs are the way to go, with a LAN IN firewall rule blocking traffic from guest to private network, or enable the guest policy on the guest network and that will enable client isolation and not require another VLAN.
SOME unmanaged switches do pass 802.1q traffic (VLAN tagging) so it is worth a shot to set up your first network on that VLAN and see if your switch will pass the traffic to the USG. Ideally everything is running through the single LAN port. Good luck!
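
How one router port sorts tagged and untagged 802.1Q frames, the question running through this thread, shown as an added example that is not part of any poster's message. The VLAN IDs (1 for the untagged private LAN, 20 for guest), the MAC addresses and the frames are constructed assumptions; the thread never states its VLAN numbers.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
PRIVATE_VLAN = 1      # assumption: private LAN is the untagged (native) network
GUEST_VLAN = 20       # assumption: guest SSID is tagged with VLAN 20

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build a constructed Ethernet frame, optionally carrying an 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)   # PCP(3 bits) | DEI=0 | VID(12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def classify(frame, native_vlan, allowed_vlans):
    """Return the VLAN a trunk port places this frame in, or None if dropped.

    Untagged frames join native_vlan. Tagged frames keep their VID, but only
    when that VID is configured on the port.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return native_vlan                    # no tag: port decides the VLAN
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF
    if vid == 0:                              # priority tag only: treat as untagged
        return native_vlan
    return vid if vid in allowed_vlans else None

def demo():
    """Classify four constructed frames arriving on a single router LAN port."""
    ap = bytes.fromhex("020000000001")        # constructed MAC: access point
    pc = bytes.fromhex("020000000002")        # constructed MAC: wired desktop
    gw = bytes.fromhex("0200000000fe")        # constructed MAC: router
    frames = [
        build_frame(gw, pc, 0x0800, b"wired desktop"),              # untagged
        build_frame(gw, ap, 0x0800, b"guest SSID", vlan=GUEST_VLAN),
        build_frame(gw, ap, 0x0800, b"unknown tag", vlan=99),       # not configured
        build_frame(gw, pc, 0x0800, b"prio only", vlan=0, pcp=5),
    ]
    return [classify(f, PRIVATE_VLAN, {GUEST_VLAN}) for f in frames]

if __name__ == "__main__":
    print(demo())
```

An unmanaged switch that passes 802.1Q leaves the tag bytes intact, so the router sees the same frames the access point sent; anything arriving without a tag lands on whichever network is untagged on that port.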