Question Which Ubiquiti Switch Do I Need and Am I Doing Things Properly with My Ubiquiti Network?

Crag_Hack (Distinguished)
Dec 25, 2015
Hi, I have a network as diagrammed below. Ideally I would like to use network isolation (blocking inter-VLAN routing) using VLANs to separate the wired clients (the laundry card machine and surveillance computer) and the Asus router from the Ubiquiti U6-Meshes. That way people on the Ubiquiti Wi-Fi cannot communicate with the wired clients or Asus router, for security purposes. Everything looks pretty straightforward with UniFi OS, i.e. apply a VLAN to the Wi-Fi instance and then set the network isolation traffic rule. Is this a good way of setting things up or is there another/better way of doing things?

Also, if this is a good approach, which non-Ubiquiti switches do I need to replace to support UniFi VLANs, and which Ubiquiti switches should I use? I heard the Flex Mini cannot support STP and therefore might not be a good choice. The Flex, Lite 8 PoE, and 8 PoE Gen 1 look like good candidates if the Flex Mini is not appropriate. And it looks like I might not need to replace switches 1 and 4 since all traffic on these guys is in the same VLAN.

Thanks for the help!

PACOA-Network-3.jpg
 
Do ALL the cables go to a single location, or are all these unmanaged switches geographically separated?
 
You only need spanning tree protocol when you might have loops. This is done when you want redundant switches and/or cable paths. As long as you are careful how you hook the switches up you can't get loops. In a business you also run it to keep a stupid user from plugging a cable between 2 ports and in effect taking your whole network down.

The design is easier if you were to draw out the 2 networks separately and replace the common switches with a single switch using vlans. It logically will run as though you have separate switches and cables.

Note your asus router does not support vlans on factory software. If both networks need internet access you are going to have to replace the router or maybe run third party firmware.
 
We use an entire Ubiquiti network. Our local network is 192.168.0.0/22; the guest network was put on its own VLAN and then set to 10.222.1.0/24, and we also checked the box that it's a guest network with client isolation, so none of the guests can talk to each other or the network.


At most it looks like you have 16 devices: 4 APs, 10 network devices, 2 computers. Without seeing the full building layout I would put in a Dream Machine and a standard 24 port PoE switch. I would run everything back to the one switch, removing 3 switches and potential failure points... you could also run an NVR off the Dream Machine or add the Ubiquiti NVR system to replace the surveillance computer down the road.
 
Just to give a little background... I was dealing with this guy on the official Ubiquiti help forum but he was so condescending/arrogant/egotistic I couldn't take it any more lol. He also kept giving inadequate responses dragging the thread on forever.

@kanewolf The UDR in the middle is the central router which serves as WAP/switch/router/Unifi controller. All the switches go there.

@bill001g I thought the same thing about STP but the guy I was dealing with said things were more complicated and you could run into link duplex issues and protocol failures.

One of the problems with the network is there is only 1 cable run to each different location. So the left, bottom, and right of the network diagram are all in different locations from each other and the main UDR router. The only way I can see to do things with VLANs is to have a Ubiquiti switch in each location other than the central one to mark devices with appropriate VLAN tags.

For the Asus router though we don't need VLANs in its subnet. The subnet would operate all on its own separate from the main network. I was thinking switch 2 would support VLANs and just mark the Asus router as a wired client of the UDR and all would be well. Am I wrong?

@faalin The guest network thing might be a great way of avoiding VLANs; I could just set all WAPs to guest networks and avoid the need for VLANs to separate the sensitive devices from the public wifi network right?

Currently I'm using the UDR instead of the dream machine since UDR can handle 4 and later maybe 5 APs easy.

The problem with using one switch is, as mentioned before to Bill in this post, we only have 1 cable running from the central UDR to each location in the building. As far as I know I can't do just one switch.

Thanks guys!
 
Yes, if the VLAN does not need to leave the location it does not need any connection to the router... or it could have its own router, I guess.

Note even the cheap "smart" TP-Link switches can do VLANs, and they all support the standard 802.1q tags, so they could interoperate with the Ubiquiti ones if you wanted to save a bit on some of the smaller devices.
 
@kanewolf The cabling does come back to the central UDR/wiring room. Problem is there are multiple clients at each location in the diagram top left and bottom and only one wire to connect to the center UDR/wiring room so I think we need switches at each of those locations. And if I use two VLANs one for wifi one for hard-wired those switches will have to support VLANs as well.

@bill001g
"Yes, if the VLAN does not need to leave the location it does not need any connection to the router... or it could have its own router, I guess."
Lost you there... are you saying the Asus router will be happy on its own subnet without VLANs?

Also the Flex Mini switches are cheap so I've got no problem using them if they will be sufficient. They have as many ports as necessary.

I think the guest wifi is a no go it looks like guest wifi depends on VLANs so I might as well just set up two VLANs with network isolation.
 
The Asus router has no concept of VLANs.

Let's say you plug it into a switch on port x and assign that port to VLAN 10 in the switch. The router can then talk to any other device that is plugged into a port with VLAN 10.

If a port is, say, assigned to VLAN 20, no data will cross over to VLAN 10, so it is isolated from the router.

The problem I see is you are now talking about a guest VLAN. I assume this guest VLAN needs internet access. Since it has a different VLAN tag than your router is on, it cannot use the router to access the internet.

The router would need to support VLAN tags, i.e. 802.1q. It would also have to support multiple router subnets so it could assign a different subnet and maybe do DHCP.

You need an actual router to do this type of function. There are some layer 3 switches that can do it. You might also consider MikroTik switches since they can load RouterOS firmware.
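The port-to-VLAN behaviour described in the reply above, as an added example that is not part of the original thread and is not Ubiquiti code: a toy 802.1Q switch in Python using the VLAN plan discussed later in this thread (VLAN 1 management, VLAN 2 Wi-Fi, VLAN 3 cameras and laundry machine). Port names, MAC addresses and frame contents are constructed for the example.

```python
"""Added example (not UniFi code): a toy 802.1Q switch that forwards frames
only within the VLAN they were classified into on ingress.  Port layout,
MAC addresses and frame payloads are made up."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                          # VLAN given to untagged ingress frames
    tagged: frozenset = frozenset()    # VLANs this port carries with a tag (trunk)


def parse_frame(raw: bytes):
    """Split an Ethernet II frame into (dst, src, vlan_id or None, rest).
    'rest' starts at the EtherType that follows the optional 802.1Q tag."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        return dst, src, tci & 0x0FFF, raw[16:]        # low 12 bits of TCI = VID
    return dst, src, None, raw[12:]


def build_frame(dst: bytes, src: bytes, rest: bytes, vlan=None) -> bytes:
    """Rebuild a frame, inserting an 802.1Q tag when 'vlan' is given."""
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + rest


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.fdb = {}                  # (vlan, mac) -> port name; learning is per VLAN

    def forward(self, in_name: str, raw: bytes) -> dict:
        """Return {egress port name: frame bytes} for one ingress frame."""
        in_port = self.ports[in_name]
        dst, src, tag, rest = parse_frame(raw)
        if tag is None:
            vid = in_port.pvid                          # untagged: classify by PVID
        elif tag in in_port.tagged:
            vid = tag
        else:
            return {}                                   # tag not allowed on this port: drop
        self.fdb[(vid, src)] = in_name
        known = self.fdb.get((vid, dst))
        candidates = [known] if known else list(self.ports)   # unknown/broadcast: flood in VLAN
        out = {}
        for name in candidates:
            if name == in_name:
                continue
            port = self.ports[name]
            if vid == port.pvid:
                out[name] = build_frame(dst, src, rest)          # native VLAN: egress untagged
            elif vid in port.tagged:
                out[name] = build_frame(dst, src, rest, vid)     # trunk member: egress tagged
        return out


# Constructed lab: one remote switch with a trunk back to the router.
MAC_WIFI = bytes.fromhex("020000000002")
MAC_LAUNDRY = bytes.fromhex("020000000003")
ARP_REQUEST = b"\x08\x06" + b"\x00" * 28   # EtherType 0x0806 + dummy ARP body


def build_lab() -> Switch:
    return Switch([
        Port("uplink", pvid=1, tagged=frozenset({2, 3})),   # trunk to the UDR
        Port("ap", pvid=1, tagged=frozenset({2})),           # AP: mgmt untagged, Wi-Fi tagged
        Port("cam", pvid=3),                                 # surveillance gear, access port
        Port("laundry", pvid=3),                             # laundry card machine, access port
    ])


def demo() -> dict:
    sw = build_lab()
    # 1. Laundry machine broadcasts (untagged): flooded only within VLAN 3.
    flood = sw.forward("laundry", build_frame(BROADCAST, MAC_LAUNDRY, ARP_REQUEST))
    # 2. Wi-Fi client (tagged VLAN 2 by the AP) targets the laundry machine's MAC:
    #    the MAC is only known in VLAN 3, so the frame never reaches that port.
    wifi = sw.forward("ap", build_frame(MAC_LAUNDRY, MAC_WIFI, ARP_REQUEST, vlan=2))
    # 3. Something on the AP port injects a VLAN 3 tag: the port does not carry 3.
    hop = sw.forward("ap", build_frame(MAC_LAUNDRY, MAC_WIFI, ARP_REQUEST, vlan=3))
    return {"flood": flood, "wifi": wifi, "hop": hop}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", {p: parse_frame(f)[2] for p, f in result.items()})
```

The third case is the check worth keeping in mind when you build the real thing: an AP's switch port should carry only the management VLAN untagged and the Wi-Fi VLAN tagged, so that no tag for the camera VLAN is accepted from that side even if something behind the port tries to send one.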
 
Hi guys I found a setting in Unifi OS for Wifi instances called Client Device Isolation. Anybody familiar with this? It says it prevents inter-wireless client communication. I'm wondering if it also prevents wireless clients from communicating with the rest of the subnet.
 
So unless Ubiquiti has some very special software my guess would be no. In general this is a feature of the Wi-Fi chipset. It prevents traffic from going between devices without leaving the Wi-Fi chip. It then gives the traffic to the switch/router chip, which in theory could prevent the traffic from going to LAN devices.

BUT even on routers that work this way it is only on the same hardware device. When traffic goes to another switch/router there is no way to know if it started on Wi-Fi. So in your case with multiple devices it would be an extreme technical challenge to somehow keep track of what came into the network on Wi-Fi.

This is more of a guest wifi or some kind of layer 2 firewall rule rather than the simple concept of wifi isolation.

Ubiquiti APs are very advanced. You could have multiple SSIDs assigned to different VLANs. No traffic could flow between the devices connected to different SSIDs even with this feature not turned on. If you turn it on, it would also prevent Wi-Fi devices connected to the same SSID from talking to each other.
 
@bill001g I'll check the feature when I have time. It applies to the whole Wi-Fi instance regardless of whether there's a switch between one WAP and the main controller and also between another WAP and the controller, if they use the same Wi-Fi instance. Who knows, maybe, maybe not. I'll let you know....

Also maybe I'm being a bit of a perfectionist with the whole VLAN network isolation thing. The only two devices I worry about are the surveillance computer and its cameras and the laundry card machine. I'm sure the surveillance computer runs Windows and thus has a firewall and the laundry card machine is secure for sure. I don't think it would be a huge deal to have these computers visible on the main LAN. Can anybody think of another way of isolating these devices including the security monitors from the Ubiquiti wifi network?
 
This again all depends on if your "guest" network does not need internet.

The standard solution is to run a different vlan. Ubiquiti make it quite easy to have multiple wifi vlans that are the same over the whole network.

It is actually very simple to set up.

With your current setup you can have as many wifi and ethernet networks all isolated from each other that you want. Your main problem is only 1 of those networks can have internet access. This is a limitation of the router.

What most people mean by a "guest" network is one that some visitor could use to get internet access but not have any access to local devices. This is a simple "hack" firewall when you only have a single router, but when you have a network of devices there is no simple way to implement this feature.
 
How big is the building this is going in? Are there multiple floors? Are there any walls separating areas?

Do a quick microsoft paint of the building layout and where each device is at.

Does the internet come in at the UDR or the asus router?


Just from your layout and not knowing the building size, the way I would build it with all Ubiquiti stuff:

Internet into a UDM SE.
Use the 8 port PoE switch on the SE and run all new direct cables to power and control any APs.
Install a standard 24 port, in either the switch 3 or 4 location, to control the 10 network devices and 2 computers, once again running dedicated cables to all of them.
I would then get 2 SFP or SFP+ adaptors to RJ45 and run a cable off port 11 on the SE to port 25 on the switch.


for our work setup we use
192.168.0.0/22 for our default network and internal wifi
Vlan 2 10.222.1.0/24 for our guest network, which covers our guest wifi and shop employees' wifi
Vlan 3 10.222.20.0/24 this controls our blink cameras

None of these 3 networks can talk to each other, and vlan 2 has full client isolation so none of the clients can talk to each other inside that vlan.
 
The DEFAULT behavior with UniFi routers is to allow inter-VLAN traffic. You have to manually add firewall rules to prevent it. There are lots of tutorials to show you how, but remember that the default is to ALLOW.
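An added example, not from the thread and not UniFi's rule engine: a first-match policy evaluator in Python that shows what the default-allow point above means in practice for the VLAN plan discussed in this thread (VLAN 1 management, VLAN 2 Wi-Fi, VLAN 3 cameras and laundry machine). With an empty rule list every cross-VLAN flow passes; with a small hardened list only return traffic, DNS/DHCP to a client's own gateway and internet-bound traffic pass. The subnets, gateway addresses and sample flows are constructed for the example.

```python
"""Added example (not UniFi code): first-match firewall policy evaluation over
constructed flows, showing why a default-ALLOW router needs explicit
inter-VLAN drop rules.  Subnets, gateways and flows are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

VLAN_NETS = {
    1: ip_network("192.168.1.0/24"),   # management / UniFi devices
    2: ip_network("192.168.2.0/24"),   # public Wi-Fi
    3: ip_network("192.168.3.0/24"),   # cameras, surveillance PC, laundry card machine
}
GATEWAYS = {vid: net[1] for vid, net in VLAN_NETS.items()}   # router is .1 on each VLAN


def vlan_of(addr: str) -> Optional[int]:
    """VLAN whose subnet contains addr, or None for non-local (internet) addresses."""
    a = ip_address(addr)
    return next((vid for vid, net in VLAN_NETS.items() if a in net), None)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    state: str = "new"          # "new" or "established" (stateful return traffic)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "drop"
    match: Callable[[Flow], bool]


def evaluate(rules, flow: Flow, default: str = "allow"):
    """First matching rule wins; otherwise the router's default action applies."""
    for rule in rules:
        if rule.match(flow):
            return rule.action, rule.name
    return default, "default"


# Hardened rule list: order matters, because the first match wins.
HARDENED = [
    Rule("allow-established", "allow", lambda f: f.state == "established"),
    Rule("allow-dns-dhcp-own-gateway", "allow",
         lambda f: f.proto == "udp" and f.dport in (53, 67)
         and ip_address(f.dst) == GATEWAYS.get(vlan_of(f.src))),
    Rule("drop-inter-vlan", "drop",
         lambda f: vlan_of(f.src) is not None and vlan_of(f.dst) is not None
         and vlan_of(f.src) != vlan_of(f.dst)),
]

# Constructed sample flows.
FLOWS = [
    Flow("192.168.2.50", "192.168.3.20", "tcp", 554),                  # Wi-Fi guest -> camera RTSP
    Flow("192.168.2.50", "192.168.3.1", "udp", 53),                    # Wi-Fi guest -> other VLAN's gateway
    Flow("192.168.2.50", "192.168.2.1", "udp", 53),                    # Wi-Fi guest -> own gateway DNS
    Flow("192.168.2.50", "203.0.113.10", "tcp", 443),                  # Wi-Fi guest -> internet
    Flow("192.168.3.20", "203.0.113.10", "tcp", 443),                  # camera -> internet
    Flow("192.168.3.20", "192.168.2.50", "tcp", 554, "established"),   # return half of an allowed session
]


def audit(rules, default: str = "allow") -> dict:
    """Map (src, dst, dport, state) -> resulting action for every sample flow."""
    return {(f.src, f.dst, f.dport, f.state): evaluate(rules, f, default)[0] for f in FLOWS}


if __name__ == "__main__":
    print("no rules (router default ALLOW):")
    for key, action in audit([]).items():
        print("  ", key, action)
    print("hardened:")
    for flow in FLOWS:
        action, why = evaluate(HARDENED, flow)
        print("  ", (flow.src, flow.dst, flow.dport, flow.state), action, "by", why)
```

Two things to carry over to a real UniFi rule set: the established/related allow must sit above the inter-VLAN drop or return traffic for permitted sessions dies, and the drop rule should cover every local subnet (or all RFC 1918 space) rather than a single pair, since any VLAN you add later would otherwise inherit the default allow.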
 
That is correct, but they have made it easier with a Network Isolation check box now. When checking the box it automatically applies the guest hotspot profile to the guest network. Connected clients will be isolated from all other internal networks.

If I put a laptop on the Floor SSID, which is on VLAN 2, no matter what I try I can't get on the default network. If I uncheck the network isolation box I can then start seeing everything on the network; being we are a domain it asks for credentials to gain access to anything, but still it can see the network.
 
@bill001g When you say limitation of the router are you referring to the UDR dream router in the center? So this guy can only accommodate internet for one vlan? Those "sensitive" devices that I'd like on a separate VLAN need Internet access as well as the wireless clients.

I did a google on "ubiquiti guest network" and my initial research showed it depended on VLANs so if this is correct I'd need VLAN aware switches.

@faalin This network is on the ground floor of the building and all access points are almost entirely isolated from each other with a tiny bit of overlap at most. There are thick concrete walls all over the place thus the small overlap at most. I can do a picture later if you'd like, thanks.

Internet comes in at the UDR through a Comcast modem/router.

Also when you talk about the network isolation check box are you referring to the Client Device Isolation option in the wifi instance settings? If so does this option depend on VLANs? And does it prevent wireless devices from seeing hard-wired devices on the same network?
 
No. "Network Isolation" is a check box that is part of the settings-networks tab. When you choose a network you have created (which will be associated with some VLAN) you have the option of setting the network isolation feature.
 
I guess I saw the Asus and assumed that was your only router.

As long as the Ubiquiti router has only a single "WAN" type of connection to the Asus router it will work fine. You really shouldn't need the Asus router unless it has some kind of modem in it.
 
@bill001g Ahhh, that's what was up. I was confused about a lot of your replies. No biggie :) (I should have made the diagram clearer.) The Asus router is for the employee Wi-Fi network and is separate from the public Ubiquiti Wi-Fi. Sounds like the Asus Wi-Fi will behave if I assign a VLAN to the Ubiquiti Wi-Fi and just hardwire the Asus router to the switch as diagrammed. Of course I'll have to have Ubiquiti VLAN-supporting switches in that case.

Also considering the UDR supports VLANs I can have multiple VLANs all with Internet access correct?

And to me this seems very straightforward; just set up the Wifi vlan, block inter-vlan traffic, and bingo we are good to go. And it looks like the Flex Mini switch will be sufficient right?

I updated the original diagram for clarity. Thanks!
 
@kanewolf @faalin @bill001g Do you guys think the Flex Mini suffices to replace switches 1, 2, and 3?
And multiple VLANs will all have Internet access right?
And finally this is straightforward; just set up the Wifi vlan and block inter-vlan traffic right?
Thanks guys.
 
The Flex Mini does not supply PoE, so your APs would require separate PoE adapters. You could use the Flex (no Mini). I use them in my attic for cameras. Power the Flex with 60W PoE injectors and you have plenty of PoE power.
 
@kanewolf @bill001g @faalin Hi I'm finally getting around to setting up the VLANs tomorrow. Everything is finalized except VLANs and Flex Mini Switch 1. I wanted to double-check one thing... Flex Mini Switch 1 should be able to handle the static IP surveillance computer, laundry card machine, and ~23 static IP cameras, all of which are hooked up to the two non-ubiquiti unmanaged switches correct? I'm just wondering since those unmanaged switches obviously don't support VLANs; this won't be a problem correct? As a refresher I'm using VLAN1 for management network/Unifi devices, VLAN2 for Wifi, and VLAN3 for the security computer/cameras and laundry card machine.
Thanks!

PACOA-Network-with-flex-switches.jpg
 
Flex Mini switches have limited support for VLANs. You should research the limitations on the Ubiquiti website groups.
You will have to have a PoE injector on the APs off the Flex Mini switches; they don't provide PoE.