I'm sure it adds more flexibility - but adding more places to go to configure different parts also makes more potential for frustration getting something wrong - great video, thanks Willie
This is an improvement. However, I'd rather be able to specify Trunk and Access ports. Trunk ports, by default, should carry all VLANs, so no, you wouldn't have to update them every time you added a network. You would only have to update them if you've restricted them to only certain VLANs. An Access port should allow 1 untagged and 1 tagged (voice) VLAN. Sending all VLANs across every port when they aren't needed is a security risk. Anyone who plugs in and sets their NIC to pass a VLAN ID could put themselves on any network, including ones you're wanting to keep secure, by using any port. I know that I'm mentioning Cisco's way of doing things, but they aren't the only ones that do it the way I'm suggesting here. Ubiquiti makes things easier, but in many cases, they hide too much, which later causes problems in more complicated setups. Of course, you're not paying as much either, so there's always a trade-off.
So I think this may be helpful: Primary + restriction (block all) = access port; Primary + no restriction = trunk, all tags passed; and Primary + restriction (whatever you pick) = custom trunk port for that 1 switch port. If you don't wish to do that 20 times, use the Ethernet port profiles option on the switch to build it once and apply it many times.
Great video. Still trying to understand how to take a switch port that feeds another switch, such as an outdoor switch, and isolate the entire (outdoor) switch without losing management of that switch. Keep up the great videos.
Great video. We kept our controller updated since the summer without touching VLANs, as we use several other brands, and were perplexed when we had to use it today; we even restored a backup from the end of July with the change already effective... you saved us a lot of time!
Thank you Willie, I really thought my Switch had died after a clean install.
Good video Willie. I like the LLDP-MED option. Saves you from having to configure the phone with a VLAN tag. Nice!
Personally I would prefer if "Allow" was displayed first/default instead of "Block". Mainly because 99% of the time when I need to check something I want to see if something is explicitly allowed. Having to click one more thing is kind of a pain. Overall I have not had any major issues. Just now with the update when the SSL certificate needs to be refreshed in Chrome I have to restart Chrome to get the "This is not a valid cert" warning to appear.
Thanks for the video, and you should have added in the video to add the management VLAN ID to the Controller VLAN ID
With 7.4, this Thursday, I created a VLAN for one user on the network and made it the primary network for his port on this version. Was completely ignored when I renewed his IP. Created an ethernet profile and added that; still didn't work. As of right now, he's on the same LAN as everyone else. Never experienced this problem with VLANs before with UniFi.
I need to create a VLAN to connect a Starlink router through two switches to WAN2 port.
That should be an easy trick. Just create a VLAN that is third party router, and then the ports you're going to plug in need to be PVID that VLAN.
Thanks Willie. I can create a VLAN-only network. Do I then set that as the default network on the port the Starlink router is connected to and also on another port on a switch near the UDM that I can jumper to the WAN2 port? Do I need to block other networks on those ports? Do I need to block the Starlink VLAN on other ports?
@softwarephil1709 Yes on setting default.
At 3:52, since you put "Guest" as the primary network, will it conflict with the Default/native VLAN, making TWO native/untagged VLANs? Thanks.
There is only one native/untagged network - the one specified as "primary network". Traffic Restriction "Allow" list controls the tagged VLANs.
In the latest release (7.4.162) adding a new network automatically puts it in the allow-list of port traffic-restrictions. Is this a bug or intentional? Is there a way to create a new network and not have it added to the allow list for traffic restrictions? This seems to be the opposite of what ought to happen when creating a new network. Thanks.
I’m waiting for a port PoE power scheduler to be added… which could disable some PoE devices during night hours.
I don't really like the new UNIFI interface and approach, but it takes some getting used to.
Have you noticed that when adding a new VLAN, this network is added to the allow section for all switch profiles? Which causes customers to suddenly get a network that was not intended for them. Do you know any way to prevent it from doing this automatically?
I tested this on the latest release (7.4.162) and new VLANs are still added to the allow section for ports. I would think it should do the opposite.
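The port behaviour discussed in this thread (a primary network plus an allow or block restriction, and new networks appearing on ports that were never meant to carry them) can be audited with a small script, given here as an added example that is not part of any comment and is not UniFi code. The `Port` model, the port names and the network names are constructed, and `auto_allow` models the behaviour commenters report for 7.4.162 rather than a documented setting.

```python
# Added example: hypothetical port model, not UniFi's API or export format.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Port:
    name: str
    primary: str                      # untagged/native network (PVID)
    mode: str = "none"                # traffic restriction: "none", "allow" or "block"
    listed: frozenset = frozenset()   # networks named in the allow or block list

def tagged_networks(port, networks):
    """Networks the port passes tagged, in addition to its primary."""
    others = set(networks) - {port.primary}
    if port.mode == "none":
        return others                 # no restriction: every tag passes
    if port.mode == "allow":
        return others & port.listed
    if port.mode == "block":
        return others - port.listed
    raise ValueError(f"unknown restriction mode: {port.mode!r}")

def classify(port, networks):
    """Map a port onto access / trunk-all / custom-trunk, as in the comment above."""
    tagged = tagged_networks(port, networks)
    if not tagged:
        return "access"
    if tagged == set(networks) - {port.primary}:
        return "trunk-all"
    return "custom-trunk"

def newly_exposed(ports, networks, new_network, auto_allow):
    """Names of ports that start carrying new_network once it is created."""
    # auto_allow=True: new network is appended to existing allow lists (assumed).
    after_networks = list(networks) + [new_network]
    exposed = []
    for port in ports:
        after = port
        if auto_allow and port.mode == "allow":
            after = replace(port, listed=port.listed | {new_network})
        if new_network in tagged_networks(after, after_networks):
            exposed.append(port.name)
    return exposed

# Constructed sample data.
NETWORKS = ["Default", "Guest", "Staff", "Mgmt"]
PORTS = [
    Port("desk-1", "Guest", "allow"),                        # nothing tagged
    Port("uplink", "Default"),                               # no restriction
    Port("ap-1", "Default", "allow", frozenset({"Staff"})),  # one tag allowed
    Port("lab-1", "Default", "block", frozenset({"Mgmt"})),  # one tag blocked
]

if __name__ == "__main__":
    print(newly_exposed(PORTS, NETWORKS, "Cameras", auto_allow=True))
```

In this model, ports with no restriction or with a block list pick up a new network either way; only allow-list ports stay closed, and only when the new network is not added to their list.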
My biggest complaint is that in port manager it shows the port profile. That USED to show what VLAN the port is on. But now it doesn't unless you only go into advanced and use the ethernet port profiles. Now it shows nothing. The only way to get the port profile column to show anything is to completely ignore the new VLAN settings outside of setting up profiles, and only assign profiles to ports. Which is exactly how we did it before, now with more steps.
Have a look at the switch overview tab.
There is a list of every device currently connected to the switch showing Name, Network, Port.
The port number is a clickable link that opens Port Manager with the port selected.
This is actually confusing to me because I’m wondering how it would work with not managed switches etc
A non-managed switch will accept all frames, usually, but without specifying the VLAN on the device you're going to be on the default VLAN of the UniFi port that's uplinked to the unmanaged switch.
I think it's confusing AF. I do see how it adds more flexibility and I do understand how you are describing it, but I also think Ubiquiti screwed the pooch on deploying this without detailing its new functionality to the public first.
Do I understand that correctly: if I go under Devices and select a switch there, then select a specific network/VLAN under Ports (guest, default, staff, etc.), are all other tagged VLANs ALWAYS transferred as well?
What happens when you just make the "primary network" a certain VLAN? Would that make it how it used to be? And you don't have to deal with the block and allow?
That's the PVID and the device plugged into that port would be on that network. You could still use the blocked and allowed to manage the VLANs that are allowed to traverse the port.
It seems like I can also just make "port profiles" that have the native as the VLAN I want, then I can still use the legacy interface and just select the port profile. @WillieHowe
When I create port profiles under v8.0.26 they do not appear under Port Manager, so I cannot apply them. I think you should create an updated video for this feature. UniFi is making confusing changes that have no real purpose.
Will upgrading from 7.3 > 7.4 still keep all the current port profiles working?
Or do they need to be redone using the reworked way?
Should keep on working.
Let's say I have 7 custom port profiles in the previous version. Does the upgrade break my running configuration, or does it automatically translate the "old way" to the "new way"? Has anybody tested a similar scenario? Thanks!
Single ports take over a "Single Port config" on the specified ports. It is the same behaviour after switching to the new version. But you'll miss it in the profiles... Either this is only mandatory for a few ports and you do it manually, or you create a profile for the specific config and you configure each port that needs it.
Like it more like normal enterprise switches now
Hello Willie and THX for your good job in the UniFi world :) I have a problem: how do I route to reach devices from one UniFi network to another (two UDM PRO with 48 Pro L3 switches on both sides connected via fiber)? I don't want to use any other device, just two SFP+ ports on each network. PLEASE HELP ;)
What if I want just one VLAN active on a port? It seems like I cannot do that?
I explain it here.
@WillieHowe I have 1 main network and 3 VLANs.
I want to create a profile to block all 3 vlans:
So I set traffic restriction to block, and selected all 3 VLANs, which then causes the selection to automatically change to "block all".
However when I then save this profile "restrict traffic" shows a "-" instead of a checkmark as if nothing was selected to get blocked.
You can also try the other way:
choose "allow" and do not select any additional network/vlan - you would think that this will also block all VLANs.
However restrict traffic will still show "-" instead of a checkmark.
You can also switch to the old UI and create a port profile where you do not select any of the 3 VLANs, but again, no checkmark for "restrict traffic" on that profile, just a "-".
Is that a user interface bug?
@ChristianHolzer-q3j Possibly just a display issue. If you enable one VLAN and save, then Block All from the Block pull-down and save, the tick appears.
Just a better granular method of operation.
This absolutely obliterated my FW rules. QoS is dope, that's cool. But the way that they don't do true VLAN trunking, hey we make up words for VLANs they are profiles "jazz hands" BUT WAIT. Now we are letting you see them they are ETHERNET PORT BUDDIES.
This was an awful change, IMO.
Sorry, but UniFi really messed this up. It is worse than it was with the old profiles. I hope they change it... why not just follow how everybody else is doing VLANs... Also, now you can't even see in the port list what VLAN the port is on; you have to check each and every port to know what VLAN it is on.
There is a list of Device, VLAN and Port number on the switch overview tab. Clicking on the port number takes you to the port manager with the clicked port selected.
"Open eyes, open mind".
I think it is just stupid, old way and old interface was way better