Nice in-depth video, thank you. Just one question, at 13:00 when you are explaining the Tagged VLANs. Do you add 'default' so if, for example, you needed a second switch for your phones, it would get plugged into, for example, port 20 (uplink), so this means that the switch would be part of the PBX VLAN - but as you say, for adoption purposes it needs to communicate with the network controller contained on the 'default' VLAN.

I would also be interested in seeing the behaviour with access points. I guess it's the same principle, the access point would display the VLAN from the tagged port as an SSID (if you have it configured).

Thanks.
Hi - You're very welcome, pleased you found the video helpful. I believe you should be setting the 'Tagged VLAN Management' option to 'Custom' and select the Default network so that the switch can talk back to the UniFi controller on the main LAN.

In theory I think the Access Point could go into a Tagged VLAN, however I wonder if it's just best to keep it in the main/default LAN/VLAN and just have 'Private Pre-Shared Keys' set up against the various VLANs, so that you just provide the relevant person with the correct 'Private Pre-Shared Key' password depending on which VLAN you wish to put those WiFi clients into; that way they would get allocated to whichever VLAN depending on which password you provided them with from the passwords in the list of 'Private Pre-Shared Keys'. I did do a video on Private Pre-Shared Keys, here's the link on how to set that up - th-cam.com/video/cp7_95hlY2I/w-d-xo.html

I use Private Pre-Shared Keys, which works well and just auto puts them in the relevant VLAN without having to put the Access Point in another VLAN away from the main LAN/VLAN.
You need to read up on what tagged and untagged means. By putting a VLAN into native, that is an untagged VLAN on that port, and it will be the default VLAN used when a device is plugged into that port, where it will be given an IP address if DHCP is running on that VLAN. If you then tag another VLAN on that same port, then network traffic for that VLAN is sent over that port as tagged; however an IP address would not automatically be given out and you would need to manually give that device an IP address in that tagged VLAN. Just a very slight difference on what you said, but if you are going to provide educational videos, make sure you are giving out the correct information.
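Added example (not from the video or any commenter) that models the native/tagged distinction above in Python: a port profile with one untagged (native) VLAN plus tagged VLANs, using the thread's numbering (PBX 30 native, Default 1 and Multimedia 20 tagged). The frames, MAC addresses and payloads are constructed; an untagged client's traffic lands in the native VLAN (which is where its DHCP discover goes), a frame carrying a tag the port does not carry is dropped, and native-VLAN traffic leaves the port untagged while tagged VLANs keep their 802.1Q header.

```python
import struct
from typing import NamedTuple
TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

class PortProfile(NamedTuple):
    native_vlan: int         # untagged VLAN: untagged frames arriving here join it
    tagged_vlans: frozenset  # VLANs carried across the port with their tag kept

def build_frame(dst, src, vid, payload, ethertype=0x0800):
    """Build an Ethernet frame; vid=None gives an untagged frame."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0, 12-bit VID
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    (tpid,) = struct.unpack_from("!H", frame, 12)  # EtherType or 802.1Q TPID
    if tpid == TPID_8021Q:
        tci, etype = struct.unpack_from("!HH", frame, 14)
        return tci & 0x0FFF, etype, frame[18:]  # (vid, ethertype, payload)
    return None, tpid, frame[14:]

def ingress(profile, frame):
    """VLAN a frame arriving on the port is placed in, or None if it is dropped."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return profile.native_vlan  # untagged client (and its DHCP discover) -> native VLAN
    return vid if vid in profile.tagged_vlans else None  # tag for a VLAN not on the port: drop

def egress(profile, vid, frame):
    """Frame as it leaves the port for VLAN `vid`, or None if that VLAN is not on the port."""
    if vid != profile.native_vlan and vid not in profile.tagged_vlans:
        return None
    _, etype, payload = parse_frame(frame)
    out_vid = None if vid == profile.native_vlan else vid  # native VLAN leaves untagged
    return build_frame(frame[:6], frame[6:12], out_vid, payload, etype)

# Constructed sample: uplink port with PBX (30) native, Default (1) and Multimedia (20) tagged
UPLINK = PortProfile(native_vlan=30, tagged_vlans=frozenset({1, 20}))
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("025500000001")  # constructed MACs

def demo():
    plain = build_frame(DST, SRC, None, b"dhcp-discover")  # what an untagged phone sends
    return {
        "untagged_ingress": ingress(UPLINK, plain),                           # 30
        "tagged20_ingress": ingress(UPLINK, build_frame(DST, SRC, 20, b"")),  # 20
        "tagged40_ingress": ingress(UPLINK, build_frame(DST, SRC, 40, b"")),  # None
        "native_egress_vid": parse_frame(egress(UPLINK, 30, plain))[0],       # None
        "tagged_egress_vid": parse_frame(egress(UPLINK, 20, plain))[0],       # 20
    }
```

The model shows why a device plugged into the port only gets a DHCP lease in the native VLAN: it sends untagged frames, and only a device that tags its own frames (or is given a static address) ends up in one of the tagged VLANs.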
Hi @rizlah01 - Thanks so much for the clarification and correcting my slight error on my part. I thought I had understood it correctly before the video but obviously not, so thank you for providing the correction and clarification on this. Certainly noted for future videos.
Hi there!

Thx for that video. I already have around 5 different VLANs in my UDMP configured. Till today I have managed the permissions via firewall rules, e.g. IoT network is blocked to default/mgmt. I left the ports to default, which means all ports are trunks. If I'm getting you and UniFi right, I don't need those firewall rules by using the "block all" function - is that right? Thank you :)
Hi @heftigcool - Thanks for your comment. Glad you liked the VLAN Tagging video. I did some research on this for clarification but couldn't find a definitive answer to your question. So I decided to test it myself, and if I don't have the firewall rules added then I am still able to ping devices, say, in the PBX VLAN from a device operating in the Multimedia VLAN. So I'm sure you would still need the firewall rules in place that I explain in my 'UniFi Network - Firewall Rules for VLANS' video - link - th-cam.com/video/yqDhs3Lg-gY/w-d-xo.html

To confirm, I had the 'Native VLAN/Network' set as PBX (VLAN 30), IP range 192.168.30.x, and the device I pinged 192.168.30.5 from was in the 'Multimedia VLAN' (VLAN 20), IP range 192.168.20.x, and I could ping 192.168.30.5 from 192.168.20.93.

So I would suggest still applying the firewall rules, as it shouldn't cause any problems having them applied as well as VLAN tagging.
@MrTimTech2022 many thanks for your reply and your effort. I think I won't use the port profile function then. I don't see a benefit if I still have to configure firewall rules.
@heftigcool As I understand it, VLAN tagging has more to do with routing. When broadcast packets go out they have the tag attached to the packet, making only packets with the matching VLAN tags be passed down the port to the client. If the VLAN configuration is set to only allow tagged packets on that VLAN, then any packets will have to be switched upstream at the router. Thus, if you have LAN to LAN communication, that is routed. The routing is where the firewall configuration comes in. You probably would benefit at that point in using Traffic rules rather than full-blown firewall rules. You would deny any traffic from LAN A to LAN B. Those types of rules are much easier using Traffic rules rather than true firewall rules. Please correct me if I am wrong, but I believe that is how it works.
I am pretty sure Lawrence from Lawrence Systems said the current versions of UniFi by default create blocked traffic rules between the VLANs, but that only works if you tag almost every used port; otherwise all the ports will be trunked by default.
Hey @paulharding1172 - Great couple of posts there, thanks for the detailed explanation, which I have to say also makes total sense in my thinking too. That Port Tagging is just for matching data packets, as you explain, but firewall rules are for the actual routing of data. Umm, I'm not sure that my system auto created the firewall rules, but I will double check. Maybe it needs a reset to recreate VLANs etc. from scratch before the firewall rules get auto created/applied. Anyway thanks again for those 2 informative posts you typed up here. Happy New Year to you for 2024!