Thank god you made this video LOL. I was watching your old series and made it all the way up to part 3, and have had a hell of a few hours trying to get things to work. I just finally adopted but was having a hard time following along on what to do as a direct translation to UniFi software, and then I stumbled on this :D Thanks for the series of videos, they have been a great help for a (somewhat) networking noob!
Glad you found it helpful to see an alternate version! I’m planning to do a few others as well. One thing I can’t recall (without watching the video again) is whether I emphasized it or not, but I believe it’s recommended to set any ports that are not supposed to be a trunk port to access mode (Tom Lawrence did a UniFi video about that). I usually try to do that on my network as well, since some newer switches from different vendors default all the ports to trunk to make things easier, but there may be a risk of VLAN hopping by malicious clients (perhaps certain switches are more vulnerable to that than others, but I haven’t researched that further).
I enjoy seeing your video content mature! Great work. I still want to see this done on an OpenWRT switch! The videos that are out there explaining VLANs are a bit outdated due to some UI changes in that platform. Through trial and 'hard resets' I was able to figure it out. I am sure following your instructions would have been much easier!
Thanks! I haven’t played much with OpenWRT yet. I haven’t yet exhausted all of the OPNsense topics that I’ve wanted to cover (and I’ve been writing about it on my website for about 5 years, haha). I am hoping I can cover other areas more such as OpenWRT in the future.
Sweet, you also have a UniFi version of this tutorial! I already did your network setup based on the Cisco tutorial but I am not completely happy with it, as I do not understand how the management network actually behaves now. I hope this will make it clearer.
I hope it helps as well! I'm planning to use a few more switch/AP vendors as additional examples whenever I get the chance to record/edit those videos.
Turns out you did almost everything the same way. The only difference is that you only specified Primary Network for the USER & IOT VLANs. What is the difference if in addition you do "Tagged VLAN Management" = "Block All"? (Your web console did look a bit different, maybe it was 7.x and mine is 8.x?) Also, if my main computer is on the USER VLAN port, how do I access OPNsense and the UniFi switch (via console software running on the main computer)? Now it only works if I plug the main computer into a management port (1-2), or should I add extra firewall rules to allow traffic from the main computer to these gateway IPs?
I really appreciate your videos and have been setting up my home network. I have an OPNsense router and a UniFi switch. I have two 10G ports on the router and created a LAGG to the two 10G ports on the switch. What I’m confused about is what drives untagged traffic to Port 1 on the switch (connected to LAN on the router) and what drives tagged traffic to the LAGG. In UniFi, like you did in your video, both LAN and LAGG are set to “default”. Looking at the stats, I seem to have a lot of traffic on both LAN and LAGG but thought I’d see much more on the LAGG since most clients are tagged. I’m almost at the conclusion that I need to set up a mgmt VLAN and set it explicitly on port 1 of the UniFi switch. Thoughts?
Traffic isn’t necessarily “driven” to the LAN interface vs. the LAGG interface. Based on how you configure OPNsense, the LAN will handle all untagged traffic while the LAGG will handle all of the VLAN traffic, as long as you don’t have the parent LAGG interface configured for untagged traffic in OPNsense. Because of that OPNsense configuration, the untagged and tagged (VLAN) networks are handled appropriately by the OPNsense router.
@@homenetworkguy Ah…so all traffic goes between the LAN port on the switch and the LAN port on the router, and all traffic goes between the LAGG on the switch and the LAGG on the router. It’s the router that decides which packets to process based on the OPNsense config. Thanks for the quick and helpful reply!
@@brianbearden8328 Yes, OPNsense processes the untagged and tagged traffic on all of its interfaces. The switch configuration can also limit the traffic on each interface further (UniFi allows all traffic by default on the interfaces, but some switches allow you to only allow tagged or untagged traffic on their interfaces. I haven’t spent a lot of time with UniFi switches to know if that’s possible with UniFi because their interface and terminology is a bit different than other vendors’, and I don’t currently have a UniFi switch to play with). I don’t think it matters a whole lot because of how the OPNsense interfaces are configured.
Very informative and well put together videos. I've watched all parts in this series. You are helping so many people. One question: if hooking up a Proxmox server (that has 2 physical NICs) to the switch, is it OK for the 2 NICs to be connected via a LAG for LAG benefits, or would it be more advisable to do 1 NIC for LAN (management traffic) and 1 NIC for tagged?
Thanks! Glad you found it helpful! I personally like dedicating 1 interface as the management interface and then using the other interface(s) for everything else I want to deploy on my network. You could LAGG them if you want; I don't think it would hurt if you used it. I did that when I had 4 1G interfaces (but I still used the motherboard NIC as the management interface), but now I have faster 2.5/10G interfaces on my Proxmox server so I don't have as much need to use LAGGs on my network.
First, your series is amazing and I could not have advanced through my home lab so quickly without your help. Second, I am using another type of switch and really putting myself through the wringer by forcing use of the CLI on the switch. Can you confirm that I should leave my management interface in the default (untagged) and all of my VLAN interfaces tagged? I have a disconnect when trying to learn VLAN tagging, untagging, access, trunk, etc. Thanks for your AWESOMENESS brother!
Thanks! Glad the series has helped you get your homelab set up.

I understand that using a CLI-only switch would be more challenging to configure, especially if you are not familiar with all of the commands and how to use them. Even though I'm not afraid of the command line, I still prefer to configure my network switches via web interface, so that is one reason why I never buy used enterprise grade switches (they can also be louder and potentially more power hungry).

Some people like to put their management interfaces on their own VLAN, but for a home network I'm OK with using the untagged network because it's easier to configure (most devices already default to the untagged network for the management interface) and my network is small enough to make sure I keep everything else off the management network. Plus, in OPNsense I separate the untagged and tagged traffic onto different interfaces, which should help minimize issues with incorrectly configured firewall rules that could make it possible for the untagged network to sniff traffic on the VLANs. I don't know how difficult this scenario is and it might require a network switch with a poor VLAN implementation in order to exploit.

Long story short, you can leave the management network as untagged (being careful to ensure all other non-network-infrastructure devices are on the VLANs to keep them off the management network).

You only need to tag interfaces with the VLAN IDs (often referred to as PVIDs) for the ports connected to routers, other switches, wireless access points, and other VLAN-aware devices (such as virtualization servers) where you want VLAN traffic to pass through. Think of "tagged" ports as an aggregation of 1 or more VLANs.

To assign a port to a VLAN for your wired devices, you can set the VLAN ID on the port as an "untagged" member. This is confusing when learning VLANs since the native VLAN 1 is considered "untagged" because it doesn't have a VLAN tag, but when you assign ports to VLANs for your devices, you create them as an "untagged" VLAN port because the devices themselves are usually not adding the VLAN tags. This allows any wired device to become a part of a single VLAN since the network switch adds the VLAN tags for that device.

Any device that is VLAN-aware can be set as a "tagged" member because the device itself is adding/removing VLAN tags. Typically it is the router, switch, and wireless access point that you set as tagged. If you are using a virtualization server such as Proxmox, you can also set that port/interface to "tagged" and then set the interface in Proxmox as VLAN-aware so you can put various containers/VMs on different VLANs.
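As an added illustration (not from the video or its author), here is a small Python model of the port behaviour described in the replies above: access ports add their PVID to untagged frames and drop frames a client tagged itself, the LAGG uplink carries only tagged VLANs so untagged VLAN 1 never crosses it, and a port left at a trunk-everything default accepts a client's own tag, which is the VLAN-hopping exposure mentioned earlier in the thread. The port names, the guest VLAN and every VLAN ID other than the USER VLAN's 20 are constructed assumptions, and the switch has no MAC learning so frames are simply flooded to member ports.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# A port that trunks every VLAN: the "all ports default to trunk" behaviour the reply warns about.
ALL_VLANS = frozenset(range(1, 4095))


@dataclass(frozen=True)
class Port:
    name: str
    untagged: Optional[int]                # PVID: VLAN added to/stripped from untagged frames (None = none)
    tagged: FrozenSet[int] = frozenset()   # VLANs carried with an 802.1Q tag (empty set = access port)
    uplink: bool = False                   # router, other switch, AP or hypervisor: expected to be tagged


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]                    # 802.1Q VLAN ID on the wire, None = untagged


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify a frame arriving on `port`; return its VLAN, or None if the switch drops it."""
    if frame.vlan is None:
        return port.untagged               # the switch adds the PVID; a tagged-only port drops it
    if frame.vlan in port.tagged:
        return frame.vlan                  # a tagged frame is accepted only for VLANs this port trunks
    return None                            # a tag the port does not carry is dropped (ingress filtering)


def egress(port: Port, vlan: int) -> Optional[Frame]:
    """How `port` would emit a frame of `vlan`: untagged (its PVID), tagged, or not at all (None)."""
    if vlan == port.untagged:
        return Frame(vlan=None)
    if vlan in port.tagged:
        return Frame(vlan=vlan)
    return None


def forward(ports: Dict[str, Port], in_port: str, frame: Frame) -> Dict[str, Frame]:
    """Flood a frame to every other member port of its VLAN.

    Returns a map of receiving port -> the frame as it leaves that port; an empty map means dropped.
    """
    vlan = ingress(ports[in_port], frame)
    if vlan is None:
        return {}
    out: Dict[str, Frame] = {}
    for name, port in ports.items():
        if name == in_port:
            continue
        emitted = egress(port, vlan)
        if emitted is not None:
            out[name] = emitted
    return out


def audit_open_trunks(ports: Dict[str, Port]) -> List[str]:
    """Defender check: client-facing ports that still accept tagged frames and should be in access mode."""
    return sorted(name for name, port in ports.items() if not port.uplink and port.tagged)


# Constructed switch layout modelled on the thread: untagged VLAN 1 management on port 1 to the
# OPNsense LAN, a tagged-only LAGG uplink, and assumed IDs USER = 20, IOT = 30, GUEST = 60.
SWITCH: Dict[str, Port] = {
    "port1": Port("port1", untagged=1, uplink=True),                                    # OPNsense LAN, VLAN 1 untagged
    "lagg":  Port("lagg", untagged=None, tagged=frozenset({20, 30, 60}), uplink=True),  # LAGG: tagged only, no VLAN 1
    "port2": Port("port2", untagged=20),                                                # PC on the USER VLAN (access)
    "port3": Port("port3", untagged=30),                                                # IoT device (access)
    "port7": Port("port7", untagged=60),                                                # unused jack parked on GUEST
    "port8": Port("port8", untagged=1, tagged=ALL_VLANS),                               # left at a trunk-everything default
}


if __name__ == "__main__":
    # PC sends untagged: the switch tags it 20 on the LAGG toward the router (and onto the open trunk).
    print(forward(SWITCH, "port2", Frame(None)))
    # Client on an access port sends a frame it tagged 30 itself: dropped at ingress.
    print(forward(SWITCH, "port2", Frame(30)))
    # The same frame on the trunk-everything port reaches the IoT device and the router.
    print(forward(SWITCH, "port8", Frame(30)))
    # Untagged frame arriving on the LAGG has no PVID there: dropped, so VLAN 1 stays on port 1.
    print(forward(SWITCH, "lagg", Frame(None)))
    print("ports that should be access mode:", audit_open_trunks(SWITCH))
```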
Awesome guides! Works at home with my fiber. But at my company, where I have an ADSL connection (bad connection), I can't get any internet at all. I've tried connecting a cable from my modem to my OPNsense desktop WAN, then from LAN to UniFi 8P switch port 1. The switch is set up the same as in the UniFi guide. My OPNsense desktop is set up the same as this guide. Dunno what's wrong..
With ADSL, perhaps you need to switch the connection type for the WAN? I don’t know if ADSL supports DHCP on the WAN like cable modems/fiber ONTs. You may need to use PPPoE but you’d need to know the settings of your ISP and the required credentials to allow access. The nice thing about ISPs that support DHCP is that it’s simple to use your own router.
Thanks for this! I tried using this as a guide for the Omada Controller but might have misconfigured something along the way. Anyway, great job and thanks!
Thanks! I haven’t tried with the Omada controller but I have done it with TP-Link switches using the built-in web interface. If the controller is the same as the web interface, you have to make sure after you assign a port to a VLAN that you also change the PVID to the proper value to match the VLAN (which is on a different section/page). That is one easy-to-miss annoyance with TP-Link switches compared to UniFi and Grandstream, for example.
@@homenetworkguy I found it tricky with Omada, watched both UniFi and Cisco setups but it may be my inexperience or the software. It ended up being confusing, but thanks for such a great tutorial!
Great videos and awesome job helping people out on Reddit. I don't get it: why is the switch giving you on the first plug-in (I think it was port 2) the IP address 191.168.20.100 (USER VLAN)? Shouldn't it set the IP on LAN DHCP, because this is the default gateway? Or at least on the DMZ VLAN because of the lower IP count?
I’m not sure which exact moment in the video you are referring to (without trying to rewatch it). It was either because I was plugged into the port for the USER VLAN or perhaps it was from when I was testing something during filming and I didn’t have the console cleared out showing the current IP address. Sometimes I have to go back during recording to make sure everything works as expected, so I sometimes end up testing something on the fly and going back to redo a scene to show it working properly.
I have a Dream Router set up with WiFi, VLANs and cameras, but I have realized that I would like to offload everything regarding security to an OPNsense box placed before the Dream Router. I still enjoy the UI and the client/camera management of the Dream Router so I would still like to keep it for that. How would I set it up so that OPNsense handles all the FW and IDS features and the Dream Router only manages the clients and cameras?
It may be possible to do all the routing/firewall with OPNsense and let the Dream Router handle the WiFi clients and cameras. I don’t have that hardware to test out that scenario. I know with consumer grade routers you can basically put it in AP mode and not do any routing. I’m just not sure with that UniFi device unless I tried it out and/or started digging deeper into the documentation.
@@homenetworkguy Thanks for the reply! Yeah that is my understanding as well, I'm gonna give it a go next weekend when I can afford to have some downtime on the internet without the girlfriend murdering me :D
If you want to use your native VLAN for your management network, I recommend changing all of your unused ports to be on a different VLAN (such as a guest VLAN) if you are concerned that a random unsecured device will be plugged into an unused port in your switch or a wall jack in your house (if you have Ethernet run). Any port that’s connected to the router or another switch should be tagged if you want that VLAN traffic to pass through. Many times you will want all of the VLANs to pass through, so you would want to tag them all just for those ports.
I haven't been able to get a UniFi switch working. I cannot change the VLAN of the port where the server/controller is installed; once that's changed the switches are in a locked state as they can't communicate with the server, and only a factory reset will bring them back up. This has been 4 days of trying 12 hours a day.
Sorry you have been having so much trouble with the UniFi switch. I will note that in my video I left the management interface of the UniFi switch on the untagged VLAN, which is the default behavior, so it was easier for me to get things up and running (part of the reason why I use the untagged VLAN 1 as my management network: it is the default). I didn’t realize you are trying to change the management interface of the UniFi switch. I believe you need to get all your VLANs set up first and then, once those are working, you can change the default management interface. It can get tricky to switch interfaces around to different VLANs. I haven’t actually tried that with a UniFi switch. I only had that one switch I used in the video for a short while since it wasn’t mine. My experience with setting VLANs on UniFi switches is currently limited. I thought about trying to buy a couple of cheap switches from different vendors (including UniFi) so I can show how to configure VLANs on like 8-10 different vendors in the same video/written guide.
I am now accidentally using the native VLAN for management. I was wondering whether the UniFi controller can find new switches and access points if it is on a VLAN? My UniFi controller is now a bunch of Docker images set up with docker-compose in a Proxmox container, not a VM! Should the VLANs also be available to the Docker container of the controller? It does work without. My Proxmox box is still on the native VLAN. I am going to migrate this to TrueNAS.
I personally use the native VLAN 1 for management, but I’m careful to separate the untagged and tagged traffic on OPNsense on 2 different interfaces as well as assigning all of my unused interfaces on my network switch to my guest network (to ensure nobody randomly plugs into any wall jack to get on my management network). So it’s not necessarily a bad thing if you are careful with VLAN assignments (it’s easy enough to manage on a small home network). You may have to adopt the APs on the native VLAN and then change the settings for the APs to use a different VLAN for management. This means you may need to make the UniFi Controller available on both the native VLAN and the management VLAN. I found a post describing at a high level what would need to be done: www.stephenwagner.com/2019/10/05/change-management-vlan-on-ubiquiti-unifi-hardware-and-controller/amp/ It’s definitely easiest to use the native VLAN as the management network, but I know there are reasons for using a dedicated management VLAN.
So for the LAN port AND the LAGG ports...all traffic should be tagged, right, unless someone connects a new device to a port that has the default VLAN assigned. So we should tag the LAGG ports with VLANs. Leaving the LAG at default also passes VLAN 1. Something is redundant; I'm somewhat confused on why we even need the LAN interface>switch if all 3 ports are left as default. Every time I tag my LAGG ports with all my VLANs my switches go offline and have to be factory reset. It must be that there's no IP assigned to the LAG interface, but I'm not sure what one would put there?
I’m using the LAN port as untagged for the default VLAN 1. I don’t have the parent LAGG interface configured in OPNsense, so even if the switch allows VLAN 1 on the LAGG, OPNsense is not configured to use it on the LAGG. I took the time in my written guide with a TP-Link switch and also in my first video with the Cisco switch to make sure the switch itself doesn’t pass VLAN 1 traffic on the LAGG, but with UniFi it seemed less clear how to actually do this. I think I tried and might’ve had issues, so I just left it at the default. Since OPNsense ignores the parent LAGG interface’s untagged traffic, that leaves only the LAN as the interface where the untagged traffic will be handled. There shouldn’t be any redundancy with the untagged traffic because only the LAN is untagged and the parent physical interface of the LAGG is not configured in OPNsense. Try ensuring the port connected to the LAN is not tagged and the ports connected for the LAGG are tagged with all the VLANs. Also make sure the system you are configuring everything with is plugged into the untagged LAN network.
@@homenetworkguy By this logic (and it’s very likely I'm wrong), wouldn't we set the LAN interface to default for the native VLAN and then block all under tagged? This way it ensures we only pass untagged/mgmt traffic? Again, I’m not challenging you by any means, just trying to wrap my head around it. If we blocked everything and made the default native, then tagged the LAGG ports with all the VLANs....doesn't that keep everything nice and neat? Or do I have it all backwards? The way UniFi does VLAN assignments is confusing AF.
Yeah, I made sure to say it wasn’t mine, haha. Funny story: when I first turned it on and tried to adopt the switch, it tried doing a firmware update or something at the same time it was being adopted, which caused the adoption to fail for some reason. I had to factory reset it before it would let me adopt it again. Worked fine after that. Never had a problem with their APs doing that.
@@MegaMaskedrider I've never had issues with their APs in using them for 6 years, but I don't have any experience with their switches other than the one I had for a short while to do this video. I haven't heard of as many issues with their switches or APs as I have heard with their UniFi gateway devices. Botched updates, etc. can be one issue with their devices. I know Jason is not a fan, so I was telling him that I did not purchase that switch for my network, haha. I feel like their newer generation products are more expensive in general than their older generation. I've found other good alternatives (but I'm not obsessed with having everything managed from a single dashboard; I don't have THAT many devices to manage for my home network).
@@homenetworkguy Thx for the response. Do you have any recommendations for a 16-24 port managed switch? My old networks professor said never buy TP-Link or D-Link, go at least for Netgear or Cisco if you can; he didn't mention UniFi devices because back then it wasn't that popular in Europe... I'm considering buying the 16 port PoE Lite switch from Ubiquiti and using my 8 port for the living room, since there are plenty of devices with a physical connection. If you know anything more priceworthy plz let me know.
@@homenetworkguy good to know, thanks for the tip! I’ll make sure to set those on my switch.
Should the '1' 'native' VLAN be all tagged or untagged for most ports? Should the VLANs be tagged on the router/LAG ports for every one? I’m new, sorry.
If you want to use your native VLAN for your management network, I recommend changing all of your unused ports to be on a different VLAN (such as a guest VLAN) if you are concerned about random unsecure device will be plugged into an unused port in your switch or wall jack in your house (if you have Ethernet ran).
Any port that’s connected to the router or another switch if you want that VLAN traffic to pass through. Many times you will want all of the VLANs to pass through so you would want to tag them all just for those ports.
I haven't been able to get a UniFi switch working. I cannot change the VLAN of the port where the server/controller is installed; once that's changed the switches are in a locked state as they can't communicate with the server, and only a factory reset will bring them back up. This has been 4 days of trying 12 hours a day.
Sorry you have been having so much trouble with the UniFi switch. I will note that in my video I left the management interface of the UniFi switch on the untagged VLAN which is the default behavior so it was easier for me to get things up and running (part of the reason why I use the untagged VLAN 1 as my management network- it is the default).
I didn’t realize you are trying to change the management interface of the UniFi switch. I believe you need to get all your VLANs set up first and then once those are working, you can change the default management interface. It can get tricky to switch interfaces around to different VLANs.
I haven’t actually tried that with a UniFi switch. I only had that one switch I used in the video for a short while since it wasn’t mine. My experience with setting VLANs on UniFi switches is currently limited. I thought about trying to buy a couple of cheap switches from different vendors (including UniFi) so I can show how to configure VLANs on like 8-10 different vendors in the same video/written guide.
I am now accidentally using the native VLAN for management. I was wondering whether the UniFi controller can find new switches and access points if it is on a VLAN? My UniFi controller is now a bunch of Docker images set up with docker-compose in a Proxmox container, not a VM! Should the VLANs also be available to the Docker container of the controller? It does work without. My Proxmox box is still on the native VLAN. I am going to migrate this to TrueNAS.
I personally use the native VLAN 1 for management but I’m careful to separate the untagged and tagged traffic on OPNsense on 2 different interfaces as well as assigning all of my unused interfaces on my network switch to be on my guest network (to ensure nobody randomly plugs into any wall jack to get on my management network). So it’s not necessarily a bad thing if you are careful with VLAN assignments (it’s easy enough to manage on a small home network).
You may have to adopt the APs on the native VLAN and then change the settings for the APs to use a different VLAN for management. This means you may need to make the UniFi Controller available on both the native VLAN and the management VLAN. I found a post describing at a high level what would need done: www.stephenwagner.com/2019/10/05/change-management-vlan-on-ubiquiti-unifi-hardware-and-controller/amp/
It’s definitely easiest to use the native VLAN as the management network but I know there are reasons for using a dedicated management VLAN.
So for the LAN port AND the LAGG ports... all traffic should be tagged, right, unless someone connects a new device to a port that has the default VLAN assigned. So we should tag the LAGG ports with VLANs. Leaving the LAG at default also passes VLAN 1. Something is redundant; I'm somewhat confused on why we even need the LAN interface>switch if all 3 ports are left as default.
Every time I tag my LAGG ports with all my VLANs my switches go offline and have to be factory reset. It must be that there's no IP assigned to the LAG interface, but I'm not sure what one would put there?
The LAN port I’m using as untagged for the default VLAN 1. I don’t have the parent LAGG interface configured in OPNsense, so even if the switch allows VLAN 1 on the LAGG, OPNsense is not configured to use it on the LAGG. I took the time on my written guide with a TP-Link switch and also on my first video with the Cisco switch to make sure the switch itself doesn’t pass VLAN 1 traffic on the LAGG, but with UniFi it seemed less clear how to actually do this. I think I tried and might’ve had issues, so I just left it at the default. Since OPNsense ignores the parent LAGG interface untagged traffic, that leaves only the LAN as the interface where the untagged traffic will be handled. There shouldn’t be any redundancy with the untagged traffic because only the LAN is untagged and the parent physical interface of the LAGG is not configured in OPNsense.
Try ensuring the port connected to the LAN is not tagged and the ports connected for the LAGG are tagged with all the VLANs. Also make sure the system you are configuring everything with is plugged into the untagged LAN network.
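The port rules given in the replies above (unused ports moved to a guest VLAN, the OPNsense LAN port untagged on VLAN 1, the LAGG members tagged with every VLAN and ideally not passing VLAN 1 untagged, access ports carrying no tags) can be checked against a port plan before it is pushed to the switch. The script below is an added example, not the author's code and not anything from the UniFi or OPNsense projects; the VLAN IDs (10/20/30/40), the choice of VLAN 40 as the guest VLAN, the eight-port layout and the port roles are all assumptions made up for the illustration.

```python
"""Audit a planned switch port/VLAN assignment against the rules in this thread.

Added example (not from the page): the port plan below is constructed, and the
VLAN numbering (10/20/30/40, guest = 40) is an assumption for illustration.
Rules checked:
  - trunk ports (LAGG members to OPNsense, uplinks to other switches) tag every VLAN
    and do not pass an untagged (native) VLAN
  - the OPNsense LAN port is untagged on the native VLAN and carries no tags
  - unused ports are untagged on the guest VLAN only
  - access ports carry no tagged VLANs (otherwise they are effectively trunks)
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

NATIVE_VLAN = 1                # untagged management network, as used in the thread
GUEST_VLAN = 40                # assumed VLAN ID for the guest network
ALL_VLANS = {10, 20, 30, 40}   # assumed set of tagged VLANs the trunks must carry


@dataclass
class Port:
    name: str
    role: str                   # "trunk", "lan", "access" or "unused"
    untagged: Optional[int]     # native/PVID VLAN, or None if only tagged frames are allowed
    tagged: Set[int] = field(default_factory=set)


def audit(ports: List[Port], all_vlans: Set[int] = ALL_VLANS,
          native: int = NATIVE_VLAN, guest: int = GUEST_VLAN) -> List[str]:
    """Return one finding string per rule violation; an empty list means the plan passes."""
    findings: List[str] = []
    for p in ports:
        if p.role == "trunk":
            missing = all_vlans - p.tagged
            if missing:
                findings.append(f"{p.name}: trunk does not tag VLANs {sorted(missing)}")
            if p.untagged is not None:
                # OPNsense ignores untagged frames on an unconfigured LAGG parent,
                # but the switch still forwards them, so flag it anyway.
                findings.append(f"{p.name}: trunk still passes VLAN {p.untagged} untagged")
        elif p.role == "lan":
            if p.untagged != native:
                findings.append(f"{p.name}: LAN port must be untagged on VLAN {native}")
            if p.tagged:
                findings.append(f"{p.name}: LAN port should not carry tagged VLANs {sorted(p.tagged)}")
        elif p.role == "unused":
            if p.untagged != guest or p.tagged:
                findings.append(f"{p.name}: unused port should be untagged on guest VLAN {guest} only")
        elif p.role == "access":
            if p.tagged:
                findings.append(f"{p.name}: access port carries tagged VLANs {sorted(p.tagged)}")
        else:
            findings.append(f"{p.name}: unknown role {p.role!r}")
    return findings


def sample_plan() -> List[Port]:
    """Constructed eight-port plan with three deliberate mistakes (port3, port6, port8)."""
    return [
        Port("port1", "lan", untagged=1),                                   # OPNsense LAN, untagged VLAN 1
        Port("port2", "trunk", untagged=None, tagged={10, 20, 30, 40}),     # LAGG member to OPNsense
        Port("port3", "trunk", untagged=None, tagged={10, 20, 40}),         # LAGG member missing VLAN 30
        Port("port4", "access", untagged=10),                               # user device
        Port("port5", "access", untagged=20),                               # IoT device
        Port("port6", "unused", untagged=1),                                # left on the management VLAN
        Port("port7", "unused", untagged=40),                               # correctly parked on guest
        Port("port8", "trunk", untagged=1, tagged={10, 20, 30, 40}),        # uplink still passing VLAN 1 untagged
    ]


if __name__ == "__main__":
    for finding in audit(sample_plan()):
        print(finding)
```

Running it prints three findings for the constructed plan: port3 is missing VLAN 30, port6 is an unused port still sitting on the management VLAN, and port8 is a trunk that still passes VLAN 1 untagged. The first two are the kind of mistake that leaves a switch or AP unreachable after the change, which is worth catching before pushing the configuration.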
@homenetworkguy By this logic (and it's very likely I'm wrong) wouldn't we set the LAN interface to default for the native VLAN and then block all under tagged? This way it ensures we only pass untagged/mgmt traffic? Again, I'm not challenging you by any means, just trying to wrap my head around it. If we blocked everything and made the default native, then tagged the LAGG ports with all the VLANs... doesn't that keep everything nice and neat? Or do I have it all backwards? The way UniFi does VLAN assignments is confusing AF.
EWWWW a Unifi Switch :(. Good video though :)
Yeah I made sure to say it wasn’t mine, haha.
Funny story- when I first turned it on and tried to adopt the switch, it tried doing a firmware update or something at the same time it was being adopted which caused the adoption to fail for some reason. I had to factory reset it before it would let me adopt it again. Worked fine after that. Never had a problem with their APs doing that.
Are they so bad? Or just not worth the price?
@MegaMaskedrider I've never had issues with their APs in using them for 6 years, but I don't have any experience with their switches other than the one I had for a short while to do this video. I haven't heard of many issues with their switches or APs as much as I have heard with their UniFi gateway devices. Botched updates, etc. can be one issue with their devices. I know Jason is not a fan so I was telling him that I did not purchase that switch for my network, haha. I feel like their newer generation products are more expensive in general than their older generation. I've found other good alternatives (but I'm not obsessed with having everything managed from a single dashboard-- I don't have THAT many devices to manage for my home network).
@homenetworkguy Thanks for the response. Do you have any recommendations for a 16-24 port managed switch? My old networks professor said never buy TP-Link or D-Link, go at least for Netgear or Cisco if you can; he didn't mention UniFi devices because back then it wasn't that popular in Europe...
I'm considering buying the 16-port PoE Lite switch from Ubiquiti and using my 8-port for the living room, since there are plenty of devices with a physical connection.
If you know anything more price-worthy, please let me know.