
Thread: Unifi protect

  1. #1
    Master Untangler
    Join Date
    Oct 2017
    Posts
    153

    Unifi protect

    I'm debating how I want to separate my home network. Thinking about VLANs for each of data, IoT, UniFi Protect and guest. One idea was to utilize my additional NICs for my UniFi Protect, then VLANs for the others. What rule would I need for Protect to see the Cloud Key Gen2+ on a different NIC if the cameras are on 192.168.2.* and the Cloud Key is on 192.168.1.*?

    Would it be better to have it on its own VLAN instead?

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605


    Hi, this was a little off topic, so I shelved it for a while. But I have a few thoughts:

    I am not familiar with Unifi Protect, or its cloudkey.

    Hardwired segmentation is better than Vlans.

    A Unifi AP can take tagged VLANs and assign segmented traffic to separate SSIDs. That is useful at the individual AP level, as only one Ethernet cable is needed between the AP and an interface on NGFW, which can do the VLAN tagging as you like.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,240


    A 100% unifi stack behind Untangle is something of a magical thing honestly...

    I've recently picked up a US-48 switch and a US-8 switch, to go along with my AC Lite WAP, to swap out everything that was behind my Untangle.

    I don't use a cloud key, the controller runs on my Server 2016 VM as a service, with OpenJRE supporting it. Untangle provides DHCP, and has the unifi. DNS record aimed at my server, all Unifi gear simply finds it and works.

    After that, all I had to do was define a corporate network, set the tag number, and start assigning switch ports to the appropriate VLAN membership. The SSIDs also have VLAN tags, and they just "go" to the appropriate VLAN. After that, creating the virtual interfaces on Untangle was a snap.

    There are a few limitations to this reality to keep in mind:

    1.) Each WAP can only support 4 SSIDs and therefore can only connect wireless clients to a maximum of 4 specific VLANs.
    2.) The default port configuration for all Unifi switches has each port set to be a member of VLAN1, and VLAN1 has permission to receive frames from all other VLANs.

    So, as long as you take the approach of network gear being on VLAN1, and everything else going onto other VLANs, it's all but trivial to slide in the Unifi gear as default, keep things working as is, then slide devices as you want or need off VLAN1 and into their vlans for isolation.

    Untangle lives in VLAN1, and interfaces from it just need to be configured to receive tagged frames and it all "just works".

    Honestly, it's EASIER than Meraki... The solution provides greater visibility too... not to mention costs buckets less. The only real snag in comparison is the setup of the controller itself, something the cloud key simplifies. But personally again I prefer to run the controller on a VM I built myself, or simply Azure host it, it's pretty easy stuff once you've done it a couple times.

    I don't recommend Unifi's routers... because there are too many unknowns when you start trying to be creative. But, if you want to do so all you need to ensure is DHCP is handing out a known DNS suffix, and you have a DNS service resolving unifi.dnssuffix.here to whatever IP your controller lives on, and there are no ACLs that prevent access to at very least the inform port to the controller itself. After that, the controller will see the devices, be able to adopt them, and everything "just works". List of ports here: https://help.ubnt.com/hc/en-us/artic...iFi-Ports-Used

    *Edit* I REALLY should bust out my camera and make a video how to on all this, it's pretty magical.
    Last edited by sky-knight; 02-27-2020 at 02:59 PM.
    mtarbox, pprior and wbennett77 like this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
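    One way to check the three preconditions sky-knight lists above (DHCP hands out a DNS suffix, unifi.<suffix> resolves to the controller, and no ACL blocks the inform port from the device's VLAN) against a constructed ruleset. This is an added example, not code from the thread or from Ubiquiti; the zone data, the ACL and the inform port number are assumptions.

```python
"""Constructed model of UniFi controller discovery: DHCP suffix -> DNS record ->
ACL check on the inform port. All data is constructed sample data, not a real network."""
import ipaddress

# Assumption: UniFi's TCP inform port; verify against the ports article linked above.
INFORM_PORT = 8080

# Constructed DNS zone: the record each VLAN's DHCP suffix points at.
DNS_ZONE = {"unifi.home.lan": "192.168.1.10"}

# Constructed ACL, first match wins: (src_net, dst_net, dst_port or None for any, action).
# Cameras on 192.168.2.0/24 may reach only the inform port on the management VLAN.
ACL = [
    ("192.168.2.0/24", "192.168.1.0/24", INFORM_PORT, "allow"),
    ("192.168.2.0/24", "192.168.1.0/24", None, "deny"),
    ("192.168.1.0/24", "0.0.0.0/0", None, "allow"),
]


def resolve_controller(dhcp_suffix, zone=DNS_ZONE):
    """Return the controller IP behind unifi.<suffix>, or None if the record is missing."""
    return zone.get(f"unifi.{dhcp_suffix}")


def acl_permits(src_ip, dst_ip, dst_port, acl=ACL):
    """Evaluate the ACL top-down; anything unmatched is implicitly denied."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for src_net, dst_net, port, action in acl:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and port in (None, dst_port)):
            return action == "allow"
    return False


def can_adopt(device_ip, dhcp_suffix, zone=DNS_ZONE, acl=ACL):
    """Return (ok, reason): can a device on this VLAN inform to the controller?"""
    controller = resolve_controller(dhcp_suffix, zone)
    if controller is None:
        return False, f"unifi.{dhcp_suffix} does not resolve; fix the DHCP suffix or DNS record"
    if not acl_permits(device_ip, controller, INFORM_PORT, acl):
        return False, f"ACL blocks {device_ip} -> {controller}:{INFORM_PORT}"
    return True, f"{device_ip} can inform to {controller}:{INFORM_PORT}"


if __name__ == "__main__":
    for dev, suffix in [("192.168.2.50", "home.lan"), ("192.168.2.50", "lan"),
                        ("192.168.3.7", "home.lan")]:
        print(dev, suffix, can_adopt(dev, suffix))
```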

  4. #4
    Master Untangler
    Join Date
    Oct 2017
    Posts
    153


    Thank you both. Everything I have is Unifi except for my router/appliance, which runs Untangle. I too like the ease of use that Unifi has. I just got a little confused on how to keep the cloud key connected to Protect while still running all the access points and switches on VLAN1.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,240


    The cloud key doesn't stay connected to anything, everything else resolves unifi.whatever.com to find the cloud key.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Master Untangler
    Join Date
    Oct 2013
    Posts
    202


    I was able to deploy 7 VLANs (7 SSIDs) onto all four UAP-AC access points (three AC-LR and one AC-Pro). I understand the performance hit but it had to be done.

    Inter-VLAN routing is done via a Cisco L3 switch. Untangle is connected upstream, together with the DHCP and DNS server, in their own VLAN. A DD-WRT router runs as an OpenVPN client to access geo-locked sites. So, Rokus or set-top boxes requiring access to Netflix US just connect to VLAN 80 (or the appropriate SSID) and they're automatically routed to a US server.

    My UniFi Controller is running on another Windows Server (which is also running Plex), on VLAN 20. For all intents and purposes, VLAN 20 is also the Management VLAN. In other words, both the UniFi Controller and APs have IP addresses that are on the VLAN 20 subnet (192.168.20.x) to make sure they can talk to each other... so do the switches' and ESXi Management IPs.

    For visualization:
    Last edited by oj88; 02-28-2020 at 02:44 AM.
    Jim.Alles and mtarbox like this.

  7. #7
    Untangler
    Join Date
    Oct 2018
    Location
    Upstate NY.
    Posts
    48


    I concur with sky-knight on this.
    I have a full unifi stack behind my untangle. Everything is separated out onto vlans. It just works.
    I do have a few rules and groups in the unifi controller, but otherwise everything else is done through my untangle instance.
    Screenshot_20200228_150305.png
    Jim.Alles likes this.

  8. #8
    Untanglit
    Join Date
    Feb 2020
    Posts
    25


    Quote Originally Posted by sky-knight View Post
    A 100% unifi stack behind Untangle is something of a magical thing honestly...

    ...


    *Edit* I REALLY should bust out my camera and make a video how to on all this, it's pretty magical.
    Why yes, yes you should!

  9. #9
    Master Untangler
    Join Date
    Oct 2017
    Posts
    153


    Quote Originally Posted by pprior View Post
    Why yes, yes you should!
    I agree. It would be nice to learn from the experts.

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,240


    Quote Originally Posted by Loudog2 View Post
    I agree. It would be nice to learn from the experts.
    You have no idea how terrifying it is to see comments like that aimed at me...
    mtarbox likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
