Hi Tom, you uploaded these videos under a Creative Commons licence. But when we used your video and re-uploaded it on my channel, you gave us a copyright strike. I don't get why you do that. It feels like a trap. We respect your work. But if you're not happy with us using your content, consider changing the license type from Creative Commons to Standard, which would help clear up any misunderstandings. If you have any specific conditions for the use of your Creative Commons content, please inform me, and I'll be sure to adhere to them.
@@LAWRENCESYSTEMS Thanks for your reply. As far as I know, Creative Commons videos are allowed to make a profit. Since you're not happy with us using your video, I respect it and I will remove all your videos from my channel. (If you allow me to keep it as non-monetized, I will do so.) Please retract those strikes. And please make future uploads Standard. Thanks in advance.
Why do they keep changing and moving settings around in Unifi?!? It's such a pain in the ass to find new settings for simple things after every update.
Having some functionalities on the older UI and others on the new UI is a pain in the fucking ass. Let alone renaming native, tagged, untagged, access and trunk ports... what is the mindset behind all this??? wtf
I don't like it either, my only guess is they think it's easier for someone new to VLANs to understand. Right now, their audience is largely people who understand, and prefer, standard nomenclature. Maybe they are trying to reach a less technical market, but I really don't expect less technical people will be using VLANs. Those folks are happy to see "it's working" and call it a day (flat LAN, one router/firewall to the internet).
VLANs are very confusing in UniFi. They need to remove all this "restrictions" nonsense and revert to standard terminology. Native VLAN, tagged and untagged. It's a system that has worked well for decades. Why complicate it??
This is more in line with how a lot of the OEMs who use a Cisco-style CLI do it. We’ve had to use this approach for years with them. While this is a little more work than the previous port profiles that UniFi has had, it is very nice when you have a lot of custom port configs. We have a site where we were having to define an outrageous number of port configs, just for the way one switch needed to be. It made it a royal pain to find the configs that we normally needed. With the new UI, we’re down to three and all the custom stuff is isolated to just that switch. Thanks for the video.
Yeah, this is one of these things that I think I was getting right, but it is great to see this confirmed by you. Thanks Tom!
BEWARE when upgrading from network controllers prior to 7.4 to newer versions. It can, and does, mess up these restrictions when converting from the old port profiles method, and you end up having ports missing VLANs. (The typical end result is that the guest WiFi doesn't work, or the voice VLAN is dropped and all the phones are dead, etc.)
Back up your config before upgrading, roll back if you have to, or document and fix all the ports that have switch profiles after the upgrade is complete.
Excellent video, thanks for posting. I ran into this when deploying a new UniFi set-up at my in-laws' house (far bigger and more complex than it sounds)... I honestly don't understand why they felt the need to do this; fundamentally this is what the Port Group Profiles should have done, and UBNT should have focused efforts there, to make them more prominent and fixed. Instead we now have this confused mish-mash.
For 5 years, I have extensively used Port Profiles in the legacy UI.
- One of the profiles is called TRNK1, which is all of the VLANs, much like choosing No Traffic Restriction.
- Another Port Profile is WiFiTRNK, which is just the VLANs that should go to the UAPs.
- Another Port Profile is TRNK1-NBE5ac, which is just the VLANs that should go through the NanoBeam 5ac wireless bridges.
The new UI respected most of these settings, except for the TRNK1-NBE5ac Port Profile. The NanoBeam 5ac needs 24v Passive power, which is a so-called Advanced PoE setting. The problem is that the Port Profile config screen will not allow a Port Profile configuration that uses 24v Passive (Only PoE+ or None is available). The solution is to set the Primary Network to "Default" and to check "Traffic Restriction" and to "Allow" and select the sub-set of VLANs that I want to traverse the NBE5ac links. I have three pairs of NBE5acs, and they do a good job.
At first I didn't understand why VoIP phone VLANs were dropping in some buildings, but then I figured out that after upgrading the Unifi Controller and switch software/firmware a change had been made that was not consistent with earlier Port Profile configurations.
Live and learn!
Are there any videos that show the new interface? I just got some switches and I don't understand how to set up VLANs without my switches going offline. I've been at this for days; it looks like I'm the only person who has the new interface.
Also, if my controller (or whatever TF it's called) is currently hosted on a Windows machine, does that machine HAVE to be on the default VLAN? If I change this machine's network the switches go offline and they must be factory reset.
Yeah, this didn't go well for me. The minute I tried setting my IoT AP to an IoT VLAN I created, and Traffic Restrictions to allow only the same VLAN, the AP showed up as unprovisioned. Only after I reverted back did it work. And I don't know if it's because of something further "upstream" that I have configured in the WiFi or Networks section. VLANs are still a pain in the ass for me. I have them set up for my work, IoT, and default, but you can still VLAN hop, and I've been hoping to get this working sooner rather than later as I REALLY want to get
I recently picked up a Ubiquiti router/switch, an AP, and some UniFi Protect cameras. Could I follow this guide to make 3 VLANs to secure my network? One for cameras, one for my local network, and one last VLAN to put my homelab PC on so that I could securely self-host?
I've been looking for a tutorial on securely setting up a network to do so, but I'm having trouble finding one. I was really looking forward to setting up a properly secured network and deploying Jellyfin for my family with my new purchases on Black Friday, but I'm beginning to think I was way in over my head. This video makes it seem so simple, but I feel like maybe I'm not understanding something...
Why is Unifi trying to reinvent the wheel with the confusing terminology? Traditional 802.1q and 802.1ad terminology have been easy to comprehend and research if you're new to networking.
Things like this are why I largely don't trust Unifi kit tbh, my experience with them has not been good.
Is this Traffic Restriction feature only on the newer Cloud Key? My 16-port Gen2 switch does not have 'Network' when I go into Port Management, only Port Profiles.
It is in the latest version of the controller 7.5.X
Thank you, looks like my Gen1 Cloud Key is due for decom, might try self hosting
I wish that after setting up ‘allow and restrict’ options for your first port, the settings were saved as a port profile for use in the future.
Then on the next port, if you don’t like any of the current profiles, it will allow you to create a new one.
Thanks!
Thanks!
I wish they would just use Native and Allowed VLANs like in Cisco devices, but I guess UniFi needs to feel special 😂
This irks me the most. Don't dumb it down; it ends up confusing those that know what they're doing.
Access ports, trunk ports, native, tagged and untagged: these are basically industry standards. Don't make up your own terms, UniFi!
@@dyerseve3001 Exactly!!
I’m not sure if you will see this but I noticed when an AP is on the port, setting up traffic restrictions is different.
I had to use default for default, then allow the VLAN I want to use for the AP.
Is this the correct way to set up traffic restrictions for this case?
Yes, sending the default when an AP is connected is correct because you do the restrictions on the AP itself when you set the SSID to choose the VLAN.
Turning on Traffic Restrictions and allowing only 1 other VLAN would be similar to a Voice VLAN setup on a Cisco switch. The selected VLAN would be untagged and the additional VLAN in the Traffic Restriction would be tagged. Is this correct?
Tom, when you were changing the network on the VM, was that just changing the NIC to one with a different static IP? Is that VLAN hopping? Just changing the IP to the same scheme as another VLAN?
Nope, that is not. I was changing the VLAN tag and you can only VLAN hop if that tag is available to that port.
I do have switches that I don't forward all VLANs to. For example, I've got a little 8-port switch on the back of my media cabinet that takes care of connectivity for the Blu-ray player, the Dish Network box, the AVR, the TV, a couple of printers, etc. etc. One thing that isn't clear to me is whether I should also change the management port of that switch to something that isn't on my management VLAN. Is it considered best practice to restrict the management VLAN to only those devices that are in your cabinet and let the physically remote switch live somewhere else, or????
I mean, it's a home, so it doesn't matter all that much, just a question I've been wondering about.
Be careful setting the MGMT VLAN: the MGMT VLAN must be able to reach the controller. This poses a problem if you run one outside the network, because now your MGMT VLAN needs Internet access, which isn't ideal.
@@dyerseve3001 In my case the little switch is just a Netgear 8-port, not a managed UniFi switch. The process for setting the management VLAN on those things is a giant pita, btw, and definitely explains why a controller is a nice management tool.
Thanks for this useful information; however, it seems for me it will not work correctly. Is that because the main VLAN is not set up the same and is just set to Default with no traffic restrictions? I RDP into one of the PCs on the VLAN and can ping the default network; I thought it would be blocking it from reaching back.
This video did not cover firewall rules, just VLAN settings.
@@LAWRENCESYSTEMS Yeah, I will have to look thru other videos you have done to show me how to stop the VLAN being able to ping back to the other network, but this was helpful tho :)
As a new UniFi switch user, why don't I have the Traffic Restriction shown on my screen? I am running an older Ubiquiti Cloud Key (debating on updating to the Ubiquiti UniFi Dream Machine Pro), but the switches are US-24-250W and USW-Pro-24-PoE. It says it's Network 7.2.97 if that helps.
As I said at the beginning of the video, this started with their mid-2023 release, which was 7.4, and I am using 7.5 in the demo.
How do you trunk VLANs on a server-hosted UniFi controller with this switch adopted to that controller, without using a UniFi gateway or UDM Pro, just a 3rd-party gateway with VLANs trunked to the uplink of that switch from a Cisco switch? DM maybe for more clarification?
Not clear on the question, you should post in the forums for a better discussion.
@@LAWRENCESYSTEMS I meant when one is using a hosted UniFi controller on, let's say, a Windows server, and your VLANs are coming from a 3rd-party firewall and moving through Cisco switches. How do you integrate a Cisco switch in that setup, and how do you tag and allow VLANs to pass?
@@dullysykes1 The UniFi switch will follow whatever route it has to the controller; it does not matter what VLAN, it matters what IP the switch has based on its settings.
I set up my UniFi/Ubiquiti with 4 VLANs: one VLAN for router/switch/UPS/NAS access, one for private networks (PCs), one for my cameras (Hikvision), and one for IoT (Alexas, Google Home devices, ESPs and everything else that is untrusted). My camera network cannot access the internet except the NVR, which can access NTP and DNS, but all the other three VLANs are allowed all outbound.
Thanks for making this video. Could you make another one explaining when to use Traffic Restrictions over Ethernet Port Profiles?
You use them the same way. Port Profiles are just a time saver because you can assign a group of ports the same profile, and then if a change needs to be done you can change the profile instead of all the ports.
@@LAWRENCESYSTEMS well, that didn't need an entire video. Thanks for the explanation!
Would firewall rules preventing inter-VLAN routing stop the VLAN hopping regardless of whether you had traffic restrictions set?
VLAN hopping is being able to change what network you are plugged into, and inter VLAN firewall rules keep the traffic on each network flowing or not flowing between them depending on the rules.
Great video. BTW, you can also change the name of the default network in the iOS UniFi Network app. I'm fairly confident that you can do this in the Android app as well, but I don't have an Android phone, so I cannot say for sure. I have also heard through the EA channel that they will be bringing this option back to the "New UI" in the near future, so we won't have to use the Legacy interface.
What’s the difference between setting a traffic restriction vs hitting that “advanced” button and setting a port profile instead?
Port profiles are so you can make it easy to set groups of ports to a profile and adjust them from the profile settings.
We need IPv6 for inter-VLAN routing on UniFi L3 switches; currently not supported. Who would have thought we are in 2023 and UniFi doesn't fully support IPv6 and barely supports IPv4. Good video Mr Lawrence 😊
I'd argue you didn't perform your due diligence when you purchased those switches. Anyone worth their salt should be doing DD before making a purchase of any hardware. Ubiquiti is not at fault here.
@@l00tur Not saying anybody's at fault, just saying UniFi are living in the 90s...
@@FTLN I mean that’s fair, but this is prosumer equipment. The low cost of their equipment means caveats, their slow roll-out of features being one of them.
@@l00tur Here in Europe ISPs are rolling out IPv6-only networks. UniFi needs to adapt to what the prosumer market needs here. In the USA, your ISPs are old and outdated, so perfectly fine for UniFi equipment which is also running an old and outdated software stack.
I see in the latest versions of the network software they've changed the terminology from "primary network" to "native network", which is good because this is standard VLAN speak.
@Tom I opened a ticket with UniFi about the default network issue last week which is still under investigation they said…. Let’s see if they fix it !!! They asked me to grab a video as they were not able to repro/understand the problem 😮😮😮
Not working at all for me. Set a port to VLAN 2, set to block all, can still ping and log in to the device on that port from the default (VLAN 1).
Great video, very useful. Thanks Tom!
That scroll bar problem at 4:42 might simply be a feature of the OS or browser. At least Windows has used that dumb feature of making those scroll bars very unusable by hiding them; you can find that setting somewhere in the Control Panel, Ease of Access or something like that. There might be people who like that setting, but at least for me that is one of the few settings which must always be corrected back to how it has always been (visible, and enough so) every time I make a new user account on Windows.
Definitely a Win11 problem, and now a Win10 problem with the latest 22H2 update.
It was set to this even though I did not change anything. Maybe it got updated with updates over time. I haven’t noticed. That’s cool!
Can you do a video off of this one that shows how to apply network profiles within UniFi?
Great video Tom. I use UniFi APs but I think they have essentially made things more complex than it really needs to be on the switching side of things.
On Cisco and many others it’s a recommended good security practice to refrain from using the default VLAN (VLAN 1) by ensuring you are only allowing the required tagged VLANs on your trunk ports and removing VLAN 1 where you can.
We disable VLAN 1 on all our switches and create a dummy native VLAN in its place, which doesn’t pass any traffic, which we use on switch-to-switch trunk links, and we also only tag the VLANs we require on the trunk links from our core to access switches, such as end-user VLANs, rather than having them all. For example, there’s no need for our server VLAN IDs to be trunked to user access switches.
Yes, you can tag all VLANs on trunk links going to other switches, but it’s recommended to limit this and be especially careful about the native untagged VLAN to protect against double tagging attacks.
Yeah, these changes made a complete mess of my network, because if you have a lot of Flex Mini switches like I do, then post-upgrade it didn't keep the same setup. So I ended up with ports on "default" which were supposed to be trunks.
My VLAN traffic was really intermittent, which is a bit worrying tbh, my IoT devices should not really have been working at all, but were on and off.
...Until I set all of the appropriate ports to None.
If all your switches are not Flex Minis then it kinda makes sense.
But if you have Flex Minis, then it's confusing due to not having the "restriction" section. So, for a trunk, you have to set "None", but for other switches you'd typically set "default" with "no restrictions" for a trunk.
It's unfortunate the FlexMinis are somewhat crippled on VLAN configuration, the port either sends everything (all the tagged VLANs) or just a single VLAN. Setting the primary network to "None" could be confusing, as it actually means send "Everything" tagged. Standard terminology would be better, so instead of "Primary Network", how about "Untagged Network" or "Primary VLAN", and instead of just "None", something that conveys "None/All tagged VLANs".
One thing you forgot to mention is to set the native VLAN to a black-hole VLAN to prevent double-tagging attacks.
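The advice in the comments above (remove VLAN 1 from trunks, use a dummy native VLAN that carries no traffic, only allow the VLANs a trunk needs, and the black-hole native VLAN just mentioned) all targets the same 802.1Q double-tagging trick. The following is an added example, not code from the video, from Ubiquiti or from Cisco: a small Python model of two switches joined by a trunk, which builds real 802.1Q frame bytes and walks one double-tagged frame from an access port across the trunk. The VLAN numbers, MAC addresses, payload and function names (`double_tag_outcome` and friends) are constructed for the illustration, and the rule that an access port accepts a frame already tagged with its own VLAN is an assumed simplification of how many switches behave, not a statement about any particular product.

```python
"""Model of 802.1Q double tagging across two switches joined by a trunk.

Added example; not code from the video, UniFi or Cisco. All frames are
constructed here and the switch behaviour is a deliberately simplified model.
"""
import struct

TPID_8021Q = 0x8100
MAC_HDR = 12  # destination MAC + source MAC


def build_frame(dst_mac, src_mac, vids, ethertype=0x0800, payload=b"constructed payload"):
    """Build an Ethernet frame carrying zero or more stacked 802.1Q tags (outermost first)."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost 802.1Q tag, or None for an untagged frame."""
    tpid, tci = struct.unpack_from("!HH", frame, MAC_HDR)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def push_tag(frame, vid):
    return frame[:MAC_HDR] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[MAC_HDR:]


def pop_tag(frame):
    return frame[:MAC_HDR] + frame[MAC_HDR + 4:]


def access_ingress(frame, access_vlan):
    """Access port on switch 1. Untagged frames are classified into the access
    VLAN; a frame already tagged with the access VLAN is accepted unchanged
    (assumed behaviour, common on many switches); any other tag is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return push_tag(frame, access_vlan)
    return frame if vid == access_vlan else None


def trunk_egress(frame, native_vlan, allowed, tag_native=False):
    """Trunk port leaving switch 1. Only allowed VLANs and the native VLAN are
    forwarded; the native VLAN leaves untagged unless the trunk is configured
    to tag it (the Cisco 'vlan dot1q tag native' behaviour)."""
    vid = outer_vid(frame)
    if vid is None or (vid not in allowed and vid != native_vlan):
        return None
    if vid == native_vlan and not tag_native:
        return pop_tag(frame)  # this strip is what exposes an attacker's inner tag
    return frame


def trunk_ingress(frame, native_vlan, allowed, tag_native=False):
    """Trunk port entering switch 2. Returns the VLAN the frame is delivered
    into, or None if dropped. Untagged frames belong to the native VLAN; a
    black-hole native VLAN that is not on the allowed list discards them."""
    vid = outer_vid(frame)
    if vid is None:
        if tag_native:
            return None  # untagged frames are not expected on a tagged-native trunk
        vid = native_vlan
    return vid if vid in allowed else None


def double_tag_outcome(attacker_vlan, native_vlan, allowed, target_vlan=20, tag_native=False):
    """Send one frame tagged [attacker_vlan, target_vlan] from an access port in
    attacker_vlan across the trunk and report which VLAN switch 2 delivers it into."""
    frame = build_frame("ffffffffffff", "02aabbccdd01", [attacker_vlan, target_vlan])
    frame = access_ingress(frame, attacker_vlan)
    if frame is None:
        return None
    frame = trunk_egress(frame, native_vlan, allowed, tag_native)
    if frame is None:
        return None
    return trunk_ingress(frame, native_vlan, allowed, tag_native)


if __name__ == "__main__":
    # Default native VLAN 1 with the attacker's access port in it: inner tag reaches VLAN 20.
    print("native 1, attacker in 1      ->", double_tag_outcome(1, 1, {1, 10, 20}))
    # Black-hole native VLAN 999, no access ports in it, not allowed: frame stays in VLAN 10.
    print("native 999 (black hole)      ->", double_tag_outcome(10, 999, {10, 20}))
    # Tagging the native VLAN also defeats the hop even with VLAN 1 still native.
    print("native 1 but tagged on trunk ->", double_tag_outcome(1, 1, {1, 10, 20}, tag_native=True))
```

The first call shows the hop: the outer tag matches the trunk's native VLAN, switch 1 strips it on egress, and switch 2 reads the inner tag and delivers the frame into VLAN 20. The second call is the configuration the comments recommend: the native VLAN is a number with no members and no allowed-list entry, so the attacker's frame keeps its outer tag and never leaves its own VLAN, while anything that arrives untagged on that trunk is discarded. The third call shows that tagging the native VLAN on the trunk is an alternative fix when VLAN 1 cannot be removed.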
Thanks Tom, always learn something off you
Once upon a time, on a GUESTS network, it would isolate this network and stop their devices from seeing the rest. Sadly, it has been broken for ages and blocks internet access.
Hm?
Doesn't that functionality still exist, or is it just broken?
@gandalf1783 Broken. When enabled it should remove the UBNT slutty VLAN bridging that USG/UDM/UXGs do by default, by blocking it in the firewall. It is currently broken, and has been for the past few controller/firmware versions. Now, when enabled, it kills internet access for the network. The clients get DHCP, but because there is no internet access, many just won't connect.
Am I missing something but isn't this why we use untagged ports? It seems like this means UniFi ports are always trunks regardless.
Fixed my switch settings :) Thanks!
This is a great example of how to reinvent the wheel with "tagged, untagged and native VLAN" xD
Glad I watched this. Definitely some big vlan changes
Nice!!! But still waiting for ACLs on L3.
I'm running a 48-port Unifi at the mo, but I also have a Cisco CBS350 and it's much nicer to config via CLI than this nonsense. Many thanks Tom for the clarification, but Ubiquiti, what are you doing...
Nice video, Tom! Thanks!
Tom, as usual: informative.
Thanks for this video!
Can you do a video where you show how to combine pfsense with UniFi switches and aps?
I have one here ruclips.net/video/WMyz7SVlrgc/видео.html
don’t you always want to not use port 1 to prevent vlan hopping?
The port number does not matter, what matters is how the ports are configured.
Hi Tom, you uploaded these videos under a Creative Commons licence. But when we used your video and re-uploaded it on my channel, you gave us a copyright strike. I don't get why you do that. It feels like a trap. We respect your work. But if you're not happy with us using your content, consider changing the license type from Creative Commons to Standard, which would help clear up any misunderstandings. If you have any specific conditions for the use of your Creative Commons content, please inform me, and I'll be sure to adhere to them.
You take other peoples videos to profit from their work so you can expect more take down notices from other creators as well.
@LAWRENCESYSTEMS Thanks for your reply. As far as I know, Creative Commons videos are allowed to make a profit. Since you're not happy with us using your video, I respect it and I will remove all your videos from my channel. (If you allow me to keep them as non-monetized, I will do so.) Please retract those strikes. And please make future uploads Standard. Thanks in advance.
Ripping off other people’s work and defending it with this argument while acting like a victim is just trashy. Get a grip man
Why do they keep changing and moving settings around in Unifi?!? It's such a pain in the ass to find new settings for simple things after every update.
Another note: you can go to Legacy Settings and rename the "DEFAULT" network to a proper name. Can't do this from the turdy new interface.
its like they are thinking "less is more" which is annoying
And....like clockwork.....ver 8.0.2 of the controller changes everything.
lol, really? FFS....this is why I won't buy these switches. Just give me normal ACLs
Now if only this would work seamlessly with IPv6 though.
its like a firewall filter
they have the worst UI for VLAN settings.
Even cheap old D-Link is a better experience.
Having some functionality on the older UI and other functionality on the new UI is a pain in the fucking ass, let alone renaming native, tagged, untagged, access and trunk ports...
what is the mindset behind all this???
wtf
I don't like it either, my only guess is they think it's easier for someone new to VLANs to understand. Right now, their audience is largely people who understand, and prefer, standard nomenclature. Maybe they are trying to reach a less technical market, but I really don't expect less technical people will be using VLANs. Those folks are happy to see "it's working" and call it a day (flat LAN, one router/firewall to the internet).
@timezonewall not too bright...
I full on HATE the way you are supposed to configure VLANs on Unifi switch ports - just tell me which are tagged and untagged ffs!!!!
100%. Tagged, untagged end of story.
And.... network 8.0.2 has changed this again
Thank frick, this is what I’ve been trying to do for weeks with no success
VLANs are very confusing in Unifi. They need to remove all this "restrictions" nonsense and revert to standard terminology: native VLAN, tagged and untagged. It's a system that has worked well for decades. Why complicate it??
The UI is stupid; most of the screen is taken up by a view of the switch, which is just for clicking on a switch port.
did not understand a thing.