UniFi: How to Securely Configure Switch Port VLAN Traffic Restrictions and Avoid VLAN Hopping

  • Published: 27 Dec 2024

Comments • 102

  • @plrpilot
    @plrpilot 1 year ago +2

    This is more in line with how a lot of the OEMs who use a Cisco-style CLI do it. We've had to use this approach for years with them. While this is a little more work than the previous port profiles that UniFi has had, it is very nice when you have a lot of custom port configs. We have a site where we were having to define an outrageous number of port configs, just for the way one switch needed to be. It made it a royal pain to find the configs that we normally needed. With the new UI, we're down to three and all the custom stuff is isolated to just that switch. Thanks for the video.

  • @petervandebeek5980
    @petervandebeek5980 1 year ago +6

    Yeah, this is one of these things that I think I was getting right, but it is great to see this confirmed by you. Thanks Tom!

  • @UpcraftConsulting
    @UpcraftConsulting 1 year ago +5

    BEWARE when upgrading from network controllers prior to 7.4 to newer versions. It can, and does, mess up these restrictions when converting from the old port profiles method, and you end up having ports missing VLANs. (The guest WiFi doesn't work, or the voice VLAN is dropped and all the phones are dead, etc. is the typical end result.)
    Back up your config before the upgrade, roll back if you have to, or document and fix all the ports that have switch profiles after the upgrade is complete.

  • @EViL3666
    @EViL3666 1 year ago +1

    Excellent video, thanks for posting. I ran into this when deploying a new UniFi set-up at my in-laws' house (far bigger and more complex than it sounds)... I honestly don't understand why they felt the need to do this; fundamentally this is what the Port Group Profiles should have done, and UBNT should have focused efforts there, to make them more prominent and fixed. Instead we now have this confused mish-mash.

    • @gregbrown4715
      @gregbrown4715 1 year ago

      For 5 years, I have extensively used Port Profiles in the legacy UI.
      -One of the profiles is called TRNK1, which is all of the VLANs, much like choosing No Traffic Restriction.
      -Another Port Profile is WiFiTRNK, which is just the VLANs that should go to the UAPs.
      -Another Port Profile is TRNK1-NBE5ac, which is just the VLANs that should go through the NanoBeam 5ac wireless bridges.
      The new UI respected most of these settings, except for the TRNK1-NBE5ac Port Profile. The NanoBeam 5ac needs 24v Passive power, which is a so-called Advanced PoE setting. The problem is that the Port Profile config screen will not allow a Port Profile configuration that uses 24v Passive (Only PoE+ or None is available). The solution is to set the Primary Network to "Default" and to check "Traffic Restriction" and to "Allow" and select the sub-set of VLANs that I want to traverse the NBE5ac links. I have three pairs of NBE5acs, and they do a good job.
      At first I didn't understand why VoIP phone VLANs were dropping in some buildings, but then I figured out that after upgrading the Unifi Controller and switch software/firmware a change had been made that was not consistent with earlier Port Profile configurations.
      Live and learn!

  • @ryanbuster4626
    @ryanbuster4626 11 months ago +1

    Are there any videos that show the new interface? I just got some switches and I don't understand how to set up VLANs without my switches going offline. I've been at this for days; it looks like I'm the only person who has the new interface.
    Also, if my controller (or whatever TF it's called) is currently hosted on a Windows machine, does that machine HAVE to be on the default VLAN? If I change this machine's network the switches go offline and they must be factory reset.

  • @KellicTiger
    @KellicTiger 1 year ago +1

    Yeah, this didn't go well for me. The minute I tried setting my IoT AP to an IoT VLAN I created, with Traffic Restrictions set to allow only the same VLAN, the AP showed up as unprovisioned. Only after I reverted back did it work. And I don't know if it's because of something further "upstream" that I have configured in the WiFi or Networks section. VLANs are still a pain in the ass for me. I have them set up for my work, IoT, and default, but you can still VLAN hop, and I've been hoping to get this working sooner rather than later as I REALLY want to get

  • @Infinitay
    @Infinitay 1 year ago

    I recently picked up a Ubiquiti router/switch, an AP, and some UniFi Protect cameras. Could I follow this guide to make 3 VLANs to secure my network? One for cameras, one for my local network, and one last VLAN to put my homelab PC on so that I could securely self-host?
    I've been looking for a tutorial on securely setting up a network to do so, but I'm having trouble finding one. I was really looking forward to setting up a properly secured network and deploying Jellyfin for my family with my new purchases on Black Friday, but I'm beginning to think I was way in over my head. This video makes it seem so simple, but I feel like maybe I'm not understanding something...

  • @justinyoung5348
    @justinyoung5348 1 year ago +32

    Why is UniFi trying to reinvent the wheel with the confusing terminology? Traditional 802.1Q and 802.1ad terminology has been easy to comprehend and research if you're new to networking.

    • @mrman991
      @mrman991 1 year ago +2

      Things like this are why I largely don't trust UniFi kit, tbh; my experience with them has not been good.

  • @accesser
    @accesser 1 year ago

    Is this Traffic Restriction feature only on the newer Cloud Key? My 16-port Gen2 switch does not have 'Network' when I go into Port Management, only Port Profiles.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago +1

      It is in the latest version of the controller, 7.5.X.

    • @accesser
      @accesser 1 year ago

      Thank you. Looks like my Gen1 Cloud Key is due for decom; might try self-hosting.

  • @fishermansnook3415
    @fishermansnook3415 1 year ago +1

    I wish that after setting up 'allow and restrict' options for your first port, the settings were saved as a port profile for use in the future.
    Then on the next port, if you don't like any of the current profiles, it would allow you to create a new one.

  • @CharlesFair
    @CharlesFair 6 months ago

    Thanks!

  • @laukage
    @laukage 1 year ago +8

    I wish they would just use Native and Allowed VLANs like in Cisco devices, but I guess UniFi needs to feel special 😂

    • @dyerseve3001
      @dyerseve3001 1 year ago +8

      This irks me the most. Don't dumb it down; it ends up confusing those that know what they're doing.
      Access ports, trunk ports, native, tagged and untagged: these are basically industry standards. Don't make up your own terms, UniFi!

    • @laukage
      @laukage 1 year ago

      @dyerseve3001 Exactly!!

  • @BenignComrade
    @BenignComrade 1 year ago

    I'm not sure if you will see this, but I noticed that when an AP is on the port, setting up traffic restrictions is different.
    I had to use Default for the default, then allow the VLAN I want to use for the AP.
    Is this the correct way to set up traffic restrictions for this case?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago +1

      Yes, sending the default when an AP is connected is correct, because you do the restrictions on the AP itself when you set the SSID to choose the VLAN.

  • @wmcomprev
    @wmcomprev 1 year ago

    Turning on Traffic Restrictions and allowing only 1 other VLAN would be similar to a Voice VLAN setup on a Cisco switch. The selected VLAN would be untagged and the additional VLAN in the Traffic Restriction would be tagged. Is this correct?

  • @HisLoveArmy
    @HisLoveArmy 1 year ago

    Tom, when you were changing the network on the VM, was that just changing the NIC to one with a different static IP? Is that VLAN hopping? Just changing the IP to the same scheme as another VLAN?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      Nope, that is not. I was changing the VLAN tag, and you can only VLAN hop if that tag is available to that port.

  • @DavidCNavas
    @DavidCNavas 1 year ago

    I do have switches that I don't forward all VLANs to. For example, I've got a little 8-port switch on the back of my media cabinet that takes care of connectivity for the Blu-ray player, the Dish Network box, the AVR, the TV, a couple of printers, etc. etc. One thing that isn't clear to me is whether I should also change the management port of that switch to something that isn't on my management VLAN. Is it considered best practice to restrict the management VLAN to only those devices that are in your cabinet and let the physically remote switch live somewhere else, or????
    I mean, it's a home, so it doesn't matter all that much; just a question I've been wondering about.

    • @dyerseve3001
      @dyerseve3001 1 year ago

      Be careful setting the MGMT VLAN; the MGMT VLAN must be able to reach the controller. This poses a problem if you run one outside the network, because now your MGMT VLAN needs Internet access, which isn't ideal.

    • @DavidCNavas
      @DavidCNavas 1 year ago

      @dyerseve3001 In my case the little switch is just a Netgear 8-port, not a managed UniFi switch. The process for setting the management VLAN on those things is a giant pita, btw, and definitely explains why a controller is a nice management tool.

  • @cluelessfish
    @cluelessfish 1 year ago

    Thanks, this is useful information. However, it seems for me it will not work correctly. Is that because the main VLAN is not set up the same and is just set to default with no traffic restrictions? I RDP into one of the PCs on the VLAN and can ping the default network; I thought it would be blocking it from reaching back.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      This video did not cover firewall rules, just VLAN settings.

    • @cluelessfish
      @cluelessfish 1 year ago

      @LAWRENCESYSTEMS Yeah, I will have to look through other videos you have done to show me how to stop the VLAN being able to ping back to the other network. No, this was helpful though :)

  • @lithgowlights859
    @lithgowlights859 1 year ago

    As a new UniFi switch user, why don't I have the Traffic Restriction shown on my screen? I am running an older Ubiquiti Cloud Key (debating on updating to the Ubiquiti UniFi Dream Machine Pro), but the switches are US-24-250W and USW-Pro-24-PoE. It says it's Network 7.2.97, if that helps.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago +1

      As I said at the beginning of the video, this started with their mid-2023 release, which was 7.4, and I am using 7.5 in the demo.

  • @dullysykes1
    @dullysykes1 1 year ago

    How do you trunk VLANs on a server-hosted UniFi controller, with this switch adopted to that controller and without using a UniFi gateway or UDM Pro, just a 3rd-party gateway with VLANs trunked to the uplink of that switch from a Cisco switch? DM maybe for more clarification?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      Not clear on the question; you should post in the forums for a better discussion.

    • @dullysykes1
      @dullysykes1 1 year ago

      @LAWRENCESYSTEMS I meant when one is using a hosted UniFi controller on, let's say, a Windows server, and your VLANs are coming from a 3rd-party firewall and moving through Cisco switches. How do you integrate a Cisco switch in that setup, and how do you tag and allow VLANs to pass?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      @dullysykes1 The UniFi switch will follow whatever route it has to the controller; it does not matter what VLAN, it matters what IP the switch has based on its settings.

  • @MicheIIePucca
    @MicheIIePucca 1 year ago

    I set up my UniFi/Ubiquiti with 4 VLANs: one VLAN for router/switch/UPS/NAS access, one for private networks (PCs), one for my cameras (Hikvision), and one for IoT (Alexas, Google Home devices, ESPs and everything else that is untrusted). My camera network cannot access the internet, except the NVR, which can access NTP and DNS, but all the other three VLANs are allowed all outbound.

  • @kevin___
    @kevin___ 1 year ago +1

    Thanks for making this video. Could you make another one explaining when to use Traffic Restrictions over Ethernet Port Profiles?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago +3

      You use them the same way. Port Profiles are just a time saver, because you can assign a group of ports the same profile and then, if a change needs to be made, you can change the profile instead of all the ports.

    • @kevin___
      @kevin___ 1 year ago

      @LAWRENCESYSTEMS Well, that didn't need an entire video. Thanks for the explanation!

  • @KellyKleinOG
    @KellyKleinOG 1 year ago

    Would firewall rules preventing inter-VLAN routing stop the VLAN hopping regardless of whether you had traffic restrictions set?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago +1

      VLAN hopping is being able to change what network you are plugged into, and inter-VLAN firewall rules keep the traffic on each network flowing or not flowing between them, depending on the rules.

  • @Polkster13
    @Polkster13 1 year ago

    Great video. BTW, you can also change the name of the default network in the iOS UniFi Network app. I'm fairly confident that you can do this in the Android app as well, but I don't have an Android phone, so I cannot say for sure. I have also heard through the EA channel that they will be bringing this option back to the "New UI" in the near future, so we won't have to use the Legacy interface.

  • @Jordan-hz1wr
    @Jordan-hz1wr 1 year ago

    What's the difference between setting a traffic restriction vs hitting that "Advanced" button and setting a port profile instead?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      Port profiles are so you can make it easy to set groups of ports to a profile and adjust from their profile settings.

  • @FTLN
    @FTLN 1 year ago +2

    We need IPv6 for inter-VLAN routing on UniFi L3 switches; currently not supported. Who would have thought we are in 2023 and UniFi doesn't fully support IPv6 and barely supports IPv4. Good video, Mr Lawrence 😊

    • @l00tur
      @l00tur 1 year ago

      I'd argue you didn't perform your due diligence when you purchased those switches. Anyone worth their salt should be doing DD before making a purchase of any hardware. Ubiquiti is not at fault here.

    • @FTLN
      @FTLN 1 year ago

      @l00tur Not saying anybody's at fault, just saying UniFi are living in the 90s...

    • @l00tur
      @l00tur 1 year ago

      @FTLN I mean that's fair, but this is prosumer equipment. The low cost of their equipment means caveats, their slow roll-out of features being one of them.

    • @FTLN
      @FTLN 1 year ago

      @l00tur Here in Europe ISPs are rolling out IPv6-only networks. UniFi needs to adapt to what the prosumer market needs here. In the USA, your ISPs are old and outdated, so perfectly fine for UniFi equipment, which is also running an old and outdated software stack.

  • @Chris-hy6jy
    @Chris-hy6jy 1 year ago

    I see in the latest versions of the Network software they've changed the terminology from "primary network" to "native network", which is good because this is standard VLAN speak.

  • @axreds
    @axreds 1 year ago

    @Tom I opened a ticket with UniFi about the default network issue last week, which is still under investigation, they said…. Let's see if they fix it!!! They asked me to grab a video as they were not able to repro/understand the problem 😮😮😮

  • @ThWind81
    @ThWind81 23 days ago

    Not working at all for me. Set a port to VLAN 2, set to block all, can still ping and log in to the device on that port from the default (VLAN 1).

  • @itandgeneral4308
    @itandgeneral4308 1 year ago +2

    Great video, very useful. Thanks Tom!

  • @captainhappy
    @captainhappy 1 year ago +1

    That scroll bar problem at 4:42 might simply be a feature of the OS or browser. At least Windows has used that dumb feature, making those scroll bars very unusable by just hiding them; you can find that setting somewhere in the Control Panel, Ease of Access or something like that. There might be people who like that setting, but at least for me that is one of the few settings which must always be corrected back to how it has always been - visible, and enough so - every time I make a new user account in Windows.

    • @l00tur
      @l00tur 1 year ago

      Definitely a Win11 problem, and now a Win10 problem with the latest 22H2 update.

  • @skorpion1298
    @skorpion1298 1 year ago

    It was set to this even though I did not change anything. Maybe it got updated with updates over time. I hadn't noticed. That's cool!

  • @cableguy2103
    @cableguy2103 1 year ago +1

    Can you do a video off of this one that shows how to apply network profiles within UniFi?

  • @Mitchell7790
    @Mitchell7790 1 year ago

    Great video Tom. I use UniFi APs, but I think they have essentially made things more complex than they really need to be on the switching side of things.
    On Cisco and many others it's a recommended good security practice to refrain from using the default VLAN (VLAN 1) by ensuring you are only allowing the required tagged VLANs on your trunk ports and removing VLAN 1 where you can.
    We disable VLAN 1 on all our switches and create a dummy native VLAN in its place, which doesn't pass any traffic, which we use on switch-to-switch trunk links. We also only tag the VLANs we require on the trunk links from our core to access switches, such as end-user VLANs, rather than having them all. For example, there's no need for our server VLAN IDs to be trunked to user access switches.
    Yes, you can tag all VLANs on trunk links going to other switches, but it's recommended to limit this and be especially careful about the native untagged VLAN to protect against double-tagging attacks.

  • @marc3793
    @marc3793 1 year ago

    Yeah, these changes made a complete mess of my network, because if you have a lot of Flex Mini switches like I do, then post-upgrade it didn't keep the same setup as such. So I ended up with ports on "Default" which were supposed to be trunks.
    My VLAN traffic was really intermittent, which is a bit worrying, tbh; my IoT devices should not really have been working at all, but were on and off.
    ...Until I set all of the appropriate ports to None.
    If all your switches are not Flex Minis, then it kinda makes sense.
    But if you have Flex Minis, then it's confusing due to not having the "restriction" section. So, for a trunk, you have to set "None", but for other switches you'd typically set "Default" with "no restrictions" for a trunk.

    • @timezonewall
      @timezonewall 1 year ago +1

      It's unfortunate the FlexMinis are somewhat crippled on VLAN configuration, the port either sends everything (all the tagged VLANs) or just a single VLAN. Setting the primary network to "None" could be confusing, as it actually means send "Everything" tagged. Standard terminology would be better, so instead of "Primary Network", how about "Untagged Network" or "Primary VLAN", and instead of just "None", something that conveys "None/All tagged VLANs".

  • @jacksoncremean1664
    @jacksoncremean1664 1 year ago +1

    One thing you forgot to mention is to set the native VLAN to a black hole VLAN to prevent double-tagging attacks.
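A defender's audit for the two points raised in this comment and in @Mitchell7790's above (keep VLAN 1 off trunks as the native network, prune trunks to the VLANs needed), written as an added example that is not code from the video, the commenters or Ubiquiti. It models each port in UniFi's Primary Network / Traffic Restriction terms and maps that onto 802.1Q trunk/access vocabulary; the port names, VLAN IDs and finding codes are constructed assumptions.

```python
"""Audit UniFi-style switch-port VLAN settings for the trunk weaknesses the
thread raises: the default VLAN left as a trunk's untagged (native) network,
access ports sharing a trunk's native VLAN, and trunks with no restriction.
Added example, not code from the video or from Ubiquiti. A port is modelled
in UniFi terms: a 'primary' untagged network, plus either 'No Traffic
Restriction' (every site VLAN tagged) or an 'Allow' list of tagged networks.
Port names and VLAN IDs below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DEFAULT_VLAN = 1  # UniFi's "Default" network, VLAN 1 in 802.1Q terms


@dataclass
class Port:
    name: str
    primary: Optional[int]       # untagged/native VLAN; None = no untagged network
    restrict: bool = True        # False = "No Traffic Restriction" (all VLANs pass)
    allowed: List[int] = field(default_factory=list)  # tagged VLANs when restricted


def carried_vlans(port: Port, site_vlans: List[int]) -> Tuple[Optional[int], Set[int]]:
    """Return (untagged VLAN, set of tagged VLANs) the port forwards."""
    tagged = set(site_vlans) if not port.restrict else set(port.allowed)
    tagged.discard(port.primary)  # a VLAN is untagged or tagged on a port, not both
    return port.primary, tagged


def audit(ports: List[Port], site_vlans: List[int]) -> List[Tuple[str, str, str]]:
    """Return (port, finding code, advice) triples. In 802.1Q terms a port
    carrying any tagged VLAN is a trunk; one carrying none is an access port."""
    state = {p.name: (p, *carried_vlans(p, site_vlans)) for p in ports}
    # Native VLANs in use on trunks: the VLANs a double-tagged frame could reach.
    trunk_natives = {u for _, u, t in state.values() if t and u is not None}
    findings = []
    for p, untagged, tagged in state.values():
        if not tagged:  # access port: the only risk is sharing a trunk's native VLAN
            if untagged in trunk_natives:
                findings.append((p.name, "native-shared",
                    f"access port on VLAN {untagged}, which is also a trunk's untagged "
                    "network; give trunks a black-hole native VLAN with no access ports."))
            continue
        if untagged == DEFAULT_VLAN:
            findings.append((p.name, "native-default",
                "trunk keeps the default VLAN 1 as its untagged network; move the "
                "untagged network to an unused black-hole VLAN (double-tagging mitigation)."))
        if not p.restrict:
            findings.append((p.name, "unpruned",
                f"trunk carries every site VLAN {sorted(tagged)}; set Allow and list "
                "only the VLANs the downstream device needs."))
    return findings


SITE_VLANS = [1, 10, 20, 30, 999]  # 999: unused black-hole VLAN (constructed)
SAMPLE_PORTS = [
    Port("Port 1", primary=1, restrict=False),           # uplink left at defaults
    Port("Port 5", primary=1, allowed=[20, 30]),         # AP: Default untagged + SSID VLANs
    Port("Port 8", primary=30),                          # camera, access port on VLAN 30
    Port("Port 9", primary=1),                           # desktop on the Default network
    Port("Port 12", primary=None, restrict=False),       # Flex Mini "None": all tagged
    Port("Port 24", primary=999, allowed=[10, 20, 30]),  # hardened switch-to-switch trunk
]

if __name__ == "__main__":
    for name, code, advice in audit(SAMPLE_PORTS, SITE_VLANS):
        print(f"{name}: [{code}] {advice}")
```

Port 24 shows the shape both commenters describe: an otherwise unused VLAN as the untagged network and an explicit Allow list, which produces no findings.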

  • @dannythomas7902
    @dannythomas7902 1 year ago

    Thanks Tom, always learn something off you

  • @bentheguru4986
    @bentheguru4986 1 year ago +5

    Once upon a time: on a GUESTS network, it would isolate this network and stop their devices seeing the rest. Sadly, it has been broken for ages and blocks internet access.

    • @gandalf1783
      @gandalf1783 1 year ago +1

      Hm?
      Doesn't that functionality still exist, or is it just broken?

    • @bentheguru4986
      @bentheguru4986 1 year ago

      @gandalf1783 Broken. It should, when enabled, remove the UBNT slutty VLAN bridging that USG/UDM/UXGs do by default by blocking it in the firewall. Currently broken, and has been for the past few controller/firmware versions. Now, when enabled, it kills internet access for the network. The clients get DHCP, but because there is no Internet access, many just won't connect.

  • @BenGillam
    @BenGillam 1 year ago +2

    Am I missing something, but isn't this why we use untagged ports? It seems like this means UniFi ports are always trunks regardless.

  • @VierPuntNul
    @VierPuntNul 1 year ago

    Fixed my switch settings :) Thanks!

  • @RK-ly5qj
    @RK-ly5qj 1 year ago +2

    This is a great example of how to reinvent the wheel with "tagged, untagged and native VLAN" xD

  • @kc0eks
    @kc0eks 1 year ago

    Glad I watched this. Definitely some big VLAN changes.

  • @seanwoods1526
    @seanwoods1526 1 year ago

    Nice!!! But still waiting for ACLs on L3.

  • @mikescott4008
    @mikescott4008 1 year ago

    I'm running a 48-port UniFi at the mo, but I also have a Cisco CBS350 and it's much nicer to config via CLI than this nonsense. Many thanks Tom for the clarification, but Ubiquiti, what are you doing..

  • @artal03
    @artal03 1 year ago

    Nice video, Tom! Thanks!

  • @sstubbby
    @sstubbby 1 year ago

    Tom as usual: informative.

  • @valin0r
    @valin0r 1 year ago

    Thanks for this video!

  • @fbarielnh
    @fbarielnh 1 year ago

    Can you do a video where you show how to combine pfSense with UniFi switches and APs?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      I have one here: ruclips.net/video/WMyz7SVlrgc/видео.html

  • @gjkrisa
    @gjkrisa 1 year ago

    Don't you always want to not use port 1 to prevent VLAN hopping?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      The port number does not matter; what matters is how the ports are configured.

  • @Peelonion
    @Peelonion 1 year ago +1

    Hi Tom, you uploaded these videos under a Creative Commons licence. But when we used your video and re-uploaded it on my channel, you gave us a copyright strike. I don't get why you do that. It feels like a trap. We respect your work. But if you're not happy with us using your content, consider changing the license type from Creative Commons to standard, which would help clear up any misunderstandings. If you have any specific conditions for the use of your Creative Commons content, please inform me, and I'll be sure to adhere to them.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago +4

      You take other people's videos to profit from their work, so you can expect more take-down notices from other creators as well.

    • @Peelonion
      @Peelonion 1 year ago

      @LAWRENCESYSTEMS Thanks for your reply. As far as I know, Creative Commons videos are allowed to make profit. Since you're not happy with us using your video, I respect it and I will remove all your videos from my channel. (If you allow me to keep it as non-monetized, I will do so.) Please retract those strikes. And please make future uploads as standard. Thanks in advance.

    • @JordansTechJunk
      @JordansTechJunk 1 year ago +2

      Ripping off other people's work and defending it with this argument while acting like a victim is just trashy. Get a grip, man.

  • @TheycalllmeTim
    @TheycalllmeTim 10 months ago

    Why do they keep changing and moving settings around in UniFi?!? It's such a pain in the ass to find new settings for simple things after every update.

  • @bentheguru4986
    @bentheguru4986 1 year ago +1

    Another note: you can go to Legacy Settings and rename the "Default" network to a proper name. Can't do this from the turdy new interface.

  • @hedikintheoriginal
    @hedikintheoriginal 1 year ago +1

    It's like they are thinking "less is more", which is annoying.

  • @fataugie
    @fataugie 1 year ago

    And.... like clockwork..... ver 8.0.2 of the controller changes everything.

    • @TheDillio187
      @TheDillio187 1 year ago

      lol, really? FFS.... this is why I won't buy these switches. Just give me normal ACLs.

  • @loco4375
    @loco4375 1 year ago

    Now if only this would work seamlessly with IPv6 tho.

  • @Jason-kk4uh
    @Jason-kk4uh 1 year ago

    It's like a firewall filter.

  • @Mr.Leeroy
    @Mr.Leeroy 1 year ago +1

    They have the worst UI for VLAN settings.
    Even a cheap old D-Link is a better experience.

  • @adminema6116
    @adminema6116 1 year ago

    Having some functionalities on the older UI and others on the new UI is a pain in the fucking ass, let alone renaming native, tagged, untagged, access and trunk ports...
    What is the mindset behind all this???
    wtf

    • @timezonewall
      @timezonewall 1 year ago

      I don't like it either; my only guess is they think it's easier for someone new to VLANs to understand. Right now, their audience is largely people who understand, and prefer, standard nomenclature. Maybe they are trying to reach a less technical market, but I really don't expect less technical people will be using VLANs. Those folks are happy to see "it's working" and call it a day (flat LAN, one router/firewall to the internet).

    • @adminema6116
      @adminema6116 1 year ago

      @timezonewall Not too bright...

  • @niikon
    @niikon 1 year ago +3

    I full-on HATE the way you are supposed to configure VLANs on UniFi switch ports - just tell me which are tagged and untagged, ffs!!!!

    • @TheDillio187
      @TheDillio187 1 year ago +1

      100%. Tagged, untagged, end of story.

  • @Turbo_David
    @Turbo_David 1 year ago

    And.... Network 8.0.2 has changed this again.

  • @lavavex
    @lavavex 1 year ago

    Thank frick, this is what I've been trying to do for weeks with no success.

  • @Chris-hy6jy
    @Chris-hy6jy 1 year ago

    VLANs are very confusing in UniFi. They need to remove all this "restrictions" nonsense and revert to standard terminology: native VLAN, tagged and untagged. It's a system that has worked well for decades. Why complicate it??

  • @HisLoveArmy
    @HisLoveArmy 1 year ago

    The UI is stupid; most of the screen is taken up by a view of the switch, which is just for clicking on a switch port.

  • @wamba3973
    @wamba3973 5 months ago

    Did not understand a thing.