UniFi: How to Securely Configure Switch Port VLAN Traffic Restrictions and Avoid VLAN Hopping

Lawrence Systems

Comments: 102
@plrpilot 1 year ago
This is more in line with how a lot of the OEMs who are utilizing a Cisco style CLI. We’ve had to use this approach for years with them. While this is a little more work than the previous port profiles that unifi has had, it is very nice when you have a lot of custom port configs. We have a site where we were having to define an outrageous number of port configs - just for the way one switch needed to be. It made it a royal pain to find the configs that we normally needed. With the new UI, we’re down to three and all the custom stuff is isolated to just that switch. Thanks for the video.
@petervandebeek5980 1 year ago
Yeah, this is one of these things that I think I was getting right, but it is great to see this confirmed by you. Thanks Tom!
@UpcraftConsulting 1 year ago
BEWARE when upgrading from network controllers prior to 7.4 to newer versions. It can, and does mess up these restrictions when converting from the old port profiles method and you end up having ports missing VLANS. (The guest wifi doesn't work, or the voice VLAN is dropped and all the phones are dead etc is the typical end result) Backup your config before upgrade, roll back if you have to or document and fix all the ports that have switch profiles after upgrade is complete.
@EViL3666 1 year ago
Excellent video, thanks for posting, I ran into this when deploying a new Unifi set-up at my in-laws' house (far bigger and more complex than it sounds)... I honestly don't understand why they felt the need to do this, fundamentally this is what the Port Group Profiles should have done.. and UBNT should have focused efforts there, to make them more prominent and fixed, instead we now have this confused mish-mash.
@gregbrown4715 1 year ago
For 5 years, I have extensively used Port Profiles in the legacy UI.
- One of the profiles is called TRNK1, which is all of the VLANs, much like choosing No Traffic Restriction.
- Another Port Profile is WiFiTRNK, which is just the VLANs that should go to the UAPs.
- Another Port Profile is TRNK1-NBE5ac, which is just the VLANs that should go through the NanoBeam 5ac wireless bridges.

The new UI respected most of these settings, except for the TRNK1-NBE5ac Port Profile. The NanoBeam 5ac needs 24v Passive power, which is a so-called Advanced PoE setting. The problem is that the Port Profile config screen will not allow a Port Profile configuration that uses 24v Passive (Only PoE+ or None is available). The solution is to set the Primary Network to "Default" and to check "Traffic Restriction" and to "Allow" and select the sub-set of VLANs that I want to traverse the NBE5ac links. I have three pairs of NBE5acs, and they do a good job. At first I didn't understand why VoIP phone VLANs were dropping in some buildings, but then I figured out that after upgrading the Unifi Controller and switch software/firmware a change had been made that was not consistent with earlier Port Profile configurations. Live and learn!
@CharlesFair 6 months ago
Thanks!
@LAWRENCESYSTEMS 6 months ago
Thanks!
@justinyoung5348 1 year ago
Why is Unifi trying to reinvent the wheel with the confusing terminology? Traditional 802.1q and 802.1ad terminology have been easy to comprehend and research if you're new to networking.
@mrman991 1 year ago
Things like this are why I largely don't trust Unifi kit tbh, my experience with them has not been good.
@laukage 1 year ago
I wish they would just use Native and Allowed VLANs like in Cisco devices, but I guess unifi needs to feel special 😂
@dyerseve3001 1 year ago
This irks me the most. Don't dumb it down it ends up confusing those that know what they're doing. Access ports, trunk ports, native, tagged and untagged these are basically industry standards. Don't make up your own terms Unifi!
@laukage 1 year ago
@dyerseve3001 Exactly!!
@itandgeneral4308 1 year ago
Great video, very useful. Thanks Tom!
@KellicTiger 1 year ago
Yeah this didn't go well for me. The minute I tried setting my IOT AP to an IOT VLAN I created and Traffic Restrictions to allow only the same VLAN the AP showed up as unprovisioned. Only after I reverted back did it work. And I don't know if it's because of something further "up stream" that I have configured WIFI or Networks section. VLANs still are a pain in the ass for me. I have them setup for my work, IOT, and default but you can still VLAN hop and I've been hoping to get this working sooner rather than later as I REALLY want to get
@kevin___ 1 year ago
Thanks for making this video. Could you make another one explaining when to use Traffic Restrictions over Ethernet Port Profiles?
@LAWRENCESYSTEMS 1 year ago
You use them the same way. Port Profiles are just a time saver because you can assign a group of ports the same profile and then if a change needs to be done you can change the profile instead of all the ports.
@kevin___ 1 year ago
@LAWRENCESYSTEMS well, that didn't need an entire video. Thanks for the explanation!
@Infinitay 1 year ago
I recently picked up a ubiquiti router/switch, an ap, and some unifi protect cameras. Could I follow this guide to make 3 vlans to secure my network? One for cameras, one for my local network, and one last vlan to put my homelab pc on so that I could securely self host? I've been looking for a tutorial on securely setting up a network to do so, but I'm having trouble finding one. I was really looking forward to setting up a properly secured network and deploy jellyfin for my family with my new purchases on black friday, but I'm beginning to think I was way in over my head. This video makes it seem so simple, but I feel like maybe I'm not understanding something...
@fishermansnook3415 1 year ago
I wish that after setting up ‘allow and restrict’ options for your first port, the settings were saved as a port profile for use in the future. Then on the next port, if you don’t like any of the current profiles it will allow you to create a new one.
@dannythomas7902 1 year ago
Thanks Tom, always learn something off you
@ryanbuster4626 10 months ago
Are there any videos that show the new interface? I just got some switches and I don't understand how to setup vlans without my switches going offline. I've been at this for days, it looks like I'm the only person who has the new interface. Also if my controller (or whatever TF it's called) is currently hosted on a windows machine does that machine HAVE to be on default vlan? If I change this machine's network the switches go offline and they must be factory reset.
@captainhappy 1 year ago
That scroll bar problem 4:42 might be simply a feature from OS or browser. At least Windows has used that dumb feature making those scroll bars very unusable just making them hidden you can find that setting somewhere in the control panel, ease of access or something like that. There might be people who like that setting, but at least for me that is one of the few settings which must be always corrected back to how it has always been - visible and enough so - every time when making new user account to Windows.
@l00tur 1 year ago
Definitely a Win11 problem, and now a Win10 problem with the latest 22H2 update.
@Mitchell7790 1 year ago
Great video Tom. I use UniFi APs but I think they have essentially made things more complex than it really needs to be on the switching side of things. On Cisco and many others it’s a recommended good security practice to refrain from using the default VLAN (VLAN 1) by ensuring you are only allowing the required tagged VLANs on your trunk ports and removing VLAN 1 where you can. We disable the VLAN 1 on all our switches and create a dummy native VLAN in its place which doesn’t pass any traffic which we use on switch-to-switch trunk links and we also only tag the VLANs we require on the trunk links from our core to access switches such as end-user VLANs rather than having them all. For example, there’s no need for our server VLAN IDs to be trunked to user access switches. Yes you can tag all VLANs on trunk links going to other switches but it’s recommended to limit this and be especially careful about the native untagged VLAN to prevent against double tagging attacks.
@kc0eks 1 year ago
Glad I watched this. Definitely some big vlan changes
@MicheIIePucca 1 year ago
I set up my unifi/ubiquiti with 4 vlans with one vlan for router/switch/UPS/NAS access, one for private networks (PCs), one for my cameras (hikvision), and one for IoT (alexas, google home devices, ESPs and everything else that is untrusted). My camera network cannot access the internet except the NVR which can access NTP and DNS, but all the other three VLANs are allowed all outbound.
@Polkster13 1 year ago
Great video. BTW, you can also change the name of the default network in the iOS UniFi Network app. I'm fairly confident that you can do this in the Android app as well, but I don't have an Android phone, so I cannot say for sure. I have also heard through the EA channel that they will be bringing this option back to the "New UI" in the near future, so we won't have to use the Legacy interface.
@VierPuntNul 1 year ago
Fixed my switch settings :) Thanks!
@HisLoveArmy 1 year ago
Tom when you were changing the network on the VM was that just changing the nic to one with a different static IP? Is that vlan hopping? Just changing the IP to the same scheme as another vlan?
@LAWRENCESYSTEMS 1 year ago
Nope, that is not. I was changing the VLAN tag and you can only VLAN hop if that tag is available to that port.
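
Added example, not part of the video or of any comment here: a small Python audit of two practices raised in this thread, pruning tagged VLANs to what each port needs (a tag can only be used where it is available to the port) and keeping the native VLAN of switch-to-switch trunks on an unused dummy VLAN. The `Port` model, the finding names and the sample switch are hypothetical and vendor-neutral; this is not the UniFi API.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL = "all"  # hypothetical marker: no restriction, every defined VLAN is tagged on the port


@dataclass
class Port:
    name: str
    kind: str               # "endpoint" (PC, phone, camera) or "uplink" (switch to switch)
    native: Optional[int]   # untagged VLAN, or None for a tagged-only port
    tagged: object = ALL    # ALL, or the set of VLAN IDs allowed as tagged
    needed: set = field(default_factory=set)  # tagged VLANs the attached device really uses


def audit_switch(ports, defined_vlans, dummy_vlans=frozenset()):
    """Return {port name: [findings]} for one switch."""
    uplink_natives = {p.native for p in ports
                      if p.kind == "uplink" and p.native is not None}
    report = {}
    for p in ports:
        findings = []
        # Resolve which tags the port will actually accept.
        if p.tagged == ALL:
            tagged = set(defined_vlans) - {p.native}
            findings.append("tagged-all")
        else:
            tagged = set(p.tagged)
        extra = sorted(tagged - p.needed)
        if extra:
            # On an endpoint port, every spare tag is a network the device can join.
            label = "hop-exposure" if p.kind == "endpoint" else "unpruned-trunk"
            findings.append(label + ":" + ",".join(map(str, extra)))
        # A trunk's native VLAN should be an unused dummy VLAN, not a live network.
        if p.kind == "uplink" and p.native is not None and p.native not in dummy_vlans:
            findings.append(f"native-not-dummy:{p.native}")
        # Double-tagging precondition: an endpoint sits untagged in a trunk's native VLAN.
        if p.kind == "endpoint" and p.native in uplink_natives:
            findings.append(f"shares-trunk-native:{p.native}")
        report[p.name] = findings
    return report


# Constructed sample switch (not taken from the video).
DEFINED_VLANS = {1, 10, 20, 30, 40, 999}
DUMMY_VLANS = frozenset({999})
SAMPLE_PORTS = [
    Port("p1-pc", "endpoint", native=10),                                # left unrestricted
    Port("p2-phone", "endpoint", native=10, tagged={30}, needed={30}),   # PC + voice VLAN
    Port("p3-camera", "endpoint", native=20, tagged=set()),              # block all tags
    Port("p4-printer", "endpoint", native=1, tagged=set()),
    Port("p23-uplink", "uplink", native=999, tagged={10, 20, 30}, needed={10, 20, 30}),
    Port("p24-uplink", "uplink", native=1, needed={10, 20, 30}),         # left unrestricted
]

if __name__ == "__main__":
    for name, findings in audit_switch(SAMPLE_PORTS, DEFINED_VLANS, DUMMY_VLANS).items():
        print(f"{name:12} {', '.join(findings) or 'ok'}")
```
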
@axreds 1 year ago
@Tom I opened a ticket with UniFi about the default network issue last week which is still under investigation they said…. Let’s see if they fix it !!! They asked me to grab a video as they were not able to repro/understand the problem 😮😮😮
@Chris-hy6jy 1 year ago
I see in the latest versions of the network software they've changed the terminology from "primary network" to "native network" which is good because this is standard vlan speak.
@cableguy2103 1 year ago
Can you do a video off of this one that shows how to apply network profiles within unifi.
@marc3793 1 year ago
Yeah, these changes made a complete mess of my network; because if you have a lot of Flex Mini switches like I do, then post upgrade it as such didn't keep the same setup. So I ended up with ports on "default" which were supposed to be trunks. My VLAN traffic was really intermittent, which is a bit worrying tbh, my IoT devices should not really have been working at all, but were on and off. ...Until I set all of the appropriate ports to None. If all your switches are not Flex minis then it kinda makes sense. But if you have Flex minis, then it's confusing due to not having the "restriction" section. So, for a trunk, you have to set "None", but for other switches you'd typically set "default" with "no restrictions" for a trunk.
@timezonewall 1 year ago
It's unfortunate the FlexMinis are somewhat crippled on VLAN configuration, the port either sends everything (all the tagged VLANs) or just a single VLAN. Setting the primary network to "None" could be confusing, as it actually means send "Everything" tagged. Standard terminology would be better, so instead of "Primary Network", how about "Untagged Network" or "Primary VLAN", and instead of just "None", something that conveys "None/All tagged VLANs".
@DavidCNavas 1 year ago
I do have switches that I don't forward all vlans to. For example, I've got a little 8 port switch on the back of my media cabinet that takes care of connectivity for the bluray player, the dish network, the AVR, the TV, a couple of printers, etc. etc. One thing that isn't clear to me is whether I should also change the management port of that switch to something that isn't on my management vlan. Is it considered best practice to restrict the management vlan to only those devices that are in your cabinet and let the physically remote switch live somewhere else, or???? I mean, it's a home, so it doesn't matter all that much, just a question I've been wondering about.
@dyerseve3001 1 year ago
Be careful setting the MGMT vlan, the MGMT vlan must be able to reach the controller. This poses a problem if you run one outside the network because now your MGMT vlan needs Internet access, which isn't ideal.
@DavidCNavas 1 year ago
@dyerseve3001 In my case the little switch is just a Netgear 8-port, not a managed unifi switch. The process for setting the management vlan on those things is a giant pita, btw and definitely explains why a controller is a nice management tool.
@skorpion1298 1 year ago
It was set to this even though I did not change anything. Maybe it got updated with updates over time. I haven’t noticed. That’s cool!
@cluelessfish 1 year ago
Thanks this useful information however it seems for me it will not work correctly is that because the main vlan is not setup the same and is just set default with no traffic restrictions? I RDP into one of the pcs on the vlan and can ping the default network I thought it would be blocking it from reaching back
@LAWRENCESYSTEMS 1 year ago
This video did not cover firewall rules, just VLAN settings.
@cluelessfish 1 year ago
@LAWRENCESYSTEMS Yeah I will have to look thru other videos you have done to show me how to stop the vlan being able to ping back to the other network no this was helpful tho :)
@FTLN 1 year ago
We need ipv6 for inter vlan routing on unifi L3 switches, currently not supported. Who would have thought we are in 2023 and unifi don't fully support IPv6 and barely support IPv4. Good video Mr Lawrence 😊
@l00tur 1 year ago
I'd argue you didn't perform your due diligence when you purchased those switches. Anyone worth their salt should be doing DD before making a purchase of any hardware. Ubiquiti is not at fault here.
@FTLN 1 year ago
@l00tur Not saying anybody's at fault, just saying Unifi are living in the 90s...
@l00tur 1 year ago
@FTLN I mean that’s fair, but this is prosumer equipment. The low cost of their equipment means caveats, their slow roll out of features being one of them.
@FTLN 1 year ago
@l00tur Here in Europe ISPs are rolling out IPv6 only networks. Unifi need to adapt to what the prosumer market needs here. In USA, your ISPs are old and outdated, so perfectly fine for UNIFI equipment which is also running old and outdated software stack.
@sstubbby 1 year ago
Tom as usual; informative
@artal03 1 year ago
Nice video, Tom! Thanks!
@accesser 1 year ago
Is this Traffic Restriction feature, only on the newer cloud key, My 16 Port Gen2 switch does not have 'network' when I go into Port Management, only Port Profiles
@LAWRENCESYSTEMS 1 year ago
It is in the latest version of the controller 7.5.X
@accesser 1 year ago
Thank you, looks like my GEN1 Cloudkey is due for decom, might try self hosting
@wmcomprev 1 year ago
Turning on Traffic Restrictions and allowing only 1 other VLAN would be similar to a Voice VLAN setup on a Cisco switch. The selected VLAN would be untagged and the additional VLAN in the Traffic Restriction would be tagged. Is this correct?
@jacksoncremean1664 1 year ago
one thing you forgot to mention is to set the native vlan to a black hole vlan to prevent double tagging attacks
@dullysykes1 1 year ago
How do you trunk Vlans on server hosted unifi controller with this switch adopted to that controller and without using a unifi gateway or UDM pro just a 3rd party gateway with Vlans trunked to the uplink of that switch from a Cisco switch. Dm maybe for more clarification?
@LAWRENCESYSTEMS 1 year ago
Not clear on the question, you should post in the forums for a better discussion.
@dullysykes1 1 year ago
@LAWRENCESYSTEMS I meant when one is using a hosted unifi controller on let's say a windows server. And your Vlans are coming from a 3rd party firewall and moving through Cisco switches. How do you integrate a Cisco switch in that setup and how do you tag and allow Vlans to pass?
@LAWRENCESYSTEMS 1 year ago
@dullysykes1 The UniFi switch will follow whatever route it has to the controller, does not matter what VLAN, it matters what IP the switch has based on its settings.
@BenignComrade 1 year ago
I’m not sure if you will see this but I noticed when an AP is on the port, setting up traffic restrictions is different. I had to use default for default, then allow the VLAN I want to use for the AP. Is this the correct way to setup traffic restrictions for this case?
@LAWRENCESYSTEMS 1 year ago
Yes, sending the default when an AP is connected is correct because you do the restrictions on the AP itself when you set the SSID to choose the VLAN.
@bentheguru4986 1 year ago
Once upon a time: On a GUESTS network, it would isolate this network and stop their devices seeing rest. Sadly, has been broken for ages and blocks internet access.
@gandalf1783 1 year ago
Hm? Doesn't that functionality still exist or is it just broken?
@bentheguru4986 1 year ago
@gandalf1783 Broken, it should when enabled remove the UBNT slutty VLAN bridging that USG/UDM/UXG's do by default by blocking it in the firewall. Currently broken, has been for past few controller / firmware versions. Now, when enabled, kills internet access for the network. The clients get DHCP but because there is no Internet access, many just won't connect.
@lithgowlights859 1 year ago
As a new Unifi switch user, why don't I have the Traffic Restriction shown on my screen? I am running an older Ubiquiti cloud key (debating on updating to the Ubiquiti UniFi Dream Machine Pro), but the switches are US-24-250W and USW-Pro-24-PoE. It says it's Network 7.2.97 if that helps
@LAWRENCESYSTEMS 1 year ago
As I said in the beginning of the video, this started their mid 2023 release which was 7.4 and I am using 7.5 in the demo
@mikescott4008 1 year ago
I’m running a 48 port Unifi at mo, but also have a Cisco CBS350 and it’s much nicer to config via cli than this nonsense. Many thanks Tom for clarification, but ubiquiti what are you doing..
@KellyKleinOG 1 year ago
Would firewall rules preventing inter-VLAN routing stop the VLAN hopping regardless of whether you had traffic restrictions set?
@LAWRENCESYSTEMS 1 year ago
VLAN hopping is being able to change what network you are plugged into, and inter VLAN firewall rules keep the traffic on each network flowing or not flowing between them depending on the rules.
@Jordan-hz1wr 1 year ago
What’s the difference between setting a traffic restriction vs hitting that “advanced” button and setting a port profile instead?
@LAWRENCESYSTEMS 1 year ago
Port profiles are so you can make it easy to set groups of ports to a profile and adjust from there profile setting.
@valin0r 1 year ago
Thanks for this video!
@RK-ly5qj 1 year ago
This is a great example of how to invent a wheel with "tagged, untagged and native vlan" xD
@BenGillam 1 year ago
Am I missing something but isn't this why we use untagged ports? It seems like this means UniFi ports are always trunks regardless.
@ThWind81 12 days ago
Not working at all for me. Set a port to vlan 2, set to block all, can still ping and login to the device on that port from the default (vlan 1).
@seanwoods1526 1 year ago
Nice!!! But still waiting for ACLs on L3.
@fbarielnh 1 year ago
Can you do a video where you show how to combine pfsense with UniFi switches and aps?
@LAWRENCESYSTEMS 1 year ago
I have one here kzbin.info/www/bejne/jX7cq2qJi9GlncU
@bentheguru4986 1 year ago
Another Note: You can go to Legacy Settings and rename the "DEFAULT" network to a proper name. Can't do this from the turdy new interface.
@gjkrisa 1 year ago
don’t you always want to not use port 1 to prevent vlan hopping?
@LAWRENCESYSTEMS 1 year ago
The port number does not matter, what matters is how the ports are configured.
@hedikintheoriginal 1 year ago
It's like they are thinking "less is more" which is annoying
@Peelonion 1 year ago
Hi Tom, you uploaded these videos under a Creative Commons licence. But when we used your video and re-uploaded it on my channel, you are giving us a copyright strike. I don't get why you do that. It feels like a trap. We respect your work. But if you're not happy with us using your content, consider changing the license type from Creative Commons to standard, which would help clear up any misunderstandings. If you have any specific conditions for the use of your Creative Commons content, please inform me, and I'll be sure to adhere to them.
@LAWRENCESYSTEMS 1 year ago
You take other people's videos to profit from their work so you can expect more take down notices from other creators as well.
@Peelonion 1 year ago
@LAWRENCESYSTEMS Thanks for your reply. As far as I know, Creative Commons videos are allowed to make profit. Since you are not happy with us using your video, I respect it and I will remove all your videos from my channel. (If you allow me to keep it as non-monetized, I will do so.) Please retract those strikes. And please make future uploads as standard. Thanks in advance.
@JordansTechJunk 1 year ago
Ripping off other people’s work and defending it with this argument while acting like a victim is just trashy. Get a grip man
@TheycalllmeTim 10 months ago
Why do they keep changing and moving settings around in Unifi?!? It's such a pain in the ass to find new settings for simple things after every update.
@fataugie 1 year ago
And....like clockwork.....ver 8.0.2 of the controller changes everything.
@TheDillio187 1 year ago
lol, really? FFS....this is why I won't buy these switches. Just give me normal ACLs
@lavavex 1 year ago
Thank frick, this is what I’ve been trying to do for weeks with no success
@loco4375 1 year ago
Now if only this would work seamlessly with IPV6 tho
@Jason-kk4uh 1 year ago
It's like a firewall filter
@adminema6116 1 year ago
having some functionalities on the older UI and others on the new UI is a pain in the fucking ass. let alone renaming native, tagged, untagged, access and trunk ports... what is the mindset behind all this??? wtf
@timezonewall 1 year ago
I don't like it either, my only guess is they think it's easier for someone new to VLANs to understand. Right now, their audience is largely people who understand, and prefer, standard nomenclature. Maybe they are trying to reach a less technical market, but I really don't expect less technical people will be using VLANs. Those folks are happy to see "it's working" and call it a day (flat LAN, one router/firewall to the internet).
@adminema6116 1 year ago
@timezonewall not too bright...
@Mr.Leeroy 1 year ago
they have the worst UI for VLAN settings. Even cheap old D-Link is a better experience.
@Turbo_David 1 year ago
And.... network 8.0.2 has changed this again
@niikon 1 year ago
I full on HATE the way you are supposed to configure VLANs on Unifi switch ports - just tell me which are tagged and untagged ffs!!!!
@TheDillio187 1 year ago
100%. Tagged, untagged end of story.
@Chris-hy6jy 1 year ago
Vlans are very confusing in Unifi. They need to remove all this "restrictions" nonsense and revert to standard terminology. Native vlan, tagged and untagged. It's a system that has worked well for decades. Why complicate it??
@wamba3973 5 months ago
did not understand a thing.
@HisLoveArmy 1 year ago
The UI is stupid, most the screen is taken up by a view of the switch which is just for clicking on a switch port