Ubiquiti UniFi L3 Switch - L3 Network Isolation ACL

2,347 views

777 or 404

1 day ago

Comments: 38
@Greg.M 7 months ago
I really appreciate all your videos! You do an amazing job of running all sorts of examples. Please Keep Up The Good Work! Thank You! I think a fun and informative video to do would be on how Firewall Rules, ACLs (on Layer 3 Switches), AND Client Device Isolation interact with each other. . . . Unifi has in the last month or so introduced basic ACL controls in the controller (I am hoping they increase the detailed control to be more like the firewall rules). Correct me if I am wrong, but it seems like between those 3 ways we are able to 'manage' traffic on our networks, it depends on what device the packets touch on their journey through our Unifi networks. For example, Firewall rules are ignored if the packets ONLY traverse the layer 3 switch. Could the same be said for ACL rules if:
1) We have 2 VLANs set up on 2 different Networks;
2) Both VLANs are accessible via the Access Point;
3) ACLs are established on the layer 3 switch that won't allow the VLANs to talk to each other;
4) Client Device Isolation on the AP is NOT enabled;
5) The AP is connected to the layer 3 Switch.
If I connect to one of the VLANs via the AP and I want to connect to another device on the OTHER VLAN that is also connected to the AP, would the devices still be able to talk to each other?
@hz777 7 months ago
Wow! Thank you Greg for contributing the idea! I have also been thinking about a video to talk about firewall rule vs. L3 ACL vs. L2 ACL vs. wireless isolation. But I still need to work on a video regarding the L2 ACL, then to see whether Ubiquiti will release new ACL features in coming releases. Regarding the scenario described by you, let me do some testing before answering just based on the simulation in my mind:)
@hz777 7 months ago
I set up a test environment and validated what I thought: the ACL isolation still works for the two wifi clients.
Setup:
- one L3 switch
- two VLANs managed by the switch: 66 and 88
- L3 isolation is enabled between 66 and 88 using ACL
- one AP
- two SSIDs for VLAN 66 and 88 respectively
- client isolation is not enabled on AP
- wifi client 1 connected to the SSID for VLAN 66
- wifi client 2 connected to the SSID for VLAN 88
Test:
- ping client 2 from client 1
Result:
- not reachable
Analysis:
- because the two clients are on two VLANs, the network traffic has to go to the switch
- the switch has the ACL rules
- the AP does not have the ACL rules, but it does not matter.
@Greg.M 5 months ago
@hz777 Outstanding! Thanks for doing the test.
@Greg.M 5 months ago
@hz777 Here is a slight twist. Rather than using:
- two SSIDs for VLAN 66 and 88 respectively
. . . use:
- "ONE" SSID, and then use Private Pre-Shared Keys to define which device goes to which VLAN!
Would this change things?
@hz777 5 months ago
@Greg.M I don't think you can have two VLANs for an SSID.
@marc3793 7 months ago
Having UniFi gear is both great and frustrating. Another half-baked piece of functionality. But at least we can do something at layer 3 now. Let's hope they add the direction piece. Thanks for doing the video on this, much appreciated!
@alienJIZ1990 7 months ago
This is a fantastic video. One thing I really like about EdgeOS though that I hope Unifi adopts, is when you make a change in the Config Wizard section of the GUI, it tells you the exact commands that it's applying
@hz777 7 months ago
Yes, I wish so as well; however, in reality for switches it's technically possible in most cases, but for routers it's impossible due to a missing CLI backend.
@MPHxthexLegend 7 months ago
13:29 This hardly depends on who is the gateway for the specific VLAN, right? I mean, if the Router or the Switch is the Gateway (IP address *.*.*.1), or the DHCP Server which hands out the IPs?
@hz777 7 months ago
What is the context for the questions? I cannot find it at 13:29...
@valin0r 1 month ago
@hz777 I'm trying to move from managing my internal VLAN rules from Firewall to ACL. It is currently not possible for me to receive a DHCP lease from the DMP on a VLAN running on the layer 3 switch. Information is limited about whether this is due to FW rules or ACL. I tried to remove all the FW rules and ACLs and created a clean environment. Still, I don't receive DHCP from the DMP. If I switch the layer 3 from the switch to the router, the DHCP requests are working again. Can you maybe help with this? Is it even possible to use the DMP as DHCP server?
@hz777 1 month ago
@valin0r I have a video about DHCP relay for the L3 switch. Even though it's about pfSense, the same concept should apply to the UniFi gateway.
@valin0r 1 month ago
@@hz777 I will check it out, thanks for your reply!
@Greg.M 5 months ago
At the 4:14 mark (kzbin.info/www/bejne/rKHPdKuDoLialZI) . . . where you create the "Firewall Rule" to block traffic from 66 to 88, is it possible the reason the firewall rule is ignored is that for those VLANs the switch is selected as the gateway? If you were to select the Router as the gateway (on one . . . or both???) of the VLANs (66 and/or 88), would the firewall rule then be respected? (((For clarification, can I assume that for VLAN 66 and 88 "L3 Network Migration" was selected, and that it was not for the other VLANs?)))
@hz777 5 months ago
Right, the firewall rule at 4:14 will never be effective because there won't be that type of traffic going through the UXG-Pro. If one or two of the VLANs are managed by the UXG-Pro, yes, the firewall rule will be effective. Regarding "L3 Network Migration", it's for a different purpose instead of firewall. In fact, I have never used "L3 Network Migration". What it is supposed to do is to change the router for that VLAN from gateway to L3 switch.
@Greg.M 5 months ago
@@hz777 I have been confused by that "L3 Network Migration" option for some time and I am guessing that others are too. I don't understand why selecting "L3 Network migration" would change the router for that vlan from the gateway to the L3 switch . . . I can do that already in the "Router" dropdown menu above that link even without selecting the "L3 Network Migration" link/option. I guess I still don't understand what that "L3 Network Migration" link is for. I selected it once and it was a mess . . . my topology was ALL messed up - it ended up putting my switch above my UDM pro and clients were connected in places that they were not actually connected. I have NO idea why anyone would select this option! Maybe it would be good to mention it in future videos that "L3 Network Migration" was never selected as part of your setup. I think that would be very helpful to others - your videos are already SO good . . . I don't want to make them harder for you to make - this is just a suggestion.
@hz777 5 months ago
@Greg.M I GUESS the "L3 Network Migration" does more than simply changing the router option for the VLAN. It may change firewall rules to ACL, ... When I have time, I will look into it, and if I find anything interesting, I may come up with a video :)
@Greg.M 5 months ago
@hz777 Ok. Thank You.
@ryanbuster4626 1 month ago
Forgive me, I'm not very experienced in networking. But for a simple home setup with, say, 4-5 VLANs, a NAS, a server or 2 and just a bunch of clients mostly needing internet connectivity, what is the case to have any networks on the router except for the default or management network for your appliances and server IPMI etc.? Wouldn't you want to have most everything you could created on the L3 switch to avoid that traffic ever routing to the gateway/FW just to be sent back down the stack? Furthermore, for this video, wouldn't it just be wise to use IPv4 ACLs if you want one-way or directional separation for VLANs, seeing as how the L3 isolation is both directions? I don't understand the need for the L3 isolation option unless it's just there for people who may not understand how to create IPv4 ACLs?
@hz777 1 month ago
MAC ACL, IP ACL, firewall rules: they work differently from a technical perspective; they were introduced to the UniFi network controller at different times for different reasons. So today if you see an option that seemingly overlaps with another option, it can either be because those two options were introduced at different times, or because they are for different types of target users: one-click-then-call-it-done users or explore-all-and-understand-all users :)
@LeoShi-w3i 7 months ago
I tried this function a few days ago. I found that sometimes enabling blocking takes a couple of hours to take effect. Users complain the VLAN is not accessible half a day after I ticked it. But removing blocking was immediate.
@hz777 7 months ago
That's strange because as soon as the changes are provisioned to the switch, they should be effective right away.
@stone22121978 7 months ago
You have to change the firewall rule from 88 to 66 (you defined 66 to 88). Change it and it works.
@hz777 7 months ago
Do you mean when 66 and 88 are managed by the L3 switch instead of the router, firewall rules work???
@mcury85 8 months ago
There are rumors that new switches will be launched later this year..
@hz777 8 months ago
G3?
@mcury85 8 months ago
@hz777 I think so, Lawrence Systems made a comment about it, no details given.
@hz777 8 months ago
@mcury85 Let me guess… they will follow Apple, and ivory white and space gray rackmount switches are coming :) My only wish is that they upgrade the Aggregation Pro to support 100GbE. But based on their previous unsuccessful and unreleased one, it won't be affordable.
@mcury85 8 months ago
@hz777 I want a new 8-port Enterprise, without a cooler :)
@sobik2433 7 months ago
Hi, could you do some experiment and try to use 2 different UniFi networks with e.g. a UDM Pro on each network, and try to configure inter-VLAN routing to access e.g. VLAN 10 in one network from VLAN 20 in the other UniFi network? This scenario assumes the UDM Pros are connected via LAN, not WAN; for example, two buildings, two companies have UniFi networks and want to share some IT resources between them. They want a very fast connection, so they want 2x 10Gbit/s LACP, but their Internet WAN is very slow. Is it even possible to achieve?
@hz777 7 months ago
Two UniFi routers on the same LAN is problematic... The UDM Pro does have two WAN ports; have you considered using the other WAN port and configuring routing between the two UDM Pros?
@sobik2433 7 months ago
@hz777 VLAN 4040 is inter-VLAN routing in UniFi, right? So theoretically it can be done via LAN. Static route etc.?
@hz777 7 months ago
The problem is still one VLAN 4040 but two routers connected via LAN. Idk...
@sobik2433 7 months ago
@hz777 Edge router?
@hz777 7 months ago
Yes, as in my first reply (which was deleted by me later), what you need is simply routing between two routers, so any router should do. The only problem is the requirement about "through lan".