http://community.ubnt.com/t5/airOS-Software-Con...
feisley
New Member
01-18-2013 11:21 PM
We are getting ready to launch our first Ubiquiti network. We currently have two existing networks and this new network will overlay
and supplement the service area.
During the testing and planning process one of the key items was to plan how to integrate this into our existing network topology,
primarily the VLANs for customer access and management traffic.
After searching the forums to see how others did it, I decided to set this up in the lab to see which scenarios worked best. In the end I
settled on a VLAN configuration that closely mimics how we manage our Canopy network. Since I did not see anything like this
posted, I wanted to share the configuration and notes as others may find it useful.
The goals were as follows:
1. Provide a VLAN from the core network to manage individual stations based on either a static IP or a DHCP reservation. The
customer should not be able to see or access this VLAN or subnet.
2. Allow a technician connected directly to the radio to access the management interface by a common IP (in this example
192.168.1.20). The technician should not need any VLAN aware equipment.
3. Provide an access VLAN that will be exposed to the user on the station Ethernet port. The user should not need any VLAN aware
equipment.
Lab Setup:
VLAN 10 - 192.168.10.X - Management Network
VLAN 12 - 192.168.12.X - Customer Access Network
Wiring Setup:
Cisco Switch <-----> AP ((((((())))))) STA <-----> Laptop
Configuration Steps:
0. A few assumptions are made
This assumes the Cisco (or other) switch is tagging both VLAN 10 and 12 on the port connected to the AP. The laptop is just a
standard device with no VLAN configuration.
1. Add VLANs under Advanced Network Configuration
2. Assign WLAN0.10 to the Management Interface
By doing this, the management IP is exposed only via VLAN 10 to the core network. It cannot be accessed by the local LAN0
interface.
3. On BRIDGE0, remove WLAN0 and add WLAN0.12
Doing this bridges the customer VLAN 12 to the wired interface, thus connecting the customer to the appropriate network. As an
added bonus, for customers that are behind on payments, we simply change this to a captive portal VLAN that provides them an
interface to pay their bill. Ideally we want to make this switch automatic.
4. Add the IP Alias of 192.168.1.20 to the BRIDGE0
This exposes 192.168.1.20 as a way of managing the device from the local LAN port. This is useful if a station falls offline and we
need to roll a truck to repair the modem. The technician simply plugs a laptop into the LAN port and is able to manage the device.
14/01/16 08:40
NOTE: Due to the fact this is on the BRIDGE0, that 192.168.1.20 IP is also bridged to the Wireless VLAN 12 (That the customers are
on). Based on our testing, this did not cause an issue as any attempt to access the 192.168.1.20 interface is handled by the local
station rather than bridging to another device. Additionally if you employ client isolation this is further mitigated. The biggest thing to
understand is that you could not access 192.168.1.20 from the core network side of VLAN 12. Doing so would not work due to the
conflict between the devices bridged to it. Finally if this is a concern, you could assign a unique IP Alias, however, we felt this
defeated the purpose of having a single easy to remember management IP. I welcome your input on this.
I have included a screen shot of the configuration for reference. It shows the resulting network settings after following the above
steps.
Again, I hope some may find this useful and I welcome a discussion if you feel there are any ways this could be improved.
Cheers,
Jacob
7 Kudos
1 of 51
sjackson909
Regular Member
01-19-2013 06:02 AM
Jacob,
Great write up. This is the same exact way we set up all our CPEs in one of my markets. The network is a mix of Canopy and UBNT
and completely bridged all the way back to the core. The setup is not as easy as setting an untagged ingress like Canopy but at least it
0 Kudos
2 of 51
feisley
New Member
01-21-2013 09:03 PM
We added the following rules to the AP firewall to block the discovery and CDP packets from the 192.168.1.20 interface:
0 Kudos
3 of 51
Mathieu
Regular Member
01-26-2013 09:31 PM
We added the following rules to the AP firewall to block the discovery and CDP packets from the 192.168.1.20 interface:
What happens if a customer plugs their router into the LAN port?
I will never run a network without a station in router mode.
0 Kudos
4 of 51
feisley
New Member
01-26-2013 10:16 PM
What happens if a customer plugs their router into the LAN port?
Our market is primarily business customers where we handle the installation of their equipment, thus this is unlikely to occur for our
use case.
However, we do take preventative measures in case of mistakes. We have the firewall enabled on the station which blocks DHCP,
SMB, and other applications that should not extend into our network. We also block traffic not part of our customer IP ranges, to
further inhibit a reversed router from causing any problems (other than the customer not getting internet until the router is installed
properly).
0 Kudos
5 of 51
sjackson909
Regular Member
01-27-2013 06:24 AM
This is where Canopy's protocol filter page would be nice. I requested it a while back but it didn't catch on.
forum.ubnt.com/showthread.php?t=65738
Thanks
-Seth
0 Kudos
6 of 51
adairw
Regular Member
01-27-2013 09:10 AM
What happens if a customer plugs their router into the LAN port?
I will never run a network without a station in router mode.
I use bridge filters on the MikroTik. I can show my code if anyone cares.
1 Kudo
7 of 51
adairw
Regular Member
01-27-2013 09:12 AM
1 Kudo
8 of 51
feisley
New Member
01-27-2013 12:38 PM
This is where Canopy's protocol filter page would be nice. I requested it a while back but it didn't catch on.
forum.ubnt.com/showthread.php?t=65738
Thanks
-Seth
Seth,
Yeah, the ease of simply checking the filtered protocols is nice; however, if what you want to block doesn't fit in that list or in the 3
extra spaces they give you then you are out of luck.
So I guess airOS sacrifices some of the simplicity in exchange for a bit more power/flexibility. The ability to add any number of rules
per device is handy. The firewall page could be expanded to allow raw ebtables/iptables rule entry for advanced configuration
(eliminating the need to manually edit the config on the device).
On a slightly unrelated subject... One thing I would like to see from Canopy is the separate rate limit for broadcast.
0 Kudos
9 of 51
feisley
New Member
01-27-2013 12:40 PM
I use bridge filters on the MikroTik. I can show my code if anyone cares.
I would be interested in this. I have just started looking at some of the MikroTik devices.
0 Kudos
10 of 51
adairw
Regular Member
01-27-2013 01:05 PM
I would be interested in this. I have just started looking at some of the MikroTik devices.
I use this rule on each tower router where I have a bridge from a VPLS tunnel to a VLAN.
Using client isolation on the AP, this basically allows DHCP responses to only be received by/from my server (99.254) that's in the
core.
Again, I do like you and bridge the CPE LAN interface to a VLAN that's bridged in the MikroTik to a VPLS tunnel that terminates back
at my core router. I use VPLS as routable VLANs, so to speak. Currently there is a VPLS tunnel from my core router out to each
tower router and all my towers are bridged together (in the core). But I think I'm about to break the bridge and terminate each tunnel
at the core with its own subnet and do routing/NATing on each. Which will make the above filter a little useless, but for now it works.
0 Kudos
11 of 51
truverman
Local Management
Newbie
01-28-2013 09:51 AM
I attached a photo of my config; it seems everything works EXCEPT the local management, can anyone notice why? Thanks for any
advice.
0 Kudos
12 of 51
feisley
New Member
01-28-2013 10:00 AM
I attached a photo of my config; it seems everything works EXCEPT the local management, can anyone notice why? Thanks
for any advice.
For local management, you need to be plugged directly into the wired interface (i.e. no router, NAT, etc). Additionally the computer
must have an IP in that subnet (192.168.1.X) assigned to it.
The other thing that could cause issues but is less likely is that both your WAN Management VLAN and the Local one are using the
same subnet. The gateway interface for this subnet is specified as the management interface you selected. I have not tried this
locally, but you may want to try changing one of the IPs to see if that clears things up.
For example, in our network Local Admin is always 192.168.1.20 (to match factory Ubiquiti configuration). And our WAN
management network is 10.10.2.X
0 Kudos
13 of 51
truverman
Newbie
01-28-2013 10:05 AM
14 of 51
truverman
Newbie
01-28-2013 10:09 AM
Yep that was it, changed the test subnet to 192.168.2.x and it works. thanks!
0 Kudos
15 of 51
feisley
New Member
01-29-2013 09:26 PM
Yep that was it, changed the test subnet to 192.168.2.x and it works. thanks!
0 Kudos
16 of 51
Mathieu
Regular Member
02-02-2013 09:09 AM
I use bridge filters on the MikroTik. I can show my code if anyone cares.
0 Kudos
17 of 51
adairw
Regular Member
02-02-2013 05:52 PM
http://forum.ubnt.com/showpost.php?p=425756&postcount=11
0 Kudos
18 of 51
jtf6xb
Newbie
02-12-2013 02:16 PM
Great post. Helped me confirm the configuration I was wanting to use for my CPE devices. I am curious about the VLAN configuration
of the AP. Do you create a bridge for each VLAN?
Verde
Member
02-12-2013 03:37 PM
Agreed, great post. I also played around with my AP and this is what I came up with:
On the AP:
In Advanced Configuration Mode:
1. Static IP 192.168.10.x
2. Add VLAN 10 & 12 to both ports (wlan0 & lan0)
3. Bridge0 should only contain lan0.12 & wlan0.12
4. Bridge1 should only contain lan0.10 & wlan0.10
5. Assign Bridge1 to Management Interface
It worked for me.
1 Kudo
20 of 51
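The thread describes two layouts by hand: the station steps in the first post (management on WLAN0.10, BRIDGE0 = WLAN0.12 + LAN0, alias 192.168.1.20 on BRIDGE0) and Verde's AP layout above (one bridge per VLAN, management on Bridge1). The following is an added example, not Ubiquiti code and not something posted in this thread: it models ports, VLAN sub-interfaces and bridges as sets of L2 segments and reports which segments can address each management IP, so the three goals from the first post can be checked before the config is pushed to a radio. Interface names follow the posts; the host addresses 192.168.10.50 and 192.168.10.2, and every function name, are assumptions. It goes beyond the thread by also auditing a misconfigured variant (management IP left on BRIDGE0) to show how goal 1 fails.

```python
"""Reachability model for an airOS-style VLAN/bridge layout (added example,
not Ubiquiti code; it does not read a real device config)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# An L2 segment is (physical port, VLAN id); VLAN id None means untagged frames.
Segment = Tuple[str, Optional[int]]


@dataclass
class Config:
    ports: List[str]                                             # physical interfaces
    vlans: Dict[str, Segment] = field(default_factory=dict)      # "wlan0.10" -> ("wlan0", 10)
    bridges: Dict[str, List[str]] = field(default_factory=dict)  # "br0" -> member interfaces
    ips: Dict[str, List[str]] = field(default_factory=dict)      # interface -> IPs, aliases included

    def segments_of(self, iface: str) -> Set[Segment]:
        """Every L2 segment whose frames reach `iface` (a bridge is the union of its members)."""
        if iface in self.ports:
            return {(iface, None)}
        if iface in self.vlans:
            return {self.vlans[iface]}
        if iface in self.bridges:
            segs: Set[Segment] = set()
            for member in self.bridges[iface]:
                segs |= self.segments_of(member)
            return segs
        raise KeyError(f"unknown interface {iface}")

    def exposed_on(self, ip: str) -> Set[Segment]:
        """Segments from which a host could address `ip` on this device."""
        segs: Set[Segment] = set()
        for iface, addrs in self.ips.items():
            if ip in addrs:
                segs |= self.segments_of(iface)
        return segs

    def bridged_together(self, a: Segment, b: Segment) -> bool:
        """True when some bridge forwards frames between segments a and b."""
        return any({a, b} <= self.segments_of(br) for br in self.bridges)


def audit(cfg: Config, mgmt_ip: str, core: Segment, customer: Segment,
          tech: Optional[Segment] = None, alias_ip: Optional[str] = None):
    """Check the first post's three goals. Returns (problems, notes): problems are
    goal violations; notes are side effects worth knowing, e.g. the alias answering
    on the customer VLAN, which the first post already points out."""
    problems: List[str] = []
    notes: List[str] = []
    mgmt = cfg.exposed_on(mgmt_ip)
    if core not in mgmt:                     # goal 1: the core must reach management ...
        problems.append(f"{mgmt_ip} not reachable from core segment {core}")
    for seg in mgmt - {core}:                # ... and customers / the local port must not
        if seg in (customer, tech):
            problems.append(f"{mgmt_ip} exposed on {seg}")
        else:
            notes.append(f"{mgmt_ip} also answers on {seg}")
    if tech is not None:                     # goals 2 and 3 only apply to a station with a local port
        if alias_ip is not None:
            alias = cfg.exposed_on(alias_ip)
            if tech not in alias:
                problems.append(f"alias {alias_ip} not reachable from technician port {tech}")
            for seg in alias - {tech}:
                notes.append(f"alias {alias_ip} also answers on {seg}")
        if not cfg.bridged_together(customer, tech):
            problems.append(f"customer segment {customer} is not bridged to {tech}")
    return problems, notes


# Station layout from the first post: management on wlan0.10, br0 = wlan0.12 + untagged lan0,
# alias 192.168.1.20 on br0. 192.168.10.50 is a constructed host address in the 192.168.10.X range.
STATION = Config(
    ports=["wlan0", "lan0"],
    vlans={"wlan0.10": ("wlan0", 10), "wlan0.12": ("wlan0", 12)},
    bridges={"br0": ["wlan0.12", "lan0"]},
    ips={"wlan0.10": ["192.168.10.50"], "br0": ["192.168.1.20"]},
)

# AP layout from Verde's reply: VLANs 10 and 12 on both ports, one bridge per VLAN,
# management on br1. 192.168.10.2 is a constructed AP address.
AP = Config(
    ports=["wlan0", "lan0"],
    vlans={"wlan0.10": ("wlan0", 10), "wlan0.12": ("wlan0", 12),
           "lan0.10": ("lan0", 10), "lan0.12": ("lan0", 12)},
    bridges={"br0": ["lan0.12", "wlan0.12"], "br1": ["lan0.10", "wlan0.10"]},
    ips={"br1": ["192.168.10.2"]},
)

WIRELESS_MGMT, WIRELESS_CUST, LOCAL_PORT = ("wlan0", 10), ("wlan0", 12), ("lan0", None)


def audit_station():
    return audit(STATION, "192.168.10.50", core=WIRELESS_MGMT, customer=WIRELESS_CUST,
                 tech=LOCAL_PORT, alias_ip="192.168.1.20")


def audit_ap():
    # On the AP the core arrives tagged on the wired port; customers are on wlan0 VLAN 12.
    return audit(AP, "192.168.10.2", core=("lan0", 10), customer=WIRELESS_CUST)


def audit_mgmt_on_bridge():
    """Hypothetical mistake: management IP left on br0 instead of wlan0.10 (goal 1 fails)."""
    bad = Config(ports=STATION.ports, vlans=STATION.vlans, bridges=STATION.bridges,
                 ips={"br0": ["192.168.10.50", "192.168.1.20"]})
    return audit(bad, "192.168.10.50", core=WIRELESS_MGMT, customer=WIRELESS_CUST,
                 tech=LOCAL_PORT, alias_ip="192.168.1.20")


if __name__ == "__main__":
    for name, (problems, notes) in (("station", audit_station()), ("ap", audit_ap()),
                                    ("mgmt-on-br0", audit_mgmt_on_bridge())):
        print(f"{name}: problems={problems or 'none'} notes={notes or 'none'}")
```

For the station layout the audit reports no problems and one note, the alias answering on wireless VLAN 12, which is exactly the side effect the first post's NOTE discusses. For Verde's AP the management IP is reachable on both tagged VLAN 10 segments and nowhere else. The misconfigured variant shows how leaving the management IP on BRIDGE0 exposes it to the customer VLAN and the local port while making it unreachable from VLAN 10.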