Physical Network Isolation

Mainstay

Mainstay

Well-Known Member
Reaction score
747
Hi All,

I am upgrading the security at a small resort / lodge. It was discovered that every room has an Ethernet jack that directly connects the guest to the private resort network (yikes!).

I know I can physically block these ports and/or simply not connect those jacks to anything, but I'd like to keep that functionality should WiFi drop in the resort.

I will be isolating Guests connections on the Wireless network using Ubiquiti equipment, but have not had to work with isolating wired connections before.

Should I simply install a UBNT managed switch and configure each port as its own VLAN? We are only talking 12 suites, so 12 ports ID'd to their proper rooms and operating in VLAN 1, 2, 3 - 12?

Or is there an easier and / or better practice that I should be following?

Thank you all!

--Matthew
 
Mainstay said:
Hi All,

I am upgrading the security at a small resort / lodge. It was discovered that every room has an Ethernet jack that directly connects the guest to the private resort network (yikes!).

I know I can physically block these ports and/or simply not connect those jacks to anything, but I'd like to keep that functionality should WiFi drop in the resort.

I will be isolating Guests connections on the Wireless network using Ubiquiti equipment, but have not had to work with isolating wired connections before.

Should I simply install a UBNT managed switch and configure each port as its own VLAN? We are only talking 12 suites, so 12 ports ID'd to their proper rooms and operating in VLAN 1, 2, 3 - 12?

Or is there an easier and / or better practice that I should be following?

Thank you all!

--Matthew
Click to expand...
Look up the Port Isolation function on Ubiquiti/Unifi switches. There's not much documentation about and I've not personally tried it but it's there in the switch port advanced options and people say it does what your describing.
 
We've also been using TP-Link managed switches, and reading their documentation seems to indicate that it is easier than the Ubiquiti devices.

I don't mind mixing equipment (UBNT Edge Lite as the router, TP Link as the switch, etc.), so perhaps that is what I'll do.
 
You should create 2 separate networks using vlans, one for business use and one for the guests. You can then take it a step further and then isolate each guest connection (WiFi and wired).

You then need to a setup firewall rule to block all guest to private network traffic.
 
Frick said:
You should create 2 separate networks using vlans, one for business use and one for the guests. You can then take it a step further and then isolate each guest connection (WiFi and wired).

You then need to a setup firewall rule to block all guest to private network traffic.
Click to expand...

that's the plan!
 
  • Like
Reactions: CLC
Mainstay said:
Should I simply install a UBNT managed switch and configure each port as its own VLAN? We are only talking 12 suites, so 12 ports ID'd to their proper rooms and operating in VLAN 1, 2, 3 - 12?

Or is there an easier and / or better practice that I should be following?
Click to expand...

You're on the right path. I'd put a managed switch in there...and just do 1x VLAN for the guests. I wouldn't do a separate VLAN for each room...no need for that. What Glenn mentioned above will work, "port isolation". Scroll down a bit here.
https://help.ubnt.com/hc/en-us/articles/115000166827-UniFi-Wireless-Guest-Network-Setup

VLANs are really easy in Ubiquiti Unifi..it's just they take a different approach, done in "Profiles" now...which is different than how we've done in for decades on managed switches with our diagrams of T, U, and E on each port. But if you plan on doing Unifi WiFi at this client down the road, or already have 'em there, the way the Unifi manages it all..the more Unifi products you have stacked on the whole network..the better the Unifi tool gets.
 
If I deploy a Ubiquiti managed switch with two VLAN's (1 private = staff and ops, 1 "public" = guests, isolated from each other), and each vlan has it's own WAP's, can a single cloud key handle the two networks?

I have a low budget, low tech way of achieving this deployment, but I am trying to up my game and really appreciate all of this input and guidance!
 
Mainstay said:
If I deploy a Ubiquiti managed switch with two VLAN's (1 private = staff and ops, 1 "public" = guests, isolated from each other), and each vlan has it's own WAP's, can a single cloud key handle the two networks?

I have a low budget, low tech way of achieving this deployment, but I am trying to up my game and really appreciate all of this input and guidance!
Click to expand...

Unifi WAPs can have different networks and VLANs on them at the same time (not sure if its 4? 3 definately). You do not need different WAPs for each VLAN.
 
Frick said:
Unifi WAPs can have different networks and VLANs on them at the same time (not sure if its 4? 3 definately). You do not need different WAPs for each VLAN.
Click to expand...

For some reason, this never even occurred to me. Thank you guys! This is really helpful!

(I am not new to Ubiquiti, but I am definitely a novice when it comes to their CLI..... and there are some concepts like VLANS which I have toyed with but have never incorporated into a design from the beginning... so time to step up!)
 
The Ubiquiti APs can have up to 8x different SSIDs on them (at least the Pro models to, pretty sure the LRs..not sure about the Lites I don't use them much, I pretty much only use the Pro models indoors).
How you divvy up those "up to 8 networks"..they don't care about.
 
Last edited:
The Pro's, at least the one I have has a secondary NIC. Wondering if that could be used to broadcast the guest network over copper?
 
Markverhyden said:
The Pro's, at least the one I have has a secondary NIC. Wondering if that could be used to broadcast the guest network over copper?
Click to expand...

You mean to use it as a relay in the copper connections? There are data lines located in most of my desired locations, so I *think* I will be ok for straight runs.

I was thinking of setting up as follows:

internet >> edge router lite with ETH0 as WAN, ETH1 as LAN, ETH2 as my fallback LAN2 if I can't get the VLAN's to work >> L2 Switch >> WAP's

This guy has a video that I think I can work with.


So setup a trunk link from ETH1 to port 1 on the switch, Ports 2-10 will be VLAN1 and I don't change the default settings (this will be for staff) and setup Ports 11 - 20 as VLAN2 for use with Guest Wired connections and the downstream WAPs. Do the WAP's need to be on VLAN2? Can they be on any of the VLAN1 ports? How does the UAP even know there is a VLAN2? You tell it?

The UAP's I'll setup using this tutorial which associates a certain SSID with a certain VLAN. https://help.ubnt.com/hc/en-us/arti...ith-UniFi-Wireless-Routing-Switching-Hardware


Question: If I run out of VLAN2 ports on the L2 switch, can I attach a dumb switch? I think yes, it totally makes sense, but I am entering into uncharted water =)
 
Mainstay said:
You mean to use it as a relay in the copper connections? There are data lines located in most of my desired locations, so I *think* I will be ok for straight runs.

I was thinking of setting up as follows:

internet >> edge router lite with ETH0 as WAN, ETH1 as LAN, ETH2 as my fallback LAN2 if I can't get the VLAN's to work >> L2 Switch >> WAP's

This guy has a video that I think I can work with.


So setup a trunk link from ETH1 to port 1 on the switch, Ports 2-10 will be VLAN1 and I don't change the default settings (this will be for staff) and setup Ports 11 - 20 as VLAN2 for use with Guest Wired connections and the downstream WAPs. Do the WAP's need to be on VLAN2? Can they be on any of the VLAN1 ports? How does the UAP even know there is a VLAN2? You tell it?

The UAP's I'll setup using this tutorial which associates a certain SSID with a certain VLAN. https://help.ubnt.com/hc/en-us/arti...ith-UniFi-Wireless-Routing-Switching-Hardware


Question: If I run out of VLAN2 ports on the L2 switch, can I attach a dumb switch? I think yes, it totally makes sense, but I am entering into uncharted water =)
Click to expand...
That's Chris Sherwood. Him and Willie Howe pretty much are the standard for YouTube videos on Ubiquiti equipment.
 
Mainstay said:
You mean to use it as a relay in the copper connections? There are data lines located in most of my desired locations, so I *think* I will be ok for straight runs.
Click to expand...

When you enable guest mode the AP acts as it's own router, creating the client isolation for that subnet. I was wondering if the secondary port could be bound to the guest network, using it for DHCP, etc and just use a flat switch. I'll take a look at mine.
 
Mainstay said:
You mean to use it as a relay in the copper connections? There are data lines located in most of my desired locations, so I *think* I will be ok for straight runs.

I was thinking of setting up as follows:

internet >> edge router lite with ETH0 as WAN, ETH1 as LAN, ETH2 as my fallback LAN2 if I can't get the VLAN's to work >> L2 Switch >> WAP's

This guy has a video that I think I can work with.


So setup a trunk link from ETH1 to port 1 on the switch, Ports 2-10 will be VLAN1 and I don't change the default settings (this will be for staff) and setup Ports 11 - 20 as VLAN2 for use with Guest Wired connections and the downstream WAPs. Do the WAP's need to be on VLAN2? Can they be on any of the VLAN1 ports? How does the UAP even know there is a VLAN2? You tell it?

The UAP's I'll setup using this tutorial which associates a certain SSID with a certain VLAN. https://help.ubnt.com/hc/en-us/arti...ith-UniFi-Wireless-Routing-Switching-Hardware


Question: If I run out of VLAN2 ports on the L2 switch, can I attach a dumb switch? I think yes, it totally makes sense, but I am entering into uncharted water =)
Click to expand...
I would stick with the full unifi line of hardware. That will make management much easier, and enable some helpful additional features and info (such as DHCP guarding, DPI, etc).
 
Frick said:
I would stick with the full unifi line of hardware. That will make management much easier, and enable some helpful additional features and info (such as DHCP guarding, DPI, etc).
Click to expand...

Agreed...
That video up above..from Crosstalk, is old, dated 2016. The Unifi lineup had barely begun maturing..it was before Chris B from PFSense took over the Unifi product (which was August 2016..the video was several months earlier). Back when the video was made, the Unifi switches and gateways, along with the Unifi controller software...were not very feature rich yet, quite immature. People were loving the APs but not finding the switches and gateways very configurable. So back then we were using ERs and ES's with Unifi APs..and not touching the USs and USGs.

A lot changed since Chris B took over...A LOT! Within about 6 months we started seeing the entire Unifi statck really mature.
You lose SOOO much by not using USs and USGs. You're missing out on the incredible features of the Unifi controller and all it can do.
Plus it's soooo nice being able to log into just one portal..and seeing all of your Unifi network clients listed there and be able to easily remote into their Unifi controller and do what you have to do. A bit over a year ago we slowed down doing the ESs and ERs and do all Unifi now...since it's become so capable..and that much more.
 
Markverhyden said:
When you enable guest mode the AP acts as it's own router, creating the client isolation for that subnet. I was wondering if the secondary port could be bound to the guest network, using it for DHCP, etc and just use a flat switch. I'll take a look at mine.
Click to expand...

After looking at my setup and doing some searching it appears that the secondary port is actually just like a hub port. So it can't do what I thought it might do.
 
Markverhyden said:
After looking at my setup and doing some searching it appears that the secondary port is actually just like a hub port. So it can't do what I thought it might do.
Click to expand...

It's just bridged to the primary (main) Eth port. I don't believe you can dig into the port itself and manipulate VLANs on it like you can on a Unifi switch...ya know, tag, untag, exlude....
 
You must log in or register to reply here.

Similar threads

HCHTech
VLAN 101.....again
Replies
9
Views
1K
YeOldeStonecat
YeOldeStonecat
YeOldeStonecat
Pretty cool network projects I'm setting up...
Replies
13
Views
2K
HCHTech
HCHTech
thecomputerguy
How do I create a guest network in a full Ubiquiti setup with DHCP handled by the DC?
Replies
2
Views
723
Markverhyden
Markverhyden
HCHTech
Network planning - lots of connected devices
2
Replies
23
Views
3K
NETWizz
NETWizz
tek9
HP Server no network link to Mikrotik router
Replies
10
Views
3K
tek9
tek9
Back
Top