Unifi Port Profile help.

gpg

Hi All,

I have an Untangle NGFW on latest version along with Unifi CKG2 with a Unifi 24 port switch and Unifi AP all with latest version of software.

On the Untangle I have 4 ports defined as follows:

Port 1 = WAN

Port 2 = LAN 10.0.0.1 Set to issue DHCP.

Port 3 = WiFi 192.168.10.1 Set to issue DHCP.

Port 4 = disabled

The issue I am running into is when a LAN connected device requests an IP address it's getting a WiFi address, and the same issue is happening with the WiFi IP address requests. WiFi devices are sometimes getting the LAN IP, not the WiFi IP it should get.

Guessing it's the Unifi switch Profile setup? On the Unifi switch port going to the Untangle WiFi the port Profile is set to All. Changing the Unifi switch port Profile to WiFi Profile the connection to the AP just drops. I have to set it back to All to get internet connectivity from the AP.

I have changed the Unifi CKG2 and the switch and AP to be all static IP addresses in the WiFi 192 scope. Still no success, LAN devices are still getting WiFi and vice versa. I have a Filter Rule setup on the Untangle that allows LAN to see the WiFi network, and I can access the Unifi CKG2 and controller from the LAN 10 scope.

Thank you in advance for your insights.
 
We combine Unifi switches and APs with Untangle a lot..it's our favorite recipe for our clients.
You can handle this 2 ways with Untangle, you can tag the VLAN on Untangles interface, and just pour all VLANs out any ports on the switch. BUT..I prefer to dump the VLAN from a port on the switch facing the intended port on Untangle....I let the switch handle VLAN in/out, and I prefer to keep the Untangle interfaces dedicated to each network.

So for this example, let's take your Unifi switch and do the following:
*Port 1...will face port 2 on Untangle
*Port 2...will face port 3 on Untangle.
*Ports 22, 23, and 24 are for 3x APs

For Unifi, under Networks, you'll have your default corporate LAN, and for your wifi, let's make another network...choose VLAN only, and we'll call it "WiFi" and assign it VLAN3

I'm assuming you do not want any wifi to merge with the production/default network? You're going to treat wifi only as a separate network?

For profiles, we'll make several.
*"Data only"...if you don't have VoIP phones, create one for the default corporate network, with no POE. Do not tag additional ports. Assign this to ports 1, 3-21.
*"Wifi facing Untangle"...create this profile with the "WiFi" network...with POE disabled. Do not add any other networks. Assign this to port 2.
*"WiFi for APs"...create this profile with the "WiFi" network...with POE enabled, and with Port Isolation enabled. Assign to ports 22, 23, and 24.

Your wireless network, under advanced, will be assigned VLAN3.

In the "traditional" way you'd do this with most other managed switches, you want to "Untag" the VLAN facing the ports in Untangle...and "exclude" the other VLANs. With Unifi, you do this by making the VLAN you want the default VLAN on that port, and not selecting the others.

Now, let's say you have a more common network where you have a wireless SSID for production laptops for the business, and you want a guest network too! The guest network would be the same as you have here...but the production SSID would have laptops on your default data network. So I'd create another profile, called "WiFi for APs..production and guest"...with POE enabled and port isolation enabled, and I'd assign that to ports 22, 23, and 24.

The "Production WiFi" SSID would default to the default Corporate network.

If you have VoIP...I'd create another corporate VLAN, assigned VLAN2, and I'd have yet another profile, "Data/VoIP", with POE enabled, and assign that to ports 4-21. If there is a PBX on the network...I'd have another port on the switch face that...port 3, and I'd have a special profile to dump VoIP traffic to that, just like we have with the wifi. And there's an option in Unifi to make that VLAN2 auto voice (enables LLDP-MED) so phones auto discover it.

For any POE ports that face a more expensive device, like your firewall, or a server..always disable POE on those ports. Regardless of brand of switch. POE auto senses pretty well, but once in a blue moon some "thing" occurs where it may send juice upstream..don't want to knock down a server's NIC or a firewall.

For switch ports going to APs, enable port isolation...cuts down on broadcast chatter that can take up precious airtime on the AP. Not doing that allows broadcast chatter to consume a lot of wireless airtime and cut down on performance.
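As an added example (not from anyone in this thread), here is a small Python audit of the port-profile plan laid out above, modelling each profile as one untagged VLAN plus optional tagged VLANs, a PoE flag and an isolation flag. The meaning of the "All" profile as default network untagged plus every other VLAN tagged is my assumption, used to show why the poster's setup puts both DHCP servers in one broadcast domain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """One switch port profile (a hypothetical model, not the Unifi API)."""
    native_vlan: int                        # the untagged ("default") network on the port
    tagged_vlans: frozenset = frozenset()   # any additional networks carried tagged
    poe: bool = False
    isolation: bool = False

# Profiles named as in the answer above. "All" is modelled on the assumption that it
# means: default network untagged plus every other VLAN (here VLAN3) tagged.
PROFILES = {
    "All": Profile(native_vlan=1, tagged_vlans=frozenset({3})),
    "Data only": Profile(native_vlan=1),
    "Wifi facing Untangle": Profile(native_vlan=3),
    "WiFi for APs": Profile(native_vlan=3, poe=True, isolation=True),
}
FIREWALL_PORTS = {1, 2}        # switch ports facing Untangle ports 2 (LAN) and 3 (WiFi)
AP_PORTS = {22, 23, 24}

# Recommended assignment from the answer.
GOOD_PLAN = {1: "Data only", 2: "Wifi facing Untangle",
             **{p: "Data only" for p in range(3, 22)},
             22: "WiFi for APs", 23: "WiFi for APs", 24: "WiFi for APs"}
# The poster's situation: the port towards the Untangle WiFi interface left on "All".
BROKEN_PLAN = {**GOOD_PLAN, 2: "All"}

def audit(plan, profiles=PROFILES, firewall_ports=FIREWALL_PORTS, ap_ports=AP_PORTS):
    """Return findings (strings); an empty list means the plan follows the design rules."""
    findings = []
    for port, name in sorted(plan.items()):
        prof = profiles[name]
        if port in firewall_ports:
            if prof.tagged_vlans:   # the Untangle interface expects one untagged network only
                findings.append(f"port {port}: carries tagged VLANs {sorted(prof.tagged_vlans)} towards the firewall")
            if prof.poe:            # never power a firewall or server NIC
                findings.append(f"port {port}: PoE enabled on a firewall-facing port")
        if port in ap_ports:
            if not prof.poe:
                findings.append(f"port {port}: AP port without PoE")
            if not prof.isolation:  # keeps broadcast chatter off the airtime
                findings.append(f"port {port}: AP port without port isolation")
    # Two firewall-facing ports on the same untagged VLAN put both DHCP servers in one broadcast domain.
    natives = {p: profiles[plan[p]].native_vlan for p in firewall_ports if p in plan}
    if len(set(natives.values())) < len(natives):
        findings.append(f"firewall ports share an untagged VLAN: {natives}")
    return findings
```

Running `audit(GOOD_PLAN)` returns no findings, while `audit(BROKEN_PLAN)` reports the tagged VLAN on port 2 and that both firewall-facing ports sit on untagged VLAN 1.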
 

Thanks for your help!
 