Vlan-En-Ubiquiti

Bridged Network with VLAN Configuration - Ubiq... 

http://community.ubnt.com/t5/airOS-Software-Con... 

 

 

S T O R E C O M M U N I T Y SIGN IN 

 

REGISTER 

Home 

Forums 

Knowledge Base 

Blogs 

Stories 

Board 

SEARCH 

Subscriptions Bookmarks Unread posts Mark as Read Recent posts Recent Topics FAQ 

Ubiquiti Networks Community Forums airMAX airOS Software & Conguration 

Bridged Network with VLAN Conguration 

Conguration 

REPLY Topic Options Message Listing Previous Topic Next Topic Previous 1 2 3 Next 

feisley 

New Member 

Bridged Network with VLAN Conguration 

01-18-2013 11:21 PM 

Options 

Posts: 18 

Kudos: 10 

Registered: 10-01-2012 

We are getting ready to launch our first Ubiquiti network. We currently have two existing networks and this new network will overlay 

and supplement the service area. 

During the testing and planning process one of the key items was to plan how to integrate this into our existing network topology, 

primarily the VLANs for customer access and management traffic. 

After searching the forums to see how others did it, I decided to set this up in the lab to see which scenarios worked best. In the end I 

settled on a VLAN configuration that closely mimics how we manage our Canopy network. Since I did not see anything like this 

posted, I wanted to share the configuration and notes as others may find it useful. 

The goals were as follows: 

1. Provide a VLAN from the core network to manage individual stations based on either a static IP or a DHCP reservation. The 

customer should not be able to see or access this VLAN or subnet. 

2. Allow a technician connected directly to the radio to access the management interface by a common ip (in this example 

192.168.1.20). The technician should not need any VLAN aware equipment. 

3. Provide an access VLAN that will be exposed to the user on the station ethernet port. The user should not need any VLAN aware 

equipment. 

Lab Setup: 

VLAN 10 - 192.168.10.X - Management Network 

VLAN 12 - 192.168.12.X - Customer Access Network 

Wiring Setup: 

Cisco Switch AP ((((((())))))) STA Laptop 

Configuration Steps: 

0. A Few Assumptions are made 

This assumes the Cisco (or other) switch is tagging both VLAN 10 and 12 on the port connected to the AP. The laptop is just a 

standard device with no VLAN configuration. 

1. Add VLANs under Advanced Network Configuration 

2. Assign WLAN0.10 to the Management Interface 

By doing this, the management IP is exposed only via VLAN 10 to the core network. It cannot be accessed by the local LAN0 

interface. 

3. On BRIDGE0, remove WLAN0 and add WLAN0.12 

Doing this bridges the customer VLAN 12 to the wired interface, thus connecting the customer to the appropriate network. As an 

added bonus, for customers that are behind on payments, we simply change this to a captive portal VLAN that provides them an 

interface to pay their bill. Ideally we want to make this switch automatic. 

4. Add the IP Alias of 192.168.1.20 to the BRIDGE0 

This exposes 192.168.1.20 as a way of managing the device from the local lan port. This is useful if a station falls off line and we 

need to roll a truck to repair the modem. The technician simply plugs a laptop into the LAN port and is able to manage the device. 

1 de 9 14/01/16 08:40



NOTE: Due to the fact this is on the BRIDGE0, that 192.168.1.20 IP is also bridged to the Wireless VLAN 12 (That the customers are 

on). Based on our testing, this did not cause an issue as any attempt to access the 192.168.1.20 interface is handled by the local 

station rather than bridging to another device. Additionally if you employ client isolation this is further mitigated. The biggest thing to 

understand is that you could not access 192.168.1.20 from the core network side of VLAN 12. Doing so would not work due to the 

conflict between the devices bridged to it. Finally if this is a concern, you could assign a unique IP Alias, however, we felt this 

defeated the purpose of having a single easy to remember management IP. I welcome your input on this. 

I have included a screen shot of the configuration for reference. It shows the resulting network settings after following the above 

steps. 

Again, I hope some may find this useful and I welcome a discussion if you feel there are any ways this could be improved. 

Cheers, 

Jacob 

1 of 51 

7 Kudos 

REPLY 

sjackson909 

Regular Member 

Re: Bridged Network with VLAN Conguration 

01-19-2013 06:02 AM 

Options 

Posts: 690 

Jacob, 

Great write up. This is the same exact way we setup all our CPE's in one of my markets. The network is a mix of canopy and UNBT 

and completely bridged all the way back to the core. The setup is not as easy as setting a untagged ingress like canopy but at least it 

2 de 9 14/01/16 08:40



Kudos: 189 

Solutions: 1 


works. Again great write up. 

Thanks 

-Seth 

2 of 51 

0 Kudos 

REPLY 

feisley 

New Member 


01-21-2013 09:03 PM 

We added the following rules to the AP firewall to block the discovery and CDP packets from the 192.168.1.20 interface: 

Options 

Posts: 18 

Kudos: 10 


Bridge chain: FIREWALL, entries: 2, policy: ACCEPT 

-p IPv4 -i ath0.12 --ip-src 192.168.1.20 -j DROP 

-d 1:0:c:cc:cc:cc -i ath0.12 -j DROP 

3 of 51 

0 Kudos 

REPLY 

Mathieu 



01-26-2013 09:31 PM 

Options 

We added the following rules to the AP firewall to block the discovery and CDP packets from the 192.168.1.20 interface: 

Posts: 544 

Kudos: 37 

Solutions: 4 


Bridge chain: FIREWALL, entries: 2, policy: ACCEPT 

-p IPv4 -i ath0.12 --ip-src 192.168.1.20 -j DROP 

-d 1:0:c:cc:cc:cc -i ath0.12 -j DROP 

what appen if a customer plug their router into the lan port ? 

i will never run a network witout a station in router mode. 

4 of 51 

0 Kudos 

REPLY 

feisley 

New Member 


01-26-2013 10:16 PM 

Options 


Posts: 18 

Kudos: 10 



Our market is primarily business customers where we handle the installation of their equipment, thus this is unlikely to occur for our 

use case. 

However, we do take preventative measures in case of mistakes. We have the firewall enabled on the station which blocks DHCP, 

SMB, and other applications that should not extend into our network. We also block traffic not part of our customer IP ranges, to 

further inhibit a reversed router from causing any problems (other than the customer not getting internet until the router is installed 

properly) 

5 of 51 

0 Kudos 

REPLY 

sjackson909 


Posts: 690 


01-27-2013 06:24 AM 

This is where canopys protocol filter page would be nice. I requested a while back but didn't catch on. 

forum.ubnt.com/showthread.php?t=65738 

Thanks 

Options 

3 de 9 14/01/16 08:40



Kudos: 189 

Solutions: 1 


-Seth 

6 of 51 

0 Kudos 

REPLY 

adairw 



01-27-2013 09:10 AM 

Options 

Posts: 326 

Kudos: 145 

Solutions: 3 




I use bridge filters on the mikrotik. I can show my code if anyone cares. 

7 of 51 

1 Kudo 

REPLY 

adairw 



01-27-2013 09:12 AM 

Options 

Posts: 326 

Kudos: 145 

Solutions: 3 


Thanks for sharing. 

This is pretty much how I setup my radios also except I don't use a management vlan. The management interface is on wlan0. I like 

the idea of the ip alias. Have to play around with that. 

8 of 51 

1 Kudo 

REPLY 

feisley 

New Member 


01-27-2013 12:38 PM 

Options 

Posts: 18 

Kudos: 10 


This is where canopys protocol filter page would be nice. I requested a while back but didn't catch on. 

forum.ubnt.com/showthread.php?t=65738 

Thanks 

-Seth 

Seth, 

Yea, the ease of simply checking the filtered protocols is nice, however, if what you want to block doesn't fit in that list or in the 3 

extra spaces they give you then you are out of luck. 

So I guess AirOS sacrifices some of the simplicity in exchange for a bit more power/flexibility. The ability to add any number of rules 

per device is handy. The firewall page could be expanded to allow raw ebtables/iptables rule entry for advanced configuration 

(eliminating the need to manually edit the config on the device) 

On a slightly unrelated subject... One thing I would like to see from Canopy is the separate rate limit for broadcast. 

9 of 51 

0 Kudos 

REPLY 

feisley 

New Member 


01-27-2013 12:40 PM 

Options 


Posts: 18 

Kudos: 10 


I would be interested in this. I have just started looking at some of the MikroTik devices. 

4 de 9 14/01/16 08:40



10 of 51 

0 Kudos 

REPLY 

adairw 



01-27-2013 01:05 PM 

Options 

I would be interested in this. I have just started looking at some of the MikroTik devices. 

Posts: 326 

Kudos: 145 

Solutions: 3 


I initially used this example to make my own functional rule. 

http://wiki.mikrotik.com/wiki/Bridge_Filter_-_Blocking_DHCP_Traffic 

/interface bridge filter 

add action=drop chain=forward dst-port=68 in-bridge=bridge-vpls-1002-Nat1 \ 

ip-protocol=udp mac-protocol=ip src-address=!192.168.99.254/32 src-port=\ 

67 

I use this rule on each tower router where I have a bridge from a VPLS tunnel to a VLAN. 

Using client isolation on the AP this basically allows dhcp responses to only be received by/from my server (99.254) that's in the 

core. 

Again, I do like you and bridge the CPE LAN interface to a VLAN that's bridged in the mikrotik to a VPLS tunnel that terminates back 

at my core router. I use VPLS as route-able vlan's so to speak. Currently there is a VPLS tunnel from my core router out to each 

tower router and all my towers are bridged together(in the core). But I think I'm about to break the bridge and terminate each tunnel 

at the core with it's own subnet and do routing/natting on each. Which will make the above filter a little useless but for now it works. 

11 of 51 

0 Kudos 

REPLY 

truverman 

Newbie 

Local Management 

01-28-2013 09:51 AM 

Ok, first off great post, exactly what i need to know. 

Options 

Posts: 7 


i attached a photo of my config, it seems everything works EXCEPT the local management, can anyone notice why? thanks for any 

advise. 

16028 

5 de 9 14/01/16 08:40



12 of 51 

0 Kudos 

REPLY 

feisley 

New Member 


01-28-2013 10:00 AM 

Options 

Ok, first off great post, exactly what i need to know. 

Posts: 18 

Kudos: 10 


i attached a photo of my config, it seems everything works EXCEPT the local management, can anyone notice why? thanks 

for any advise. 

16028 

For local management, you need to be plugged directly into the wired interface (i.e. no router, NAT, etc). Additionally the computer 

must have an IP in that subnet (192.168.1.X) assigned to it. 

The other thing that could cause issues but is less likely is that both your WAN Management VLAN and the Local one are using the 

same subnet. The gateway interface for this subnet is specified as the management interface you selected. I have not tried this 

locally, but you may want to try changing one of the IPs to see if that clears things up. 

For example, in our network Local Admin is always 192.168.1.20 (to match factory Ubiquiti configuration). And our WAN 

management network is 10.10.2.X 

6 de 9 14/01/16 08:40



13 of 51 

0 Kudos 

REPLY 

truverman 

Newbie 


01-28-2013 10:05 AM 

thanks, testing now! 

Options 

Posts: 7 


14 of 51 

0 Kudos 

REPLY 

truverman 

Newbie 


01-28-2013 10:09 AM 

Yep that was it, changed the test subnet to 192.168.2.x and it works. thanks! 

Options 

Posts: 7 


15 of 51 

0 Kudos 

REPLY 

feisley 

New Member 


01-29-2013 09:26 PM 

Options 

Yep that was it, changed the test subnet to 192.168.2.x and it works. thanks! 

Posts: 18 

Kudos: 10 


Awesome, glad it worked for you. 

16 of 51 

0 Kudos 

REPLY 

Mathieu 



02-02-2013 09:09 AM 

Options 


Posts: 544 

Kudos: 37 

Solutions: 4 


sure it will be appreciated 

17 of 51 

0 Kudos 

REPLY 

adairw 



02-02-2013 05:52 PM 

Options 

sure it will be appreciated 

Posts: 326 

Kudos: 145 

Solutions: 3 


http://forum.ubnt.com/showpost.php?p=425756&postcount=11 

18 of 51 

0 Kudos 

REPLY 

jtf6xb 

Newbie 


02-12-2013 02:16 PM 

Options 

Posts: 2 


Great post. Helped me confirm the configuration I was wanting to use for my CPE devices. I am curious about the vlan configuration 

of the AP. Do you create a bridge for each vlan? 

7 de 9 14/01/16 08:40



19 of 51 

0 Kudos 

REPLY 

Verde 

Member 

Posts: 111 

Kudos: 131 

Solutions: 4 



02-12-2013 03:37 PM 

Agreed, great post. I also played around with my AP and this is what I can up with: 

On the AP: 

In Advanced Configuration Mode: 

1. Static IP 192.168.10.x 

2. Add vlan 10 & 12 to both ports (wlan0 & lan0) 

3. Bridge0 should only contain lan0.12 & wlan0.12 

4. Bridge1 should only contain lan0.10 & wlan0.10 

5. Assign Bridge1 to Management Interface 

It worked for me. 

Options 

20 of 51 

1 Kudo 

REPLY 

REPLY Message Listing Previous Topic Next Topic Previous 1 2 3 Next 

8 de 9 14/01/16 08:40



Platforms 

EdgeMax 

airMax 

airFiber 

airVision 

UniFi 

mFi 

Support 

Platforms 

Downloads 

Training 

Company 

About us 

Contact us 

Marketing 

Investors 

© 2016 Ubiquiti Networks. All rights reserved. 

Terms of Service 

Privacy policy 

9 de 9 14/01/16 08:40

Vlan-En-Ubiquiti

Create successful ePaper yourself

Delete template?

Save as template?