Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)OK to Mix System Management Between EdgeMax and Unifi Controller?
AndyT

164 posts

Master Geek


#280703 4-Jan-2021 21:39
Send private message

Perhaps another daft noob question .... so forgive me, but here goes...

 

Background:

 

     

  1. I've configured an ER-X with VLANs on switch0 as VLAN 1 and for IoT devices as VLANs 3, 4 & 7, eg Chromecast, Apple TV, Ezviz cams, with PVIDs and VIDs set per eth interface
  2. The IoT devices are Cat 6 wired via USW Flex Minis with ports profiled for the respective VLANs.
  3. I've then created "VLAN Only" networks in Unifi Controller for each VLAN, with firewall rules configured to prevent the IoT devices "leaking"
  4. The ER-X has its stock WAN firewall rules created by the WAN+2LAN2 Wizard

 

Issue:

 

     

  1. Everything appears to work fine, but when I audit the firewalls by giving my iMac a static IPA on any of the VLAN subnets, I can still ping the main LAN - which shouldn't happen if the firewalls were properly doing their thing per what I thought was a correct configuration.

 

Question:

 

     

  1. Per the headed subject matter, is it OK to mix system management like this with the ER-X essentials configured on EdgeMax OS (ver 2.0.9), and the VLAN ports and associated firewalls configured on Unifi Controller (ver 6.0.43)? I've assumed it is OK as this is exactly what I do on other systems in other circumstances with ER-x's and UAPs. If it is OK I'll have to dive deeper into the firewall on the Controller and get it properly sorted in this case; if not, I'll scrap the Controller VLAN configuration of firewalls and reconfigure the VLAN firewalls in EdgeMax OS.

 

Thanks in anticipation.

 

 

Create new topic
michaelmurfy
meow
13275 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2630426 5-Jan-2021 02:29
Send private message

This is what I do.

 

I've got UniFi Access Points + an Edgerouter 4.

 

Edgerouter is configured like so:

 

 

On the UniFi network I've created 2x networks with the VLAN's specified (90,95):

 

 

Then on the Wireless network I've specified the corresponding network:

 

 

Just note - if you have third party smart switches you'll also need to pass (trunk) these VLAN's across to your UniFi access points.

 

On the Edgerouter you'll need firewall rules to prevent cross-VLAN communication as by default it'll route across VLAN's. Follow this guide to secure things off: https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.



AndyT

164 posts

Master Geek


  #2630803 5-Jan-2021 17:59
Send private message

Many thanks michaelmurphy.

 

I've implemented the firewalls in Edge OS line with the guide suggested in your final para and all seems well and I'll carry out a series of "pingability" tests later this evening.

 

One point though that I've probably misunderstood - does the guide deal with cross-VLAN communication, or do I need to address that aspect separately, and if so, do you have anything on this that I can follow?

 

Thanks & regards,

michaelmurfy
meow
13275 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2630809 5-Jan-2021 18:37
Send private message

@AndyT The cross-VLAN communication needs to be taken care of using firewall rules on the Edgerouter itself. Guide above for that.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.



AndyT

164 posts

Master Geek


  #2630826 5-Jan-2021 20:10
Send private message

OK, understood.

 

Thank You.

 

 

AndyT

164 posts

Master Geek


  #2630838 5-Jan-2021 21:15
Send private message

One more question if I may .....

 

I've carried out some "pingability" tests by giving the iMac a static IPA of one of the VLANs e.g. 192.168.30.10, and pinging another VLAN at say 192.168.40.1

 

At first attempt it will ping, but after a few other pings to other VLANs and then coming back to re-ping 192.168.40.1 it blocks the ping - as intended by the firewall.

 

I'm unclear why this is inconsistency is happening and wondering if there is anything I need to worry about and reconfigure here, or is this normal firewall behaviour? I'm thinking that I didn't configure anything for "new/established/related/invalid" states, but followed the UI help guide to the letter, other than using firewall policy names of IOT-IN and IOT-LOCAL rather than GUEST-IN and GUEST-LOCAL on the assumption that this doesn't make any difference?

 

Many thanks,

Create new topic





News and reviews »

Gen Threat Report Reveals Rise in Crypto, Sextortion and Tech Support Scams
Posted 7-Aug-2025 13:09

Logitech G and McLaren Racing Sign New, Expanded Multi-Year Partnership
Posted 7-Aug-2025 13:00

A Third of New Zealanders Fall for Online Scams Says Trend Micro
Posted 7-Aug-2025 12:43

OPPO Releases Its Most Stylish and Compact Smartwatch Yet, the Watch X2 Mini.
Posted 7-Aug-2025 12:37

Epson Launches New High-End EH-LS9000B Home Theatre Laser Projector
Posted 7-Aug-2025 12:34

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00

eero Pro 7 Review
Posted 23-Jul-2025 12:07

BeeStation Plus Review
Posted 21-Jul-2025 14:21

eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01

WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32

RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26

Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24

Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05

Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01

Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
GoodSync
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright