Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)OK to Mix System Management Between EdgeMax and Unifi Controller?
AndyT

166 posts

Master Geek
+1 received by user: 10


#280703 4-Jan-2021 21:39
Send private message

Perhaps another daft noob question .... so forgive me, but here goes...

 

Background:

 

     

  1. I've configured an ER-X with VLANs on switch0 as VLAN 1 and for IoT devices as VLANs 3, 4 & 7, eg Chromecast, Apple TV, Ezviz cams, with PVIDs and VIDs set per eth interface
  2. The IoT devices are Cat 6 wired via USW Flex Minis with ports profiled for the respective VLANs.
  3. I've then created "VLAN Only" networks in Unifi Controller for each VLAN, with firewall rules configured to prevent the IoT devices "leaking"
  4. The ER-X has its stock WAN firewall rules created by the WAN+2LAN2 Wizard

 

Issue:

 

     

  1. Everything appears to work fine, but when I audit the firewalls by giving my iMac a static IPA on any of the VLAN subnets, I can still ping the main LAN - which shouldn't happen if the firewalls were properly doing their thing per what I thought was a correct configuration.

 

Question:

 

     

  1. Per the headed subject matter, is it OK to mix system management like this with the ER-X essentials configured on EdgeMax OS (ver 2.0.9), and the VLAN ports and associated firewalls configured on Unifi Controller (ver 6.0.43)? I've assumed it is OK as this is exactly what I do on other systems in other circumstances with ER-x's and UAPs. If it is OK I'll have to dive deeper into the firewall on the Controller and get it properly sorted in this case; if not, I'll scrap the Controller VLAN configuration of firewalls and reconfigure the VLAN firewalls in EdgeMax OS.

 

Thanks in anticipation.

 

 




Rgds Andy T

Create new topic
michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2630426 5-Jan-2021 02:29
Send private message

This is what I do.

 

I've got UniFi Access Points + an Edgerouter 4.

 

Edgerouter is configured like so:

 

 

On the UniFi network I've created 2x networks with the VLAN's specified (90,95):

 

 

Then on the Wireless network I've specified the corresponding network:

 

 

Just note - if you have third party smart switches you'll also need to pass (trunk) these VLAN's across to your UniFi access points.

 

On the Edgerouter you'll need firewall rules to prevent cross-VLAN communication as by default it'll route across VLAN's. Follow this guide to secure things off: https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.



AndyT

166 posts

Master Geek
+1 received by user: 10


  #2630803 5-Jan-2021 17:59
Send private message

Many thanks michaelmurphy.

 

I've implemented the firewalls in Edge OS line with the guide suggested in your final para and all seems well and I'll carry out a series of "pingability" tests later this evening.

 

One point though that I've probably misunderstood - does the guide deal with cross-VLAN communication, or do I need to address that aspect separately, and if so, do you have anything on this that I can follow?

 

Thanks & regards,




Rgds Andy T

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2630809 5-Jan-2021 18:37
Send private message

@AndyT The cross-VLAN communication needs to be taken care of using firewall rules on the Edgerouter itself. Guide above for that.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.



AndyT

166 posts

Master Geek
+1 received by user: 10


  #2630826 5-Jan-2021 20:10
Send private message

OK, understood.

 

Thank You.

 

 




Rgds Andy T

AndyT

166 posts

Master Geek
+1 received by user: 10


  #2630838 5-Jan-2021 21:15
Send private message

One more question if I may .....

 

I've carried out some "pingability" tests by giving the iMac a static IPA of one of the VLANs e.g. 192.168.30.10, and pinging another VLAN at say 192.168.40.1

 

At first attempt it will ping, but after a few other pings to other VLANs and then coming back to re-ping 192.168.40.1 it blocks the ping - as intended by the firewall.

 

I'm unclear why this is inconsistency is happening and wondering if there is anything I need to worry about and reconfigure here, or is this normal firewall behaviour? I'm thinking that I didn't configure anything for "new/established/related/invalid" states, but followed the UI help guide to the letter, other than using firewall policy names of IOT-IN and IOT-LOCAL rather than GUEST-IN and GUEST-LOCAL on the assumption that this doesn't make any difference?

 

Many thanks,




Rgds Andy T

Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright