6610 VLANs and Ubiquiti AP's

[Jason Antes]

I am having an issue with getting my Unifi AP's working with tagged vlan's. I have a controller, in VLAN 10 and 2 APs in VLANs 20 and 30. 10 is my hardwired network, 20 is my "internal" wireless, and 30 is my IOT wireless. Going by what Ubiquiti recommends I set up the port to the AP as untagged and adopted it. After that I set up 2 new networks in the controller for VLAN id's 20 and 30 and assigned both to the APs. So far so good. I then go and add the APs port as tagged in both VLANs on the switch. I lose communication with the APs on VLAN 20 but things are working for VLAN 30 just fine. Sometimes I get an address on 20, sometimes not and I can no longer manage the APs from the controller. If I set the port to dual mode then I regain controller access to the APs but none of the clients can get IP addresses anymore.

Any ideas what I might be doing wrong? I am running opnsense as for DHCP, L3, and firewall rules. I have a rule to allow the known needed ports from the APs IP addresses to talk to the controller, all other communication is blocked from VLAN 20 to 10. I also have a DNS override to resolve "unifi" to the controller on VLAN 10. I am not doing a NAT port forward as such.

 

[Jason Antes]

Ok, so I thought of a possibility, and that is to put the APs in VLAN 10 for management purposes, setup a network for VLAN 10, but not attach that to any SSID's. Should get rid of the issues with passing traffic through VLANs for management. Does this pose any security risks for my internal wired network that are any worse than a port forward or allowing traffic from the AP IP address to talk to the controller on the wired VLAN?

 

[gregsachs]

On each AP, have you done Configure->Services->Management VLAN and set that?
I have my APs on the management vlan, and do not map a ssid to that vlan, so it is only wired.

 

[Jason Antes]

On each AP, have you done Configure->Services->Management VLAN and set that?
I have my APs on the management vlan, and do not map a ssid to that vlan, so it is only wired.

Yes, when I set that to vlan 20 it loses connection to the AP's as well. It's really frustrating. I think I'll try the way you have it and see what happens.

 

[itronin]

Ok, so I thought of a possibility, and that is to put the APs in VLAN 10 for management purposes, setup a network for VLAN 10, but not attach that to any SSID's. Should get rid of the issues with passing traffic through VLANs for management. Does this pose any security risks for my internal wired network that are any worse than a port forward or allowing traffic from the AP IP address to talk to the controller on the wired VLAN?

speaking generally.

yes. typical configuration, AP's in a management VLAN and that VLAN is untagged for the AP ports. then if you have specific VLAN's for specific SSID's add the vlan as tagged to the AP's ports. MAP the SSID's to the VLANS (vendor specific whether done in the controller or AP). Controller ideally is in the same mgmt VLAN (untagged) as the AP's. Assumes AP's have local droppoff of VLAN specific traffic. If not in the same management VLAN then absolutely needs a routed connection to the AP's VLAN (subnet) and you'll have to configure AP's and/or controller to find each other.

If you are using a WLC that backhauls network traffic to the controller/WLC hen things get different and may be specific to that controller or vendor. (think Cisco WLC)

 

[Jason Antes]

speaking generally.

yes. typical configuration, AP's in a management VLAN and that VLAN is untagged for the AP ports. then if you have specific VLAN's for specific SSID's add the vlan as tagged to the AP's ports. MAP the SSID's to the VLANS (vendor specific whether done in the controller or AP). Controller ideally is in the same mgmt VLAN (untagged) as the AP's. Assumes AP's have local droppoff of VLAN specific traffic. If not in the same management VLAN then absolutely needs a routed connection to the AP's VLAN (subnet) and you'll have to configure AP's and/or controller to find each other.

If you are using a WLC that backhauls network traffic to the controller/WLC hen things get different and may be specific to that controller or vendor. (think Cisco WLC)

Of course I had the rules in place to route traffic appropriately between the vlans. In order to set up vlan 10 for management and untagged, I'm guessing that I'll have to set the port to "Dual" for 10 and tagged for 20 and 30 on the 6610. Correct?

 

[itronin]

I'm guessing that I'll have to set the port to "Dual" for 10 and tagged for 20 and 30 on the 6610. Correct?

yes, it is what I am doing using Ruckus R710's Unleashed and a management VLAN for the AP's so they can talk to themselves there.
I don't know UBQ so I don't know if your controller (VM?) makes things easier if it is in the same VLAN or routed is fine and you point the AP's back to the controller (or use a DHCP option to pass that info).

IIRC dual-mode is deprecated in later OS versions. I'm currently running SW: Version 08.0.30tT7f3 and dual-mode works and did for the previous version I was running.

 

[Jason Antes]

Awesome, thanks. My 6610 is at 8.0.30T7f3. Appreciate the help from all of you.

 

[Jason Antes]

I did get this working. Setup networks 20, 30, 40 on the AP controller and assigned them to the SSID's. Created VLANs 10, 20, 30, 40 on the ICX and put them in order as: dual, tagged, tagged, tagged for the port to the AP. opnSense was configured for 10, 20, 30, 40 on the appropriate interfaces. At first it didn't work but I soon found that it was because 1 of the VE entries was missing so that VLAN wasn't talking to anything. Was my mistake and got it fixed. 10 is just for managing the AP and I am able to manage it much better than the rules and port forwards I was trying to do from 20. Thanks for the pointers.