I did think of speed testing initially, then decide not to include it in the series, because it seems L3 inter vlan routing can be handled by the pro switches effortlessly, especially if we are just talking about 1GbE ports.
:facepalm: I forgot about vlan 4040! Derp! As of writing, my USW Pro Max 16 didn't show it's IP information for the VLAN4040 setup, but manually setting the values like yours totally allowed everything to work finally. I'll have a stiff one for you later.
First off my network skills are poor and introducing L3 into *sense* firewalls was breaking my brain. These videos are absolutely INCREDIBLE as I've been debating whether or not to use the L3 functions of my switch for cross vlan routing and being able to isolate my servers. You even started from a scratch config on all devices, this is SO WELL DONE my friend. However I keep hearing of ACL dropping config on reboot. I haven't even looked into the ACL portion to see what parameters are possible to block vlans from communicating with each other but if the config does not come back up....is there even a point to using L3? I'm so excited for these videos and yet so dismayed at the same time. Please tell me we can use ACL between vlans and the settings will keep after a reboot? This has to be a bug and priority number one for Ubiquity right? It makes no sense. Can we just load config from backup if the switch goes down?
Unfortunately nothing has changed about ACL: your config will be lost after reboot. Ubiquiti never publish their roadmaps so I have no idea whether ACL will be supported at all in the future.
@hz777 Well I'm going to use L2 for now then. When ACL are implemented I am coming back to this video and I will leave some $ for a coffee. Thank you so much for such a well thought out video series.
@RifatNabi Thanks a lot for alls the work you put in your videos. Especially the L3 Switching is of great interest for me. What I have not understood so far is how the Unifi Controller is connected to your switch? Is it a cloud controller, or hosted as vm on the same device as the PF Sense?
ok, thanks! Could it also be achieved with a local controller? I do use an express and in the moment it is situated between Firewall and USW-Pro-May-16 PoE. Default and Inter Clan 4040 networks reside on Unify express whereas the other VPNs I manage to setup on the usw.
This series of videos is about pfSense. If you use Unifi gateways which come with unifi controllers, the situation will be different and much more simpler. Everything is simply supported out of box. Having said that, I don't own an express so not sure where anything will be special.
Thank you for the video! I finally understood UniFi‘s implementation of L3 routing. One question: do you know, if the switches support some kind of ACL‘s? Of course, when traffic is being routed by pfSense, I can apply firewall rules there. But what I want to know: when I’m creating 2 VLAN‘s on the switch, can I create firewall rules between those? Can I restrict traffic between those VLAN‘s?
Yeah also a good a video. But sadly just highlights that UniFi L3 switches are pretty much pointless. The main reason you create VLANs is to restrict traffic between them 😂
for pfsense to l3 switch port config what is it set to? All or a custom profile with all the tag vlans? For some reason I don't have the all profile anymore
Thank you for another great video. Could you please share where we can learn those CLI commands from Unifi gears? They look very similar to Cisco commands. Thanks again.
google "ubiquiti edge cli pdf", you should be able to find the official document from Ubiquiti about CLI for the edge switches (the old versions, before unifi switches). Please note it seems Ubiquiti never officially mentioned the existence of those CLI commands in UniFi switches, which means they not really officially supported and may change any time in the future.
Do we still have no ACL support (official) between two vlans on unifi? so even in the case of a guest network, how to prevent all vlan to vlan traffic in unifi?
Man, this config save problem is a show stopper. With no ACLs working, why should I use the L3 functions? Better to leave devices on same VLAN or use pfsense as the router on a spoke...
Thanks for very nice guide, but I'm confused I have usw enterprise 8 poe and opnsense as a dns, dhcp server. And I was thinking that I can: optimize network communication between devices using L3, don't stress the opnsense server and play around these Vlans, separate things etc... but before doing anything, my traceroutes are direct to any LAN/WLAN device. I know that with Vlans I could isolate IoT devices etc (which to be honest could be already filtered on unbound dns blacklist) What I'm missing/not understanding there? tracert 192.168.1.239 Tracing route to 192.168.1.239 over a maximum of 30 hops 1
I remember looking at doing this a year or two ago and people were saying that Ubnt Level 3 switching wasn't persistent across switch reboots, so if you rebooted the switch it would undo all the configuration. Has this been fixed?
Your videos are really useful and give all the required information on the topic you're discussing. Thanks.
Thanks! Have a coffee on me. You are probably one of the most underrated content creator I watch. Keep up the good work 👍.
Amazing, dude! Thank you so much for doing these series and everything else you've done on your channel! 🙏🏻
Thanks for the video!
A speed test of layer 3 routing within the switch might be interesting.
I did think of speed testing initially, then decide not to include it in the series, because it seems L3 inter vlan routing can be handled by the pro switches effortlessly, especially if we are just talking about 1GbE ports.
:facepalm: I forgot about vlan 4040! Derp! As of writing, my USW Pro Max 16 didn't show it's IP information for the VLAN4040 setup, but manually setting the values like yours totally allowed everything to work finally. I'll have a stiff one for you later.
great info. Looking forward to the next video.
Great work, dude! I was stuck and you just showed me the way! Thanks a lot!
First off my network skills are poor and introducing L3 into *sense* firewalls was breaking my brain. These videos are absolutely INCREDIBLE as I've been debating whether or not to use the L3 functions of my switch for cross vlan routing and being able to isolate my servers. You even started from a scratch config on all devices, this is SO WELL DONE my friend.
However I keep hearing of ACL dropping config on reboot. I haven't even looked into the ACL portion to see what parameters are possible to block vlans from communicating with each other but if the config does not come back up....is there even a point to using L3? I'm so excited for these videos and yet so dismayed at the same time. Please tell me we can use ACL between vlans and the settings will keep after a reboot? This has to be a bug and priority number one for Ubiquity right? It makes no sense.
Can we just load config from backup if the switch goes down?
Unfortunately nothing has changed about ACL: your config will be lost after reboot. Ubiquiti never publish their roadmaps so I have no idea whether ACL will be supported at all in the future.
@hz777 Well I'm going to use L2 for now then. When ACL are implemented I am coming back to this video and I will leave some $ for a coffee. Thank you so much for such a well thought out video series.
Very Well done, saved my deployment.
@RifatNabi Thanks a lot for alls the work you put in your videos. Especially the L3 Switching is of great interest for me. What I have not understood so far is how the Unifi Controller is connected to your switch? Is it a cloud controller, or hosted as vm on the same device as the PF Sense?
Either way you described works. There is no special requirement when it comes to network controllers.
ok, thanks! Could it also be achieved with a local controller? I do use an express and in the moment it is situated between Firewall and USW-Pro-May-16 PoE. Default and Inter Clan 4040 networks reside on Unify express whereas the other VPNs I manage to setup on the usw.
This series of videos is about pfSense. If you use Unifi gateways which come with unifi controllers, the situation will be different and much more simpler. Everything is simply supported out of box. Having said that, I don't own an express so not sure where anything will be special.
Thank you for the video! I finally understood UniFi‘s implementation of L3 routing. One question: do you know, if the switches support some kind of ACL‘s? Of course, when traffic is being routed by pfSense, I can apply firewall rules there. But what I want to know: when I’m creating 2 VLAN‘s on the switch, can I create firewall rules between those? Can I restrict traffic between those VLAN‘s?
Yes. Just search acl in my channel. But don’t raise your hope too high, because the settings won’t survive reboot.
Yeah also a good a video. But sadly just highlights that UniFi L3 switches are pretty much pointless.
The main reason you create VLANs is to restrict traffic between them 😂
for pfsense to l3 switch port config what is it set to? All or a custom profile with all the tag vlans? For some reason I don't have the all profile anymore
Yeah, not too long ago Ubiquiti changed the port profile part in network controller. "Default" works for me.
@@hz777 Thanks, for some reason when I us default it stops routing ai had to create a profile and add the networks
Excellent video !!!
Verrrrrrrry well done!
Thank you so much for this!!!!
Why can't pfsense manage DHCP with L3 routing? oh, that might be in the last video. :D
Thank you for another great video. Could you please share where we can learn those CLI commands from Unifi gears? They look very similar to Cisco commands. Thanks again.
google "ubiquiti edge cli pdf", you should be able to find the official document from Ubiquiti about CLI for the edge switches (the old versions, before unifi switches). Please note it seems Ubiquiti never officially mentioned the existence of those CLI commands in UniFi switches, which means they not really officially supported and may change any time in the future.
Thx for sharing. Liked + Abo
Thanks for the video!!
Can we run L3 switching with 2 Aggregations together? One the main one and the other the secondary (for redundancy)?
They will be equal: no master-slave, no primary-secibdary, no main-backup.
@@hz777 but how the DHCP-SERVER will work on both?
Each L3 Switch runs its own DHCP server
Do we still have no ACL support (official) between two vlans on unifi? so even in the case of a guest network, how to prevent all vlan to vlan traffic in unifi?
Nope! Still not there.
Man, this config save problem is a show stopper. With no ACLs working, why should I use the L3 functions? Better to leave devices on same VLAN or use pfsense as the router on a spoke...
The default gateway for vlan4040 is 10.255.253.1, what about 10.255.253.2?
2 is for the UniFi switch, 1 is for pfsense.
Thanks for very nice guide, but I'm confused
I have usw enterprise 8 poe and opnsense as a dns, dhcp server.
And I was thinking that I can: optimize network communication between devices using L3, don't stress the opnsense server and play around these Vlans, separate things etc...
but before doing anything, my traceroutes are direct to any LAN/WLAN device.
I know that with Vlans I could isolate IoT devices etc (which to be honest could be already filtered on unbound dns blacklist)
What I'm missing/not understanding there?
tracert 192.168.1.239
Tracing route to 192.168.1.239 over a maximum of 30 hops
1
Are your devices in the same VLAN?
@@hz777 yes, they are in same VLAN, but it doesnt matter. I mean if I don't touch any network/vlan settings anyway I get direct tracert
If they are in the same VLAN, the traffic won't go to the router. Yes, it matters in fact.
@@hz777 But when I haven't configured anything yet, they are in same (default) network and I get direct connection without router
The default network is just a special VLAN. As long as the devices are in the same VLAN, their communications won't go via router.
I remember looking at doing this a year or two ago and people were saying that Ubnt Level 3 switching wasn't persistent across switch reboots, so if you rebooted the switch it would undo all the configuration. Has this been fixed?
Not aware of such thing. If the changes are done through UniFi controller, how can they not be persistent?
Can you setup traffic rules between the vlans on the unifi ?
You mean pfsense firewall rules for the unifi vlans? No, because pfsense is not aware of their existence.