How UniFi Blurs the Line Between VLANs and Routers

I almost think I'd rather have a standard Layer 3 switch with a straightforward configuration. When Ubiquiti introduces ambiguous terms like "corporate" and "guest" vlans, that makes networking actually harder thanks to the obfuscation of what's actually happening. I know that with a standard L3 switch, I can create a vlan, assign ports to it, assign a virtual interface to those ports if desired, enable dhcp on that interface, and add the vlan as tagged to the downlink to any other switches I'm connecting to. And then, I can look at a text config and immediately understand what's happening. That's extremely straightforward without adding a whole layer of proprietary ambiguousness.

I’m brand new to vlans and this was very helpful in understanding what’s going on. Thank you

This is the video i was looking for. Needing to set up security cam vlan. Thanks. I wish after you configure there was a GUI page that shows the virtual connection flow.

Spot on explanation and clarified some Unifi questions I needed answered.. great job!

Great explanation, cleared up an issue I was having getting out to the internet from my vlans!!!

Willie
The video cleared up some confusion. Could you followup with examples when you might create a L2 VLan. Oh the paint program needed a bit of tuning.

OMG thank you, I wish the interface had little flags to show you what device certain things belong to, because it is very confusing at times. Keep it up. Now I need to wrap my head around, firewall IN/OUT/LOCAL ... Tagged and untagged ports

You won't have to worry about that for much longer Willie. I'm running v6.0.36 and all those selections (corporate/guest/vlan/remote user vpn/ site to site vpn) have been replaced by one "add a new network" button which allows you to define all L2 and L3 components on a single page.

Hi Willie long time subscriber, Willie all makes sense, however to complete this great piece of information. Can you show how the VLAN’s can talk to each other if they are behind the firewall with Guest settings. For example if interface eth1 & eth2 have guest firewall rules running off same ruleset. What firewall settings do you use for VLAN 222 & 55 need to talk to each other? Or even down to device level across VLAN’s.

Great Video. It explained alot, and it took me a moment to understand WHY my VLANs were not getting internet access and this video helped me understand that. I would recommend What Jonathan Broom said in their previous comment: "add what unifi does and doesn't add into the clan that you might want. (DHCP server) what kind of routes it does) doesn't create and how to change them."
Still great video!!

Great video. If you really want the concept to hit home, maybe add in an example of why or what scenario one would want that.

VLAN ONLY is also used with other routers/firewalls. The normal VLAN is specially for use with USG/UDM/UXG. Also VLAN ONLY is used when combines with other brand switches or Core.

The best explanation!!! The drawing is good too

Great explanation thanks.

You confused me so much.... i finally understood it :-)
Thx

I use an Edgerouter rather than UDM or USG, but I have a unifi-Pro Gen2 switch. Can all the VLAN creation and firewalling between VLANs without resorting to EdgeOS?

Question. Do I need a unifi switch to do vlan only? I have an hp curve vlan capable switch and opnsense firewall and i can not get the AP to see the vlan at switch or router.

Fantastic once again!

HI, and what about trunk port config in the switch to enable all VLANs to be enable to use in ports that you need?

the video helped me a lot, now junt need to figure out how to crate a independent network with only internet access (without the captive portal) :D

Very clear. Thank you. So that means I could have vlan 222 connected to a different router but push vlan 222 through switches connected to a different router? For example, the AV department could run its own separate router and switches and devices, but push just that one vlan 222 through the main corporate network to send or get AV traffic to a specific room that is not on the AV networks physical network?

This was helpful

Have a UDM and for some reason I can ping from Unifi network over to ATT Modem, however can ping from ATT network to Unifi network

maybe you could add what unifi does and doesn't add into the clan that you might want. (DHCP server) what kind of routes it does) doesn't create and how to change them. This might be in another video but that's just my opinion.

Can you use VLAN 1 for routing with another vlan

It can be confusing at first and specifically if you are new to Layer 3 switches concept. But in my opinion this is no different than configuring a SVI on another layer 3 switch like cisco or avaya. Maybe the gui options is what throws people off?

I am speaking about the idea to have diferent PVIDs in a range of ports as untegged to interconect for example 2 branches througt Lan 2 Lan.

Helped.

Gotta rewatch

great video :)

So what if you only had a vendor (AT&T router), do you need them (AT&T) to set up those VLAN's on their router since I only have a unifi cloud key, switches, and AP's?

vlan only use if you have other router (mikrotik ,cisco etc) but use unifi switch or unifi ap

Hi Willie I understand how it works in Unifi but how do you block traffic between the VLAN's in Unifi?

Peplink Does this on its own too if you use the in control Service on it but Peplink when you create Plans you have to fill in your network info you have no choice but to fill in the ip range and gateway info DHCP is optional thow

Does it mean Unifi doesn't support L2 switching between VLANs? (and the only option is to assign L3 networks with routing)

Maybe I misunderstood but where does a device that only is in vlan get an IP?

So if you slapped a computer on the VLAN222 ports you would probably get a 169 address since no DHCP server would be present. If you set static IP on a computer and a printer they could see each other and do whatever they wanted but never leave that switch?

It helped but:
How can vlan 222 and vlan 55 talk to each other if you would route vlan 222 on the router as well? Arent vlans made to block traffic from each other? Or do you need a firewall rule to block them? Like, if you dont want vlan 222 and 55 to talk to each other, but both have access to the internet.
Second, if I create a vlan on the switch in L3 (eg dhcp etc), how can I let the firewall/router see that vlan? And how will this vlan get internet access if the gateway is on the switch and not the firewall?

Thanks! Very helpful!!

Its not a true layer 3 network tho is it as the switches and APs are not doing any routing.

Let me start by thanking you for your good explanations. However, I don't see a blurring of Vlans and routing (L2 & L3) here. VLANs were created for having a few to several broadcast domains on the same switch that doesn't see each other. Otherwise, we can say that VLANs by their nature blurs L2 & L3. ;~)

We can now see the true color of the back wall.

So, it works the way someone new would understand it

Maybe you can shed some light on some Vlan confusion.. with or without Unifi.
From what I understand,
a T agged port is the same as a T runk port JUSt different manufacturers.
an U ntagged network is another name for an ACCESS port as well as a NATIVE network
However I have read where some manufacturers only use NATIVE network to describe the untagged traffic of a T runk port.
UNTAGGED ports on a switch will appear to just have no VLAN but they WILL be on whatever VLAN ID that they are UNTAGGED to.
On top of this I see Netgear has a PVID that must be set to match the Vlan ID.
So, can you shed any light on this? or at least point me to your video that might already explain it..
THANKS MUCH!

shapes are your friend...