This is a fantastic video. One thing I really like about EdgeOS though that I hope Unifi adopts, is when you make a change in the Config Wizard section of the GUI, it tells you the exact commands that it's applying
Yes, I wish so as well, however in reality for switches it's technically possible in most cases but for routers it's impossible due to missing a CLI backend.
Having UniFi gear is both great and frustrating. Another half-baked piece of functionality. But at least we can do something at layer 3 now. Let's hope they add the direction piece. Thanks for doing the video on this, much appreciated!
I really appreciate all your videos! You do an amazing job of running all sorts of examples. Please Keep Up The Good Work! Thank You! I think a fun and informative video to do would be on how Firewall Rules, ACL (on Layer 3 Switches), AND Client Device Isolation interact with each other. . . . Unifi has in the last month or so introduced basic ACL controls in the controller - (I am hoping they increase the detailed control to be more like the firewall rules). Correct me if I am wrong, but it seems like between those 3 ways we are able to 'manage' traffic on our networks that it depends on what device the packets touch on their journey through our unifi networks. For example, Firewall rules are ignored if the packets ONLY traverse the layer 3 switch. Could the same be said for ACL rules if: 1) We have 2 VLANs set up on 2 different Networks; 2) Both VLANs are accessible via the Access Point; 3) ACL's are established on the layer 3 switch that won't allow the VLANs to talk to each other; 4) Client Device Isolation on the AP is NOT enabled; 5) The AP is connected to the layer 3 Switch. If I connect to one of the VLANs via the AP and I want to connect to another device on the OTHER VLAN that is also connected to the AP, would the devices still be able to talk to each other?
Wow! Thank you Greg for contributing the idea! I have also been thinking about a video to talk about firewall rule vs. L3 ACL vs. L2 ACL vs. wireless isolation. But I still need to work on a video regarding the L2 ACL, then to see whether Ubiquiti will release new ACL features in coming releases. Regarding the scenario described by you, let me do some testing before answering just based on the simulation in my mind:)
I set up a test environment and validated what I thought: the ACL isolation still works for the two wifi clients. Setup: - one L3 swtich - two VLANs managed by the switch: 66 and 88 - L3 isolation is enabled between 66 and 88 using ACL - one AP - two SSIDs for VLAN 66 and 88 respectively - client isolation is not enabled on AP - wifi client 1 connected to the SSID for VLAN 66 - wifi client 2 connected to the SSID for VLAN 88 Test: - ping client 2 from client 1 Result: - not reachable Analysis: - because the two clients are on two VLANs, the network traffic has to go to the switch - the switch has the ACL rules - the AP does not have the ACL rules, but it does not matter.
@@hz777 Here is a slight twist - rather than using: - two SSIDs for VLAN 66 and 88 respectively . . . use: - "ONE" SSID, and then use Private Pre-Shared Keys to define which device goes to which vlan! Would this change things?
I tried this function since days ago. I found sometimes enable blocking takes a couple of hours to take effect. Users complain the vlan is not accessible after half day after I ticked it. But remove blocking was immediate.
13:29 This hardly depends who is the gateway for the specific VLAN right? I mean, if the Router or the Switch is like the Gateway (IPAdress *.*.*.1), or the DHCP Server which hands out the IPs?
@mcury85 Let me guess… they will follow Apple, and ivory white and space gray rackmount switches are coming :) My only wish is they upgrade the aggregation pro to support 100GbE. But based on their previous unsuccessful and unreleased one, it won’t be affordable.
At the 4:14 mark (czcams.com/video/vplCxMkSg_0/video.html) . . . where you create the "Firewall Rule" to block traffic from 66 to 88, is it possible the reason the firewall rule is ignored is that for those vlans the switch is selected as the gateway? If you were to select the Router as the gateway (on one . . . or both???) of the vlans (66 and/or 88), would the firewall rule then be respected then? (((For clarification, Can I assume that for vlan 66 and 88 that "L3 Network Migration" was selected, and that it was not for the other vlans?)))
right, the firewall rule at 4:14 will never be effective because there won't be that type of traffic going through uxg-pro. If one or two of the vlans are managed by uxg-pro, yes, the firewall rule will be effective. Regarding "L3 Network Migration", it's for different purpose instead of firewall. In fact, I have never used "L3 Network Migration". What it is supposed to do is to change the router for that vlan from gateway to L3 swtich.
@@hz777 I have been confused by that "L3 Network Migration" option for some time and I am guessing that others are too. I don't understand why selecting "L3 Network migration" would change the router for that vlan from the gateway to the L3 switch . . . I can do that already in the "Router" dropdown menu above that link even without selecting the "L3 Network Migration" link/option. I guess I still don't understand what that "L3 Network Migration" link is for. I selected it once and it was a mess . . . my topology was ALL messed up - it ended up putting my switch above my UDM pro and clients were connected in places that they were not actually connected. I have NO idea why anyone would select this option! Maybe it would be good to mention it in future videos that "L3 Network Migration" was never selected as part of your setup. I think that would be very helpful to others - your videos are already SO good . . . I don't want to make them harder for you to make - this is just a suggestion.
@Greg.M I GUESS the "L3 Network Migration" does more than simply changing the router option for the VALN. It may change firewall rules to ACL,... When I have time, I will look into it, and if I find anything interesting, I may come up with a video :)
HI, coould you do some experiment and try to use 2 different unifi networks with ex. UDM PRO on each network and try to configure intervilan to access ex. VLAN10 in one network from VLAN 20 in other UNIFI network? This scenario assume that UDM PROs are connected via LAN not WAN example two buldings two commpanies has UNIFI network and want to share some IT resources between them. They want very fast connetion so they want 2x 10Gbit\s LACP but their Internet WAN is verry slow. Is it even possible to achieve?
Two unifi routers on the same lan is problematic... Udm pro does have two wan ports, have you considered using the other wan port and configure routing between the two udm pros?
Yes, as in my first reply (which was deleted by me later), what you need is simply routing between two routers, so any router should do. The only problem is the requirement about "through lan".
This is a fantastic video. One thing I really like about EdgeOS though that I hope Unifi adopts, is when you make a change in the Config Wizard section of the GUI, it tells you the exact commands that it's applying
Yes, I wish so as well, however in reality for switches it's technically possible in most cases but for routers it's impossible due to missing a CLI backend.
Having UniFi gear is both great and frustrating.
Another half-baked piece of functionality. But at least we can do something at layer 3 now. Let's hope they add the direction piece.
Thanks for doing the video on this, much appreciated!
I really appreciate all your videos! You do an amazing job of running all sorts of examples. Please Keep Up The Good Work! Thank You!
I think a fun and informative video to do would be on how Firewall Rules, ACL (on Layer 3 Switches), AND Client Device Isolation interact with each other.
. . . Unifi has in the last month or so introduced basic ACL controls in the controller - (I am hoping they increase the detailed control to be more like the firewall rules). Correct me if I am wrong, but it seems like between those 3 ways we are able to 'manage' traffic on our networks that it depends on what device the packets touch on their journey through our unifi networks. For example, Firewall rules are ignored if the packets ONLY traverse the layer 3 switch. Could the same be said for ACL rules if:
1) We have 2 VLANs set up on 2 different Networks;
2) Both VLANs are accessible via the Access Point;
3) ACL's are established on the layer 3 switch that won't allow the VLANs to talk to each other;
4) Client Device Isolation on the AP is NOT enabled;
5) The AP is connected to the layer 3 Switch.
If I connect to one of the VLANs via the AP and I want to connect to another device on the OTHER VLAN that is also connected to the AP, would the devices still be able to talk to each other?
Wow! Thank you Greg for contributing the idea!
I have also been thinking about a video to talk about firewall rule vs. L3 ACL vs. L2 ACL vs. wireless isolation. But I still need to work on a video regarding the L2 ACL, then to see whether Ubiquiti will release new ACL features in coming releases.
Regarding the scenario described by you, let me do some testing before answering just based on the simulation in my mind:)
I set up a test environment and validated what I thought: the ACL isolation still works for the two wifi clients.
Setup:
- one L3 swtich
- two VLANs managed by the switch: 66 and 88
- L3 isolation is enabled between 66 and 88 using ACL
- one AP
- two SSIDs for VLAN 66 and 88 respectively
- client isolation is not enabled on AP
- wifi client 1 connected to the SSID for VLAN 66
- wifi client 2 connected to the SSID for VLAN 88
Test:
- ping client 2 from client 1
Result:
- not reachable
Analysis:
- because the two clients are on two VLANs, the network traffic has to go to the switch
- the switch has the ACL rules
- the AP does not have the ACL rules, but it does not matter.
@@hz777 Out standing! Thanks for doing the test.
@@hz777 Here is a slight twist - rather than using:
- two SSIDs for VLAN 66 and 88 respectively
. . . use:
- "ONE" SSID, and then use Private Pre-Shared Keys to define which device goes to which vlan!
Would this change things?
@@Greg.M I don't think you can have two vlans for an ssid
You have to change the firewall rule from 88 to 66 (you define 66 to 88)
Change it and it works
Do you mean when 66 and 88 are managed by L3 Switch instead of router, firewall rules work???
I tried this function since days ago. I found sometimes enable blocking takes a couple of hours to take effect. Users complain the vlan is not accessible after half day after I ticked it. But remove blocking was immediate.
That's strange because as soon as the changes are provisioned to the switch, they should be effective right away.
13:29 This hardly depends who is the gateway for the specific VLAN right? I mean, if the Router or the Switch is like the Gateway (IPAdress *.*.*.1), or the DHCP Server which hands out the IPs?
What is the context for the questions? I cannot find it at 13:29...
There are rumors that new switches will be launched later this year..
G3?
@@hz777 I think so, Lawrence system made a comment about it.. no details given.
@mcury85 Let me guess… they will follow Apple, and ivory white and space gray rackmount switches are coming :)
My only wish is they upgrade the aggregation pro to support 100GbE. But based on their previous unsuccessful and unreleased one, it won’t be affordable.
@@hz777 I want a new 8 ports enterprise, without cooler :)
At the 4:14 mark (czcams.com/video/vplCxMkSg_0/video.html) . . . where you create the "Firewall Rule" to block traffic from 66 to 88, is it possible the reason the firewall rule is ignored is that for those vlans the switch is selected as the gateway?
If you were to select the Router as the gateway (on one . . . or both???) of the vlans (66 and/or 88), would the firewall rule then be respected then?
(((For clarification, Can I assume that for vlan 66 and 88 that "L3 Network Migration" was selected, and that it was not for the other vlans?)))
right, the firewall rule at 4:14 will never be effective because there won't be that type of traffic going through uxg-pro.
If one or two of the vlans are managed by uxg-pro, yes, the firewall rule will be effective.
Regarding "L3 Network Migration", it's for different purpose instead of firewall. In fact, I have never used "L3 Network Migration". What it is supposed to do is to change the router for that vlan from gateway to L3 swtich.
@@hz777 I have been confused by that "L3 Network Migration" option for some time and I am guessing that others are too.
I don't understand why selecting "L3 Network migration" would change the router for that vlan from the gateway to the L3 switch . . . I can do that already in the "Router" dropdown menu above that link even without selecting the "L3 Network Migration" link/option.
I guess I still don't understand what that "L3 Network Migration" link is for.
I selected it once and it was a mess . . . my topology was ALL messed up - it ended up putting my switch above my UDM pro and clients were connected in places that they were not actually connected. I have NO idea why anyone would select this option!
Maybe it would be good to mention it in future videos that "L3 Network Migration" was never selected as part of your setup.
I think that would be very helpful to others - your videos are already SO good . . . I don't want to make them harder for you to make - this is just a suggestion.
@Greg.M I GUESS the "L3 Network Migration" does more than simply changing the router option for the VALN. It may change firewall rules to ACL,... When I have time, I will look into it, and if I find anything interesting, I may come up with a video :)
@@hz777 Ok. Thank You.
HI, coould you do some experiment and try to use 2 different unifi networks with ex. UDM PRO on each network and try to configure intervilan to access ex. VLAN10 in one network from VLAN 20 in other UNIFI network? This scenario assume that UDM PROs are connected via LAN not WAN example two buldings two commpanies has UNIFI network and want to share some IT resources between them. They want very fast connetion so they want 2x 10Gbit\s LACP but their Internet WAN is verry slow. Is it even possible to achieve?
Two unifi routers on the same lan is problematic... Udm pro does have two wan ports, have you considered using the other wan port and configure routing between the two udm pros?
@@hz777 VLAN 4040 is intervilan routing in unifi right? So teoreticaly it can be done via LAN. Static route etc?
The problem is still one vlan 4040 but two routers connected via lan. Idk...
@@hz777 edge roter?
Yes, as in my first reply (which was deleted by me later), what you need is simply routing between two routers, so any router should do. The only problem is the requirement about "through lan".