UniFi Management VLAN & Network Security

  • Published 3 Aug 2024
  • How To Setup VLANs With pfsense & UniFI 2022
  • David Bombal Video on VLAN Hopping With Cisco & Python
    ⏱️ Timestamps ⏱️
    00:00 UniFi Management VLAN
    02:14 Network Demo Setup
    03:50 How to Change management VLAN
    04:34 VLANs and UniFi Security
    #UniFi #ubiquiti #VLAN

COMMENTS • 45

  • @ripe_apple · 1 year ago · +23

    I love this content, just a regular home user learning (trying). This channel has piqued my interest; I will be taking some classes to learn about IT security..... Thanks Tom

    • @danielkirk8571 · 1 year ago · +4

      Exactly the same. If it wasn't for Tom's channel, I wouldn't have my own home lab using PfSense. I now have this with a dual WAN setup and loving the journey.

  • @LAWRENCESYSTEMS · 1 year ago · +5

    How To Setup VLANs With pfsense & UniFI 2022
    ua-cam.com/video/WMyz7SVlrgc/v-deo.html
    David Bombal Video on VLAN Hopping With Cisco & Python ua-cam.com/video/SiFyhipl57A/v-deo.html
    ⏱ Timestamps ⏱
    00:00 ▶ UniFi Management VLAN
    02:14 ▶ Network Demo Setup
    03:50 ▶ How to Change management VLAN
    04:34 ▶ VLANs and UniFi Security

  • @leefelske9999 · 1 year ago · +2

    Well, our Corp just moved into their new building and I did a full Ubiquiti network with 15 switches, 10Gb Agg Switch, UDMSE, UNVR, RPS's, Access Controls, APC security and Audio in a MDF/IDF setup with fiber backbones and a second rack of servers. I used a management network, system network, VOIP network, Camera Network, IoT Network, and Guest Network. The 6 networks definitely helped split the traffic with over 500 endpoints total so far... I wouldn't have wanted my network device IPs mixing at all with my systems and servers. It was an extremely smooth installation as I laid it out from drawings, and configured most of the equipment before the move, installed over Memorial Day weekend and built out the network racks/APs/Cameras/VOIPs etc and tested and then moved the servers 2 and 3 days before we moved the offices in. It was a blast configuring and setting up... I wouldn't have mixed the VLANs for anything.

  • @pipesmoker70 · 1 year ago · +3

    Asked this some days ago on a live stream - and here it is! MANY THANKS!👍

  • @techfunnels · 1 year ago · +3

    One of the best walkthroughs on UA-cam 🙏🏼

  • @pageb018 · 1 year ago · +1

    I recently did this to clear up some more statics on my main lan. As Tom says, it was pretty painless. Thanks for another great video!

  • @allandresner · 1 year ago · +3

    I have hired LS before and I can highly recommend them!

  • @michnl1772 · 1 year ago

    This is what i was looking for !! Thanks for sharing Tom!

  • @DavidCNavas · 8 months ago · +1

    This is an interesting topic to me that I'm just starting to play with. I'm going to need a lot more information :)
    I have a mix of equipment (not all Unifi). Don't even get me started on what you need to do to change the management vlan on a netgear switch (pvid vs untagged headache).
    I had a lot of trouble changing the management vlan on a unifi AP, and that's because once I did, the controller is now not in the same network. You've probably covered it elsewhere, but definitely point people to something that covers that. I'm using Option 43, but of course I set that up a year ago, and I had to rediscover it. It's not just that you need traffic routed between networks, the device needs to know in what network the controller can be found. Maybe that just automagically happens in an all-unifi deployment?
    There seem to be a lot of different options to deal with the default vlan, and I'm honestly not informed enough to know why one is better than the other. Do I change the native vlan on trunks? Should I not route the default vlan /at all/? Should I change the default vlan into a guest vlan dumpster fire and pretend to any guest that there aren't any vlans at all, or is that the opposite of a good idea and I should blackhole default?
    Does any of this make any difference without proper 802.1x support?
    Does unifi have a way to indicate that "unknown" mac addresses for their "Radius MAC Authentication" feature are dumped into some "default" (not -the- default) vlan?

  • @salvadorviveros3858 · 1 year ago · +2

    Great content. Keep it coming

  • @scbtripwire · 1 year ago

    Booya! Sounds like I segregated my VLANs correctly ! I was just wondering about exactly this subject!

  • @LordApophis100 · 1 year ago · +2

    Never thought about that! Thanks, but now I have to redo my home networks... again. Always learning something new on your channel I can try and apply.

  • @jamesa4958 · 1 year ago

    Thank you

  • @perryuploads776 · 1 year ago · +2

    It is called default VLAN 1, not native VLAN. Native VLAN is a term used when trunking. Native VLAN is used for management traffic/protocols in a trunk. It is recommended to use another VLAN for native because the default VLAN cannot be changed. It is always 1. If you put the native VLAN on 1, then it means every device connected on the default VLAN can transfer over the trunk line. Most offices are using an untagged port with a VLAN port, so VLAN 1 cannot be exposed.

  • @not2tired · 1 month ago

    3:56 June 2024 - I don't see the "Services" tab in "Options" on any of my unifi devices. I'm wondering if "Management VLAN" has been renamed and/or relocated in a Unifi OS update? Your content is always very helpful. Thanks!

  • @Foiliagegaming · 1 year ago · +1

    Big brain: put every single device on its own vlan. 100 devices, 100 vlans. Boom lol

  • @NesleinOb · 1 year ago

    Thanks for your informative videos - greatly appreciated. Do you have a video on how to set up an Ubuntu server with 2 NICs… one for management purposes and the other for the services? Thanks

    • @LAWRENCESYSTEMS · 1 year ago

      Check out www.youtube.com/@learnlinuxtv for Linux tutorials

  • @FHTheron · 1 year ago

    I was about to try this “because I can”, not “should”. I just still need to convince myself that re-adopting an AP is not going to be a massive hassle. Not that I’ve ever had to do that, but still. A new Wifi 6 AP is more likely.

  • @stentoft7600 · 1 year ago · +4

    192.168.1.x all unifi hardware
    192.168.10.x main wifi
    192.168.2x.x gaming
    10.10.x.x IOT
    Every network is a guest network and the port for gaming is isolated on the switch.

  • @gregcandido4330 · 1 year ago · +1

    Typically I put all my MSP clients' WiFi on VLAN 2 and VoIP devices on VLAN 10.
    I keep all my workstations/laptops as untagged. Should I be looking to move my clients workstations to a dedicated VLAN?

  • @andylauriewalmsley6102 · 1 year ago · +1

    Thanks, great video.

  • @mvp_kryptonite · 1 year ago · +1

    First
    Thanks for the video. I moved my normal network from VLAN 1 as I couldn’t tag it and now I have all my services working (still waiting for mDNS reflector). I ought to ditch the management SSID as I never use it but at least it’s paused

  • @dblclick · 1 year ago

    I love this, but I'm having an issue with IPv6 on a VLAN trunk. I configured a Guest Network, VLAN 10, and assigned it a static IPv4 interface; IPv6 was set to Track Interface "WAN". DHCP6 shows only a WAN at the top of the page, and when I connect to the source of the VLAN I only get an IPv4 DHCP address. Is there something different for IPv6 we should know?

  • @jeffofla · 1 year ago · +2

    Does adding a VoIP Vlan slow throughput on the Vlan1?

    • @LAWRENCESYSTEMS · 1 year ago · +7

      VLANs all share the same physical connection so it does not slow it down or speed it up. It all remains the same

  • @ifneeded1 · 1 year ago · +1

    Are you trying to say that pruning the VLAN trunks is more secure than segregating devices off of VLAN 1?

  • @lisandromarote · 1 year ago

    Why not just change the native VLAN like Cisco? Is it possible to do this in UniFi?
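Added example, written for this page and not taken from the video or from any commenter: a small Python audit over a constructed switch port table that checks the points raised in @perryuploads776's comment (native VLAN vs the fixed default VLAN 1) and in the trunk-pruning and native-VLAN questions above. Port numbers, the "client/uplink/infra" roles and the VLAN numbers 10, 20, 99 and 999 are assumptions for the sample, not anything from a real deployment.

```python
from dataclasses import dataclass, field

DEFAULT_VLAN = 1   # exists on every switch and cannot be removed, so nothing should live on it
ALL = "all"        # marker for a trunk that carries every VLAN (i.e. not pruned)

@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    native_vlan: int                           # the untagged VLAN on the port
    tagged: set = field(default_factory=set)   # tagged VLANs on a trunk, or {ALL}
    role: str = "client"                       # "client", "uplink" or "infra" (AP/switch)

def audit_port(p: Port, mgmt_vlan: int) -> list:
    """Return the findings for one port; an empty list means the port is clean."""
    f = []
    if p.mode == "trunk":
        if p.native_vlan == DEFAULT_VLAN:
            f.append("trunk native VLAN is still the default VLAN 1")
        if ALL in p.tagged:
            f.append("trunk is not pruned (carries every VLAN)")
        elif mgmt_vlan in p.tagged and p.role == "client":
            f.append(f"management VLAN {mgmt_vlan} is tagged toward a client")
    else:
        if p.native_vlan == DEFAULT_VLAN and p.role == "client":
            f.append("client is untagged on the default VLAN 1")
        if p.native_vlan == mgmt_vlan and p.role == "client":
            f.append(f"client sits on the management VLAN {mgmt_vlan}")
    return f

def audit(ports: list, mgmt_vlan: int) -> dict:
    """Map port name -> findings; adds a '_global' entry while management is still VLAN 1."""
    report = {p.name: audit_port(p, mgmt_vlan) for p in ports if audit_port(p, mgmt_vlan)}
    if mgmt_vlan == DEFAULT_VLAN:
        report["_global"] = ["management VLAN is still the default VLAN 1"]
    return report

# Constructed sample: the same four-port switch before and after the thread's advice.
BEFORE = [Port("1", "trunk", 1, {ALL}, "uplink"),
          Port("2", "trunk", 1, {ALL}, "infra"),      # access point
          Port("3", "access", 1),                     # laptop left on VLAN 1
          Port("4", "access", 10)]
AFTER = [Port("1", "trunk", 999, {10, 20, 99}, "uplink"),  # 999: unused native VLAN
         Port("2", "trunk", 99, {10, 20}, "infra"),        # AP managed on VLAN 99
         Port("3", "access", 20),
         Port("4", "access", 10)]

if __name__ == "__main__":
    print("before:", audit(BEFORE, mgmt_vlan=1))
    print("after: ", audit(AFTER, mgmt_vlan=99))   # prints "after:  {}"
```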

  • @motdde · 1 year ago

    This has been giving headaches all day. How do you set management VLAN on the new UI? I realised USW Flex Mini goes offline when I change the management VLAN to anything but VLAN 1.

  • @tabascocrimson7865 · 1 year ago

    Most of the time when I talk to people about CLEARING clients off LAN1 they look at me with a ? mark on their faces... The thing is, lots of "professionals" are leaning their recommendations on their "experience" and consultants are cheaping out on hardware. I've seen small business routers getting crushed by inter-VLAN I/Os. Maybe this can explain why this rule is sometimes overlooked or ignored.

  • @bani_niba · 1 year ago

    Hi Tom, love your channel. Can you make a video showing how to add MFA to PfSense itself, using FreeRadius+OpenVPN-export (or any other easier method)? There's only one YT video on that topic but it's not very well done.

  • @bradsmith8489 · 1 year ago

    Tried to watch but for some reason the video does not load and play (2022.08.24 11:55 PDT).

  • @Cy_Ebono · 1 year ago

    I have a unifi switch connected to my cheap Spectrum router that does do VLANs. I created a network on VLAN 20, created a port profile with VLAN 1 as native. As soon as I assign that port profile to the port connected to my laptop, I lose network connectivity. I am trying to understand why this is happening, and I can ping other networks that I had set up within the switch. Can someone please help answer these questions for me? I only have a unifi switch, cloud key and my Spectrum router.

    • @enmanuel7112 · 1 year ago · +1

      you need a router that supports vlans, and the cheapo isp router won't do

  • @EricWieber-mi9yj · 1 year ago

    Is it possible for hackers to hijack your AP and get your SSID?

    • @LAWRENCESYSTEMS · 1 year ago

      I am not aware of any flaws in their system that would allow that.

  • @StefanHolmes · 1 year ago

    I follow infosec people on Twitter. VLANs are not an obstacle to red teamers.

  • @forgotten893 · 7 months ago

    Why you're right: You just are. Why you're wrong: You just aren't.

  • @QSFPTEK_official · 1 year ago

    Let’s make a video of optical modules together, we sincerely invite you to cooperate with us, we have 10 years of experience in optical module sales and are a trustworthy company, looking forward to your reply~

  • @TechySpeaking · 1 year ago · +1

    First

  • @pepeshopping · 1 year ago · +1

    Nah. Once you have an intruder ANYWHERE in your network, a VLAN will not stop them from moving around!
    It's more or less trivial to make custom packets to hop around any VLAN, so again, VLANs are more for broadcast separation and network design than security.

    • @MT-yo3mg · 1 year ago · +4

      I disagree. Yes, there are exploits but also possible mitigations. Every layer of security helps, even if not flawless. Of course, ultimately, everything can be broken. VLANing is not THE solution, but should be part of an over-arching, architectural design.

    • @jameswhite1910 · 1 year ago · +1

      Gotta agree with @MT83. Your network security is like peeling an onion. One of the pieces is VLANs. Another is having a lock on the front door. Your magic packet may bypass a VLAN - but how did you get it onto the network in the first place - you had to bypass several OTHER layers (each with their own risks) first.
      In the end, you can ALWAYS drive a bulldozer through a brick wall into a server room and plug a cable into a trunk port (unless you have only SSH traffic on all ports) - but security is based on layers and needs to balance cost, efficiency and actual risk of attack.
      A real attack on, say, the Pentagon means you must traverse hundreds of millions of dollars worth of "layers". While you can't afford that in your business, you can be about 90% as safe by following simple rules such as VLAN segregation and SSH.