Unifi on Vlans/subnets
OK. Unifi is great but I have one large criticism.
It's a pile of s*** when you don't just have a flat network.
I keep reading up on it and there are multiple workarounds, the majority aren't helpful, including daft suggestions like moving DCs, DHCP servers, etc.
Is there something simple I'm missing?
Everything's vlanned up, servers on one, wifi clients on another, APs and switches on one subnet (not vlanned, just on default obviously).
The gist seems to be you can't have the controller on a separate vlan/subnet from the points, which is ridiculous. Any help available on this? Ubiquiti's site is clear as mud.
Originally Posted by synaesthesia
We have standard and pro APs set up to offer multiple SSIDs in multiple VLANs - our NM didn't seem to have much of a problem, and reckons these are a whole lot simpler to configure to do that than the procurve stuff we had before.
We have the APs in the same VLAN as the server, and then the SSIDs are on different VLANs (School, BYOD, Staff).
This isn't about SSIDs in vlans though - that is easy. It's about actually getting the points to speak to the server in the first place! I'm sure as f*** not putting DHCP on our servers VLAN.
Use RADIUS to achieve dynamic VLAN assignment? APs are on a single network, clients get shifted to the relevant network upon connecting.
Points will always speak to the server providing there is a default gateway setup, and the point knows the servers address.
For the points to know that address they must first get an address.
DHCP using only reservations, or static IP's - they are your only options tbh.
Just had to do that, annoyingly. Will give them statics afterwards. Seems very OTT for such a simple job.
One further question:
I assume the "gateway" in the AP's options is for the networking gateway? (i.e. in this case that vlan's gateway address) and absolutely NOT the IP of the unifi controller?
Nope, this is still not playing ball.
So, as I type this I have 3 unifi points connected and speaking to my controller. To do this, I enabled DHCP on that vlan to get them an IP address. That enabled the controller to see them and allow me to set them up.
I have given them a static IP, which is fine. However, clients don't get an IP as they're not on the right VLAN.
Move them to the right vlan and no connectivity. The core switch can ping them (which is what they're currently plugged into). Routing is working.
The controller is sitting on the servers vlan (100).
The default management vlan across the site is vlan 1.
The wifi clients vlan is 105.
If it matters, the cores are HP Procurve 5406. Currently, the APs on the Servers VLAN ping fine.
If I do as the documentation clearly states and UNTAG them for vlan 1 whilst TAGGING them for vlan 105, I can no longer speak to them.
The servers are absolutely able to speak to other devices on VLAN1.
They are able to speak to other devices on the WiFi vlan.
They are however unable to speak to the unifi APs.
They have 2 ssids both tagged in the controller options for vlan 105.
Nothing speaks to anything.
OK - this is how I have our Ruckus system working at this end.
Lets use port 1 as the AP, port 24 as the uplink to my core switch.
APs are on the networks VLAN (15 in this example)
Clients are put onto VLAN 200 and VLAN 300 by RADIUS
Port 1 is untagged to the local network VLAN 15
Port 1 is tagged to VLAN200 and VLAN300
Port 24 is tagged on VLAN15, VLAN200 and VLAN300
Receiving port on the core switch is tagged on VLAN15, VLAN200 and VLAN300
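To put the port layout above into switch syntax, here is an added example (not the poster's own configuration) written in HP ProCurve CLI, since the core switches in this thread are ProCurve. It uses the VLAN IDs and port numbers from the post (VLAN 15 for the APs, VLANs 200 and 300 for clients, port 1 for the AP, port 24 for the uplink); the VLAN names and the core-side receiving port number (A1) are assumptions. The first section is the edge switch, the second is the core.

```text
vlan 15
   name "AP-Mgmt"
   untagged 1
   tagged 24
   exit
vlan 200
   name "Clients-200"
   tagged 1,24
   exit
vlan 300
   name "Clients-300"
   tagged 1,24
   exit

vlan 15
   name "AP-Mgmt"
   tagged A1
   exit
vlan 200
   name "Clients-200"
   tagged A1
   exit
vlan 300
   name "Clients-300"
   tagged A1
   exit
```

On ProCurve a port is untagged in exactly one VLAN, so `untagged 1` under `vlan 15` moves port 1 out of the default VLAN 1 automatically; the AP's own management traffic then leaves untagged and lands in VLAN 15, while the SSID traffic it tags as 200 or 300 rides the tagged memberships. Both ends of the uplink must carry the same tagged set, which is the mismatch that most often produces "the AP pings from one VLAN but not the other"; `show vlans ports 1 detail` and `show vlans ports 24 detail` show what a port is actually a member of.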
All of these networks have default gateways?
The APs default gateway is the gateway of the VLAN it's connected to?
There's no default gateways as they're routing. They all have an IP and can all speak to each other where appropriate. The AP's default gateway is set to the VLAN ip.
Your clients are going to be put on the same network as the AP as it stands - there is nothing telling them otherwise if you are not using something like RADIUS to change the VLAN.
RADIUS shouldn't come into it. It wouldn't actually matter if the clients are in the same network as the AP as long as they got the right address, but nada. The controller doesn't even speak to the AP.
The controller needs to be on a vlan with the APs for management. This vlan must be untagged on the AP ports.
For SSIDs you need the AP ports tagged for those vlans. Your ports that the APs are plugged into will need to support VLANs and have them available on the switch.
The APs do not send traffic via the controller for unifi afaik. I assume the APs gateway is for the vlan you are using for management/unifi server.
My Ruckus controller isn't on the same VLAN as my APs in my setup - they are all gatewayed up and work fine across VLANs.
Controller is on VLAN 2 (10.0.2.x/24 - gateway 10.0.2.1)
APs 1-5 are on VLAN 5 (10.0.5.x/24 - gateway 10.0.5.1)
APs 6-10 are on VLAN6 (10.0.6.x/24 - gateway 10.0.6.1)
APs 11-15 are on VLAN7 (10.0.7.x/24 - gateway 10.0.7.1)
My core / routing switch is a 5412xl (12-module version of OP) and APs can talk to controller as all VLANs route through the core switch.
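As an added example (not the poster's own configuration), here is the routed layout above expressed as HP ProCurve CLI on the core switch. The VLAN interface addresses are the ones given in the post; the VLAN names, the `ip routing` command that enables inter-VLAN routing on the core, and the trunk port number (A1) carrying all four VLANs towards the edge switches are assumptions.

```text
ip routing
vlan 2
   name "Controller"
   ip address 10.0.2.1 255.255.255.0
   tagged A1
   exit
vlan 5
   name "APs-1-5"
   ip address 10.0.5.1 255.255.255.0
   tagged A1
   exit
vlan 6
   name "APs-6-10"
   ip address 10.0.6.1 255.255.255.0
   tagged A1
   exit
vlan 7
   name "APs-11-15"
   ip address 10.0.7.1 255.255.255.0
   tagged A1
   exit
```

Each AP's gateway is its own VLAN's interface address (10.0.5.1, 10.0.6.1 or 10.0.7.1), and because the core routes between these interfaces, the controller in 10.0.2.0/24 reaches every AP without sharing a VLAN with it. The caveat is that `ip routing` makes the AP management VLANs reachable from every other VLAN the core routes, so if those subnets should only be reachable from the controller, that restriction has to be added separately with an ACL on the VLAN interfaces rather than assumed from the VLAN split.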