
By default, the ERL in the SOHO configuration is set up to allow routing between subnets. I wanted to keep my Guest and Private networks separate, but allow guests on my Guest WLAN to access the UniFi controller on my Private network for authentication.

One note before I get started… When following the steps below, please make sure to change any of my interface and IP information to match your setup. Also, this is not the only way to do this: some will use more firewall groups than I have and others may not use any.

My current network configuration is as follows:

eth0 = Wan

eth1 = Private

I'm going to create VLAN 30 on eth1 to use for my guest network:

eth1.30 = Guest

To get things started, log in to your router's console and put it in configuration mode.

$ configure

The first step is to back up your current configuration in case you really screw something up. You can use the UI and save the configuration file if you wish. I like to use TFTP for my configuration files so I have them on my NAS for easy viewing and editing.

I like to name the backup something that is easy to remember. I use the configuration type for changes or the date for working configurations. That way I can sort changes by date and see what I've done quickly and easily.

Back up your configuration to TFTP:

#save tftp://nas1.local.net/ubnt/workingPrior2GuestVLAN

Now that the configuration is saved it's time to make our changes.

The first thing I'm going to do is create my new VLAN, assign it an IP address, and attach the GUEST_VLAN firewall rule set (created below) to its inbound direction.

set interfaces ethernet eth1 vif 30 address 192.168.3.1/24

set interfaces ethernet eth1 vif 30 description 'Guest Network'

set interfaces ethernet eth1 vif 30 firewall in name GUEST_VLAN

Here I'm going to create a firewall port-group to allow access to the UniFi Portal.   

set firewall group port-group UniFi_Guest_Portal description 'UniFi Portal'

set firewall group port-group UniFi_Guest_Portal port 8443

set firewall group port-group UniFi_Guest_Portal port 8880 

The next step is to create the firewall rules for the Guest Network. I set the default action for the firewall to accept and give it a description. 

set firewall name GUEST_VLAN default-action accept

set firewall name GUEST_VLAN description 'Isolate Guest VLAN' 

For the first rule, I allow access to the UniFi Portal by accepting TCP traffic to its IP address on the ports in the port-group:

set firewall name GUEST_VLAN rule 1 action accept

set firewall name GUEST_VLAN rule 1 description 'UniFI Portal'

set firewall name GUEST_VLAN rule 1 destination address 192.168.1.100

set firewall name GUEST_VLAN rule 1 destination group port-group UniFi_Guest_Portal

set firewall name GUEST_VLAN rule 1 log disable

set firewall name GUEST_VLAN rule 1 protocol tcp

For the second rule, I drop all other traffic to the rest of the Private network (192.168.1.0/24):

set firewall name GUEST_VLAN rule 2 action drop

set firewall name GUEST_VLAN rule 2 description 'Drop Route to Private Network 192.168.1.0'

set firewall name GUEST_VLAN rule 2 destination address 192.168.1.0/24

set firewall name GUEST_VLAN rule 2 log disable

set firewall name GUEST_VLAN rule 2 protocol all 
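Before committing, it is worth confirming what this rule set actually lets through. The script below is an added example (it is not part of the original post and is not EdgeOS code): it parses the `set firewall ...` lines exactly as written above and evaluates a few constructed guest-originated packets the way the router's `in` chain would, assuming EdgeOS semantics of ascending rule order, first match wins, and `default-action` applying when nothing matches. The packet samples and the `parse`/`evaluate` helper names are mine.

```python
"""Offline first-match simulator for the GUEST_VLAN policy shown in the post.

Added example, not from the original post or from EdgeOS. Assumes EdgeOS
semantics: rules are tried in ascending number order, the first match wins,
and default-action applies when nothing matches.
"""
import ipaddress
import shlex

# The firewall configuration lines from the post, verbatim.
CONFIG = """
set firewall group port-group UniFi_Guest_Portal description 'UniFi Portal'
set firewall group port-group UniFi_Guest_Portal port 8443
set firewall group port-group UniFi_Guest_Portal port 8880
set firewall name GUEST_VLAN default-action accept
set firewall name GUEST_VLAN description 'Isolate Guest VLAN'
set firewall name GUEST_VLAN rule 1 action accept
set firewall name GUEST_VLAN rule 1 description 'UniFI Portal'
set firewall name GUEST_VLAN rule 1 destination address 192.168.1.100
set firewall name GUEST_VLAN rule 1 destination group port-group UniFi_Guest_Portal
set firewall name GUEST_VLAN rule 1 log disable
set firewall name GUEST_VLAN rule 1 protocol tcp
set firewall name GUEST_VLAN rule 2 action drop
set firewall name GUEST_VLAN rule 2 description 'Drop Route to Private Network 192.168.1.0'
set firewall name GUEST_VLAN rule 2 destination address 192.168.1.0/24
set firewall name GUEST_VLAN rule 2 log disable
set firewall name GUEST_VLAN rule 2 protocol all
"""


def parse(config_text):
    """Return (port_groups, default_action, [(number, rule), ...]) from 'set' lines."""
    port_groups = {}
    rules = {}
    default_action = "drop"  # EdgeOS default when default-action is not set
    for line in config_text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:4] == ["set", "firewall", "group", "port-group"] and tok[5] == "port":
            port_groups.setdefault(tok[4], set()).add(int(tok[6]))
        elif tok[:3] == ["set", "firewall", "name"] and tok[4] == "default-action":
            default_action = tok[5]
        elif tok[:3] == ["set", "firewall", "name"] and tok[4] == "rule":
            rule = rules.setdefault(int(tok[5]), {"protocol": "all"})
            if tok[6] == "action":
                rule["action"] = tok[7]
            elif tok[6] == "protocol":
                rule["protocol"] = tok[7]
            elif tok[6:8] == ["destination", "address"]:
                # A bare host address becomes a /32 network.
                rule["dst_net"] = ipaddress.ip_network(tok[8], strict=False)
            elif tok[6:9] == ["destination", "group", "port-group"]:
                rule["dst_group"] = tok[9]
            # description / log lines do not affect matching and are ignored
    return port_groups, default_action, [(n, rules[n]) for n in sorted(rules)]


def matches(rule, port_groups, proto, dst_ip, dst_port):
    """True if one packet satisfies every match criterion the rule defines."""
    if rule["protocol"] not in ("all", proto):
        return False
    if "dst_net" in rule and ipaddress.ip_address(dst_ip) not in rule["dst_net"]:
        return False
    if "dst_group" in rule and dst_port not in port_groups[rule["dst_group"]]:
        return False
    return True


def evaluate(config_text, proto, dst_ip, dst_port):
    """Return (action, matched rule number or None) for one guest-originated packet."""
    port_groups, default_action, rules = parse(config_text)
    for number, rule in rules:
        if matches(rule, port_groups, proto, dst_ip, dst_port):
            return rule["action"], number
    return default_action, None


# Constructed sample packets a guest client might send: (protocol, dst IP, dst port).
SAMPLES = [
    ("tcp", "192.168.1.100", 8443),  # controller on a portal port   -> accept (rule 1)
    ("tcp", "192.168.1.100", 22),    # SSH to the controller host    -> drop   (rule 2)
    ("tcp", "192.168.1.50", 8443),   # other private host, same port -> drop   (rule 2)
    ("udp", "192.168.1.100", 8443),  # UDP to a portal port          -> drop   (rule 1 is TCP only)
    ("udp", "8.8.8.8", 53),          # internet DNS                  -> accept (default-action)
]

if __name__ == "__main__":
    for proto, ip, port in SAMPLES:
        action, rule = evaluate(CONFIG, proto, ip, port)
        print(f"{proto:3} {ip}:{port:<5} -> {action:6} (rule {rule})")
```

The last sample is the one to keep in mind: with `default-action accept`, anything not covered by rule 2 is forwarded, so the isolation only holds for 192.168.1.0/24. If you later add another internal subnet or VLAN, it needs its own drop rule (or the policy needs to change to default drop with explicit accepts).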

With the firewall all set, we enable DNS forwarding to listen for requests on the VLAN:

set service dns forwarding listen-on eth1.30 

The last step in the process is to set up a DHCP server for the VLAN:

set service dhcp-server shared-network-name Guest_Network authoritative disable

set service dhcp-server shared-network-name Guest_Network subnet 192.168.3.0/24 default-router 192.168.3.1

set service dhcp-server shared-network-name Guest_Network subnet 192.168.3.0/24 dns-server 192.168.3.1

set service dhcp-server shared-network-name Guest_Network subnet 192.168.3.0/24 lease 14400

set service dhcp-server shared-network-name Guest_Network subnet 192.168.3.0/24 start 192.168.3.60 stop 192.168.3.100 

Commit the changes:

#commit 

Now everything should be set up on the ERL side. You just need to ensure your router is passing the tagged VLAN packets and that the Guest WLAN on the UniFi server is configured for VLAN 30.
