Vlans on Unifi

[Stin6667]

Good day,

 

I have reacenly gotten into networking. And understand some things but I need a little bit of help. I know how I have it currently set up isn't the best, it was and is my 1st real network project. I know I can make it better next time.

So the current setup. 
Router-> PFsense box-> Main switch(unifi)-> My pc

                                                             ->WIFi (Asus Ax11000) AP mode

                                                             -> NAS connection 1

                                                             -> Computer room switch (unifi) ->NAS connection 2

                                                                                                         -> Small Server (jellyfin)

                                                                                                         -> Open port (I think Cant remember)

                                                                                                         -> House Switch (unifi) -> PC 2 (in another room)

                                                                                                                                      -> Bedroom Switch (unifi) -> PS5

                                                                                                                                                                       -> Nintendo

                                                                                                                                                                       -> Bedroom PC 

                                                                                                                                                                       -> TV

                                                                                                                                                                        -> Wifi ASUS Ax3000 AP mode

 

What I would like to do:

1) Have all the devices read the NAS. But not beable to write. I have made a seperate account in the NAS for this.

2) Have all the wifis on their own network. Which they can see the nas, read the nas but not be able to make changes. If they only connect to the internet, that would be perfect.

3) Have the consoles and the TV on their seperated and individial VLans. 

4) Let the computers be able to Read and write to each other. 

 

To be honest I have no clue where to start.

But this is what I thought of so far:
 

Router-> PFsense box            ->                                   Main switch-> My pc

                                                                                                           ->WIFi (Asus Ax11000) AP mode

                                                                                                           -> NAS connection 1

                                                                                                           -> Small Server (jellyfin)

                                                 -> Computer room switch ->NAS connection 2

                                                                                             -> Open port (I think Cant remember)

                                                                                             -> House Switch -> PC 2 (in another room)

                                                                                                                          -> Bedroom Switch -> PS5

                                                                                                                          -> Nintendo

                                                                                                                          -> Bedroom PC 

                                                                                                                          -> TV

                                                                                                                          -> Wifi ASUS Ax3000 AP mode Imash

 

If it is not clear in the diagram. I am thinking of moving the Computer room switch directly to the PFsense box. The only reason I am not able to do that with any of the other switches is they way the apartment was built. the router comes through a shoe closet. Litr A port from the sheo closet comes into the computer room and one goes out (technically the 2nd was meant to be for a phone but I converted it as it uses and RJ45 female port).

Then I will use the cloud key ( I think that is what it is called) to segment everything that is needed.

 

If there is a better way to do this. I am keen to hear your thoughts. Also could you please explain how can I set up the vlans on the unifi switches. 

Thanks in advance 

 

[Bdavis]

Are all your switches Ubiquiti or L2 capable? Vlans are created on the router and assigned tags. Those tags are then used in your switch settings to assign vlans to ports on the switch, or ssids on access points.

 

Tom from Lawrence Systems has videos on YouTube that can walk you through the setup on pfsense and ubiquiti.

 

Just a heads up, you can't really set write permissions using vlans. This has to be done using file permission settings on the NAS. Vlans merely segment out your network to make it more secure. Simply creating vlans doesn't separate your network devices. You need to create firewall rules in order to block the traffic between vlans.

 

A good place to start is to figure out what groups of devices you want separated then create the vlans and firewall rules.

 

My vlans are:

1. Management: for server ipmi, and NAS admin.

2. IOT: for insecure IOT devices such as smart switches and smart home devices

3. Guest: for guess who just need internet access.

 

I'm still working on my network structure, and it's difficult sometimes to decide what vlan a device should be on.

[Stin6667]

2 minutes ago, Bdavis said:

Are all your switches Ubiquiti or L2 capable?

I think they are. 1 Switch Flex and the rest flex minis

[Stin6667]

6 minutes ago, Bdavis said:

You need to create firewall rules in order to block the traffic between vlans.

How do you recomend I go about writimng my fire wall rules? Mind you I only learned about dynamic firewall rules this weekend. And tested 1 by connecting the WIFI to the pfsense box ( had to add a rule to bridge the wan port and OP1)

 

Thanks again

[Stin6667]

9 minutes ago, Bdavis said:

Tom from Lawrence Systems has videos on YouTube that can walk you through the setup on pfsense and ubiquiti.

Thanks I will check him out!

[Electronics Wizardy]

For all of the nas permissions, and read and write settings, thats gonna be done on the nas with permissions, and not affected by vlans. I'd try to keep data from hopping between subnets so the router doesn't have to see all the the traffic that goes to the nas.

 

Id just make a gues account that read only, and login on the systems you want to read and write.

 

Do those access points support vlans? I don't think they do with a quick google. They probably support a guest network, and I'd just use the guest network for devices that should only be able to access the internet with no lan access.

 

You can go setup some vlans on the switch, then matching subnets on the router, and setup routing rules between the networks if you want. From what you listed, I'd be lazy and just make one big subnet for trusted devices. If you want to mess around its easy to add anouther subnet and the vlan on the switch.

[Stin6667]

3 minutes ago, Electronics Wizardy said:

hopping between subnets

Okay. I know what i am about to say will show how new I am to this. You can change the subnet???  I have always just used 255.255.255.0. Then my question is... What does that do to the network, when i change the subnet?

[Stin6667]

7 minutes ago, Electronics Wizardy said:

gues account that read only, and login on the systems you want to read and write.

Not sure If it is a guest account that i made but i know it only has permission to read it. The reason I did this was Jelly fin was adding data and had the ability to remove data from the NAS. And to make sure it didn't remove anything permanently, I made a new account with only read permissions. 

[Electronics Wizardy]

3 minutes ago, Stin6667 said:

Okay. I know what i am about to say will show how new I am to this. You can change the subnet???  I have always just used 255.255.255.0. Then my question is... What does that do to the network, when i change the subnet?

the subnet is the network, so something like 192.168.0.0./24. 255.255.255.0 is a subnet mask.

 

Typically you have a subnet for each vlan. Then the router handles the data betwen the subnets.

[Stin6667]

9 minutes ago, Electronics Wizardy said:

make one big subnet for trusted devices.

after learning you can change subnets. makes me want to try that. But I first need to understand what is happening. if you don't mind explaining a little bit, please.

If it IP add is the add to a house, what will the subnet be? the road?

[Electronics Wizardy]

Just now, Stin6667 said:

after learning you can change subnets. makes me want to try that. But I first need to understand what is happening. if you don't mind explaining a little bit, please.

If it IP add is the add to a house, what will the subnet be? the road?

So for ipv4 you have the public IPs and the private ips. The ISP manages the public IPs, so all you can configure here is private ips. 

 

So you create subnets in the range of 192.168.0.0/16,10.0.0.0/8, and 172.16.0.0/12.

 

WIthin those ranges, you create multiple subnets which your devices have IPs in.

[Stin6667]

2 minutes ago, Electronics Wizardy said:

Typically you have a subnet for each vlan. Then the router handles the data betwen the subnets.

So If i am understanding you. The house would be the subnet and the rooms will be the ip. So if I have a single story house (first floor). I only have one subnet. But if I have more than one subnet I have a multiple story house(2nd and 3rd floor).  I can have eveyrthing on the 1st floor making it easier. but a more complext design would be the multi story house

 

[LIGISTX]

I’d check out a bunch of YouTube videos. Sounds like you have some good ideas, but unsure how to execute them or what really does what. 
 

As said above, lawrence systems has some great content on vlans and networking in general. He walks through setting up firewall rules in pfsense. 

[LIGISTX]

2 minutes ago, Stin6667 said:

So If i am understanding you. The house would be the subnet and the rooms will be the ip. So if I have a single story house (first floor). I only have one subnet. But if I have more than one subnet I have a multiple story house(2nd and 3rd floor).  I can have eveyrthing on the 1st floor making it easier. but a more complext design would be the multi story house

 

Not exactly…

 

Give this a read, it also has a helpful picture in there:

 

https://www.techtarget.com/searchnetworking/tip/IP-addressing-and-subnetting-Calculate-a-subnet-mask-using-the-hosts-formula

[Stin6667]

8 minutes ago, Electronics Wizardy said:

So you create subnets in the range of 192.168.0.0/16,10.0.0.0/8, and 172.16.0.0/12.

 

Sorry I do not understand. 
I know the 192.168.0.0 is the standard Ip address.

But what is the 16,10.0.0.0/8....? I am assuming this is another ip address like 10.30.30.0.
or is it 192.168.0.0/16
and 10.0.0.0/8

and 17.16.0.0/12.

I always thought the /24 or /30 tells the range of the ips. Am I wrong?

[Stin6667]

17 minutes ago, LIGISTX said:

Not exactly…

 

Give this a read, it also has a helpful picture in there:

 

https://www.techtarget.com/searchnetworking/tip/IP-addressing-and-subnetting-Calculate-a-subnet-mask-using-the-hosts-formula

Thanks I will give this a read. 

[Electronics Wizardy]

30 minutes ago, Stin6667 said:

Sorry I do not understand. 
I know the 192.168.0.0 is the standard Ip address.

But what is the 16,10.0.0.0/8....? I am assuming this is another ip address like 10.30.30.0.
or is it 192.168.0.0/16
and 10.0.0.0/8

and 17.16.0.0/12.

I always thought the /24 or /30 tells the range of the ips. Am I wrong?

oops its 10.0.0.0/8 not 16.

 

Yup the /24 is the subnet. Means the same thing as 255.255.255.0.

 

YOu should be able to make a subnet on the router and setup a second lan connection, and setup a vlan on the switch to mess around with. I'd do that to see how things work.