VLANs on UniFi

Kynedee
Posting Freak
784
06-03-2025, 12:30 PM
#1
Hello, I’m glad you’re diving into networking! I see you have a lot to organize and improve. Let’s simplify your setup and clarify your goals.

Current setup summary:
- Router → pfSense → Main switch → Unified Access → NAS connection → PCs
- NAS connected to small server via open port
- Computers connect to the internet through separate networks
- Consoles, TV, and gaming devices on individual VLANs
- Desire: Devices read NAS but can’t modify it; Wi-Fi networks isolated; consoles/TV on separate VLANs; computers communicate without issues

Your ideas are solid. Here’s a clearer path:

1. **NAS Read Access**
- Ensure all devices can read from the NAS (use shared folder or web interface).
- Keep your NAS account separate but accessible via a secure method (e.g., cloud key or SSO).

2. **Wi-Fi Isolation**
- Create distinct Wi-Fi networks for each group: PCs, consoles, TV, etc.
- Use pfSense or another router to assign static IPs and restrict access per VLAN.

3. **Separate Networks for Consoles & TV**
- Assign dedicated VLANs for gaming devices and media equipment.
- Configure routers/APs to block unnecessary traffic between these groups.

4. **Inter-Computer Communication**
- Ensure all computers are on the same local network (same subnet).
- Use a router or switch with port security to allow communication only between intended devices.

5. **Cloud Key / Segmentation**
- If using cloud key, set it up to manage access to specific VLANs or services.
- Alternatively, use a firewall rule or VLAN tagging to control traffic.

For UniFi switches:
- Create VLANs for each group (PCs, consoles, TV, NAS).
- Assign IP ranges accordingly and configure routing between them.
- Enable port security and access control lists (ACLs) to maintain separation.

If you’d like, I can walk you through step-by-step configuration for pfSense, UniFi VLANs, or cloud key setup. Just let me know which part you want to tackle first!

killerking28
Junior Member
43
06-03-2025, 12:30 PM
#2
Check if all your switches are Ubiquiti or L2 capable. VLANs are set up on the router and given tags, which are then applied in switch configurations to allocate VLANs to ports or assign SSIDs to access points. Tom from Lawrence Systems shares YouTube tutorials for configuring these on pfSense and Ubiquiti. Note that you can't assign write rights via VLANs; use NAS file permissions instead. VLANs only divide your network for security, not physically separate devices. To block traffic between VLANs, define firewall rules. Start by identifying which device groups need isolation, then create the corresponding VLANs and rules.

My current VLANs are:
1. Management – covers server IPMI and NAS admin.
2. IoT – targets insecure IoT gadgets like smart switches and home devices.
3. Guest – for users needing basic internet access.

I’m still refining my network layout, and choosing the right VLAN can be tricky.

Losfun
Member
153
06-03-2025, 12:30 PM
#3
They seem to be correct. 1 Switch Flex along with the others.

KriGen39
Member
53
06-03-2025, 12:30 PM
#4
You should start by organizing your thoughts clearly. Since you're new to dynamic firewall rules, consider breaking them into simple sections like device types, allowed traffic, and conditions. Practice by setting up similar rules in a safe environment first. Don’t forget to test each rule thoroughly before deploying it fully. Your recent experience with connecting Wi-Fi to the pfSense box is a great start—keep refining your approach!

PanicOregon281
06-03-2025, 12:30 PM #5

I'll take a look at him!

MeatballMemes
Junior Member
25
06-03-2025, 12:30 PM
#6
This will handle all permissions and read/write configurations directly on the NAS using those settings. It won’t be influenced by VLANs. I aim to prevent data from moving between subnets so the router only sees traffic that reaches the NAS. I’d create a read-only account and log in only on the devices you need access to. Check if the access points support VLANs—likely they don’t, probably just a guest network. You can configure the guest network for devices needing internet access without LAN privileges. Set up VLANs on the switch, match subnets on the router, and define routing rules between networks if needed. Based on what you mentioned, I’d opt for a single large subnet for trusted devices. Adding another subnet and VLANs on the switch would be straightforward.

Tropicalli
Member
91
06-03-2025, 12:30 PM
#7
I understand you're ready to share your thoughts. It seems you're exploring changes to your network setup. You mentioned using a default subnet and are curious about the impact of switching it. Let me know how I can assist further!

Barnie911
Member
55
06-03-2025, 12:30 PM
#8
Uncertain if it's a guest account I created, but I understand it only has read access. I did this because Jellyfin was adding data and could delete it from the NAS. To ensure nothing was lost permanently, I set up a new account with just read permissions.

iron_finder1
Posting Freak
750
06-03-2025, 12:30 PM
#9
The network is referred to as the subnet, such as 192.168.0.0/24. The subnet mask is 255.255.255.0. Usually, a separate subnet exists for each VLAN. The router manages communication between these subnets.
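
An added example, not written by any poster in this thread: a small policy checker for the "one subnet per VLAN, router firewalls between them" layout described in posts #2 and #9, useful for testing a rule set on paper before deploying it. The VLAN IDs, subnets, NAS address and rules are constructed assumptions, and the top-down first-match evaluation is a simplified model rather than pfSense's own code.

```python
import ipaddress

# Constructed plan: one subnet per VLAN (tags and ranges are assumptions).
VLANS = {
    "MGMT":    (10, ipaddress.ip_network("192.168.10.0/24")),
    "TRUSTED": (20, ipaddress.ip_network("192.168.20.0/24")),
    "IOT":     (30, ipaddress.ip_network("192.168.30.0/24")),
    "GUEST":   (40, ipaddress.ip_network("192.168.40.0/24")),
}
NAS = ipaddress.ip_address("192.168.10.5")      # hypothetical NAS address
LOCAL = ipaddress.ip_network("192.168.0.0/16")  # covers every internal VLAN above
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules per ingress VLAN: (action, destination network, destination port or None).
# Evaluated top-down, first match wins, implicit deny at the end.
# Port 445 (SMB) cannot express read vs. write; that stays with NAS permissions.
RULES = {
    "TRUSTED": [("pass", ipaddress.ip_network(f"{NAS}/32"), 445),
                ("block", VLANS["MGMT"][1], None),
                ("pass", ANY, None)],
    "IOT":     [("block", LOCAL, None), ("pass", ANY, None)],
    "GUEST":   [("block", LOCAL, None), ("pass", ANY, None)],
    "MGMT":    [("pass", ANY, None)],
}

def vlan_of(addr):
    """Return the VLAN name whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, (_tag, net) in VLANS.items():
        if ip in net:
            return name
    return None

def decide(src, dst, port):
    """Return 'pass', 'block', or 'switched' (same VLAN, never reaches the router)."""
    src_vlan, dst_ip = vlan_of(src), ipaddress.ip_address(dst)
    if src_vlan is None:
        return "block"
    if src_vlan == vlan_of(dst):
        return "switched"  # firewall rules do not apply inside one VLAN
    for action, net, rule_port in RULES[src_vlan]:
        if dst_ip in net and rule_port in (None, port):
            return action
    return "block"  # implicit default deny

if __name__ == "__main__":
    for flow in [("192.168.20.50", "192.168.10.5", 445),
                 ("192.168.30.7", "192.168.10.5", 445),
                 ("192.168.40.9", "1.1.1.1", 443),
                 ("192.168.20.50", "192.168.20.51", 22)]:
        print(flow, "->", decide(*flow))
```

The `switched` result is the case to watch: two devices in the same VLAN talk directly through the switch, so router firewall rules never see that traffic.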

MechanoidBlue
Member
62
06-03-2025, 12:30 PM
#10
I’m curious about how changing subnets works. If you’re okay with me breaking it down, could you explain a bit? When an IP address is added to a network, what does that mean for the subnet? It’s like assigning a new area or section of the road.