You'll need to set up a dhcp server for that vlan or manually assign it. Even with NAT on the CPE the management interface will work the same. But when doing NAT you'll be able to access the radio from its public address as well. There really is no reason to NAT at the radio with VLANs.
Any reason you'd do NAT at the radio? Thank you, Brett A Mansfield > On Jan 20, 2015, at 12:03 PM, Bill Prince <[email protected]> wrote: > > If you're bridging, where does the management VLAN get it's IP address? > > Likewise (or almost likewise), if we're NATting in the CPE, is there a place > to assign the VLAN interface a different IP address? > > bp > <part15sbs{at}gmail{dot}com> > > On 1/20/2015 10:33 AM, Brett A Mansfield wrote: >> UBNT has a good video on this very thing. �If done right, all ssh traffic >> would be passed through the radio to the customers router on the public side >> and the management side will only be accessible internally. >> >> Here is a link to their video on the VLAN setup for management. >> http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529 >> >> Thank you, >> Brett A Mansfield >> >> >>> On Jan 20, 2015, at 11:18 AM, Josh Reynolds <[email protected]> wrote: >>> >>> Management services only respond on the management vlan... >>> >>>> On January 20, 2015 9:17:24 AM AKST, Bill Prince <[email protected]> >>>> wrote: >>>> OK.� Great.� We can put another IP on a management IP on the VLAN.� >>>> How does that block the SSH logins? >>>> >>>> Can you specify that SSH only goes through the management VLAN? >>>> >>>> bp >>>> <part15sbs{at}gmail{dot}com> >>>> >>>> On 1/20/2015 10:14 AM, Josh Reynolds wrote: >>>>> It creates another interface, a tagged one. You specify which interface >>>>> is the management interface. Don't route it out of your network. >>>>> >>>>>> On January 20, 2015 9:13:06 AM AKST, Bill Prince <[email protected]> >>>>>> wrote: >>>>>> My understanding of the UBNT VLAN is that it's all one VLAN? How do you >>>>>> split management/sub traffic? >>>>>> >>>>>> bp >>>>>> <part15sbs{at}gmail{dot}com> >>>>>> >>>>>> On 1/20/2015 10:05 AM, Josh Reynolds wrote: >>>>>>> Management. VLAN. >>>>>>> >>>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince <[email protected]> >>>>>>> wrote: >>>>>>>> >>>>>>>> Not the AP side, but the client side. We have traditionally NATted all >>>>>>>> residential subs on Canopy, and were trying to do the same with UBNT. >>>>>>>> >>>>>>>> With Canopy it's easy, because the NATted TCP stack just passes >>>>>>>> through, >>>>>>>> and if SSH ports are open, it goes to the sub's router (no impact on >>>>>>>> the >>>>>>>> SM). >>>>>>>> >>>>>>>> Not so with UBNT, as the public IP for NAT is also the IP for the CPE. >>>>>>>> >>>>>>>> Just wondering if anyone else has tried the CPE firewall to prevent >>>>>>>> brute-force SSH logins. >>>>>>>> >>>>>>>> I suppose I could cobble together something on the POP router, but >>>>>>>> looking for options. >>>>>>>> >>>>>>>> bp >>>>>>>> <part15sbs{at}gmail{dot}com> >>>>>>>> >>>>>>>> On 1/20/2015 9:37 AM, Peter Kranz wrote: >>>>>>>>> Generally a bad idea to use that firewall (at least on the access >>>>>>>>> point side) as it supposedly cuts into your PPS capacity on the >>>>>>>>> radio. >>>>>>>>> >>>>>>>>> Peter Kranz >>>>>>>>> Founder/CEO - Unwired Ltd >>>>>>>>> www.UnwiredLtd.com >>>>>>>>> Desk: 510-868-1614 x100 >>>>>>>>> Mobile: 510-207-0000 >>>>>>>>> [email protected] >>>>>>>>> >>>>>>>>> -----Original Message----- >>>>>>>>> From: Af [mailto:[email protected]] On Behalf Of Bill Prince >>>>>>>>> Sent: Monday, January 19, 2015 1:47 PM >>>>>>>>> To: [email protected] >>>>>>>>> Subject: Re: [AFMUG] UBNT firewall >>>>>>>>> >>>>>>>>> Nobody actually using the UBNT firewall? >>>>>>>>> >>>>>>>>> bp >>>>>>>>> <part15sbs{at}gmail{dot}com> >>>>>>>>> >>>>>>>>> On 1/14/2015 11:25 AM, Bill Prince wrote: >>>>>>>>>> We notice that any time we use NAT on UBNT we get a lot of login >>>>>>>>>> attempts via SSH. Are any of you using the firewall built in? It's >>>>>>>>>> not clear from the GUI interface whether this affects input or >>>>>>>>>> forwarding, or both. >>>>>>>>>> >>>>>>>>>> What I'd like to do is block any >>>>>>>>>> SSH logins that are not in one of our >>>>>>>>>> subnets, but I'm afraid if I turn it on, it will affect forwarded >>>>>>>>>> traffic. >>>>>>>>>> >>>>>>>>>> Examples? >>>>>>> >>>>>>> -- >>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity. >>>>> >>>>> -- >>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity. >>> >>> -- >>> Sent from my Android device with K-9 Mail. Please excuse my brevity. >
