Do UBNT radios support .1Q?

On Tue, Jan 20, 2015 at 3:02 PM, Jeremy <[email protected]> wrote:
> If we VLAN traffic to each AP already how would we do a management VLAN?
> Would we have to make every AP port a trunk port (pruned, of course), and
> then let the radio do the tagging and untagging?
>
> On Tue, Jan 20, 2015 at 1:13 PM, Brett A Mansfield <[email protected]> wrote:
>
>> It's possible there is a bug in the software then. All of my NATd radios
>> on 5.5.9 and older I can only access the management on the management VLAN,
>> but all of the ones running 5.5.10 I can access it on both the management
>> VLAN and untagged interfaces.
>>
>> Though there may be something in the configuration causing it. I'm double
>> checking. It clearly shows management is set to the tagged vlan. Looks like
>> the bridge is missing in the config though. It must have wiped it out when
>> NAT was put in place.
>>
>> Thank you,
>> Brett A Mansfield
>>
>> On Jan 20, 2015, at 12:39 PM, Josh Reynolds <[email protected]> wrote:
>>
>> Jesus Christ no.
>> No.
>>
>> SSH, web, SNMP, etc only respond on whatever the management interface is.
>> If it's left default, it responds on what's assigned. If you vlan it off,
>> it only responds on that vlan. Other untagged traffic goes through as
>> bridged or routed depending on what you have configured.
>>
>> On January 20, 2015 10:12:37 AM AKST, Bill Prince <[email protected]> wrote:
>>>
>>> NATting in the radio just eliminates so many issues. It solved lots of
>>> issues for us when we did it with Canopy. It was easy because the
>>> management/NAT are always separated in Canopy. It just became part of our
>>> standard practice.
>>>
>>> So if we're doing NAT on the CPE, management traffic will go to the
>>> public interface? That seems broken. What defines "management" traffic
>>> besides SSH/WWW ports?
>>>
>>> bp
>>> <part15sbs{at}gmail{dot}com>
>>>
>>>
>>> On 1/20/2015 11:07 AM, Brett A Mansfield wrote:
>>>
>>> You'll need to set up a dhcp server for that vlan or manually assign it.
>>>
>>> Even with NAT on the CPE the management interface will work the same.
>>> But when doing NAT you'll be able to access the radio from its public
>>> address as well. There really is no reason to NAT at the radio with VLANs.
>>>
>>> Any reason you'd do NAT at the radio?
>>>
>>> Thank you,
>>> Brett A Mansfield
>>>
>>> On Jan 20, 2015, at 12:03 PM, Bill Prince <[email protected]> wrote:
>>>
>>> If you're bridging, where does the management VLAN get its IP
>>> address?
>>>
>>> Likewise (or almost likewise), if we're NATting in the CPE, is there a
>>> place to assign the VLAN interface a different IP address?
>>>
>>> bp
>>> <part15sbs{at}gmail{dot}com>
>>>
>>>
>>> On 1/20/2015 10:33 AM, Brett A Mansfield wrote:
>>>
>>> UBNT has a good video on this very thing. If done right, all ssh
>>> traffic would be passed through the radio to the customers router on the
>>> public side and the management side will only be accessible internally.
>>>
>>> Here is a link to their video on the VLAN setup for management.
>>>
>>> http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
>>>
>>> Thank you,
>>> Brett A Mansfield
>>>
>>>
>>> On Jan 20, 2015, at 11:18 AM, Josh Reynolds <[email protected]> wrote:
>>>
>>> Management services only respond on the management vlan...
>>>
>>> On January 20, 2015 9:17:24 AM AKST, Bill Prince <[email protected]> wrote:
>>>>
>>>> OK. Great. We can put another IP on a management IP on the
>>>> VLAN. How does that block the SSH logins?
>>>>
>>>> Can you specify that SSH only goes through the management VLAN?
>>>>
>>>> bp
>>>> <part15sbs{at}gmail{dot}com>
>>>>
>>>>
>>>> On 1/20/2015 10:14 AM, Josh Reynolds wrote:
>>>>
>>>> It creates another interface, a tagged one. You specify which interface
>>>> is the management interface. Don't route it out of your network.
>>>>
>>>> On January 20, 2015 9:13:06 AM AKST, Bill Prince <[email protected]> <[email protected]> wrote:
>>>>>
>>>>> My understanding of the UBNT VLAN is that it's all one VLAN? How do
>>>>> you split management/sub traffic?
>>>>>
>>>>> bp
>>>>> <part15sbs{at}gmail{dot}com>
>>>>>
>>>>>
>>>>> On 1/20/2015 10:05 AM, Josh Reynolds wrote:
>>>>>
>>>>> Management. VLAN.
>>>>>
>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince <[email protected]> <[email protected]> wrote:
>>>>>>
>>>>>> Not the AP side, but the client side. We have traditionally NATted all
>>>>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>>>>>
>>>>>> With Canopy it's easy, because the NATted TCP stack just passes through,
>>>>>> and if SSH ports are open, it goes to the sub's router (no impact on the
>>>>>> SM).
>>>>>>
>>>>>> Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
>>>>>>
>>>>>> Just wondering if anyone else has tried the CPE firewall to prevent
>>>>>> brute-force SSH logins.
>>>>>>
>>>>>> I suppose I could cobble together something on the POP router, but
>>>>>> looking for options.
>>>>>>
>>>>>> bp
>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>
>>>>>> On 1/20/2015 9:37 AM, Peter Kranz wrote:
>>>>>>>
>>>>>>> Generally a bad idea to use that firewall (at least on the access
>>>>>>> point side) as it supposedly cuts into your PPS capacity on the
>>>>>>> radio.
>>>>>>>
>>>>>>> Peter Kranz
>>>>>>> Founder/CEO - Unwired Ltd
>>>>>>> www.UnwiredLtd.com <http://www.unwiredltd.com/>
>>>>>>> Desk: 510-868-1614 x100
>>>>>>> Mobile: 510-207-0000
>>>>>>> [email protected]
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Af [mailto:[email protected] <[email protected]>] On
>>>>>>> Behalf Of Bill Prince
>>>>>>> Sent: Monday, January 19, 2015 1:47 PM
>>>>>>> To: [email protected]
>>>>>>> Subject: Re: [AFMUG] UBNT firewall
>>>>>>>
>>>>>>> Nobody actually using the UBNT firewall?
>>>>>>>
>>>>>>> bp
>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>
>>>>>>> On 1/14/2015 11:25 AM, Bill Prince wrote:
>>>>>>>>
>>>>>>>> We notice that any time we use NAT on UBNT we get a lot of login
>>>>>>>> attempts via SSH. Are any of you using the firewall built in? It's
>>>>>>>> not clear from the GUI interface whether this affects input or
>>>>>>>> forwarding, or both.
>>>>>>>>
>>>>>>>> What I'd like to do is block any SSH logins that are not in one of
>>>>>>>> our subnets, but I'm afraid if I turn it on, it will affect forwarded
>>>>>>>> traffic.
>>>>>>>>
>>>>>>>> Examples?
>>>>>>>
>>>>> --
>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
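
Added example, not part of the original thread and not airOS configuration: on a generic Linux router, the request in the first post (block SSH logins to the device from outside the operator's subnets without touching forwarded subscriber traffic) comes down to filtering the INPUT chain and leaving FORWARD alone. The chain name MGMT_SSH, the function name and the sample subnets are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generic Linux netfilter (iptables), not airOS configuration.
# MGMT_SSH is a hypothetical chain name; the subnets are constructed
# documentation ranges standing in for the operator's own subnets.
MGMT_SUBNETS="192.0.2.0/24 198.51.100.0/24"
SSH_PORT=22

# Print the iptables commands that limit SSH to the device itself.
# $1 = space-separated allowed source subnets (CIDR), $2 = SSH port.
build_mgmt_ssh_rules() {
    subnets=$1
    port=$2
    [ -n "$subnets" ] || { echo "no subnets given" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    # Validate everything first so a bad entry never yields a partial ruleset.
    for net in $subnets; do
        case $net in
            *[!0-9./]*|*/*/*) echo "bad subnet: $net" >&2; return 1 ;;
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
            *) echo "bad subnet: $net" >&2; return 1 ;;
        esac
    done
    # Build the chain completely before hooking it in, so there is no window
    # in which the operator's own session is dropped.
    echo "iptables -N MGMT_SSH"
    for net in $subnets; do
        echo "iptables -A MGMT_SSH -s $net -j ACCEPT"
    done
    echo "iptables -A MGMT_SSH -j DROP"
    # INPUT sees only packets addressed to the device. SSH that is routed or
    # port-forwarded (DNAT) to the subscriber's router traverses FORWARD and
    # never reaches this chain.
    echo "iptables -I INPUT -p tcp --dport $port -j MGMT_SSH"
}

# Review the printed commands first; run with "apply" as root to install them.
if [ "${1:-}" = "apply" ]; then
    build_mgmt_ssh_rules "$MGMT_SUBNETS" "$SSH_PORT" | sh -e
fi
```

Run without arguments the script changes nothing; call build_mgmt_ssh_rules to print the commands for review before applying them.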
