Here are other details and examples:

http://community.ubnt.com/t5/airMAX-Configuration-Examples/airMAX-VLANs/ta-p/455741

UBNT has some great articles in their community pages.  I recommend you take a 
look.  Google is a great tool for searching them.


> On Jan 20, 2015, at 3:34 PM, Brett A Mansfield <br...@silverlakeinternet.com> 
> wrote:
> 
> Yes, UBNT does support 802.1q.  Here is an example in their community pages 
> for what you are wanting to do:
> 
> http://community.ubnt.com/t5/airMAX-Configuration-Examples/airMAX-Management-tagged-and-Access-VLAN-untagged-on-Station-LAN/ta-p/1044653
> 
> 
>> On Jan 20, 2015, at 3:03 PM, Jeremy <jeremysmi...@gmail.com> wrote:
>> 
>> Do UBNT radios support .1Q?
>> 
>> On Tue, Jan 20, 2015 at 3:02 PM, Jeremy <jeremysmi...@gmail.com> wrote:
>> If we VLAN traffic to each AP already how would we do a management VLAN?  
>> Would we have to make every AP port a trunk port (pruned, of course), and 
>> then let the radio do the tagging and untagging?
>> 
>> On Tue, Jan 20, 2015 at 1:13 PM, Brett A Mansfield 
>> <br...@silverlakeinternet.com> wrote:
>> It's possible there is a bug in the software then. All of my NATd radios on 
>> 5.5.9 and older I can only access the management on the management VLAN, but 
>> all of the ones running 5.5.10 I can access it on both the management VLAN 
>> and untagged interfaces.
>> 
>> Though there may be something in the configuration causing it. I'm double 
>> checking. It clearly shows management is set to the tagged vlan. Looks like 
>> the bridge is missing in the config though. It must have wiped it out when 
>> NAT was put in place.
>> 
>> Thank you,
>> Brett A Mansfield
>> 
>> On Jan 20, 2015, at 12:39 PM, Josh Reynolds <j...@spitwspots.com> wrote:
>> 
>>> Jesus Christ no.
>>> No.
>>> 
>>> SSH, web, SNMP, etc only respond on whatever the management interface is. 
>>> If it's left default, it responds on what's assigned. If you vlan it off, 
>>> it only responds on that vlan. Other untagged traffic goes through as 
>>> bridged or routed depending on what you have configured.
>>> 
>>> On January 20, 2015 10:12:37 AM AKST, Bill Prince <part15...@gmail.com> 
>>> wrote:
>>> NATting in the radio just eliminates so many issues.  It solved lots of 
>>> issues for us when we did it with Canopy.  It was easy because the 
>>> management/NAT are always separated in Canopy.  It just became part of our 
>>> standard practice.
>>> 
>>> So if we're doing NAT on the CPE, management traffic will go to the public 
>>> interface?  That seems broken.  What defines "management" traffic besides 
>>> SSH/WWW ports?
>>> 
>>> bp
>>> <part15sbs{at}gmail{dot}com>
>>> 
>>> On 1/20/2015 11:07 AM, Brett A Mansfield wrote:
>>>> You'll need to set up a dhcp server for that vlan or manually assign it. 
>>>> 
>>>> Even with NAT on the CPE the management interface will work the same. But 
>>>> when doing NAT you'll be able to access the radio from its public address 
>>>> as well. There really is no reason to NAT at the radio with VLANs. 
>>>> 
>>>> Any reason you'd do NAT at the radio?
>>>> 
>>>> Thank you,
>>>> Brett A Mansfield
>>>> 
>>>> On Jan 20, 2015, at 12:03 PM, Bill Prince <part15...@gmail.com> wrote:
>>>> 
>>>>> If you're bridging, where does the management VLAN get its IP address?
>>>>> 
>>>>> Likewise (or almost likewise), if we're NATting in the CPE, is there a 
>>>>> place to assign the VLAN interface a different IP address?
>>>>> 
>>>>> bp
>>>>> <part15sbs{at}gmail{dot}com>
>>>>> 
>>>>> On 1/20/2015 10:33 AM, Brett A Mansfield wrote:
>>>>>> UBNT has a good video on this very thing. If done right, all ssh 
>>>>>> traffic would be passed through the radio to the customer's router on the 
>>>>>> public side and the management side will only be accessible internally.
>>>>>> 
>>>>>> Here is a link to their video on the VLAN setup for management.
>>>>>> http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
>>>>>> 
>>>>>> Thank you,
>>>>>> Brett A Mansfield
>>>>>> 
>>>>>> 
>>>>>>> On Jan 20, 2015, at 11:18 AM, Josh Reynolds <j...@spitwspots.com> wrote:
>>>>>>> 
>>>>>>> Management services only respond on the management vlan...
>>>>>>> 
>>>>>>> On January 20, 2015 9:17:24 AM AKST, Bill Prince <part15...@gmail.com> 
>>>>>>> wrote:
>>>>>>> OK. Great. We can put another IP on a management IP on the 
>>>>>>> VLAN. How does that block the SSH logins?
>>>>>>> 
>>>>>>> Can you specify that SSH only goes through the management VLAN?
>>>>>>> 
>>>>>>> bp
>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>> 
>>>>>>> On 1/20/2015 10:14 AM, Josh Reynolds wrote:
>>>>>>>> It creates another interface, a tagged one. You specify which 
>>>>>>>> interface is the management interface. Don't route it out of your 
>>>>>>>> network.
>>>>>>>> 
>>>>>>>> On January 20, 2015 9:13:06 AM AKST, Bill Prince <part15...@gmail.com> 
>>>>>>>> wrote:
>>>>>>>> My understanding of the UBNT VLAN is that it's all one VLAN? How do 
>>>>>>>> you split management/sub traffic?
>>>>>>>> 
>>>>>>>> bp
>>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>> 
>>>>>>>> On 1/20/2015 10:05 AM, Josh Reynolds wrote:
>>>>>>>>> Management. VLAN.
>>>>>>>>> 
>>>>>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince 
>>>>>>>>> <part15...@gmail.com> wrote:
>>>>>>>>> Not the AP side, but the client side. We have traditionally NATted all 
>>>>>>>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>>>>>>>> 
>>>>>>>>> With Canopy it's easy, because the NATted TCP stack just passes through, 
>>>>>>>>> and if SSH ports are open, it goes to the sub's router (no impact on the 
>>>>>>>>> SM).
>>>>>>>>> 
>>>>>>>>> Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
>>>>>>>>> 
>>>>>>>>> Just wondering if anyone else has tried the CPE firewall to prevent 
>>>>>>>>> brute-force SSH logins.
>>>>>>>>> 
>>>>>>>>> I suppose I could cobble together something on the POP router, but 
>>>>>>>>> looking for options.
>>>>>>>>> 
>>>>>>>>> bp
>>>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>>> 
>>>>>>>>> On 1/20/2015 9:37 AM, Peter Kranz wrote:
>>>>>>>>>  Generally a bad idea to use that firewall (at least on the access 
>>>>>>>>>  point side) as it supposedly cuts into your PPS capacity on the radio.
>>>>>>>>> 
>>>>>>>>>  Peter Kranz
>>>>>>>>>  Founder/CEO - Unwired Ltd
>>>>>>>>>  www.UnwiredLtd.com
>>>>>>>>>  Desk: 510-868-1614 x100
>>>>>>>>>  Mobile: 510-207-0000
>>>>>>>>>  pkr...@unwiredltd.com
>>>>>>>>> 
>>>>>>>>>  -----Original Message-----
>>>>>>>>>  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince
>>>>>>>>>  Sent: Monday, January 19, 2015 1:47 PM
>>>>>>>>>  To: af@afmug.com
>>>>>>>>>  Subject: Re: [AFMUG] UBNT firewall
>>>>>>>>> 
>>>>>>>>>  Nobody actually using the UBNT firewall?
>>>>>>>>> 
>>>>>>>>>  bp
>>>>>>>>>  <part15sbs{at}gmail{dot}com>
>>>>>>>>> 
>>>>>>>>>  On 1/14/2015 11:25 AM, Bill Prince wrote:
>>>>>>>>>  We notice that any time we use NAT on UBNT we get a lot of login
>>>>>>>>>  attempts via SSH.  Are any of you using the firewall built in? It's
>>>>>>>>>  not clear from the GUI interface whether this affects input or
>>>>>>>>>  forwarding, or both.
>>>>>>>>> 
>>>>>>>>>  What I'd like to do is block any SSH logins that are not in one of our
>>>>>>>>>  subnets, but I'm afraid if I turn it on, it will affect forwarded
>>>>>>>>>  traffic.
>>>>>>>>> 
>>>>>>>>>  Examples?
>>>>>>>>> 
>>>>>>>>> -- 
>>>>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>> 
>> 
>> 
> 
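
For the question that opens this thread (SSH login attempts against NATted CPEs from addresses outside the operator's own subnets), one way to measure the problem from a radio's syslog before and after moving management to a VLAN. This is an added example, not part of the thread: the subnets, host name and log lines are constructed, and the message wording assumes the SSH daemon is dropbear.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the operator's own subnets (constructed, private/documentation ranges).
OPERATOR_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/24")]

# Constructed sample lines in the style of dropbear's syslog messages.
SAMPLE_LOG = """\
Jan 20 10:01:02 cpe dropbear[811]: Bad password attempt for 'ubnt' from 203.0.113.7:40112
Jan 20 10:01:04 cpe dropbear[812]: Bad password attempt for 'ubnt' from 203.0.113.7:40120
Jan 20 10:01:09 cpe dropbear[813]: Login attempt for nonexistent user from 203.0.113.7:40131
Jan 20 10:02:30 cpe dropbear[820]: Password auth succeeded for 'ubnt' from 10.20.3.5:51822
Jan 20 10:03:11 cpe dropbear[825]: Bad password attempt for 'ubnt' from 10.20.3.9:51900
Jan 20 10:04:45 cpe dropbear[830]: Login attempt for nonexistent user from 192.0.2.44:33001
Jan 20 10:05:00 cpe dropbear[831]: Password auth succeeded for 'ubnt' from 192.0.2.44:33010
"""

# Usernames are attacker-controlled, so the source address is taken from the
# end of the line: greedy ".*" plus "$" selects the last " from ip:port".
EVENT = re.compile(
    r"dropbear\[\d+\]: (?P<kind>Bad password attempt|Login attempt for nonexistent user"
    r"|Password auth succeeded).* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)

def is_operator(ip):
    """True if ip lies inside one of the operator's subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OPERATOR_SUBNETS)

def summarize(log_text):
    """Return (failed attempts per outside source, outside sources that logged in)."""
    failed, outside_logins = Counter(), []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        try:
            if is_operator(m.group("ip")):
                continue  # inside source: not what this report is about
        except ValueError:
            continue  # matched the digit pattern but is not a valid address
        if m.group("kind") == "Password auth succeeded":
            outside_logins.append(m.group("ip"))
        else:
            failed[m.group("ip")] += 1
    return failed, outside_logins

if __name__ == "__main__":
    failed, logins = summarize(SAMPLE_LOG)
    for ip, n in failed.most_common():
        print(f"{ip}: {n} failed attempts from outside operator subnets")
    for ip in logins:
        print(f"{ip}: successful login from outside operator subnets")
```

Once management answers only on the tagged VLAN, as described in the thread, both lists should come back empty for a radio's public address.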
