Tomato + Unifi AP - How to use vlan?

jkroeder

Member
Dec 7, 2009
165
0
71
I have Shibbys Tomato running on an Asus N66U. I recently purchased a Ubiquiti Unifi AP.

I have the 2.4ghz radio on the N66U running as my "main" wifi connection.
I have a VLAN and Virtual Wireless interface set up as a guest network.

This is how I currently have it set up

[screenshots: the LAN, VLAN and Virtual Wireless Interface settings pages]

Now, let's say I disable the virtual wireless interface on the N66U. I want the Unifi unit to be the one broadcasting the guest network. How do I achieve this?

In this screen, do I just set the vlan ID option to #3 (refer to the screenshot above where I have my virtual wireless set to vlan #3)? The following isn't my own screenshot. That's why it's set to 4.

I tried this and whenever the client tries to connect, it doesn't seem to get an IP from DHCP. My Nexus 7, for instance, just stops at "Authenticating".



I know the Unifi interface has its own "Guest Policy" option. But is it better to have the router control the vlan?

Thanks!
 

avos

Member
Jan 21, 2013
74
0
0
So you want the Unifi AP to just do the Guest network? At 192.168.2.1/24? And have the Unifi controller still on 192.168.1.1/24?

If that is the case, you want all the ports to have a VID of 1, which is your br0, and tagged for br1, which looks to be vlan 3 for you.

Then you can plug the UniFi into any port and set up the guest network to have a vlan of 3.

You shouldn't have to deal with any of the virtual wireless interface stuff inside of tomato because you aren't doing multiple wireless interfaces on the router. The UniFi is plugging into a LAN port.

Note: I haven't used Tomato in years. But what you are trying to do should just be a simple vlan tagging of a port. It is a little confusing how they are laying it out though.
 

JoeMcJoe

Senior member
May 10, 2011
327
0
0
I leave the guest control to the Unifi APs on my network. I don't use VLANs.

My LAN has the IP address range 192.168.1.X

In the Unifi, Settings > Guest Control > Access Control > Restricted Subnets > Add: 192.168.1.0/24

This stops any user on the guest network from connecting to any IP on my LAN. All they can do is access the internet.
 

jkroeder

Member
Dec 7, 2009
165
0
71
Thanks for the replies. Networking isn't my strongest point.

Ideally, I would have the Unifi broadcast both networks. That way I have my router broadcasting SSID #1 on one side of the house and the Unifi broadcasting both SSID #1 and the guest network. AFAIK, it wouldn't be completely seamless with only one Unifi AP but that's okay for now.

But essentially, yes, I want the guest network to be broadcast from the Unifi only.

The Virtual wireless interface was being used as a guest network before I got the Unifi.

Thank you both. I'll give avos' suggestion a try and if it doesn't work out, I'll leave the guest network to the Unifi itself then to make things simpler.

I read that without using vlans, it wasn't as secure. That's why I wanted to do it this way.

This was how someone explained it here. I guess device discovery isn't that big of a deal though for residential use.

Yes and no. It's "pretty good" security, but not "great". The Unifi 'restricted subnets' blocks TCP and UDP traffic in those subnets, so users won't be able to get in to open ports, or really do much damage. However, ICMP is still allowed, so a large amount of device discovery and scouting can still be performed. An attacker would likely need another avenue in to actually run exploits, but they could get a shopping list of device names, IP addresses, and MAC addresses.

So yes, the restricted subnets are way better than nothing, but are still a bit 'leaky'.
http://community.spiceworks.com/topic/395624-unifi-guest-control-no-vlan-security
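The two isolation approaches discussed in this thread (avos' VLAN 3 / br1 tagging, and the UniFi "Restricted Subnets" behaviour JoeMcJoe and the quoted Spiceworks post describe) can be compared with a small packet-filter model. The following is an added example written for this page; it is not code from the thread, from Tomato or from Ubiquiti. It assumes the addresses used in the thread (private LAN 192.168.1.0/24 on br0 / VID 1, guest network 192.168.2.0/24 on VLAN 3 / br1) and models only the behaviour the posts state: the restricted-subnet policy drops guest TCP/UDP to the LAN but lets ICMP through, while the VLAN policy forwards nothing from the guest bridge to the LAN subnet. The sample packets are constructed, not captured.

```python
# Added example (not from the thread, Tomato or UniFi): a small packet-filter
# model comparing the guest-isolation approaches discussed in the thread.
# Addresses are assumptions taken from the thread, not measured values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")    # private LAN: untagged / VID 1, br0
GUEST = ip_network("192.168.2.0/24")  # guest subnet when VLAN 3 / br1 is used
GUEST_VLAN = 3


@dataclass(frozen=True)
class Packet:
    """One forwarded IP packet. `guest` marks a client on the guest SSID;
    `vlan` is the 802.1Q tag the frame carried (1 = untagged private LAN)."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    guest: bool
    vlan: int = 1


def restricted_subnets(pkt: Packet, restricted=(LAN,)) -> str:
    """Model of UniFi Guest Control 'Restricted Subnets' as the thread describes
    it: guest TCP/UDP to a restricted subnet is dropped, but other protocols
    such as ICMP are not filtered. Guests share the LAN subnet in this setup,
    so the source address is not consulted, only the guest flag."""
    dst = ip_address(pkt.dst)
    if pkt.guest and pkt.proto in ("tcp", "udp") and any(dst in n for n in restricted):
        return "drop"
    return "allow"


def vlan_isolation(pkt: Packet) -> str:
    """Model of the VLAN approach: guest frames arrive tagged VLAN 3 on br1 and
    the router forwards nothing from br1 to the LAN subnet, whatever the
    protocol. The decision keys on the tag the switch applied, not on anything
    the client says about itself."""
    if pkt.vlan == GUEST_VLAN and ip_address(pkt.dst) in LAN:
        return "drop"
    return "allow"


def lan_reachable_protocols(policy, guest_src="192.168.2.50") -> set:
    """Which protocols can a guest client use to reach a LAN host under `policy`?
    Sends one constructed probe per protocol from a guest client to a LAN host."""
    probes = [
        Packet(guest_src, "192.168.1.10", p, guest=True, vlan=GUEST_VLAN)
        for p in ("tcp", "udp", "icmp")
    ]
    return {p.proto for p in probes if policy(p) == "allow"}


def audit(policy, packets):
    """Return the packets `policy` lets through to a destination on the private LAN."""
    return [p for p in packets if ip_address(p.dst) in LAN and policy(p) == "allow"]


# Constructed sample traffic mix (not captured from a real network).
SAMPLE = [
    Packet("192.168.2.50", "192.168.1.10", "tcp", guest=True, vlan=3),   # guest -> LAN service
    Packet("192.168.2.50", "192.168.1.10", "icmp", guest=True, vlan=3),  # guest ping (discovery)
    Packet("192.168.2.50", "203.0.113.10", "tcp", guest=True, vlan=3),   # guest -> internet
    Packet("192.168.1.20", "192.168.1.10", "tcp", guest=False, vlan=1),  # LAN -> LAN
]

if __name__ == "__main__":
    for name, policy in (("restricted subnets", restricted_subnets),
                         ("VLAN 3 isolation", vlan_isolation)):
        reach = sorted(lan_reachable_protocols(policy)) or "nothing"
        print(f"{name}: a guest can reach LAN hosts via {reach}")
        for p in SAMPLE:
            print(f"  {p.proto:4} {p.src} -> {p.dst}: {policy(p)}")
```

Running it shows the difference the quoted post is making: under the restricted-subnet model a guest still gets ICMP answers from LAN hosts (enough for a ping sweep), while under the VLAN model nothing tagged 3 reaches 192.168.1.0/24 regardless of protocol. On a Linux-based router such as Tomato the VLAN policy corresponds to a forward rule that drops traffic entering on br1 with a destination in the LAN subnet; the exact rule and where it is applied are an assumption here, not something the thread shows.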
 

JoeMcJoe

Senior member
May 10, 2011
327
0
0
Yes, with the Unifi restricted network, the clients can still see some traffic and use apps like Fing to discover devices on the same network.

With the Unifi APs, you can tag a VLAN to a single SSID.

If you got the virtual wireless working ok on the router with SSID#1, then you could easily add SSID#1 to the Unifi too, using the same security.

I use Shibby Tomato also, but I don't use the Wifi on it; I have two Unifi APs. Sorry, I can't help you with that.
 

avos

Member
Jan 21, 2013
74
0
0
Are the checkboxes under tagged ever not grayed out? If that means the router doesn't support tagged traffic and only supports untagged traffic, you aren't going to be able to use different subnets for guest and private on the UniFi. At least not without a smart switch in between.
 