Ubiquiti vs USG Flex 700

NoE
NoE Posts: 30  Freshman Member
edited March 2023 in Security

Hello,

I use a USG Flex 700 and I want to set up Ubiquiti WiFi.

I have set up some IP address pools on the USG Flex:

The first pool is an interface defined as DHCP for 192.168.4.0/24, to which the Ubiquiti switch is plugged, and into which the UniFi Controller and all APs are plugged (all of them are on the 192.168.4.0 subnet).

I have then defined two IP address pools (via DHCP on those interfaces):

ge7: 192.168.5.0 - this is reserved for Guest-like access to the Ubiquiti WiFi network
ge8: 192.168.6.0 - this is reserved for INTERNAL-like access to the Ubiquiti WiFi network.

NOTE: no cables are plugged into ports ge7 and ge8 - the interfaces are used just as points to define the respective IP pools over them, so the USG Flex can recognize packets from those two networks, which are supposed to be used only for WiFi access.

So, I have then defined two WiFi SSIDs on the Ubiquiti UniFi Controller:

which are mapped to two defined WiFi networks:

The network Default is mapped to the Guest WiFi, and this Guest WiFi has the GUEST profile within Ubiquiti - it means that the network is totally isolated from the rest of the subnets; yet the DHCP defined via Ubiquiti can provide IP addresses, and those client IPs are recognized at the USG Flex because the related pool is defined there - at least this is my reasoning why the users connected to this Guest WiFi do have a connection to the Internet.

So, this is fine till now :-)

What I need and what I am trying to achieve, so far without any success, is to have the ZsM_Internal WiFi be really internal, i.e. able to connect to other machines/services etc. on the Intranet network, which is the 192.168.1.0 network:

I am really at my wits' end trying…. :-) Please help.

Dusan

Accepted Solution

  • NoE
    NoE Posts: 30  Freshman Member
    Answer ✓

    So after quite some time of thinking I have moved forward….

    I have left the two VLANs defined over interface ge6 as they were, together with the DHCP servers defined over them:
    VLAN5: ge6/5: 192.168.5.1 - DHCP server with pool starting at 192.168.5.2
    VLAN6: ge6/6: 192.168.6.1 - DHCP server with pool starting at 192.168.6.2
    There is also a 192.168.4.x DHCP subnet defined on ge6 itself - this subnet is dedicated to the Ubiquiti components, i.e. controller, switches and APs.

    I have then thought about the way the packets are flowing, and for a while I was afraid that the USW-Flex-Mini UniFi switches which I am using do not support VLANs. I have read on the vendor's site that they are able to recognize VLANs, so I have relied upon that info.

    What proved to be most important was the need to define a NEW "Switch port profile" within the UniFi Controller, as the network "Default" was using the profile "Default", and when I created the new network ZsM_Internal, this network was trying to use the same "Switch port profile", and this was a problem - at least I have understood it this way.

    So I have created the new "Switch port profile" "Intranet":

    and I have configured every port on every switch to handle ALL Ubiquiti profiles and ALL Ubiquiti networks:

    Then I have re-defined the WiFi networks within the UniFi Controller in such a way that their respective gateways are THE SAME as the GWs over the VLAN interfaces.

    I have then tried to set BOTH networks as DHCP relays. This was successful ONLY for the 1st - DEFAULT, which is a GUEST network.

    For the ZsM_Internal this was not possible, no matter what I tried - the only configuration which is really working, i.e. WiFi is nicely broadcasting and users are getting access to the Internet over it, is WITH a DHCP server defined over it - it seems to me a bit stupid, as DHCP is already defined over VLAN6 on ge6/6; however, it works.

    So it is working, although I cannot figure out why, exactly…..


All Replies

  • mMontana
    mMontana Posts: 1,389  Guru Member

    So. ge2 should communicate with ge8. Am I correct?

    As with most firewall software, Zyxel ZLD has on top of interfaces a "higher" level of grouping called "zones". On Zyxel devices, the default names should be Lan1, Lan2, DMZ, Guest; some devices have a Wireless zone too, but don't quote me on that.
    You can identify that in the Security Policies: you are asked for zones, then interfaces, then "ip objects" like ranges, subnets, IPs, whatever.

    You can also see the zone assigned to the interface by editing the interface itself; unfortunately, by default Zyxel assigns the same name to interfaces and zones, but whatever. You can assign more interfaces to the same zone, but only one zone for any interface.

    As a default setting, the LAN1 and LAN2 zones are allowed to communicate without hassle. Routing is automatically defined when editing the interfaces and their IP address, and the policy is there. So maybe assigning ge2 to the LAN1 zone and ge8 to the LAN2 zone, if the security policy was not completely zapped away, should do the trick.
    Zones can be customized and can be added, but only when interfaces are available. Zyxel firmware considers VLANs and more things to be "interfaces" too.
    This… at least as a fast explanation.

    Otherwise, if you want ge2 and ge8 on the same subnet (that would get rid of the need for a security policy and routing policy between these two), you have to create a bridge between them, but long story short, I strongly advise against that choice.

    I'd love to see the outcome of your issue, if possible.

    Have a lot of fun, your setup seems really promising from the devices here shared.
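To make the zone-over-interface layering concrete, here is an added Python model (not Zyxel code and not from this thread) of how first-match zone-pair policies decide traffic between the subnets discussed above; the zone names, the Guest zone for ge6/5 and the policy list are assumptions standing in for a USG Flex default configuration.

```python
import ipaddress

# Constructed interface table modelled on the thread's subnets; each interface
# (VLAN sub-interfaces included) carries exactly one zone. Zone names and the
# Guest zone for ge6/5 are assumptions, not a real USG Flex configuration.
INTERFACES = [
    ("ge2",   "LAN1",  "192.168.1.0/24"),   # existing Intranet
    ("ge6",   "LAN2",  "192.168.4.0/24"),   # UniFi controller, switches, APs
    ("ge6/5", "Guest", "192.168.5.0/24"),   # VLAN5, Guest WiFi
    ("ge6/6", "LAN2",  "192.168.6.0/24"),   # VLAN6, Internal WiFi
]

# Assumed zone-pair policies: evaluated top-down, first match wins, default deny.
POLICIES = [
    ("LAN1", "LAN1", "allow"), ("LAN2", "LAN2", "allow"),
    ("LAN1", "LAN2", "allow"), ("LAN2", "LAN1", "allow"),
    ("LAN1", "WAN", "allow"), ("LAN2", "WAN", "allow"),
    ("Guest", "WAN", "allow"),   # guests reach the Internet and nothing local
]

def build_tables(interfaces):
    """Enforce one zone per interface and return (zone_of, nets) lookups."""
    zone_of, nets = {}, []
    for name, zone, cidr in interfaces:
        if name in zone_of:
            raise ValueError(f"interface {name} is assigned to two zones")
        zone_of[name] = zone
        nets.append((ipaddress.ip_network(cidr), name))
    # Longest prefix first, so a more specific subnet beats an overlapping one.
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return zone_of, nets

def zone_for_ip(ip, zone_of, nets):
    """Map an address to a zone via the interface whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for net, iface in nets:
        if addr in net:
            return zone_of[iface]
    return "WAN"  # anything outside the local subnets is treated as Internet

def decide(src_ip, dst_ip, interfaces=INTERFACES, policies=POLICIES):
    """Return 'allow' or 'deny' for a flow, using zone-pair policies only."""
    zone_of, nets = build_tables(interfaces)
    src_zone = zone_for_ip(src_ip, zone_of, nets)
    dst_zone = zone_for_ip(dst_ip, zone_of, nets)
    for frm, to, action in policies:
        if (frm, to) == (src_zone, dst_zone):
            return action
    return "deny"
```

With these tables, a VLAN6 (Internal WiFi) client reaches the 192.168.1.0/24 Intranet because both sides sit in LAN-type zones that the default policies pair, while a VLAN5 guest gets only the Internet.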

  • NoE
    NoE Posts: 30  Freshman Member

    @mMontana thanks for your answer.

    Yes, the zones…. perhaps this will be the key - I have assigned ge8 to the LAN zone, the default Zyxel zone, but I am not 100% sure if this zone is the same as for interface ge2 (I left the customer's building just half an hour ago, so I cannot check at the moment).

    I like your hint, pretty obvious, that ge2 should communicate with ge8 - perhaps I was too desperate from so much trying to realize this….

    Thanks again, I will try to play with the zone assignments…

  • mMontana
    mMontana Posts: 1,389  Guru Member

    Little hint: scoop deep into Security Policies before design editing ;)

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited March 2023

    You could use one port on the Zywall and VLAN the other subnets on it, each with their own zone.

  • NoE
    NoE Posts: 30  Freshman Member
    edited March 2023

    @PeterUK I did something similar as one of many tries: I defined VLAN6 within ge8, where a pool of addresses is defined: 192.168.6.0/24 for the Intranet WiFi IPs, and then I defined the WiFi network ZsM_Internal within Ubiquiti as "VLAN only" with the same VLAN ID, i.e. 6.
    It did not help.

    So perhaps I would try your approach to have - for example two VLANs:
    VLAN5 for Guest WiFi IPs
    VLAN6 for Intranet WiFi IPs
    and both VLANs would be guarded by some new zone - for example:
    WiFi_LAN
    for which I can try to define policies similar to policies for LAN zone….

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited March 2023

    I've never used a Ubiquiti AP, but if it can run in standalone mode and supports VLANs for a given SSID, it should work.

    Do you have a switch doing PoE? As you need to set up VLANs on that.

  • mMontana
    mMontana Posts: 1,389  Guru Member

    Unifi Ubiquiti APs are centrally managed by a software/server installed on a computer or a "key" which is a… PoE powered computer with a dedicated Debian-based Distro.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    …so using any PoE will not work with Ubiquiti AP?

  • mMontana
    mMontana Posts: 1,389  Guru Member

    I'm sorry, PeterUK, but I think I can't completely get your question. If you'll rephrase it I might provide you a better answer.

    Ubiquiti UniFi switches and APs are PoE compliant; in detail, UniFi APs are PoE-powered only (an injector/power adapter is in the box) and work correctly with other PoE-compliant switches.
    However, using UniFi gear only, this can be centrally configured through the software. I hope this sheds some light and gives useful information to you.

  • NoE
    NoE Posts: 30  Freshman Member
    edited March 2023

    @mMontana @PeterUK Ubiquiti has a different design from the rest of the WiFi manufacturers. The master of masters is always the so-called "UniFi Controller", which is sold as a hardware black box, or it can be installed as a server-like system on some machine (but this is really cumbersome).
    Another powerful and useful component within a Ubiquiti network is the Ubiquiti PoE switch - I have a few of them in the customer's network. All APs are cabled to that switch.
    All components of the Ubiquiti network are PoE.
    Such a network is then nicely manageable.

    The UniFi Controller guards everything in the Ubiquiti network. All APs are managed from this single point; all VLANs, all DHCPs, all restrictions, SSIDs, IPs, all component setup is managed from this place - via the web interface. The screenshots I have provided are from this web interface.
