Ubiquity vs USGFlex700


All Replies

  • mMontana
    mMontana Posts: 1,304  Guru Member

    I think the part "explain and tell" was enough for a Zyxel competitor. I hope that this won't be considered impolite due to the place we are.

  • NoE
    NoE Posts: 30  Freshman Member
    edited March 2023

    So I have tried today many kinds of setup, but without desired outcome.

    Main try was to create VLAN on ZyWALL - VLAN8 in my case, which I have defined over interface ge8. The VLAN interface - vlan8 - was defined also as DHCP server with its own range - 192.168.8.x. The intent behind this was that I would define the corresponding Ubiquity SSID: ZsM_Internal via Ubiquity network Internal, which would be defined as pure VLAN-network - with the same VLAN ID as on ZyWALL interface ge8 - i.e. VLAN ID:8.

    This did not work.

    It is quite maddening to me, that whatever I tried, only the ZsM_Public worked, as this was defined as GUEST WiFi within Ubiquity. It seems to me that Ubiquity gives a **** about any setup over it. But perhaps it is my lack of knowledge, I do not know :-D

    What I have done - at least - is the separation of those WiFi packets by defining its own zone - LAN1 - within ZyWall:

    All of these ZyWALL interfaces - ge6, ge7, ge8 - are governed by zone LAN1:

    while interface:
    ge6 - Ubiquity PPoE switch is plugged into respective physical port of ZyWALL
    ge7 - DHCP pool of addresses 192.168.5.x for GUEST WiFi
    ge8 - DHCP pool of addresses 192.168.8.x for Intranet WiFi

    I have set also the Policy Control for LAN1 in very broad and general approach:

    with the intent then to restrict WiFi usage by "Policy Control" just to Internet related services together with DHCP services (so I would not fool Ubiquity controller):

    while I have defined Service Group "WiFi_allowed" like following:

    But this did not work at all - although I have got "Connected, Secured" when trying WiFi, no web page could be accessed.

    So I have deactivated these "Policy Control" (as seen in the screenshot)

    But even after deactivating it - so no restrictions are applied to the connection - no web page could be accessed.

    1. WiFi SSIDs are visible, one can connect to it and one gets "Connected, Secured" status of WiFi connection, however, in reality, no website loads - perhaps the group does not include a must needful bunch of services to achieve this
      OR
    2. LAN1 zone is somehow not enough, although I have set it very much like LAN zone - as you could see I have excluded ZyWALL from both Policies:
      1. LAN_Outgoing
      2. LAN_to_Device

    Thanks for any points, experiences with the similar challenges.

    NoE

  • PeterUK
    PeterUK Posts: 2,770  Guru Member

    That's where you're going wrong. When I say “one port on Zywall and VLAN the other subnets on it” I mean use ONE port like GE6, add a VLAN ON GE6 and another VLAN ON GE6; you don't need GE7 or 8.

  • NoE
    NoE Posts: 30  Freshman Member

    @PeterUK yes, you're right.

    I have proceeded with VLANs now, I have created two over ge6:

    Both VLANs and ge6 interface are within zone LAN1:

    The security policy of LAN1 is:

    The restriction via Policy Route to access only Internet works nicely:

    However the problem persists: only Guest WiFi defined over Default network profile within Ubiquity controller works.

    Even the almost same setup for Internal WiFi which is in fact creating new Ubiquity network "ZsM_Internal" with the SAME setup except for the IP address range…..and it does not work. Perhaps the issue stems from something Ubiquity specific.

  • PeterUK
    PeterUK Posts: 2,770  Guru Member
    edited March 2023

    Is the AP connected to the USG without a switch?

    Have you set up SSID on the given VLAN?

  • NoE
    NoE Posts: 30  Freshman Member
    edited March 2023

    All components of Unify network are interconnected via Unify switches. One of these switches is wired directly into ZyWALL port ge6.
    On ZyWALL's port ge6 DHCP server 192.168.4.x is defined which gives all Unify components IP from this range - this is behaving correctly.
    I am defining the SSID within Unify network only. I have not defined them within ZyWALL - I suppose this feature of ZyWALL is for standalone APs.

    I am thinking now about the way the packets from the two VLANs are routed and what is the GW for them.
    The switch USW-Flex-mini supports VLANs, so there should not be a problem.
    Not sure if I understand it correctly, but it seems to me that the GW for each VLAN is defined on ZyWALL as its starting IP:
    ge6/5: 192.168.5.1
    ge6/6: 192.168.6.1

    However, within Unify network the GWs are defined too for each Unify network - I have defined them as the very second IP from each VLAN network, defined by ZyWALL:
    GUEST WiFi:192.168.5.2
    INTERNAL WiFi:192.168.6.2

    Perhaps this is wrong - perhaps the main GW for WiFi - from the point of view of ZyWALL should be IP defined for ge6 interface:
    192.168.4.1
    So to have in control all the WiFi mess behind this IP and translate each IP from WiFi to IP from 192.168.4.x.

    Not sure, just thinking out loud.

  • NoE
    NoE Posts: 30  Freshman Member
    Answer ✓

    so after quite a time of thinking I have moved forward….

    I have left the two VLANs defined over interface ge6 as they were, together with DHCP servers defined over them:
    VLAN5: ge6/5: 192.168.5.1 - DHCP server with pool starting at 192.168.5.2
    VLAN6: ge6/6: 192.168.6.1 - DHCP server with pool starting at 192.168.6.2
    There is also 192.168.4.x DHCP subnet defined on ge6 itself - this subnet is dedicated to Ubiquity components - i.e. controller, switches and APs.

    I have then thought about the way the packets are flowing and for a while I have been afraid that the USW-Flex-Mini Unify switches, which I am using, are not supporting VLANs. I have read on the vendor's site that they are able to recognize VLANs, so I have relied upon that info.

    What proved to be most important was the need to define NEW "Switch port profile" within Unify Controller, as the network "Default" was using profile "Default" and when I have created the new network ZsM_Internal, this network was trying to use the same "Switch port profile", and this was a problem - at least I have understood it this way.

    So I have created the new "Switch port profile" "Intranet":

    and I have configured every port on every switch to handle ALL Ubiquity profiles and ALL Ubiquity networks:



    Then I have re-defined the WiFi networks within Unify Controller in such a way that their respective Gateways are THE SAME as the GWs over VLAN interfaces.

    I have then tried to set BOTH networks as DHCP relays. This was successful ONLY for the 1st - DEFAULT, which is a GUEST network.

    For the ZsM_Internal this was not possible, no matter what I have tried - the only configuration which is really working - i.e. WiFi is nicely broadcasting, and users are getting access to Internet over it is WITH DHCP server defined over it - seems to me a bit stupid as DHCP is already defined over VLAN6 on ge6/6, however, it works.

    So it is working, although I cannot figure out why, exactly…..
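
An added example, not part of any post above: a Python check of the address plan discussed in the thread, comparing each controller-side network with the firewall VLAN interface it rides on and flagging gateway and DHCP inconsistencies. The addresses and VLAN IDs are those quoted in the posts; the /24 masks, the pool size of 200, the DHCP mode of the first attempt, and all class, function and finding names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class FirewallVlan:          # VLAN interface as defined on the firewall
    vlan_id: int
    iface_ip: str            # /24 is assumed from "192.168.5.x"
    pool_start: str
    pool_size: int           # assumed; the thread gives only the pool start

@dataclass
class ControllerNet:         # network as defined in the Wi-Fi controller
    name: str
    vlan_id: int
    gateway: str
    dhcp_mode: str           # "server", "relay" or "none"

def check_plan(fw_vlans, ctl_nets):
    """Return (network name, finding) tuples for every inconsistency."""
    findings = []
    by_id = {v.vlan_id: v for v in fw_vlans}
    for net in ctl_nets:
        fw = by_id.get(net.vlan_id)
        if fw is None:       # tagged traffic would have no L3 interface
            findings.append((net.name, "vlan-not-on-firewall"))
            continue
        iface = ipaddress.ip_interface(fw.iface_ip)
        gw = ipaddress.ip_address(net.gateway)
        start = ipaddress.ip_address(fw.pool_start)
        if gw not in iface.network:
            findings.append((net.name, "gateway-outside-subnet"))
        elif gw != iface.ip:  # clients would route via a non-router address
            findings.append((net.name, "gateway-mismatch"))
        if start <= gw < start + fw.pool_size:
            findings.append((net.name, "gateway-in-dhcp-pool"))
        if net.dhcp_mode == "server":  # firewall VLAN already serves DHCP
            findings.append((net.name, "second-dhcp-server"))
    return findings

# Constructed from the values quoted in the thread.
FW = [FirewallVlan(5, "192.168.5.1/24", "192.168.5.2", 200),
      FirewallVlan(6, "192.168.6.1/24", "192.168.6.2", 200)]
FIRST_TRY = [ControllerNet("guest", 5, "192.168.5.2", "none"),
             ControllerNet("internal", 6, "192.168.6.2", "none")]
FINAL = [ControllerNet("guest", 5, "192.168.5.1", "relay"),
         ControllerNet("internal", 6, "192.168.6.1", "server")]

if __name__ == "__main__":
    for label, plan in (("first try", FIRST_TRY), ("final", FINAL)):
        print(label, check_plan(FW, plan))
```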
