Isolating a VLAN on Unifi switches

On a Unifi Aggregation Switch Pro and Unifi 7.2.94, I want to create a VLAN that is completely isolated from any other VLANs, tagged or untagged.

Note that I am not using any Unifi Gateway, just the switches and APs and a locally hosted controller (I use PFSense as the firewall/router).

Say I want to make VLAN 50 isolated from all others. So even if, on another VLAN, I set my computer to use VLAN 50 (tagged), the switch would not allow me to access any hosts on VLAN 50 or pass packets to those ports I have designated as VLAN 50 (untagged).

When I create a port profile, I can select the VLAN-only network for VLAN 50 as the Native Network.

On the pull-down below, it asks which tagged networks are allowed. This field seems to default to “Select All” and there is no option for “none”. That seems to allow tagged access.

Or would I approach it differently, creating a profile that allows all tagged VLANs except VLAN 50 and assigning every other port in my entire network to use it? That seems error prone enough to be unreliable.

How can I configure things to reliably achieve what I am trying to do?

P.S. If you are wondering what I am trying to achieve, I am trying to use VLAN 50 to pass my ISP fiber wan connection over to the WAN port on the PFSense firewall. I am unable to plug that fiber directly into the firewall because its SFP port won’t come up unless I pass it through a switch first. I’m trying to avoid having to use a separate physical switch for this purpose.

What you’re trying to do is perfectly achievable. I’m doing this for the similar purpose of connecting my modem to the virtualized firewall.

In fact, you can think of a VLAN-capable switch logically as a bunch of independent unmanaged switches. An untagged switch port would correspond to a port on that network’s switch. A trunk port (multiple tagged VLANs and possibly an untagged VLAN) can be thought of as running a cable from each tagged network’s switch to the same computer and plugging into distinct NICs there. People (in general, I’m not trying to single you out specifically) often seem to understand that analogy of the multiple switches just fine, while struggling to understand the concept of VLANs.

So what you need to do in Unifi is simply to add a new network of type “Third-party Gateway” (formerly known as “VLAN only” or something the like) and then select that for the port profile on each port you want to connect. There is no need to create a separate port profile, as there are implicit port groups for each network already, which have that network untagged and don’t contain any tagged networks.

If you absolutely want to create a port group for this, that’s also possible. There seems to be some confusion about the selector for the “Allowed Networks”. The “Select All” you’re seeing isn’t an option itself; instead, if you click it, it will select all the individual networks. Networks that are actually selected will appear in a little bubble inside the input field, like in this example:

1 Like
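As an added example (not part of the thread or of any Ubiquiti software), here is the “independent unmanaged switches” picture from the answer as a toy 802.1Q forwarding model in Python: a port profile is one native (untagged) network plus a set of tagged “Allowed Networks”, and the audit shows why a port whose tagged list includes VLAN 50 (the “Select All” case) breaks the isolation the question asks for, while the implicit per-network profile (native 50, no tagged networks) does not. Port names and the VLAN numbers other than 50 are constructed.

```python
from dataclasses import dataclass

# Simplified 802.1Q model (added example, hypothetical names): no MAC learning,
# every admitted frame is flooded to all other member ports of its VLAN.


@dataclass(frozen=True)
class PortProfile:
    native_vlan: int
    tagged_vlans: frozenset = frozenset()  # the "Allowed Networks" bubbles

    def members(self) -> frozenset:
        # A port is a member of its native VLAN and of every tagged VLAN on it.
        return self.tagged_vlans | {self.native_vlan}

    def classify(self, vlan, tagged):
        # Ingress: an untagged frame is placed in the native VLAN; a tagged frame
        # is accepted only for a VLAN the port is a member of, otherwise dropped.
        if not tagged:
            return self.native_vlan
        return vlan if vlan in self.members() else None


def forward(ports, ingress, vlan=None, tagged=False):
    """Ports a frame entering `ingress` would be flooded to (empty set = dropped)."""
    vid = ports[ingress].classify(vlan, tagged)
    if vid is None:
        return frozenset()
    return frozenset(p for p, prof in ports.items() if p != ingress and vid in prof.members())


def leaks(ports, isolated_vlan, designated):
    """Ports outside `designated` that carry `isolated_vlan`, tagged or untagged."""
    return frozenset(p for p, prof in ports.items()
                     if p not in designated and isolated_vlan in prof.members())


# Constructed topology: the poster's ISP-to-pfSense WAN hand-off on VLAN 50.
ISOLATED = 50
DESIGNATED = {"port1_isp_fiber", "port2_pfsense_wan"}
BAD = {
    "port1_isp_fiber":   PortProfile(native_vlan=50),              # implicit network profile
    "port2_pfsense_wan": PortProfile(native_vlan=50),              # implicit network profile
    "port3_desktop":     PortProfile(1, frozenset({10, 20, 50})),  # "Select All" was clicked
    "port4_ap_trunk":    PortProfile(1, frozenset({10, 20})),
}
GOOD = dict(BAD, port3_desktop=PortProfile(1, frozenset({10, 20})))  # VLAN 50 removed

if __name__ == "__main__":
    print("leaks before:", sorted(leaks(BAD, ISOLATED, DESIGNATED)))   # ['port3_desktop']
    print("tagged 50 from desktop reaches:", sorted(forward(BAD, "port3_desktop", 50, True)))
    print("leaks after:", sorted(leaks(GOOD, ISOLATED, DESIGNATED)))   # []
```

Running `leaks` over an export of your real port profiles is the check to make before trusting the WAN VLAN: any port other than the two designated ones that appears in the result can inject into or sniff the unfiltered ISP segment.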

Perfect Paolo. That makes a lot of sense.