Unifi CK Gen2, multisite, user groups and vlan

Hi there,

I have a bit of an odd situation. At site 1, we have Cisco switches, 1 CK Gen2, 1 Fortigate 100E firewall and an EdgeRouter for VPN tunnels to other sites.
We have 5 other sites, all using EdgeRouters with VPN tunnels to site 1.
Only site 1 has VLANs. The other sites do not.
Wi-Fi on all sites is managed by the CloudKey.
We want to create groups/rules, where users will have connection on wifi to only internet, or internet and voip, or internet and lan, etc.
How can this be done the best way?
I can’t find any documentation for the CK, other than a QSG, which does not show much.
Making rules or groups in the Forti firewall doesn’t make sense, since the other sites all have their own internet connection.
We are planning to switch out all the Edgerouters for Forti firewalls, but this will be somewhere in the future.
I know many will hate me for mentioning the Fortigate here, but it’s a management decision. pfSense is way cheaper, but we do not have local support for it, and I myself am not familiar with firewall setups.

All the rules would be done in the firewalls, not in the CloudKey.


That’s the problem. We don’t have firewalls at the other 5 sites. The EdgeRouters don’t have firewall functions, as far as I know.

Been a long time since I have played with an EdgeRouter, but I am fairly sure they do have firewall functions. As Tom said, there is not much to do in the CloudKey short of creating the SSIDs that are tagged on the VLANs you set up elsewhere.

Whatever you do, you are going to need a way to identify your clients to the firewall so that it knows which ACLs to apply.

My go-to would be to set up a VLAN per access group, drop a subnet on each VLAN and filter based on the subnet. You can then untag wired devices on the correct VLAN and create a separate SSID for each VLAN. Keep in mind that UniFi recommends 4 or fewer SSIDs per AP, so don’t go crazy.

You could do it by fixing IP addresses on client devices (via your DHCP server) as well, but that’s easier to work around if you are concerned about security (which you should be).

RADIUS would also be an option, but by the sounds of what you are saying it might be a bit over the top for your setup / available resources.
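As an added illustration of the "VLAN per access group, subnet per VLAN, filter on the subnet" approach above (this is not configuration from anyone in the thread, nor from Ubiquiti or Fortinet), here is what one of the remote sites could look like on its EdgeRouter in EdgeOS CLI terms. Everything site-specific is an assumption: the trunk port `eth1`, the VLAN IDs, the 10.1.x.0/24 subnets, and the premise that every site lives inside 10.0.0.0/8 so that "anything private" is the same as "LAN at this site or another site through the VPN tunnel". The UniFi side is only the matching SSIDs, each tagged with the VLAN ID in the controller.

```text
# Assumed addressing for one remote site (hypothetical values):
#   eth1            trunk to the switch and the UniFi APs
#   VLAN 10  10.1.10.0/24  wired LAN and the "internet and lan" SSID
#   VLAN 20  10.1.20.0/24  VoIP phones
#   VLAN 30  10.1.30.0/24  "internet and voip" SSID
#   VLAN 40  10.1.40.0/24  "internet only" SSID
# 10.0.0.0/8 is assumed to cover all six sites, so a destination inside
# ALL_PRIVATE means LAN or another site over the VPN, never the internet.

configure

# Address groups the rules refer to
set firewall group network-group ALL_PRIVATE description 'All internal and remote-site networks'
set firewall group network-group ALL_PRIVATE network 10.0.0.0/8
set firewall group network-group ALL_PRIVATE network 172.16.0.0/12
set firewall group network-group ALL_PRIVATE network 192.168.0.0/16
set firewall group network-group VOIP_NETS network 10.1.20.0/24

# One VLAN sub-interface per access group; wired devices are untagged
# on the right VLAN at the switch, Wi-Fi clients arrive via the tagged SSID
set interfaces ethernet eth1 vif 30 description 'Wi-Fi internet+voip'
set interfaces ethernet eth1 vif 30 address 10.1.30.1/24
set interfaces ethernet eth1 vif 40 description 'Wi-Fi internet only'
set interfaces ethernet eth1 vif 40 address 10.1.40.1/24

# Internet only: allow return traffic, drop anything private, accept the rest
set firewall name WIFI_INET_IN default-action accept
set firewall name WIFI_INET_IN rule 10 action accept
set firewall name WIFI_INET_IN rule 10 state established enable
set firewall name WIFI_INET_IN rule 10 state related enable
set firewall name WIFI_INET_IN rule 20 action drop
set firewall name WIFI_INET_IN rule 20 destination group network-group ALL_PRIVATE

# Internet + VoIP: same, but the phone subnet is allowed before the private drop
set firewall name WIFI_VOIP_IN default-action accept
set firewall name WIFI_VOIP_IN rule 10 action accept
set firewall name WIFI_VOIP_IN rule 10 state established enable
set firewall name WIFI_VOIP_IN rule 10 state related enable
set firewall name WIFI_VOIP_IN rule 20 action accept
set firewall name WIFI_VOIP_IN rule 20 destination group network-group VOIP_NETS
set firewall name WIFI_VOIP_IN rule 30 action drop
set firewall name WIFI_VOIP_IN rule 30 destination group network-group ALL_PRIVATE

# Traffic addressed to the router itself from these VLANs: DHCP and DNS only
set firewall name WIFI_LOCAL default-action drop
set firewall name WIFI_LOCAL rule 10 action accept
set firewall name WIFI_LOCAL rule 10 state established enable
set firewall name WIFI_LOCAL rule 10 state related enable
set firewall name WIFI_LOCAL rule 20 action accept
set firewall name WIFI_LOCAL rule 20 protocol udp
set firewall name WIFI_LOCAL rule 20 destination port 67
set firewall name WIFI_LOCAL rule 30 action accept
set firewall name WIFI_LOCAL rule 30 protocol tcp_udp
set firewall name WIFI_LOCAL rule 30 destination port 53

# 'in' filters what the VLAN's clients send to other networks,
# 'local' filters what they send to the router itself
set interfaces ethernet eth1 vif 30 firewall in name WIFI_VOIP_IN
set interfaces ethernet eth1 vif 30 firewall local name WIFI_LOCAL
set interfaces ethernet eth1 vif 40 firewall in name WIFI_INET_IN
set interfaces ethernet eth1 vif 40 firewall local name WIFI_LOCAL

# DHCP scopes and DNS forwarding for the two Wi-Fi VLANs
set service dhcp-server shared-network-name WIFI_VOIP subnet 10.1.30.0/24 default-router 10.1.30.1
set service dhcp-server shared-network-name WIFI_VOIP subnet 10.1.30.0/24 dns-server 10.1.30.1
set service dhcp-server shared-network-name WIFI_VOIP subnet 10.1.30.0/24 start 10.1.30.100 stop 10.1.30.200
set service dhcp-server shared-network-name WIFI_INET subnet 10.1.40.0/24 default-router 10.1.40.1
set service dhcp-server shared-network-name WIFI_INET subnet 10.1.40.0/24 dns-server 10.1.40.1
set service dhcp-server shared-network-name WIFI_INET subnet 10.1.40.0/24 start 10.1.40.100 stop 10.1.40.200
set service dns forwarding listen-on eth1.30
set service dns forwarding listen-on eth1.40

commit
save
```

Two points worth checking when adapting this: the "drop private" rule must list the subnets of every site reachable through the VPN tunnels, not just the local ones, otherwise an "internet only" client at a remote site can still reach site 1 over the tunnel; and the same ruleset has to be repeated on each of the six firewalls, because each site has its own internet breakout, which is exactly the per-site duplication the thread describes.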

Using Fortigate is a wise decision.
Replacing EdgeRouters with Fortigate is an even wiser decision :)

Now, as said by Tom and others, at the moment you will need to create your firewall rules independently on each firewall (1 x FG100E and 5 x EdgeRouter) to manage the access at each of your sites.

Once you have migrated all your EdgeRouters to Fortigate, you will be able to manage them all from one console, either online or via FortiManager. And if you want to extend your Wi-Fi capabilities, another wise decision will be to replace your Ubiquiti APs with FortiAPs (much more capable and powerful access points from Fortinet; look at the specs for the FortiAP 321E, for example), and the management of all your infrastructure will be greatly simplified and much more secure than it is now.