Timestamps
00:00 - UniFi Changes to Port VLAN Traffic Restrictions
00:48 - UniFi Default Port VLAN Settings
03:41 - When to use VLAN Traffic Restrictions
04:25 - Where to Set The VLAN Traffic Restrictions
#!/bin/bash
# Check for necessary tools
command -v figlet >/dev/null 2>&1 || { echo >&2 "figlet is not installed. Exiting."; exit 1; }
command -v lolcat >/dev/null 2>&1 || { echo >&2 "lolcat is not installed. Exiting."; exit 1; }

# Function to fetch the current local IP
get_local_ip() {
    # Get the name of the primary network interface (the one carrying the default route)
    local interface
    interface=$(ip route | grep default | awk '{print $5}' | head -n1)
    # Fetch the IPv4 address of that interface and add spaces around dots so figlet renders them legibly
    ip -4 addr show "$interface" | grep 'inet' | awk '{print $2}' | cut -d'/' -f1 | sed 's/\./ . /g'
}

# Function to refresh the display
refresh_display() {
    # Clear the terminal screen
    clear
    # Display the current local IP with figlet and color it with lolcat
    figlet "Local Address:" | lolcat
    figlet "$(get_local_ip)" | lolcat
}

# Display initially
refresh_display

# Wait for space bar to refresh
while true; do
    read -n1 -r
    if [[ $REPLY == ' ' ]]; then
        refresh_display
    fi
done
Thank you for this video, Tom! After watching, I now realize there is no way to prevent VLAN hopping with the UniFi Flex Mini switches. This is because these switches do not support traffic restrictions. Below is a screenshot of the Port Manager screen for my UniFi Flex Mini switch. As you can see, there is no option to set traffic restrictions.
After seeing this, I thought it might be possible to “back door” traffic restrictions into the configuration via an Ethernet Port Profile. Unfortunately, when trying this, I see an error message stating:
This profile cannot be assigned since it includes traffic restrictions UniFi Flex Mini #3 cannot support.
After testing, I confirmed I was able to connect to a VLAN not present in the Primary Network field by simply changing the VLAN used on a client NIC.
I am very disappointed that the UniFi Flex Mini switches cannot support true network segmentation. I am also disappointed about how misleading the text included underneath the Primary Network field is. It clearly states “Only Home (2) network traffic will be allowed” when this is not true. After hovering over the “i” logo, I see a message that is more accurate:
The “Primary Network” is the Native VLAN that is used for untagged traffic (not tagged with a VLAN ID).
Untagged traffic will be tagged with the VLAN set by the Primary Network field. Tagged traffic, without traffic restrictions, will simply be allowed through.
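The ingress behaviour described in that tooltip (untagged frames land on the Primary Network VLAN; tagged frames pass through untouched unless the port enforces traffic restrictions) can be modelled to audit which VLANs a client could reach from a given port. The following is an added example, not the poster's or Ubiquiti's code: the port profiles, the VLAN IDs other than Home (2), and the `traffic_restrictions` flag are constructed assumptions standing in for the real controller settings.

```python
"""Model of per-port VLAN admission with and without traffic restrictions.

Added example with constructed values; it is not UniFi code and only
reproduces the behaviour described in the Primary Network tooltip.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PortProfile:
    # Native VLAN: untagged frames are placed on this VLAN.
    primary_vlan: int
    # Whether the switch enforces a tagged-VLAN allow-list on this port.
    # Assumed False for a switch that lacks the feature (e.g. the Flex Mini).
    traffic_restrictions: bool
    # Tagged VLANs permitted when restrictions are enforced.
    allowed_tagged: frozenset = frozenset()


def ingress_vlan(profile, frame_tag):
    """Return the VLAN a frame is forwarded on, or None if it is dropped."""
    if frame_tag is None:
        # Untagged traffic is tagged with the Primary Network VLAN.
        return profile.primary_vlan
    if not profile.traffic_restrictions:
        # Without restrictions any 802.1Q tag is simply allowed through.
        return frame_tag
    # With restrictions only the explicitly allowed tags are accepted.
    return frame_tag if frame_tag in profile.allowed_tagged else None


def reachable_vlans(profile, candidate_vlans):
    """VLANs a host on this port can reach by tagging (or not tagging) its frames."""
    reach = {ingress_vlan(profile, None)}
    for vlan in candidate_vlans:
        forwarded = ingress_vlan(profile, vlan)
        if forwarded is not None:
            reach.add(forwarded)
    return reach


def audit(profiles, candidate_vlans):
    """Per port, list VLANs reachable beyond primary + allowed list (empty = properly segmented)."""
    findings = {}
    for name, profile in profiles.items():
        intended = {profile.primary_vlan} | set(profile.allowed_tagged)
        findings[name] = sorted(reachable_vlans(profile, candidate_vlans) - intended)
    return findings


if __name__ == "__main__":
    # Constructed VLAN inventory: Home (2) is from the post, the others are assumed.
    vlans = [1, 2, 10, 20]
    ports = {
        "flex-mini-port-3": PortProfile(primary_vlan=2, traffic_restrictions=False),
        "restricted-port": PortProfile(primary_vlan=2, traffic_restrictions=True),
    }
    for port, extra in audit(ports, vlans).items():
        print(f"{port}: unintended VLANs reachable -> {extra or 'none'}")
```

Run with no arguments to see the two constructed ports side by side: the unrestricted port exposes every VLAN in the inventory, while the restricted port with an empty allow-list exposes only its primary VLAN.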
I had to make a minor tweak to the script to get the display working correctly, specifically adding the “-t” command line option to the figlet command:
# Display the current local IP with figlet and color it with lolcat
figlet -t "Local Address:" | lolcat
figlet -t "$(get_local_ip)" | lolcat
Worked fine after that.
The video contents are helping me as I plan the transition from a patchwork of switches to a 48-port UniFi switch. Appreciate the walkthrough.