UniFi: How to Securely Configure Switch Port VLAN Traffic Restrictions and Avoid VLAN Hopping [YouTube Release]

Additional Resources:

Connecting With Us

Lawrence Systems Shirts and Swag

►👕 https://lawrence.video/swag/

AFFILIATES & REFERRAL LINKS

Amazon Affiliate Store
:shopping_cart: Lawrence Systems's Amazon Page

All Of Our Affiliates that help us out and can get you discounts!
:shopping_cart: https://www.lawrencesystems.com/partners-and-affiliates/

Gear we use on Kit
:shopping_cart: Kit

Use OfferCode LTSERVICES to get 10% off your order at
:shopping_cart: Tech Supply Direct - Refurbished Tech at Unbeatable Prices

Digital Ocean Offer Code
:shopping_cart: DigitalOcean | Cloud Hosting for Builders

HostiFi UniFi Cloud Hosting Service
:shopping_cart: HostiFi - UniFi Cloud Hosting

Protect your privacy with a VPN from Private Internet Access
:shopping_cart: Buy VPN with Credit Card or PayPal | Private Internet Access

Patreon
:moneybag: lawrencesystems | creating Tech Tutorials & Reviews | Patreon

Timestamps
00:00 - UniFi Changes to Port VLAN Traffic Restrictions
00:48 - UniFi Default Port VLAN Settings
03:41 - When to use VLAN Traffic Restrictions
04:25 - Where to Set The VLAN Traffic Restrictions

#unifi #networking

The bash script for displaying the IP address

#!/bin/bash

# Check for necessary tools
command -v figlet >/dev/null 2>&1 || { echo >&2 "figlet is not installed. Exiting."; exit 1; }
command -v lolcat >/dev/null 2>&1 || { echo >&2 "lolcat is not installed. Exiting."; exit 1; }

# Function to fetch the current local IPv4 address
get_local_ip() {
    # Get the name of the interface that carries the default route
    local interface
    interface=$(ip route | awk '/^default/ {print $5; exit}')

    # Fetch the IPv4 address of that interface and add spaces around dots
    # (spaces keep figlet from rendering the dots as a solid run)
    ip -4 addr show "$interface" | awk '/inet / {print $2}' | cut -d'/' -f1 | sed 's/\./ . /g'
}

# Function to refresh the display
refresh_display() {
    # Clear the terminal screen
    clear

    # Display the current local IP with figlet and color it with lolcat
    figlet "Local  Address:" | lolcat
    figlet "$(get_local_ip)" | lolcat
}

# Display initially
refresh_display

# Wait for space bar to refresh
while true; do
    read -n1 -r
    if [[ $REPLY == ' ' ]]; then
        refresh_display
    fi
done

Thank you for this video, Tom! After watching, I now realize there is no way to prevent VLAN hopping with the UniFi Flex Mini switches. This is because these switches do not support traffic restrictions. Below is a screenshot of the Port Manager screen for my UniFi Flex Mini switch. As you can see, there is no option to set traffic restrictions.
[screenshot: Port Manager screen for the UniFi Flex Mini, showing no traffic restriction option]

After seeing this, I thought it might be possible to “back door” traffic restrictions into the configuration via an Ethernet Port Profile. Unfortunately, when trying this, I see an error message stating:

This profile cannot be assigned since it includes traffic restrictions UniFi Flex Mini #3 cannot support.

After testing, I confirmed I was able to connect to a VLAN not present in the Primary Network field by simply changing the VLAN used on a client NIC.

I am very disappointed that the UniFi Flex Mini switches cannot support true network segmentation. I am also disappointed about how misleading the text included underneath the Primary Network field is. It clearly states “Only Home (2) network traffic will be allowed” when this is not true. After hovering over the “i” logo, I see a message that is more accurate:

The “Primary Network” is the Native VLAN that is used for untagged traffic (not tagged with a VLAN ID).

Untagged traffic will be tagged with the VLAN set by the Primary Network field. Tagged traffic, without traffic restrictions, will simply be allowed through.
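The forwarding behaviour that reply describes, written out as a small audit model (an added example, not UniFi code or the poster's script; the port names, VLAN numbers and the "supports_restrictions" flag are constructed assumptions). It answers the defender's question for each port: which VLANs can a single host reach just by choosing the tag on its NIC?

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class SwitchPort:
    """One access port as described in the thread (constructed model, not UniFi's data)."""
    name: str
    native_vlan: int                           # the "Primary Network" (native VLAN)
    supports_restrictions: bool = True         # False models the Flex Mini
    allowed_tagged: Optional[Set[int]] = None  # None = no traffic restriction configured

def ingress_vlan(port: SwitchPort, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame lands in, or None if the port drops it. tag=None is an untagged frame.

    Untagged -> native VLAN. Tagged -> forwarded unless an effective restriction excludes it.
    """
    if tag is None:
        return port.native_vlan
    if port.allowed_tagged is None or not port.supports_restrictions:
        return tag  # no effective restriction: any tag the client picks is forwarded
    return tag if tag in port.allowed_tagged else None

def reachable_vlans(port: SwitchPort, vlans_on_trunk: Set[int]) -> Set[int]:
    """Every VLAN a host on this port can reach by sending untagged or any tag carried to the switch."""
    candidates = [None, *sorted(vlans_on_trunk)]
    return {v for v in (ingress_vlan(port, t) for t in candidates) if v is not None}

def audit(ports: List[SwitchPort], vlans_on_trunk: Set[int]) -> List[str]:
    """Flag ports where a host can reach VLANs beyond its Primary Network."""
    findings = []
    for p in ports:
        extra = reachable_vlans(p, vlans_on_trunk) - {p.native_vlan}
        if extra:
            why = "restrictions unsupported" if not p.supports_restrictions else "no restriction set"
            findings.append(f"{p.name}: host can also reach VLANs {sorted(extra)} ({why})")
    return findings

if __name__ == "__main__":
    NETWORKS = {1, 2, 10, 20}  # constructed: VLANs carried to the switch
    ports = [
        SwitchPort("FlexMini-3/port1", native_vlan=2, supports_restrictions=False),
        SwitchPort("USW-48/port7", native_vlan=2),                       # restriction never set
        SwitchPort("USW-48/port8", native_vlan=2, allowed_tagged={2}),  # "Only Home (2)" enforced
    ]
    for line in audit(ports, NETWORKS):
        print(line)
```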

@LTS_Tom what’s the benefit of using this way of Traffic Restrictions rather than using Ethernet Port Profiles?

Port profiles are just a way to create a template with settings such as the traffic restrictions and apply it to a group of ports.

I had to make a minor tweak to the script to get the display working correctly, specifically adding the “-t” command line option to the figlet command:

# Display the current local IP with figlet and color it with lolcat
figlet -t "Local  Address:" | lolcat
figlet -t "$(get_local_ip)" | lolcat

Worked fine after that.

The video contents are helping me as I plan the transition from a patchwork of switches to a 48 port unifi switch. Appreciate the walkthrough.
