I am coming up with a design for an update to an existing network where we have pfSense for the router and pro series switches from Unifi for network VLANs. The current network has 4 VLANs:
Untagged - Unifi Management
10 - PC (Managed PCs and Macs)
15 - IOT (Printers and other IOT devices)
30 - Servers (DNS, Time, Synology NAS)
The router is set up with a Netgate 1537 rack mount using one of the SFP+ for the WAN and the other SFP+ for 10 Gb to the switch. The solution has been working well, but now they want to add cameras and an NVR to the solution, and they look like they are falling on using a new Synology for that purpose.
I was thinking of creating a new VLAN for the cameras and putting the new Synology on the server network, but that would put a lot of work on the pfSense box to route the traffic. An alternative I would see is to create a Layer 3 switch configuration with ACLs between the new camera network and the server network, but good documentation on Layer 3 configuration is sparse.
I have been trying to convince the client that putting the Synology and cameras on the same new VLAN would be a better solution, but there is still the need to route video to the PC network for viewing.
I would like to test the configurations out in the lab and am wondering if anyone can provide a good resource on configuring Layer 3 on the switch while using an external router for regular VLAN traffic.