VLAN isolation fails with Unifi Switch, Unifi Access points and 3rd Party firewall (Sophos XGS)

I fail to isolate Unifi VLANs that are connected to a single port of my SOPHOS XGS firewall.

Only Cloudkey (Controller V8) is used, no USG, DREAMMACHINE or other Unifi Security Gateway is used.

WIFI clients connect to different SSIDs and get IP addresses in the correct range. VLANs and DHCP servers are defined on SOPHOS.

But clients and the gateways in neighbouring VLANs are visible and can be pinged.
The pings seem to be routed on the Unifi switches and not to arrive at the Sophos firewall port (no traffic on the Sophos, and DROP ALL rules for inter-VLAN traffic on the Sophos firewall are ignored).

I tried with GUEST, L2 isolation and any other setting, but I cannot prevent VLAN hopping.
Question: Do I need a Unifi security gateway to define Unifi firewall rules (e.g. drop all LAN-2-LAN) to get the VLAN isolation working?

A while back, they changed the way you configure the native and tagged VLANs. It now looks like this:


“Native VLAN” is what you would expect, but for “Tagged VLAN Management” the options of “Allow All” and “Block All” are named a bit confusingly in my opinion. Also it defaults to “Allow All”, so all VLANs are tagged. For access ports, you presumably want to set it to “Block All”, which means any incoming tagged packets on that port will be dropped.

That being said, I don’t believe Unifi switches, even ones with L3 routing capability, will route any traffic between networks with just that option. So this doesn’t really seem like it applies to your situation, as a client would actually have to be VLAN-aware and set the VLAN ID in the frame which most clients don’t do out of the box.

I see no problems when I assign a single VLAN to a switch port - change the native VLAN to the desired VLAN and select “block all”. Works fine if only a single VLAN is assigned to a port, e.g. for a server.

But I do not get it working for Access Points, which publish several SSIDs like a TRUNK PORT.

In the past I always did Unifi setups with a USG or other security gateway devices and cannot recall having this problem. I recall having firewall rules “Drop all” from source “LAN GROUP VLAN100,220,230” to destination “LAN GROUP VLAN100,220,230” to block all traffic between VLANs.
Also guest network isolation was set up automatically, captive portal included.

So I was wondering if inserting a USG might solve my problem.
→ Will the USG firewall rules only be applied to traffic that goes through the USG interfaces, or will the USG allow defining rules that are executed on the switches?

On the Sophos I have

  • Port 8 native LAN (VLAN1) with DHCP scope 192.168.100.10-200 / GW is 192.168.100.254
  • Port8.220 VLAN with ID 220 and DHCP scope 192.168.220.10-200 / GW is 192.168.220.254
  • Port8.230 VLAN with ID 230 and DHCP scope 192.168.220.10-200 / GW is 192.168.230.254

So when unboxing the Unifi gear, all devices get their IPs in the 192.168.100.x range:

  • Cloudkey 192.168.100.14
  • Switch 192.168.100.10

In the unifi controller I have

  • Network “DEFAULT” VLAN1 → 192.168.100.254/24 paired with WIFI “TEST100”
  • Network VLAN220 with ID 220 → 192.168.220.254/23 paired with WIFI “TEST220”
  • Network VLAN230 with ID 230 → 192.168.230.254/23 paired with WIFI “TEST220”

I tried the different settings for the “Tagged VLAN Management” and see these results:

  • Tagged VLAN Management set to ALLOW ALL: all WiFi networks work (correct IP range, correct gateway address → Internet works, but no VLAN isolation)
  • Tagged VLAN Management set to BLOCK ALL: Only WIFI “TEST100” works (correct IP range, correct gateway address → Internet works, no other VLAN visible) / WIFI “TEST220” @ VLAN220 and “TEST230” @ VLAN230 connect, but no connection to the DHCP server or gateway is possible
  • Tagged VLAN Management set to CUSTOM: same as “Allow all”, but obviously only for the allowed VLANs

As I understand it you tested different options for the VLAN settings of the switch port that connects to the router (i.e., the uplink from the point of view of the switch). Is that correct? Because obviously the uplink, as well as all the ports that connect to APs, need to have all of the VLANs tagged which are used for WiFi networks. Otherwise there wouldn’t be a path from the WiFi clients to the router. The security (which client is connected to which network) for wireless clients using WiFi is handled by the APs themselves, not by the switch. This is different from wired clients, which use Ethernet.

VLAN is part of the Ethernet standard. To my knowledge, WiFi neither implements nor encapsulates Ethernet. Rather, to enable interoperability between wired and wireless machines, the Ethernet payload and elements of the header are contained in a WiFi MAC frame. However, this doesn’t include the VLAN header. So it’s technically impossible for a WiFi client to “tag” a packet / frame. It’s the AP’s job to do the tagging based on the SSID which the client is connected to.
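To make the tagging point concrete, here is an added example (not code from the thread): it parses the 802.1Q tag that an AP inserts after the source MAC of a client's frame, and models what the switch port's Tagged VLAN Management setting does with tagged versus untagged frames. The policy names, the sample ARP frame and the VIDs are assumptions constructed for the example.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows the source MAC

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional 802.1Q VID/PCP, payload EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        # TCI = 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID; then the real EtherType follows
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, which is what the AP does for a client on a VLAN-mapped SSID."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def ingress_vlan(frame: bytes, native_vid: int, tagged_policy: str, allowed=()) -> Optional[int]:
    """Which VLAN a frame enters on a port, or None if it is dropped.
    tagged_policy mirrors the controller options: 'allow_all', 'block_all', 'custom' (assumed names)."""
    vid = parse_frame(frame)["vid"]
    if vid is None:           # untagged: always lands in the port's native VLAN
        return native_vid
    if tagged_policy == "allow_all" or (tagged_policy == "custom" and vid in allowed):
        return vid
    return None               # block_all, or custom without this VID on the list

# Constructed sample: an untagged ARP request (EtherType 0x0806) and the same frame tagged by an AP
UNTAGGED = bytes.fromhex("ffffffffffff") + bytes.fromhex("0a1b2c3d4e5f") + b"\x08\x06" + b"\x00" * 28
TAGGED_220 = tag_frame(UNTAGGED, 220)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED_220)):
        print(name, "vid =", parse_frame(f)["vid"], "block_all ->", ingress_vlan(f, 1, "block_all"))
```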

“As I understand it you tested different options for the VLAN settings of the switch port that connects to the router (i.e., the uplink from the point of view of the switch). Is that correct? Because obviously the uplink, as well as all the ports that connect to APs, need to have all of the VLANs tagged which are used for WiFi networks. Otherwise there wouldn’t be a path from the WiFi clients to the router.”
→ That’s why I compare the port to a trunk port rather than an access port.

“The security (which client is connected to which network) for wireless clients using WiFi is handled by the APs themselves, not by the switch. This is different from wired clients, which use Ethernet.”
→ This seems to work, as each SSID gets assigned the correct VLAN and DHCP address.

“VLAN is part of the Ethernet standard. To my knowledge, WiFi neither implements nor encapsulates Ethernet. Rather, to enable interoperability between wired and wireless machines, the Ethernet payload and elements of the header are contained in a WiFi MAC frame. However, this doesn’t include the VLAN header. So it’s technically impossible for a WiFi client to “tag” a packet / frame. It’s the AP’s job to do the tagging based on the SSID which the client is connected to.”
→ I think I understand that the tagging is not my problem, as the SSIDs match the VLAN IDs.

This is my test bench:

The Sophos firewall is installed in a live network. The Unifi test bench is connected to a free port.
With the packet capture tool I see which traffic arrives at the firewall.
I have firewall rules that block traffic between VLAN1, VLAN229 and VLAN230.
I see no dropped packets for rule violations for traffic between the 3 networks.
Also, disconnecting the trunk port firewall/switch does not have any impact on the traffic between the 3 networks.
Therefore I assume that the switch is the location where the 3 networks can talk to each other.

The “test bench” is like:

  • Unifi Switch with dedicated cloud controller
  • 1 computer connected to Unifi Switch with Native VLAN1 with IP 192.168.100.199
  • 1 computer connected to Unifi Switch with Native VLAN220 with IP 192.168.220.199
  • 1 computer connected to Unifi Switch with Native VLAN230 with IP 192.168.230.199
  • Unifi Access Point with IP 192.168.100.15 with 3 SSIDs “TEST100, TEST220, TEST230”
  • 1 computer connected to Unifi SSID TEST100 and IP 192.168.100.99
  • 1 computer connected to Unifi SSID TEST220 and IP 192.168.220.99
  • 1 computer connected to Unifi SSID TEST230 and IP 192.168.230.99

After each change in the controller settings I ping the other IP addresses and check which devices respond. I also run nslookup to check for DNS service, and with DHCP explorer I check which DHCP servers are accessible.

It is worth mentioning that I know the IP scopes of the neighbouring VLANs and explicitly ping them. It might be a valid argument that for a visitor these IP scopes are unknown and not discoverable. But “protection by obscurity” is not the safety standard I’m aiming for.
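The ping matrix described above is easy to get wrong by hand, so here is an added example (not code from the post) that encodes the test bench and the intended policy (same VLAN and own gateway reachable, every other VLAN blocked) and turns a set of ping results into a list of isolation leaks and broken paths. The bench addresses are re-typed from the post; the two result sets are constructed to mirror the “Allow All” and “Block All” rows of the earlier table.

```python
import ipaddress
from typing import Dict, List, Tuple

# Bench data re-typed from the post (constructed for this example): Sophos /24 scopes and gateways,
# three wired clients on native VLAN 1/220/230 and three WiFi clients on TEST100/TEST220/TEST230.
VLANS = {1: "192.168.100.0/24", 220: "192.168.220.0/24", 230: "192.168.230.0/24"}
GATEWAYS = {1: "192.168.100.254", 220: "192.168.220.254", 230: "192.168.230.254"}
CLIENTS = ["192.168.100.199", "192.168.220.199", "192.168.230.199",
           "192.168.100.99", "192.168.220.99", "192.168.230.99"]

def vlan_of(addr: str) -> int:
    """Map a bench address to its VLAN by the scope it falls into."""
    ip = ipaddress.ip_address(addr)
    for vid, net in VLANS.items():
        if ip in ipaddress.ip_network(net):
            return vid
    raise ValueError(f"{addr} belongs to no bench VLAN")

def expected(src: str, dst: str) -> bool:
    """Policy under test: same-VLAN neighbours and the own gateway answer, everything else is blocked."""
    return vlan_of(src) == vlan_of(dst)

def targets(src: str) -> List[str]:
    """Everything one bench client pings after a controller change: the other clients and all gateways."""
    return sorted((set(CLIENTS) | set(GATEWAYS.values())) - {src}, key=ipaddress.ip_address)

def isolation_report(observed: Dict[Tuple[str, str], bool]) -> Dict[str, List[Tuple[str, str]]]:
    """observed maps (src, dst) to whether the ping got a reply; returns policy leaks and broken paths."""
    leaks = [(s, d) for (s, d), ok in observed.items() if ok and not expected(s, d)]
    broken = [(s, d) for (s, d), ok in observed.items() if not ok and expected(s, d)]
    return {"leaks": sorted(leaks), "broken": sorted(broken)}

def allow_all_run() -> Dict[Tuple[str, str], bool]:
    """Constructed result mirroring the 'Allow All' row: every target answers every client."""
    return {(s, d): True for s in CLIENTS for d in targets(s)}

def block_all_run() -> Dict[Tuple[str, str], bool]:
    """Constructed result mirroring the 'Block All' row: only VLAN 1 traffic crosses the AP uplink."""
    return {(s, d): vlan_of(s) == 1 and vlan_of(d) == 1 for s in CLIENTS for d in targets(s)}

if __name__ == "__main__":
    for name, run in (("allow_all", allow_all_run()), ("block_all", block_all_run())):
        rep = isolation_report(run)
        print(f"{name}: {len(rep['leaks'])} leaks, {len(rep['broken'])} broken paths")
```

Replace the two constructed runs with a dictionary filled from real ping results to use it on the bench; a non-empty "leaks" list is the inter-VLAN visibility the post describes.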