VLANs with pfSense and Unifi

Hello,

A question about Unifi’s handling of the native/default VLAN…
I have a pfSense firewall/gateway (call it “pfSense”), a hardware Cloudkey and several Unifi switches and wireless Access Points.
On pfSense there is a LAN subnet (call it x.x.8.0) which is not associated with any VLAN. On pfSense there are several VLANs defined (say 10 & 20) with corresponding subnets defined. The Unifi equipment has “VLAN only” networks 10 & 20 defined.
Unifi has a pre-defined “Corporate” network 192.168.1.0/24 which I completely ignore.

  1. The native VLAN is 1 in Unifi gear and cannot be changed (?). Is it therefore correct that my LAN subnet (8) will end up on VLAN 1 because it is not associated with any VLAN? Is it more secure to define another VLAN (call it 8) and associate this with the LAN 8 subnet in order to prevent this fallback to VLAN 1? i.e. ensure every subnet is associated with some VLAN that is not 1.

  2. Is this default Corporate network of 192.168.1.0/24 associated with VLAN 1? No obvious indication. Is it possible to delete this network?

BRgds/Alan

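As an added example (not code from the thread, nor from Ubiquiti or Netgate), the following Python models the two points raised above: how a switch port decides which VLAN an Ethernet frame belongs to (an untagged frame gets the port's native VLAN, 1 on UniFi), and an audit over a constructed pfSense/switch layout that flags an untagged subnet riding VLAN 1 and enabled-but-unused ports. The `Subnet`/`SwitchPort` structures, the 10.0.x.0/24 addresses and the sample frames are all constructed for the example; the 0x8100 TPID and 12-bit VID layout are from the 802.1Q standard.

```python
"""Constructed example: 802.1Q VLAN assignment and a native-VLAN-fallback audit."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

NATIVE_VID = 1          # UniFi switches treat untagged frames as VLAN 1
TPID_8021Q = 0x8100     # Tag Protocol Identifier announcing a single 802.1Q tag


def frame_vlan(frame: bytes, native_vid: int = NATIVE_VID) -> int:
    """Return the VLAN a switch port would place this Ethernet frame on.

    Bytes 12-13 hold either the EtherType (untagged frame) or the 802.1Q TPID.
    A tagged frame carries the 16-bit TCI in bytes 14-15; the VID is its low 12 bits.
    An untagged frame has no VID and is assigned the port's native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: need at least 14 bytes of Ethernet header")
    ethertype_or_tpid = int.from_bytes(frame[12:14], "big")
    if ethertype_or_tpid == TPID_8021Q and len(frame) >= 16:
        tci = int.from_bytes(frame[14:16], "big")
        vid = tci & 0x0FFF
        # VID 0 is a priority-only tag: no VLAN named, so it falls back to native too
        return vid if vid != 0 else native_vid
    return native_vid


@dataclass
class Subnet:
    """A pfSense interface; vlan_id None means untagged on the parent NIC."""
    name: str
    cidr: str
    vlan_id: Optional[int] = None


@dataclass
class SwitchPort:
    """A switch port profile (hypothetical model, not UniFi's data format)."""
    number: int
    enabled: bool
    in_use: bool
    tagged_vlans: Set[int] = field(default_factory=set)
    native_vlan: int = NATIVE_VID


def effective_vlan(subnet: Subnet) -> int:
    """Untagged subnets end up on the switch's native VLAN."""
    return subnet.vlan_id if subnet.vlan_id is not None else NATIVE_VID


def audit(subnets: List[Subnet], ports: List[SwitchPort]) -> List[str]:
    """Flag subnets reachable from any untagged port and ports left open while unused."""
    findings = []
    for s in subnets:
        if effective_vlan(s) == NATIVE_VID:
            findings.append(
                f"{s.name} ({s.cidr}) is untagged and rides native VLAN {NATIVE_VID}; "
                f"any device on an untagged port can reach it")
    for p in ports:
        if p.enabled and not p.in_use:
            findings.append(
                f"port {p.number} is enabled but unused; a device plugged in "
                f"lands on VLAN {p.native_vlan}")
    return findings


# Constructed sample frames: locally administered MACs, IPv4 EtherType 0x0800
_MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
TAGGED_VLAN10 = _MACS + b"\x81\x00" + b"\x00\x0a" + b"\x08\x00"   # TCI VID = 10
PRIORITY_ONLY = _MACS + b"\x81\x00" + b"\x00\x00" + b"\x08\x00"   # TCI VID = 0
UNTAGGED = _MACS + b"\x08\x00"                                     # no tag at all

# Constructed layout mirroring the thread: LAN untagged, VLANs 10 and 20 tagged
SUBNETS_BEFORE = [
    Subnet("LAN", "10.0.8.0/24"),            # untagged -> native VLAN 1
    Subnet("MGMT", "10.0.10.0/24", 10),
    Subnet("IOT", "10.0.20.0/24", 20),
]
PORTS_BEFORE = [
    SwitchPort(1, enabled=True, in_use=True, tagged_vlans={10, 20}),
    SwitchPort(2, enabled=True, in_use=False),   # spare port left enabled
]

# Same layout after the fixes the replies suggest: LAN tagged as VLAN 8, spare port disabled
SUBNETS_AFTER = [Subnet("LAN", "10.0.8.0/24", 8)] + SUBNETS_BEFORE[1:]
PORTS_AFTER = [PORTS_BEFORE[0], SwitchPort(2, enabled=False, in_use=False)]

if __name__ == "__main__":
    print("tagged frame ->", frame_vlan(TAGGED_VLAN10), "untagged ->", frame_vlan(UNTAGGED))
    for line in audit(SUBNETS_BEFORE, PORTS_BEFORE):
        print("finding:", line)
    print("after fixes:", audit(SUBNETS_AFTER, PORTS_AFTER))
```

Running the block prints two findings for the original layout and none once the LAN is given its own VLAN and the spare port is disabled; the `frame_vlan` check is the mechanism behind the first finding, since nothing in an untagged frame identifies a VLAN and the port has to supply one.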

When you don’t apply any VLAN tags it is native VLAN one. I don’t think there is a way to delete the VLAN one from UniFi, but nor is there any reason to do so that I can think of. As for security, to prevent someone from plugging something in that might get the native VLAN, you would be more secure disabling ports that are not in use.

I have Netgear switches; they come with a couple of default VLANs. I’ve just left these alone and started my numbering from 10 onwards for VLANs.

If you set up VLANs you will have the reverse situation, a default LAN you do not use. Personally I would use VLANs even if I just had my ISP and Guest networks, which I would guess you have now. That way you don’t have to give full network access to friends who just want to access the internet. It will be much easier to implement additional VLANs later if you need them for, say, VPN / IoT / IP cams etc.

Given your kit you can also set up 802.1X if you are extra paranoid 😉

Thank you. I set up a management VLAN and a few others for IoT etc., which works fine. My default main pfSense LAN then ends up on VLAN 1 on the switch. As Tom said above, not really sure if this is an issue or not, but just for fun I set up another VLAN and associated that with the default pfSense LAN, which results in nothing using VLAN 1. Maybe a waste of time (?), but pretty easy to do …

Hmm, maybe UniFi is set up differently.

That sounds odd …

If I were in your shoes, I would leave the LAN on subnet 1; you probably needed it this way to also set up pfSense and the switch. Then set the management VLAN at 10 with subnet 10, ISP with 20, etc.

So you ought to be able to access pfSense from
192.168.1.1,
192.168.10.1,
192.168.20.1 etc.

I think this will make your life easier if for some reason you need to swap out your switch for another brand.