All UniFi equipment (USG-Pro, a myriad of switches, mostly AC Pros).
We’ve got about 50 VLANs/networks. Users get dumped onto their own isolated VLAN based on their RADIUS user when connecting to the network via WPA2-Enterprise. Everyone connects to a single SSID.
- John connects to BusinessWifi SSID with WPA2-Enterprise username and password that dumps him onto VLAN 1000, 10.0.0.0/24.
- Greg connects to BusinessWifi SSID with WPA2-Enterprise username and password that dumps him onto VLAN 1001, 10.0.1.0/24.
- Larry connects to BusinessWifi SSID … onto VLAN 1050, 10.0.50.0/24.
We have a firewall rule in place that blocks inter-VLAN traffic. We created one Network Group that contains all of the VLANs (10.0.0.0/24, 10.0.1.0/24, …, 10.0.50.0/24) and drop all connections in that Network Group with the following settings:
- Drop Established and Related
- Don’t match on IPsec
- on LAN_IN
Here is a common setup example for an individual user:
- John’s laptop is connected with IP 10.0.0.5
- John’s iPhone is connected with IP 10.0.0.6
- John’s printer is connected with IP 10.0.0.250 (static)
When the printer is first powered on, John’s laptop and phone can see and print to his printer without issue.
The use case for this weird setup is this: John can be in his office, or in the lobby, or in someone else’s office, etc. connected to the single “MyBusinessSSID” and always be on his own isolated VLAN, so that he can communicate to other devices on his isolated VLAN regardless of where he’s at on campus. Mainly used to be able to print from anywhere on campus.
After some minutes (or hours, I haven’t observed much consistency), the printer stops accepting print jobs and stops responding to pings. This is indicative of the network traffic getting dropped, in my opinion, but I can’t think of why. Since they’re on the same network, they shouldn’t be subject to the inter-VLAN firewall rule that we’ve created. Power cycling the printer is enough to get it to resume normal activity, responding to pings and accepting print jobs.
This is not specific to one brand of printer or one brand of computer. It’s 100% network-related, but I don’t know what exactly.
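To check the reasoning in the post about which flows the LAN_IN drop rule can and cannot touch, here is a small model of the setup in Python. It is an added example, not the poster's configuration or anything exported from the USG. It assumes the Network Group is exactly the 51 /24s 10.0.0.0/24 through 10.0.50.0/24, that the LAN_IN rule matches whenever both source and destination are members of that group, and that two hosts in the same /24 talk over layer 2 and never reach the gateway's LAN_IN chain at all; the "Established and Related" state match in the post is deliberately ignored so the model shows only the address-based part of the rule.

```python
"""Model of the inter-VLAN drop rule from the post.

Added example, not the poster's own configuration. Assumptions:
- the Network Group is 10.0.0.0/24 .. 10.0.50.0/24 (51 networks);
- the LAN_IN rule matches when both source and destination are in the group;
- same-/24 traffic is switched at layer 2 and never hits LAN_IN;
- connection state (established/related) is not modelled.
"""
import ipaddress

# The per-user VLAN subnets described in the post (assumed exact range).
VLAN_NETWORKS = [ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(51)]

# The single Network Group the drop rule references.
INTER_VLAN_GROUP = VLAN_NETWORKS


def subnet_of(ip):
    """Return the user VLAN /24 that contains ip, or None if it is not one of them."""
    addr = ipaddress.ip_address(ip)
    for net in VLAN_NETWORKS:
        if addr in net:
            return net
    return None


def in_group(ip, group=INTER_VLAN_GROUP):
    """True when ip belongs to any network in the Network Group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def lan_in_drop_matches(src, dst):
    """Address-based part of the LAN_IN rule: source AND destination in the group."""
    return in_group(src) and in_group(dst)


def classify_flow(src, dst):
    """Classify a flow as seen from the gateway.

    'switched' : both ends in the same /24, handled by the switch/AP, USG never sees it
    'dropped'  : routed flow between two group members, matched by the LAN_IN drop rule
    'routed'   : routed flow that the inter-VLAN rule does not match (e.g. to the Internet)
    """
    s, d = subnet_of(src), subnet_of(dst)
    if s is not None and s == d:
        return "switched"
    if lan_in_drop_matches(src, dst):
        return "dropped"
    return "routed"


if __name__ == "__main__":
    # Constructed sample flows using the addresses from the post plus one Internet host.
    samples = [
        ("10.0.0.5", "10.0.0.250"),   # John's laptop -> John's printer
        ("10.0.0.6", "10.0.0.250"),   # John's iPhone -> John's printer
        ("10.0.0.5", "10.0.1.250"),   # John's laptop -> a printer on Greg's VLAN
        ("10.0.0.5", "8.8.8.8"),      # John's laptop -> Internet
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: {classify_flow(src, dst)}")
```

Run as-is it prints that laptop-to-printer and phone-to-printer on 10.0.0.0/24 are switched, laptop-to-Greg's-printer is dropped by the rule, and laptop-to-Internet is routed untouched. The useful point is the first line: under these assumptions the gateway's LAN_IN rule cannot be what is taking the printer offline, so the next thing to capture is what happens on the switch and AP side of the same VLAN (ARP, DHCP leases, and client isolation settings) rather than the USG rule set.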