It's possible there is a bug in the software then. All of my NATd radios on 
5.5.9 and older I can only access the management on the management VLAN, but 
all of the ones running 5.5.10 I can access it on both the management VLAN and 
untagged interfaces.

Though there may be something in the configuration causing it. I'm double 
checking. It clearly shows management is set to the tagged vlan. Looks like the 
bridge is missing in the config though. It must have wiped it out when NAT was 
put in place.

Thank you,
Brett A Mansfield

> On Jan 20, 2015, at 12:39 PM, Josh Reynolds <j...@spitwspots.com> wrote:
> 
> Jesus Christ no.
> No.
> 
> SSH, web, SNMP, etc only respond on whatever the management interface is. If 
> it's left default, it responds on what's assigned. If you vlan it off, it 
> only responds on that vlan. Other untagged traffic goes through as bridged or 
> routed depending on what you have configured.
> 
>> On January 20, 2015 10:12:37 AM AKST, Bill Prince <part15...@gmail.com> 
>> wrote:
>> NATting in the radio just eliminates so many issues.  It solved lots of 
>> issues for us when we did it with Canopy.  It was easy because the 
>> management/NAT are always separated in Canopy.  It just became part of our 
>> standard practice.
>> 
>> So if we're doing NAT on the CPE, management traffic will go to the public 
>> interface?  That seems broken.  What defines "management" traffic besides 
>> SSH/WWW ports?
>> 
>> bp
>> <part15sbs{at}gmail{dot}com>
>> 
>> On 1/20/2015 11:07 AM, Brett A Mansfield wrote:
>>> You'll need to set up a dhcp server for that vlan or manually assign it. 
>>> 
>>> Even with NAT on the CPE the management interface will work the same. But 
>>> when doing NAT you'll be able to access the radio from its public address 
>>> as well. There really is no reason to NAT at the radio with VLANs. 
>>> 
>>> Any reason you'd do NAT at the radio?
>>> 
>>> Thank you,
>>> Brett A Mansfield
>>> 
>>> On Jan 20, 2015, at 12:03 PM, Bill Prince <part15...@gmail.com> wrote:
>>> 
>>>> If you're bridging, where does the management VLAN get its IP address?
>>>> 
>>>> Likewise (or almost likewise), if we're NATting in the CPE, is there a 
>>>> place to assign the VLAN interface a different IP address?
>>>> 
>>>> bp
>>>> <part15sbs{at}gmail{dot}com>
>>>> 
>>>> On 1/20/2015 10:33 AM, Brett A Mansfield wrote:
>>>>> UBNT has a good video on this very thing. If done right, all ssh 
>>>>> traffic would be passed through the radio to the customers router on the 
>>>>> public side and the management side will only be accessible internally.
>>>>> 
>>>>> Here is a link to their video on the VLAN setup for management.
>>>>> http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
>>>>> 
>>>>> Thank you,
>>>>> Brett A Mansfield
>>>>> 
>>>>> 
>>>>>> On Jan 20, 2015, at 11:18 AM, Josh Reynolds <j...@spitwspots.com> wrote:
>>>>>> 
>>>>>> Management services only respond on the management vlan...
>>>>>> 
>>>>>>> On January 20, 2015 9:17:24 AM AKST, Bill Prince <part15...@gmail.com> 
>>>>>>> wrote:
>>>>>>> OK. Great. We can put another IP on a management IP on the 
>>>>>>> VLAN. How does that block the SSH logins?
>>>>>>> 
>>>>>>> Can you specify that SSH only goes through the management VLAN?
>>>>>>> 
>>>>>>> bp
>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>> 
>>>>>>> On 1/20/2015 10:14 AM, Josh Reynolds wrote:
>>>>>>>> It creates another interface, a tagged one. You specify which 
>>>>>>>> interface is the management interface. Don't route it out of your 
>>>>>>>> network.
>>>>>>>> 
>>>>>>>>> On January 20, 2015 9:13:06 AM AKST, Bill Prince 
>>>>>>>>> <part15...@gmail.com> wrote:
>>>>>>>>> My understanding of the UBNT VLAN is that it's all one VLAN? How do 
>>>>>>>>> you split management/sub traffic?
>>>>>>>>> 
>>>>>>>>> bp
>>>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>>> 
>>>>>>>>> On 1/20/2015 10:05 AM, Josh Reynolds wrote:
>>>>>>>>>> Management. VLAN.
>>>>>>>>>> 
>>>>>>>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince 
>>>>>>>>>>> <part15...@gmail.com> wrote:
>>>>>>>>>>> Not the AP side, but the client side. We have traditionally NATted all 
>>>>>>>>>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>>>>>>>>>> 
>>>>>>>>>>> With Canopy it's easy, because the NATted TCP stack just passes through, 
>>>>>>>>>>> and if SSH ports are open, it goes to the sub's router (no impact on the SM).
>>>>>>>>>>> 
>>>>>>>>>>> Not so with UBNT, as the public IP for NAT is also the IP for the 
>>>>>>>>>>> CPE.
>>>>>>>>>>> 
>>>>>>>>>>> Just wondering if anyone else has tried the CPE firewall to prevent 
>>>>>>>>>>> brute-force SSH logins.
>>>>>>>>>>> 
>>>>>>>>>>> I suppose I could cobble together something on the POP router, but 
>>>>>>>>>>> looking for options.
>>>>>>>>>>> 
>>>>>>>>>>> bp
>>>>>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>>>>> 
>>>>>>>>>>> On 1/20/2015 9:37 AM, Peter Kranz wrote:
>>>>>>>>>>>>  Generally a bad idea to use that firewall (at least on the access 
>>>>>>>>>>>> point side) as it supposedly cuts into your PPS capacity on the
>>>>>>>>>>>> radio.
>>>>>>>>>>>> 
>>>>>>>>>>>>  Peter Kranz
>>>>>>>>>>>>  Founder/CEO - Unwired Ltd
>>>>>>>>>>>>  www.UnwiredLtd.com
>>>>>>>>>>>>  Desk: 510-868-1614 x100
>>>>>>>>>>>>  Mobile: 510-207-0000
>>>>>>>>>>>>  pkr...@unwiredltd.com
>>>>>>>>>>>> 
>>>>>>>>>>>>  -----Original Message-----
>>>>>>>>>>>>  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince
>>>>>>>>>>>>  Sent: Monday, January 19, 2015 1:47 PM
>>>>>>>>>>>>  To: af@afmug.com
>>>>>>>>>>>>  Subject: Re: [AFMUG] UBNT firewall
>>>>>>>>>>>> 
>>>>>>>>>>>>  Nobody actually using the UBNT firewall?
>>>>>>>>>>>> 
>>>>>>>>>>>>  bp
>>>>>>>>>>>>  <part15sbs{at}gmail{dot}com>
>>>>>>>>>>>> 
>>>>>>>>>>>>  On 1/14/2015 11:25 AM, Bill Prince wrote:
>>>>>>>>>>>>>  We notice that any time we use NAT on UBNT we get a lot of login
>>>>>>>>>>>>>  attempts via SSH.  Are any of you using the firewall built in? It's
>>>>>>>>>>>>>  not clear from the GUI interface whether this affects input or
>>>>>>>>>>>>>  forwarding, or both.
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  What I'd like to do is block any SSH logins that are not in one of our
>>>>>>>>>>>>>  subnets, but I'm afraid if I turn it on, it will affect forwarded
>>>>>>>>>>>>>  traffic.
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  Examples?
>>>>>>>>>> 
>>>>>>>>>> -- 
>>>>>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity. 
>>>>>>>> 
>>>>>> 
> 
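The input-versus-forward question raised in the thread (whether a CPE firewall rule that blocks SSH from outside the operator's subnets also hits the subscriber's forwarded traffic), worked through as an added example that is not from this thread and is not any UBNT/airOS configuration: a small Python model of a Linux-style packet filter on a NATting CPE. The interface names, addresses (RFC 5737 documentation ranges), the management VLAN id and the single port-forward entry are constructed assumptions. The model shows why the SSH restriction belongs on the INPUT path (packets addressed to one of the radio's own IPs) and therefore never touches forwarded subscriber traffic or a DNAT'd port-forward, and why binding SSH to the management VLAN interface means the public-side NAT address stops answering it.

```python
"""Model of a CPE packet filter that separates locally-destined (INPUT) traffic
from subscriber traffic that merely passes through (FORWARD).

Constructed example: interfaces, addresses, VLAN id and port-forward table are
assumptions for illustration, not a real device's configuration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses the radio itself answers on (assumed). With NAT the public address
# is also the radio's own address, which is what exposes SSH to the internet.
RADIO_ADDRESSES = {
    "wlan0": ip_address("203.0.113.10"),      # public / NAT side
    "wlan0.100": ip_address("10.100.0.10"),   # tagged management VLAN 100
    "eth0": ip_address("192.168.1.1"),        # subscriber LAN side
}
MGMT_IFACE = "wlan0.100"
SSH_PORT = 22
# Operator-controlled subnets allowed to reach management services (assumed).
OPERATOR_SUBNETS = [ip_network("10.100.0.0/16"), ip_network("198.51.100.0/24")]
# One DNAT port-forward to a host behind the CPE (assumed): (public dst, port) -> inside host.
PORT_FORWARDS = {("203.0.113.10", 8080): "192.168.1.2"}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def apply_dnat(pkt: Packet) -> Packet:
    """DNAT happens before the routing decision, so a forwarded port lands in FORWARD."""
    target = PORT_FORWARDS.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target) if target else pkt


def chain_for(pkt: Packet) -> str:
    """Packets addressed to one of the radio's own IPs hit INPUT; everything else is FORWARD."""
    return "INPUT" if ip_address(pkt.dst) in RADIO_ADDRESSES.values() else "FORWARD"


def input_policy(pkt: Packet) -> str:
    """Management allow-list: SSH only on the management VLAN interface and only
    from operator subnets. Other local services are left at accept for brevity."""
    if pkt.proto == "tcp" and pkt.dport == SSH_PORT:
        if pkt.ingress != MGMT_IFACE:
            return "DROP"
        if not any(ip_address(pkt.src) in net for net in OPERATOR_SUBNETS):
            return "DROP"
    return "ACCEPT"


def forward_policy(pkt: Packet) -> str:
    """Subscriber traffic passes untouched: the SSH restriction does not apply here."""
    return "ACCEPT"


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (chain, verdict) for a packet as the filter would classify it."""
    pkt = apply_dnat(pkt)
    chain = chain_for(pkt)
    verdict = input_policy(pkt) if chain == "INPUT" else forward_policy(pkt)
    return chain, verdict


if __name__ == "__main__":
    # Constructed sample packets covering the cases discussed in the thread.
    samples = [
        ("internet host -> radio public IP :22", Packet("wlan0", "192.0.2.77", "203.0.113.10", 22)),
        ("NOC host -> radio mgmt VLAN :22", Packet("wlan0.100", "10.100.5.1", "10.100.0.10", 22)),
        ("non-operator host on mgmt VLAN :22", Packet("wlan0.100", "10.99.0.5", "10.100.0.10", 22)),
        ("subscriber LAN -> internet :443", Packet("eth0", "192.168.1.50", "192.0.2.77", 443)),
        ("subscriber LAN -> radio LAN IP :22", Packet("eth0", "192.168.1.50", "192.168.1.1", 22)),
        ("internet host -> port-forward :8080", Packet("wlan0", "192.0.2.77", "203.0.113.10", 8080)),
    ]
    for label, pkt in samples:
        chain, verdict = decide(pkt)
        print(f"{label:40s} {chain:8s} {verdict}")
```

Reading the output row by row: only packets whose destination is one of the radio's own addresses reach the SSH rule, so the subscriber's web session and the DNAT'd port-forward are classified FORWARD and accepted regardless of the management policy, while SSH to the public NAT address or to the LAN-side address is dropped because it did not arrive on the management VLAN interface.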
