Yes, UBNT does support 802.1q.  Here is an example in their community pages for 
what you are wanting to do:

http://community.ubnt.com/t5/airMAX-Configuration-Examples/airMAX-Management-tagged-and-Access-VLAN-untagged-on-Station-LAN/ta-p/1044653


> On Jan 20, 2015, at 3:03 PM, Jeremy <jeremysmi...@gmail.com> wrote:
> 
> Do UBNT radios support .1Q?
> 
> On Tue, Jan 20, 2015 at 3:02 PM, Jeremy <jeremysmi...@gmail.com> wrote:
> If we VLAN traffic to each AP already how would we do a management VLAN?  
> Would we have to make every AP port a trunk port (pruned, of course), and 
> then let the radio do the tagging and untagging?
> 
> On Tue, Jan 20, 2015 at 1:13 PM, Brett A Mansfield <br...@silverlakeinternet.com> wrote:
> It's possible there is a bug in the software then. All of my NATd radios on 
> 5.5.9 and older I can only access the management on the management VLAN, but 
> all of the ones running 5.5.10 I can access it on both the management VLAN 
> and untagged interfaces.
> 
> Though there may be something in the configuration causing it. I'm double 
> checking. It clearly shows management is set to the tagged vlan. Looks like 
> the bridge is missing in the config though. It must have wiped it out when 
> NAT was put in place.
> 
> Thank you,
> Brett A Mansfield
> 
> On Jan 20, 2015, at 12:39 PM, Josh Reynolds <j...@spitwspots.com> wrote:
> 
>> Jesus Christ no.
>> No.
>> 
>> SSH, web, SNMP, etc only respond on whatever the management interface is. If 
>> it's left default, it responds on what's assigned. If you vlan it off, it 
>> only responds on that vlan. Other untagged traffic goes through as bridged 
>> or routed depending on what you have configured.
>> 
>> On January 20, 2015 10:12:37 AM AKST, Bill Prince <part15...@gmail.com> wrote:
>> NATting in the radio just eliminates so many issues.  It solved lots of 
>> issues for us when we did it with Canopy.  It was easy because the 
>> management/NAT are always separated in Canopy.  It just became part of our 
>> standard practice.
>> 
>> So if we're doing NAT on the CPE, management traffic will go to the public 
>> interface?  That seems broken.  What defines "management" traffic besides 
>> SSH/WWW ports?
>> 
>> bp
>> <part15sbs{at}gmail{dot}com>
>> 
>> On 1/20/2015 11:07 AM, Brett A Mansfield wrote:
>>> You'll need to set up a dhcp server for that vlan or manually assign it. 
>>> 
>>> Even with NAT on the CPE the management interface will work the same. But 
>>> when doing NAT you'll be able to access the radio from its public address 
>>> as well. There really is no reason to NAT at the radio with VLANs. 
>>> 
>>> Any reason you'd do NAT at the radio?
>>> 
>>> Thank you,
>>> Brett A Mansfield
>>> 
>>> On Jan 20, 2015, at 12:03 PM, Bill Prince <part15...@gmail.com> wrote:
>>> 
>>>> If you're bridging, where does the management VLAN get its IP address?
>>>> 
>>>> Likewise (or almost likewise), if we're NATting in the CPE, is there a 
>>>> place to assign the VLAN interface a different IP address?
>>>> 
>>>> bp
>>>> <part15sbs{at}gmail{dot}com>
>>>> 
>>>> On 1/20/2015 10:33 AM, Brett A Mansfield wrote:
>>>>> UBNT has a good video on this very thing. If done right, all ssh 
>>>>> traffic would be passed through the radio to the customer's router on the 
>>>>> public side and the management side will only be accessible internally.
>>>>> 
>>>>> Here is a link to their video on the VLAN setup for management.
>>>>> http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
>>>>> 
>>>>> Thank you,
>>>>> Brett A Mansfield
>>>>> 
>>>>> 
>>>>>> On Jan 20, 2015, at 11:18 AM, Josh Reynolds <j...@spitwspots.com> wrote:
>>>>>> 
>>>>>> Management services only respond on the management vlan...
>>>>>> 
>>>>>> On January 20, 2015 9:17:24 AM AKST, Bill Prince <part15...@gmail.com> wrote:
>>>>>> OK. Great. We can put another IP on a management IP on the 
>>>>>> VLAN. How does that block the SSH logins?
>>>>>> 
>>>>>> Can you specify that SSH only goes through the management VLAN?
>>>>>> 
>>>>>> bp
>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>> 
>>>>>> On 1/20/2015 10:14 AM, Josh Reynolds wrote:
>>>>>>> It creates another interface, a tagged one. You specify which interface 
>>>>>>> is the management interface. Don't route it out of your network.
>>>>>>> 
>>>>>>> On January 20, 2015 9:13:06 AM AKST, Bill Prince <part15...@gmail.com> wrote:
>>>>>>> My understanding of the UBNT VLAN is that it's all one VLAN? How do you 
>>>>>>> split management/sub traffic?
>>>>>>> 
>>>>>>> bp
>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>> 
>>>>>>> On 1/20/2015 10:05 AM, Josh Reynolds wrote:
>>>>>>>> Management. VLAN.
>>>>>>>> 
>>>>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince <part15...@gmail.com> wrote:
>>>>>>>> Not the AP side, but the client side. We have traditionally NATted all 
>>>>>>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>>>>>>> 
>>>>>>>> With Canopy it's easy, because the NATted TCP stack just passes 
>>>>>>>> through, and if SSH ports are open, it goes to the sub's router (no 
>>>>>>>> impact on the SM).
>>>>>>>> 
>>>>>>>> Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
>>>>>>>> 
>>>>>>>> Just wondering if anyone else has tried the CPE firewall to prevent 
>>>>>>>> brute-force SSH logins.
>>>>>>>> 
>>>>>>>> I suppose I could cobble together something on the POP router, but 
>>>>>>>> looking for options.
>>>>>>>> 
>>>>>>>> bp
>>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>> 
>>>>>>>> On 1/20/2015 9:37 AM, Peter Kranz wrote:
>>>>>>>>  Generally a bad idea to use that firewall (at least on the access 
>>>>>>>>  point side) as it supposedly cuts into your PPS capacity on the radio.
>>>>>>>> 
>>>>>>>>  Peter Kranz
>>>>>>>>  Founder/CEO - Unwired Ltd
>>>>>>>>  www.UnwiredLtd.com
>>>>>>>>  Desk: 510-868-1614 x100
>>>>>>>>  Mobile: 510-207-0000
>>>>>>>>  pkr...@unwiredltd.com
>>>>>>>> 
>>>>>>>>  -----Original Message-----
>>>>>>>>  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince
>>>>>>>>  Sent: Monday, January 19, 2015 1:47 PM
>>>>>>>>  To: af@afmug.com
>>>>>>>>  Subject: Re: [AFMUG] UBNT firewall
>>>>>>>> 
>>>>>>>>  Nobody actually using the UBNT firewall?
>>>>>>>> 
>>>>>>>>  bp
>>>>>>>>  <part15sbs{at}gmail{dot}com>
>>>>>>>> 
>>>>>>>>  On 1/14/2015 11:25 AM, Bill Prince wrote:
>>>>>>>>  We notice that any time we use NAT on UBNT we get a lot of login
>>>>>>>>  attempts via SSH.  Are any of you using the firewall built in? It's
>>>>>>>>  not clear from the GUI interface whether this affects input or
>>>>>>>>  forwarding, or both.
>>>>>>>> 
>>>>>>>>  What I'd like to do is block any SSH logins that are not in one of
>>>>>>>>  our subnets, but I'm afraid if I turn it on, it will affect forwarded
>>>>>>>>  traffic.
>>>>>>>> 
>>>>>>>>  Examples?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> -- 
>>>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
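
Added example, not part of the thread or any poster's configuration: a way to check whether SSH on a radio is really confined to management subnets, by scanning auth log lines for login attempts and successes from anywhere else. It assumes OpenSSH-style syslog lines (the format on a given radio firmware may differ); the subnets, hostnames and log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumed operator management subnets (placeholders, not from the thread).
MGMT_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Constructed sample lines in OpenSSH sshd syslog format.
SAMPLE_LOG = """\
Jan 20 10:01:02 cpe1 sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 20 10:01:04 cpe1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jan 20 10:01:09 cpe1 sshd[412]: Failed password for ubnt from 203.0.113.7 port 40120 ssh2
Jan 20 10:02:30 cpe1 sshd[415]: Failed password for root from 10.20.4.9 port 51000 ssh2
Jan 20 10:03:00 cpe1 sshd[417]: Accepted password for admin from 10.20.4.9 port 51001 ssh2
Jan 20 10:04:11 cpe1 sshd[420]: Failed password for root from 198.51.100.23 port 33211 ssh2
Jan 20 10:05:00 cpe1 sshd[421]: Accepted password for root from 198.51.100.23 port 33215 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def is_mgmt(addr):
    """True if addr parses as an IP inside one of the management subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames or garbage are treated as outside
    return any(ip in net for net in MGMT_SUBNETS)

def audit(log_text, threshold=3):
    """Report SSH activity whose source is outside the management subnets."""
    failures, outside_accepts = Counter(), []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or is_mgmt(m.group(3)):
            continue  # not an SSH auth event, or it came from management space
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        else:
            outside_accepts.append((src, user))  # should never happen if SSH is confined
    brute = sorted(s for s, n in failures.items() if n >= threshold)
    return {"brute_force_sources": brute, "outside_logins": outside_accepts,
            "outside_failures": dict(failures)}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any entry in `outside_logins`, or any outside failure at all once management is moved to its own VLAN, means SSH is still answering on an interface it should not be.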
