Awesome!  Thanks Brett.

On Tue, Jan 20, 2015 at 3:38 PM, Brett A Mansfield <
br...@silverlakeinternet.com> wrote:

> Here are other details and examples:
>
>
> http://community.ubnt.com/t5/airMAX-Configuration-Examples/airMAX-VLANs/ta-p/455741
>
> UBNT has some great articles in their community pages.  I recommend you
> take a look.  Google is a great tool for searching them.
>
>
> On Jan 20, 2015, at 3:34 PM, Brett A Mansfield <
> br...@silverlakeinternet.com> wrote:
>
> Yes, UBNT does support 802.1q.  Here is an example in their community
> pages for what you are wanting to do:
>
>
> http://community.ubnt.com/t5/airMAX-Configuration-Examples/airMAX-Management-tagged-and-Access-VLAN-untagged-on-Station-LAN/ta-p/1044653
>
>
> On Jan 20, 2015, at 3:03 PM, Jeremy <jeremysmi...@gmail.com> wrote:
>
> Do UBNT radios support .1Q?
>
> On Tue, Jan 20, 2015 at 3:02 PM, Jeremy <jeremysmi...@gmail.com> wrote:
>
>> If we VLAN traffic to each AP already how would we do a management VLAN?
>> Would we have to make every AP port a trunk port (pruned, of course), and
>> then let the radio do the tagging and untagging?
>>
>> On Tue, Jan 20, 2015 at 1:13 PM, Brett A Mansfield <
>> br...@silverlakeinternet.com> wrote:
>>
>>> It's possible there is a bug in the software then. All of my NATd radios
>>> on 5.5.9 and older I can only access the management on the management VLAN,
>>> but all of the ones running 5.5.10 I can access it on both the management
>>> VLAN and untagged interfaces.
>>>
>>> Though there may be something in the configuration causing it. I'm
>>> double checking. It clearly shows management is set to the tagged vlan.
>>> Looks like the bridge is missing in the config though. It must have wiped
>>> it out when NAT was put in place.
>>>
>>> Thank you,
>>> Brett A Mansfield
>>>
>>> On Jan 20, 2015, at 12:39 PM, Josh Reynolds <j...@spitwspots.com> wrote:
>>>
>>> Jesus Christ no.
>>> No.
>>>
>>> SSH, web, SNMP, etc only respond on whatever the management interface
>>> is. If it's left default, it responds on what's assigned. If you vlan it
>>> off, it only responds on that vlan. Other untagged traffic goes through as
>>> bridged or routed depending on what you have configured.
>>>
>>> On January 20, 2015 10:12:37 AM AKST, Bill Prince <part15...@gmail.com>
>>> wrote:
>>>>
>>>> NATting in the radio just eliminates so many issues.  It solved lots of
>>>> issues for us when we did it with Canopy.  It was easy because the
>>>> management/NAT are always separated in Canopy.  It just became part of our
>>>> standard practice.
>>>>
>>>> So if we're doing NAT on the CPE, management traffic will go to the
>>>> public interface?  That seems broken.  What defines "management" traffic
>>>> besides SSH/WWW ports?
>>>>
>>>> bp
>>>> <part15sbs{at}gmail{dot}com>
>>>>
>>>>
>>>> On 1/20/2015 11:07 AM, Brett A Mansfield wrote:
>>>>
>>>> You'll need to set up a dhcp server for that vlan or manually assign
>>>> it.
>>>>
>>>>  Even with NAT on the CPE the management interface will work the same.
>>>> But when doing NAT you'll be able to access the radio from its public
>>>> address as well. There really is no reason to NAT at the radio with VLANs.
>>>>
>>>>  Any reason you'd do NAT at the radio?
>>>>
>>>> Thank you,
>>>> Brett A Mansfield
>>>>
>>>> On Jan 20, 2015, at 12:03 PM, Bill Prince <part15...@gmail.com> wrote:
>>>>
>>>>   If you're bridging, where does the management VLAN get its IP
>>>> address?
>>>>
>>>> Likewise (or almost likewise), if we're NATting in the CPE, is there a
>>>> place to assign the VLAN interface a different IP address?
>>>>
>>>> bp
>>>> <part15sbs{at}gmail{dot}com>
>>>>
>>>>
>>>> On 1/20/2015 10:33 AM, Brett A Mansfield wrote:
>>>>
>>>> UBNT has a good video on this very thing. If done right, all ssh
>>>> traffic would be passed through the radio to the customers router on the
>>>> public side and the management side will only be accessible internally.
>>>>
>>>>  Here is a link to their video on the VLAN setup for management.
>>>>
>>>> http://community.ubnt.com/t5/airMAX-Frequently-Asked/airMAX-VLAN-management/ta-p/472529
>>>>
>>>>  Thank you,
>>>> Brett A Mansfield
>>>>
>>>>
>>>>  On Jan 20, 2015, at 11:18 AM, Josh Reynolds <j...@spitwspots.com>
>>>> wrote:
>>>>
>>>>  Management services only respond on the management vlan...
>>>>
>>>> On January 20, 2015 9:17:24 AM AKST, Bill Prince <part15...@gmail.com>
>>>> wrote:
>>>>>
>>>>> OK. Great. We can put another IP on a management IP on the
>>>>> VLAN. How does that block the SSH logins?
>>>>>
>>>>> Can you specify that SSH only goes through the management VLAN?
>>>>>
>>>>> bp
>>>>> <part15sbs{at}gmail{dot}com>
>>>>>
>>>>>
>>>>> On 1/20/2015 10:14 AM, Josh Reynolds wrote:
>>>>>
>>>>> It creates another interface, a tagged one. You specify which
>>>>> interface is the management interface. Don't route it out of your network.
>>>>>
>>>>> On January 20, 2015 9:13:06 AM AKST, Bill Prince <part15...@gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> My understanding of the UBNT VLAN is that it's all one VLAN? How do
>>>>>> you split management/sub traffic?
>>>>>>
>>>>>> bp
>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>
>>>>>>
>>>>>> On 1/20/2015 10:05 AM, Josh Reynolds wrote:
>>>>>>
>>>>>> Management. VLAN.
>>>>>>
>>>>>> On January 20, 2015 8:51:22 AM AKST, Bill Prince
>>>>>> <part15...@gmail.com> wrote:
>>>>>>>
>>>>>>> Not the AP side, but the client side. We have traditionally NATted all
>>>>>>> residential subs on Canopy, and were trying to do the same with UBNT.
>>>>>>>
>>>>>>> With Canopy it's easy, because the NATted TCP stack just passes through,
>>>>>>> and if SSH ports are open, it goes to the sub's router (no impact on the
>>>>>>> SM).
>>>>>>>
>>>>>>> Not so with UBNT, as the public IP for NAT is also the IP for the CPE.
>>>>>>>
>>>>>>> Just wondering if anyone else has tried the CPE firewall to prevent
>>>>>>> brute-force SSH logins.
>>>>>>>
>>>>>>> I suppose I could cobble together something on the POP router, but
>>>>>>> looking for options.
>>>>>>>
>>>>>>> bp
>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>
>>>>>>> On 1/20/2015 9:37 AM, Peter Kranz wrote:
>>>>>>>>
>>>>>>>>  Generally a bad idea to use that firewall (at least on the access 
>>>>>>>> point side) as it supposedly cuts into your PPS capacity on the
>>>>>>>> radio.
>>>>>>>>
>>>>>>>>  Peter Kranz
>>>>>>>>  Founder/CEO - Unwired Ltd
>>>>>>>>  www.UnwiredLtd.com <http://www.unwiredltd.com/>
>>>>>>>>  Desk: 510-868-1614 x100
>>>>>>>>  Mobile: 510-207-0000
>>>>>>>>  pkr...@unwiredltd.com
>>>>>>>>
>>>>>>>>  -----Original Message-----
>>>>>>>>  From: Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] On 
>>>>>>>> Behalf Of Bill Prince
>>>>>>>>  Sent: Monday, January 19, 2015 1:47 PM
>>>>>>>>  To: af@afmug.com
>>>>>>>>  Subject: Re: [AFMUG] UBNT firewall
>>>>>>>>
>>>>>>>>  Nobody actually using the UBNT firewall?
>>>>>>>>
>>>>>>>>  bp
>>>>>>>>  <part15sbs{at}gmail{dot}com>
>>>>>>>>
>>>>>>>>  On 1/14/2015 11:25 AM, Bill Prince wrote:
>>>>>>>>>
>>>>>>>>>  We notice that any time we use NAT on UBNT we get a lot of login
>>>>>>>>>  attempts via SSH.  Are any of you using the firewall built in? It's
>>>>>>>>>  not clear from the GUI interface whether this affects input or
>>>>>>>>>  forwarding, or both.
>>>>>>>>>
>>>>>>>>>  What I'd like to do is block any SSH logins that are not in one of our
>>>>>>>>>  subnets, but I'm afraid if I turn it on, it will affect forwarded
>>>>>>>>>  traffic.
>>>>>>>>>
>>>>>>>>>  Examples?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>> --
>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>
>
>
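
The thread starts from brute-force SSH logins reaching NATed CPEs from outside the operator's subnets. The following is an added example, not part of any message above, that triages a CPE's forwarded syslog for failed SSH logins whose source lies outside the operator's ranges. The subnets, the dropbear-style message format and the log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: placeholder operator/management subnets, not taken from the thread.
OPERATOR_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/24")]

# Assumption: the radio's SSH daemon logs dropbear-style failure messages.
FAILED = re.compile(
    r"dropbear\[\d+\]: (?:bad password attempt for '[^']*'|"
    r"login attempt for nonexistent user) from ([0-9.]+):\d+",
    re.IGNORECASE,
)

# Constructed sample input (documentation address ranges).
SAMPLE_LOG = """\
Jan 20 10:01:02 cpe dropbear[411]: Bad password attempt for 'ubnt' from 203.0.113.7:40112
Jan 20 10:01:04 cpe dropbear[412]: Bad password attempt for 'root' from 203.0.113.7:40130
Jan 20 10:01:07 cpe dropbear[413]: Bad password attempt for 'admin' from 203.0.113.7:40155
Jan 20 10:02:11 cpe dropbear[414]: Login attempt for nonexistent user from 192.0.2.50:3321
Jan 20 10:03:30 cpe dropbear[415]: Bad password attempt for 'admin' from 10.20.4.9:50000
Jan 20 10:03:41 cpe dropbear[416]: Password auth succeeded for 'admin' from 10.20.4.9:50002
Jan 20 10:04:00 cpe dropbear[417]: Bad password attempt for 'admin' from 999.1.1.1:1234
"""

def outside_failures(log_text, nets=OPERATOR_NETS):
    """Count failed SSH logins per source IP that is not in any operator subnet."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successes and unrelated messages are ignored
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log line
        if not any(src in net for net in nets):
            counts[str(src)] += 1
    return counts

def brute_force_sources(log_text, threshold=3, nets=OPERATOR_NETS):
    """Outside sources with at least `threshold` failures, sorted for reporting."""
    hits = outside_failures(log_text, nets)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    for ip in brute_force_sources(SAMPLE_LOG):
        print("outside source over threshold:", ip)
```

Any hit from a radio whose management is supposed to be confined to a tagged VLAN means SSH is still answering on the untagged or public side, which is the condition reported in the thread for the 5.5.10 radios.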
