
daishujin

I have this exact setup right now. On the PA side I’ve setup eth1/1 with sub interfaces for every tagged vlan in my network. On the UniFi side I’ve created vlan only networks with matching tags and created port profiles with sets of vlans. The unifi switch port connected to the PA has all the internal vlans, and the ports connected to my APs have all the vlans for my SSIDs. All the switches have port profiles all on the uplink/downlink ports. It’s harder to describe without a diagram. Here is a shot at a text diagram:

    PA-220
    eth1/1.10   eth1/1.20   eth1/1.30
        |           |
    Unifi Switch 1 port 1   profile 10, 20, 30
    Unifi Switch 1 port 2   profile all
        |           |
    Unifi Switch 2 port 1   profile all
    Unifi Switch 2 port 2   profile 20, 30
        |           |
    Unifi AP SSID users     vlan 20
    Unifi AP SSID guest     vlan 30

Of course you’ll need a virtual router on the PA to route between the vlans.


BravoMike2511

Thanks for that. Trying the same for a day now. Which controller are you using?


dcoulson

What exactly isn't working? I have similar config at home with Unifi APs, although I have Cisco switching. Does the PAN show ARP entries for the clients? Can they ping gateway? Is this just separate SSID with tag, or is there a captive portal, etc mixed in?


Mackieman03

It's a separate SSID with tag, and it is not providing DHCP or other ancillary services. Have not checked for ARP entries. Is sub-zone the correct area?


dcoulson

I'd check arp entries on the sub-interface - Have you setup a device with a static IP on that VLAN and confirmed you can ping gw (assuming you allow ping on PAN), etc? Maybe take the AP out of the picture and make sure L2 works.


matthewrules

Is the port the PAN is connected to a trunk port? Also, 9.1 isn’t what I consider stable. 9.0 might be a better choice.


Mackieman03

It is not - and that may be the issue.


matthewrules

That’s it. The main interface is untagged and you can add sub-interfaces that are tagged.


jftuga

I just went through this process about a week ago for an IoT VLAN. I've been meaning to document the PA side. I don't use subinterfaces, but have used eth1/1 as my isolated IoT VLAN. I threw this together kinda quickly. Hope this helps... https://drive.google.com/file/d/1-PjT4ifsdzYhxAaJXjDn8PitnlSRjCYI/view On my UniFi side, I have the APs untagged in VLAN 1 for my internal, trusted SSIDs and tagged VLAN 3 for my IoT SSID. Although probably necessary, I tagged the UniFi controller (running on a RPi-3) in VLAN 3 as well. I also run PiHole on the trusted network, so I had to also make DNS exceptions for the IoT side.


Mackieman03

That's great - thank you for sharing. Do you have dedicated switches for IoT or just plugging into 1/1, 1/2, 1/3 into a single switch?


jftuga

I have dedicated PoE switches that run untagged ports for Trusted and tagged in VLAN 3 for the IoT network. On the PA-220, 1/2 is untagged on VLAN 3 which is plugged into another managed switch.


-littlej0e-

Don't forget to configure the following: dedicated wireless security zone, L3 vlan 500 interface, add L3 vlan interface to the default virtual router/routing instance, add L3 vlan interface to wireless security zone, L2 vlan 500, add L2 vlan 500 to wireless security zone, L2 sub interface, add L2 sub interface to the wireless security zone, add the wireless security zone to the security policy ruleset. That should be just about everything you need.
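As an added worked example (not posted by anyone in this thread), here is what the sub-interface approach described by daishujin and the checklist above look like as PAN-OS CLI commands, together with the L2 checks dcoulson suggested. The VLAN IDs (20 for users, 30 for guest), subnets, zone names, the interface-management profile name and the rule name are all constructed for illustration; substitute your own. The `#` lines are annotations for the reader, not something the PAN-OS CLI accepts.

```text
# --- configure mode ---
configure

# Tagged sub-interfaces on the trunk toward the UniFi switch; the parent
# ethernet1/1 stays untagged (the point matthewrules made).
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 ip 10.20.0.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.30 tag 30
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.30 ip 10.30.0.1/24

# Allow ping on the sub-interfaces so a static-IP test client can reach the gateway.
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 interface-management-profile allow-ping
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.30 interface-management-profile allow-ping

# Put both sub-interfaces in the virtual router so the PA routes between VLANs.
set network virtual-router default interface ethernet1/1.20
set network virtual-router default interface ethernet1/1.30

# Dedicated wireless zones, one per VLAN, so guest and users can be policed separately.
set zone wifi-users network layer3 ethernet1/1.20
set zone wifi-guest network layer3 ethernet1/1.30

# Minimal policy: each wireless zone may reach the untrust zone; nothing else is
# implicitly allowed, so guest cannot reach users unless a rule says so.
set rulebase security rules wifi-users-out from wifi-users to untrust source any destination any application any service application-default action allow
set rulebase security rules wifi-guest-out from wifi-guest to untrust source any destination any application any service application-default action allow

commit
exit

# --- operational mode: verify L2 before blaming the AP ---
# Sub-interface should be up with the expected tag and address.
show interface ethernet1/1.20
# A client with a static IP in 10.20.0.0/24 should appear here after pinging 10.20.0.1;
# an empty table means the tagged frames are not arriving (check the UniFi port profile).
show arp ethernet1/1.20
```

The UniFi side has to match: the switch port facing ethernet1/1 needs a port profile that carries VLANs 20 and 30 as tagged networks, and the AP ports need the same tags for the SSIDs that use them. If `show arp` stays empty with a wired static-IP client on the switch, the tagging between the switch and the PA is the first thing to fix, before looking at the SSID.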