With the release of the US-8-150W, UAP-IW and the new UAP-AC Series Access Points, now is the perfect time to start looking at UniFi as a complete network solution for Home, SOHO and Enterprise Networks, including Motels and Hotels. This blog will explain how to configure multiple networks using VLANs, including a corporate and a guest network.
Ensure you have a UniFi Security Gateway, UniFi Switch, and UniFi Access Point. We will start with a single wireless network which was set up using the Setup Wizard.
We will start by creating a Guest Network which customers can access via a wired connection to the switch or by connecting to a UniFi wireless access point. Navigate to Settings > Networks > Create New Network. This network will have a VLAN ID of 2 and a Network Address range of 192.168.2.x/24.
We will use the default corporate network that was created with UniFi (192.168.1.x/24) as our main corporate LAN. However, we would like to separate our VoIP network as well, so we will create another network below with a VLAN ID of 3 and a Network Address range of 192.168.3.x/24.
Our Networks Page should now look like the following:
We now want to enable the Guest Portal settings and enable Hotspot functionality for our Guest Network so that guests require a voucher to authenticate on the network. After clicking Apply, you can verify that you have two wireless networks. The Corporate Network is the network I created when initially going through UniFi's Setup Wizard, and the second network is our Guest Wireless.
Now that our networks are all set up, we can start locking down the switch ports. Currently your Access Point should be broadcasting two networks (Corporate Network and Guest Wireless). Connecting to the Corporate network should require a WPA2 password and give you an IP address of 192.168.1.x with full access to the network and internet, while connecting to the Guest Wireless should give you an IP address of 192.168.2.x and redirect you to the voucher authorisation portal page.
We now want to start restricting some of the ports on the switch. By default, all of the ports are set to allow all networks and to pass the corporate network untagged, which means every port currently gives you access to the corporate network. Any ports you wish to be on the corporate network can be left with the default settings shown below:
We now want to isolate Port 6 as a Guest Network port. This can be easily done by editing Port 6 and setting Networks/VLANs to our Guest Network.
We can do the same for Port 7 but instead assigning it to our VoIP Network.
We can now start testing; however, you will need to wait until the UniFi Switch has reprovisioned itself with the latest configuration, which can take a couple of minutes. Once provisioning is complete, try connecting a computer to ports 5, 6 and 7. Port 5 should give you a 192.168.1.x IP, port 7 should give you a 192.168.3.x IP and port 6 should connect you to the guest network with an IP address of 192.168.2.x. By default, devices will be able to traverse VLANs / Networks and communicate with each other. If you wish to restrict VLANs to their own subnet, you will need to block communication using firewall rules, which are not currently available in the UniFi Controller. The one exception to this is of course the Guest Network, which is completely isolated.
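The port test above can be recorded and checked with a short script. This is an added example, not part of the original post or of UniFi's software: the function names are hypothetical, the TCP connect probe is an assumed way of observing reachability, and Guest isolation is assumed to apply in both directions.

```python
import ipaddress
import socket

# Subnets and port assignments from this post; Corporate is the untagged default.
SUBNETS = {
    "Corporate": ipaddress.ip_network("192.168.1.0/24"),
    "Guest": ipaddress.ip_network("192.168.2.0/24"),  # VLAN 2
    "VoIP": ipaddress.ip_network("192.168.3.0/24"),   # VLAN 3
}
PORT_NETWORK = {5: "Corporate", 6: "Guest", 7: "VoIP"}

def network_for(ip):
    """Return the name of the network an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SUBNETS.items() if addr in net), None)

def port_ok(port, leased_ip):
    """True if the DHCP lease seen on a switch port matches its assigned network."""
    return network_for(leased_ip) == PORT_NETWORK[port]

def expected_reachable(src, dst):
    """Defaults described in the post: networks route to each other, except
    Guest, which is isolated (assumption: isolated in both directions)."""
    return src == dst or "Guest" not in (src, dst)

def tcp_probe(host, port=80, timeout=2.0):
    """Observe reachability with a plain TCP connect (assumed test method)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True  # a refusal came back, so the path is routed
    except OSError:
        return False

def audit(leased_ip, observed):
    """Compare observed {dst_ip: reachable} with the expected defaults and
    return (dst_ip, dst_network, observed) for every mismatch."""
    src = network_for(leased_ip)
    findings = []
    for dst_ip, seen in observed.items():
        dst = network_for(dst_ip)
        if dst is not None and seen != expected_reachable(src, dst):
            findings.append((dst_ip, dst, seen))
    return findings

if __name__ == "__main__":
    # Constructed sample: a laptop on port 6 that can still reach a corporate host.
    print(port_ok(6, "192.168.2.57"))
    print(audit("192.168.2.57", {"192.168.1.10": True, "192.168.2.1": True}))
```

Fill the observed dictionary from tcp_probe() results gathered on each port; any finding for a Guest lease means the isolation described above is not in effect.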
The UniFi Security Gateway controls the WWW, WAN and LAN status icons on the Dashboard. It is possible to use another VLAN-capable switch (e.g. MikroTik or EdgeSwitch) and still maintain the Dashboard status icons and pass VLAN-tagged traffic through the network (i.e. you can tag VLANs like the Guest Network through a non-UniFi switch).