Unifi wifi setup with guest access.

[StrikedOut]

Very soon we will be replacing our old Cisco switches with new Unifi USW-Pro-48 and the new Cloud key Gen2. We also have 2 access gateways, one is our FortiGate which is our main 200/200Mbps fiber connection, the other is a Draytek to our 40/20 FTTC used as a backup and guest internet. We want to create 2 wifi networks, one connects company hardware to the main LAN, the other to connect and isolate guests using unifi's guest profile to the internet only through the Draytek. 

 

I have created 2 networks, Main for the corporate network and Guest for visitors and associated them to their respective wifi networks. Both have DHCP set to relay with the IP address of the DHCP server, yet in testing on the guest network, the device I connect doesnt get an IP address and using a static IP doesnt allow me to ping anything on the subnet.

 

I am hoping that @BudMan has played enough witht he unifi networks to advise, ideally we want to avoid VLANs as we want to reduce the complexity or our network (there is only around 40 people in this building) and from what I can tell, it is very possible but struggling to get DHCP to relay from the Draytek.

 

Any thoughts?

[StrikedOut]

Quick update.

The Draytek is issuing IP addresses, the switches have valid IP's and I can see them in both the lease and ARP tables but any device that connects via the wireless does not get an IP.

[+BudMan MVC]

  On 27/09/2022 at 11:08, StrikedOut said:

ideally we want to avoid VLANs

Expand  

This would be done with vlans.  Its not complex, setup a vlan for your guest network.  Set that up in the unifi AP to put the vlan ID on the ssid your guests will use.

 

I have zero play/testing with unifi guest feature, but I can you for sure the proper way to do this would be with vlans.  Guest network is normally setup when everything is on the same network and you just limit your guest from talking to other devices, on that same network.  Guest network in soho routers and even unifi is for home users that do not have the ability to setup vlans to be honest.

[StrikedOut]

Thanks @BudMan, although I wanted to avoid VLANs as I have limited experience plus there are only 40 people in htis office but it is inevitable and have started making the change but still having issues.

 

New setttings for the Guest Network are;

Network -> Guest profile. VLAN-only network on ID 99

WiFi -Guest WiFi profile. Double checked the network showed the correct network. Wifi type is standard.

Profiles -> Switch Ports. Created a new profile, left native network as default and added the guest network as a tagged network, left everything else on auto.

On the switch, selected the 2 ports being used for testing and changed the port profile to the new profile created above.

 

I am getting an IP address but no internet access and on a network scan, I see no other devices where there should be several.

 

What am I missing?

[+BudMan MVC]

  On 27/09/2022 at 16:19, StrikedOut said:

Network -> Guest profile. VLAN-only network on ID 99

Expand  

Did you auth to the portal?  I could enable guest services I guess  on unifi and play with it..

 

What gateway are you getting?  Can you ping that IP?  This is your other router right?

[StrikedOut]

  On 27/09/2022 at 20:16, BudMan said:

Did you auth to the portal?  I could enable guest services I guess  on unifi and play with it..

 

What gateway are you getting?  Can you ping that IP?  This is your other router right?

Expand  

'Did you auth to the portal?' - Gonna sound stupid but can you carify what you mean?

 

I can connect to the guest wifi and get a valid IP address and the correct gateway and DNS IP addresses but am unable to ping anything on this subnet, the router is the DHCP server and I can see my device in its ARP and DHCP lease tables.

If I change the network the wifi profile is using to default (no VLAN), it works as expected.

[+BudMan MVC]

Did you enable auth to a portal when you setup your guest network..

 

 

This isn't difficult - you want a "guest" network that is not connected to your normal network.  This is a simple ssid on a vlan.. Turn off all that guest stuff...

[StrikedOut]

Guest Landing page is definately off.

 

 

The Wifi is also set to be a standard type, not guest.

 

 

And the network is set to VLAN-only mode.

 

 

The profile for the switch ports are set as default for the native network and the guest network is tagged.

 

 

And this profile is set on the ports I am testing with, I believe I have set it all correctly so taking a closer look at the router to see if there is something set on there I haddnt seen previously. It has been in use for some time and I have seen some settings that I wouldnt have set in other systems.

Edited September 28, 2022 by StrikedOut

[StrikedOut]

Quick update.

Completed this last weekend and what stumped me was the term for the trunk ports, UNifi just use an 'All' profile. So now have 5, USW-Pro-48-PoE Plus a could of Flex switches in areas not originally designed to be networked and the original nano AP, all using 3 VLANs for main, guest and CCTV.

These are the finished results for our comms cabinet.

So satisfying the get this finilly finished with a much needed shove from @BudMan.

[+BudMan MVC]

What an improvement - sweet!

 

But that is not how you mount an AP hehehehe

[StrikedOut]

  On 11/11/2022 at 00:46, BudMan said:

What an improvement - sweet!

 

But that is not how you mount an AP hehehehe

Expand  

But mounting it that way makes the wi-fi stronger in the vertical right?? 😉 

That was a temp so the cable was used, it now screwed to the wall. Still got a couple of changes to go, The fiber needs to be routed under those cables and secured, got new fiber to swap out but not had a day off this month so it can wait a little while!

[+BudMan MVC]

  On 11/11/2022 at 09:25, StrikedOut said:

way makes the wi-fi stronger in the vertical right?? 😉 

Expand  

Yeah sure, and the metal cabinet also amplifies the signal - hehehe rofl

[Matthew S.]

  On 11/11/2022 at 15:08, BudMan said:

Yeah sure, and the metal cabinet also amplifies the signal - hehehe rofl

Expand  

At least it's not inside a mesh cabinet... seen that before at a DC...

[StrikedOut]

  On 11/11/2022 at 23:21, Matthew S. said:

At least it's not inside a mesh cabinet... seen that before at a DC...

Expand  

To be honest, I am finding the APs in 'less that ideal' positions at this office. In cupboards, behind printers etc. Not a priority as the signal is strong enough to work but its on my todo when the more important tasks are complete.

[+BudMan MVC]

That is odd, since most offices have drop ceilings - which makes it very simple to correctly place and install APs

Does this office not have a drop ceiling? Getting a ethernet into a cupboard seems odd for sure.

 

[StrikedOut]

  On 13/11/2022 at 13:23, BudMan said:

That is odd, since most offices have drop ceilings - which makes it very simple to correctly place and install APs

Does this office not have a drop ceiling? Getting a ethernet into a cupboard seems odd for sure.

 

Expand  

Has drop ceilings and raised floors, was just a lazy approach to the instal. Those that did get put into the ceiling were placed on top of the tiles. Shame, it only takes a couple minutes to install properly. This place is going to be a work in progress for a while but the company are good and seem ready to back the choices being made. We have an £18k budget to replace our storage with a high speed device, currently using 2 small SOHO NAS, one QNAP, the other Synology 1U, 4 bay storage and there are 3 USB attached storage devices connected to servers. Also have agreed a second high capacity NAS for archive, CCTV and other non critical storage. On top of the other quility of work life improvements, going to be a fun year.

[+BudMan MVC]

  On 13/11/2022 at 22:57, StrikedOut said:

are 3 USB attached storage devices connected to servers

Expand  

Well seems you have some real lowing hanging fruit to pick..  WTF so they had no it before, the the guy was just clueless??

[StrikedOut]

They had IT and he is still with us but the person making the decisions wasnt IT so the decisions were dubious and the whole approach was turn it off and back on/have you Googled it. Still, moving in the right direction.

[+BudMan MVC]

  On 14/11/2022 at 13:18, StrikedOut said:

turn it off and back on/have you Googled it.

Expand  

Which are valid IT troubleshooting methods heheh ROFL..  Just ask anybody that has a home router - they will tell you how to fix anything. Just have to reboot it and let it sit for 30 seconds then plug it back in.