Pass Through Single VLAN Ubiquiti Mesh

My situation unfortunately precludes me from running a wire to this area, so I am using mesh wifi between two Unifi APs. It works great, but I have a wifi IP camera at this location and would rather plug the IP camera into ethernet (fewer devices on the airwaves would be helpful… apartment living and all).

I can’t quite figure out how one would go about using the ethernet port on my UAP AC Pro and having it only pass a single VLAN (I don’t want to pass the entire trunk to the IP camera… I have a VLAN just for those devices).

Is this possible?

Not exactly the same, but I have a similar setup:

  • ubi APs in multiple locations, all wired backhaul
  • a weird IoT device that I don’t trust on my normal network
  • an openwrt router connected to a cable modem
  • a couple of PoE switches, one of which is a ubi “managed” switch

And here is what I have done:

  • the port on the managed switch that the untrusted IoT device is plugged into is configured to be a different VLAN (3) and untagged. The IoT device doesn’t need anything VLAN-config-wise
  • the uplink port on the managed switch is configured to carry my normal VLAN (1) and also the IoT VLAN (3)
  • at the openwrt router I have a separate network defined for the IoT stuff, on that VLAN (3), using its own rfc1918 network, and rules that allow devices on that network to do DHCP and DNS and talk outbound to the internet, but that’s all (I don’t restrict what they talk to on the internet, but at some point I’d like to capture what they are doing and lock it down more)
  • on the ubi AP side, I have a couple wireless networks with different ESSIDs, including one “guest” network. The guest also uses a different VLAN (2) and has a similar setup at the router: different subnet, only allowed to do DHCP/DNS/outbound. In the ubi settings you can configure particular wireless networks to use a particular VLAN.

OK so in your case you are using wifi for backhaul and using a port on the AP to “gateway” the wired network, which is a common thing to do. You are trying to make it so the camera can’t see the other main traffic. In order to do so:

  • the connection the camera is using needs to be connected to an untagged VLAN port upstream, so that it will only receive traffic for that particular VLAN
  • remember that without this, VLANs don’t prevent traffic on the wire, they just let clients ignore stuff that’s not for them. But if a device is hacked to the point where it controls the network, nothing prevents it from listening to everything (sort of like squelch on a radio)
  • there is such a thing as “private VLANs” in higher end networking gear that provide this traffic isolation thing, but that’s different
  • I don’t know if ubi’s “gateway” feature has a way to make that port “untagged” on a vlan, theoretically possible I guess.
  • alternatively, you can put a managed switch in between the AP and the camera. I got one of the 8-port ubi switches on ebay for this (they were sold out on the site when I was doing this) because it was actually the cheapest option for a managed switch with VLAN support at the time. Since then there are cheap options for managed switches with VLAN support (and even 2.5G/10G ports!). So then all VLANs would make it to the AP and then the switch, and the switch would only send the particular camera VLAN packets on to the camera.

Does this achieve what you are trying to do?
Let us know if you figure out a way to do it from within the AP itself using ubi’s controller, that would be super interesting.

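The router side of the setup described in the reply above (a separate IoT network on VLAN 3 that may only do DHCP, DNS and outbound internet), written out as OpenWrt UCI config. This is an added example, not the poster’s actual configuration: the port name `lan1`, the 192.168.1.0/24 and 192.168.3.0/24 subnets, and the DSA-style `bridge-vlan` syntax (OpenWrt 21.02 and later; older swconfig builds use `config switch_vlan` instead) are all assumptions. The upstream managed switch is assumed to present VLAN 1 untagged and VLAN 3 tagged on its uplink, matching the `u*` / `t` markings below, with the camera on an untagged VLAN 3 access port.

```uci
# /etc/config/network (OpenWrt DSA syntax; added example, not the poster's config)

# Router port 'lan1' (assumed name) is the uplink to the managed switch.
# 'u*' = untagged + PVID for the normal LAN (VLAN 1), 't' = tagged for IoT (VLAN 3).
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'      # assumed subnet
	option netmask '255.255.255.0'

# Separate RFC1918 network for the IoT/camera VLAN.
config interface 'iot'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'      # assumed subnet
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '100'
	option leasetime '12h'

# /etc/config/firewall
# The zone is the actual enforcement point: VLAN tags only separate traffic
# on the wire; the forward/input policy is what keeps the camera off the LAN.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'            # traffic to the router itself: deny unless allowed below
	option output 'ACCEPT'
	option forward 'REJECT'          # no iot <-> lan forwarding

# Outbound internet only (the 'wan' zone is OpenWrt's default zone).
config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply with `uci commit` followed by `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then verify from a device on the IoT VLAN that it gets a 192.168.3.x lease, can resolve names and reach the internet, and cannot reach 192.168.1.x hosts or the router’s other services. Note the limit the reply already points out: this isolation is only as good as the tagging on every port between the camera and the router, since a compromised host on a trunk port can emit frames with whatever VLAN tag it likes.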

I think this would be the solution, I just don’t think it's worth it. I will just leave the camera as a wifi device. It has been working fine, I would just like to get fewer things on the wifi bands where and when I can.
