Vlan with balance 20 and ubnt APs


#1

Has anybody gotten ubnt APs working with a guest network tied to a guest vlan network on the peplink balance 20? I have been banging my head for several days and am close to giving up. I have the vlan set up on the peplink with an ID of 2 and its own ip range and dhcp server. I set up a new wifi network in the UniFi admin software and told it to use vlan # 2. I can connect but I never get an IP with dhcp. If I manually assign myself an IP and router etc I still can’t ping the router. I could provide some screen shots but I’m hoping somebody must have done this before.

Thanks…


#2

Here is what I would try…

On the Peplink, whichever LAN port the Ubiquiti AP is plugging into needs to be set up as a TRUNK that contains VLan2. Since I assume there is a main VLan for your non-guest wifi access, make sure that VLan is also included in the trunk. Choose the custom trunk type and select all the VLans that would come in on that port.

One catch 22 with the Balance 20 right now is that you cannot have a trunk that includes LAN (untagged) traffic. So, basically if you are trying to put any wifi clients on the LAN, you won’t be able to do so and continue to use VLans – it is one or the other. I am hopeful they add this in with the next firmware release.

If you disabled inter-vlan routing for the Guest VLan, you won’t be able to ping the router’s LAN IP, but you should be able to ping the VLan gateway IP. This may be impacted by any “layer 2 segregation” happening in the ubnt.


#3

So I basically need to convert my normal LAN to a VLAN and also have a second guest only vlan? I’m trying to see how I will test this. I always have users on my lan.


#4

The main issue with moving to VLans that I have found is with UPnP and multicast groups. Make sure you test any secondary displays, internet gateway port forwarders, etc. There are a couple of “gotchas” for those when it comes to VLans.

These things bit me when trying to move my devices into VLans, so I bought a Balance One. I still have the PNP problems - but at least I have the guest VLan working now.


#5

Yuck… You’re scaring me now. I may cut my losses and move to a UBNT router. My other option is to use the built-in guest functionality of the ubnt APs, although I suspect that won’t pass an audit, which is what I am prepping for. It lets you set up a guest network, although a network scan still shows the private network even though nothing will route between the two.


#6

Hi. jmjones gave you good advice. However, we’ve recently done that very thing and our experience has been just a bit different.

Here’s what we did to set up a B20 to work with 4 UniFi APs controlled by a CloudKey (abandoned the Ubiquiti Java controller running on a PC – really bad memories.) In this network no UniFi Security Gateway is used – that’s the B20’s job and it does it well. (Using v 5.4.11 of the CloudKey controller and v 3.7.49.6201 on the APs.)

Maybe someone has a better idea or can see some “holes” in our approach, but here’s what seems to be working…

On the UniFi controller:

  1. Set up a guest WLAN and assign a VLAN to that network. Mark it as a guest network.
  2. In User Groups set bandwidth limits for guests if desired.

On the B20:

  1. In LAN | Network | LAN define the guest network with a different subnet than the untagged LAN. Be certain to specify the same VLAN as set with the UniFi controller. Do NOT check inter-VLAN routing.
  2. In Network | Port Settings, set the LAN port(s) to which the AP(s) are connected to the default – access and untagged VLANs. (I’d expect this to be a trunked port, but it seems to work as access/untagged. Maybe jmjones or others have comments here …)
  3. This may not apply to you, but we also restricted the guest subnet from accessing certain other subnets of interest – Firewall | Access Rules | Internal Network Firewall Rules.

Here’s how we tested: We used Multi-Ping to check (say, every 5 seconds or so) responses from the guest LAN to various addresses on the owner’s (untagged) LAN, the gateway, various well-known WAN addresses, other addresses on the guest LAN, etc. The untagged LAN is not seen from the guest VLAN.

Notes: I understand you always have users on your LAN. Every time you upload a new config to the Ubiquiti AP(s) you are going to bounce your users off as the AP(s) reset. Unavoidable. You might consider setting a different/new AP for test purposes if you can’t escape the “production” environment in which you find yourself.

Also, we do not permit UPNP.

Finally … My opinion? If I had a choice between “All Ubiquiti” or “all Pepwave/Peplink” – I’d go with the latter – “no brainer.” We’ve been down that road. Ubiquiti dumped us in the mud many times. We can always find our way out of the woods with Peplink. Now that the B20’s can act as an AP controller (that was not always the case), the integration between Pep products is better than ever – much tighter and easier to manage. (Side note: The AC Mini AP is really reasonably priced and works well!)

You should be able to get help from the folks from whom you bought the B20. There are also a number of super-competent Partners and consultants here.

Rick
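The reachability test described in the post above, as an added example that is not part of the original thread: a small Python check, run from a client on the guest VLAN, that compares ping results against the expected policy. The addresses are constructed placeholders, the expectations (untagged LAN and router LAN IP hidden, guest gateway and WAN reachable) are assumptions drawn from the thread, and the `ping` flags assume Linux iputils.

```python
import subprocess

# Constructed placeholder addresses; replace with your own. Expectations are
# assumptions drawn from the thread: untagged LAN hidden, guest gateway and
# WAN reachable from a client on the guest VLAN.
EXPECTED = [
    ("untagged LAN host", "192.168.1.10", False),
    ("untagged LAN router IP", "192.168.1.1", False),
    ("guest VLAN gateway", "192.168.2.1", True),
    ("WAN address", "192.0.2.1", True),
]

def ping(addr, count=2, timeout_s=2):
    """Return True if addr answers ICMP echo (Linux iputils ping flags)."""
    result = subprocess.run(
        ["ping", "-c", str(count), "-W", str(timeout_s), addr],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0

def check_isolation(expected, probe=ping):
    """Compare observed reachability with the expected policy.

    Returns a list of (label, addr, problem) findings; an empty list means
    the guest VLAN behaves as intended. A reachable address that should be
    hidden is a 'LEAK'; an unreachable one that should answer is 'BROKEN'.
    """
    findings = []
    for label, addr, should_reach in expected:
        reached = probe(addr)
        if reached and not should_reach:
            findings.append((label, addr, "LEAK"))
        elif not reached and should_reach:
            findings.append((label, addr, "BROKEN"))
    return findings

if __name__ == "__main__":
    problems = check_isolation(EXPECTED)
    for label, addr, problem in problems:
        print(f"{problem}: {label} ({addr})")
    raise SystemExit(1 if problems else 0)
```

A silent ping only shows that ICMP is dropped; for audit evidence, repeat the check against the TCP and UDP services that matter on the untagged LAN.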


#7

I really would hold out until the next firmware. It is only the balance 20 and balance 30 that have the issue with the trunk. I believe it to be an “oopsie” when delivering the new firmware to so many device models and hardware revisions.

I mean, you are free to do as you wish. You can always run two different SSIDs to the same LAN. You could also set up a second router to be a double NAT type of scenario for guest access. I have been waiting for these feature implementations since the release of 7.0. I am eagerly awaiting the next release. I really want to segregate some devices from the others but cannot because of PNP ssdp discovery crap.

Once it is set up, it works very well. For what that is worth.


#8

Rick,

Could you look at these screen shots? I think I will follow jmjones’s advice. In either case I tried to follow your instructions. Do you see what I am doing wrong? The AP is on port 2. Leaving the port on internal, the VLAN/Guest network never works. Switching to trunk does not let me select Internal/Guest at the same time, so putting it only on guest I lose connectivity to the AP. I suspect I know just enough on this subject to be dangerous :-).


#9

Does anybody know if 7.0.1 peplink firmware fixed this issue?


#10

This is not the firmware issue; it’s related to the setting that you can define for the trunk port. For more information, please refer to the forum thread below: