Please help, Unraid VLANs, switch tagging, and slow GUIs have broken my brain


I’ve been at this a long time, but in an attempt to cut this long thread down even a bit I’m going to try to get to what I have and what I want, to see if one of you experts can solve this.

 

Here’s what I have:

- Unraid server running 6.10.3
- I350-T4V2 for Unraid (eth0, eth1, eth2, eth3)
- Realtek 2.5GB NIC – passed through to VM on GUEST VLAN
- 3 VLANs:
  - MGMT (corresponds to 192.168.20.x/24)
  - GUEST (corresponds to 192.168.60.x/24)
  - IOT (corresponds to 192.168.70.x/24)
- Unifi switches and APs with non-Unifi firewall

 

Here are my goals:

- Maximize security (especially keeping container traffic mostly in the GUEST and IOT networks and segregated from management traffic whenever possible), and keep VMs in the GUEST network
- Single VLAN per interface

 

I originally had eth0 with an address in the 192.168.10.x range, with the MGMT VLAN on it.

- Eth1 was unused
- Eth2 had no interface IP, but was on VLAN GUEST with an IP assigned to the VLAN interface.
- Eth3 had no interface IP, but was on VLAN IOT with an IP assigned to the VLAN interface.

 

That seemed to work well until recently, but I swapped some servers around and, though it seems to be set this way, my Unraid GUI and SSH access are seeing all sorts of slowness and drops.  I spoke about it here, but I got no response:

https://forums.unraid.net/topic/126512-recent-constant-disconnects-and-web-gui-extremely-slow-diagnostics-zip-attached/

As of right now I can ping from the Unraid console and get DNS resolution, but it fails to get a response and things like Community Apps fail to populate.  I’ve tried dozens of options, including moving the MGMT VLAN to eth1, but I’m running into issues ranging from DNS resolution to continued slowness.  Also, maybe I’m just being an idiot because I feel like my brain is broken, but with one VLAN per interface I’d think I could set the appropriate native VLANs on my Unifi switch ports with nothing else tagged and it would work, but it doesn’t seem to work unless I set those as tagged ports on those VLANs.

 

I’ve read literally dozens of threads and web pages about this and I can’t see anyone who has clearly addressed this.  I was hoping @bonienl, @Vr2Io or one of the other gurus here could tell me how I SHOULD have this set up so that my switch ports are tagged or untagged as they should be, my interfaces are set properly, and maybe even whether I have to change my interface rules to re-prioritize interfaces, as the slow GUI and disconnects make dealing with the whole setup unbearable.

 

THANK YOU for any assistance.

9 hours ago, BurntOC said:

my switch ports are tagged or untagged as they should be

To tag or not depends on the settings on both sides; just note that an interface can only be untagged for one VLAN, but can be tagged for other VLANs or all VLANs.

 

As you plan "single VLAN per interface", to make it simple you can set it up as:

 

- Interface in Unraid without VLAN, but set in the switch to assign its VLAN and untag it. (For max security, set the switch port to accept untagged only; the MGMT interface should be untagged for Unraid)

or

- Interface in Unraid with VLAN; the switch side must match and tag it. (For max security, set the switch port to accept tagged only)

 

In general, you know immediately whether this is correct or not: once there is an incorrect setting, it will fail to connect, and it won't be intermittent. If intermittent problems are found, this shouldn't relate to a tag or untag issue. So it is quite straightforward in this part, and I have used switches from different price ranges; none of them gave unexpected results. (Please also note, IP won't affect this part; a general switch only works at layer 2)

 

 

9 hours ago, BurntOC said:

but it fails to get a response and things like Community Apps fail to populate.

 

9 hours ago, BurntOC said:

I’m running into issues ranging from DNS resolution to continued slowness.

 

The problem is usually on the routing side (router / firewall). If you apply VLANs on the network, the router & firewall must be VLAN capable and must work well. What router do you use? Do you use a private DNS on the local network? If not, is there any difference if you use the router to reach public DNS or go direct to public DNS?

 

9 hours ago, BurntOC said:

Unifi APs

This part is also problematic. I don't have Unifi APs, but I have tried different APs; none of them could work normally with VLANs, except a recent new one (Netgear WAC510), so I apply VLANs again in WiFi now (before, I applied blocking in the router/switch).

 

 

If you still have problems, please provide setting screen dumps from Unraid and the Unifi controller.

 

 

Edited by Vr2Io
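
As an added illustration of the two layouts in the reply above and the "native VLAN only vs. tagged" confusion in the question (this is not code from the thread or from Unraid/Unifi), here is a small Python model of how an 802.1Q switch port classifies frames coming from an Unraid NIC. The port behaviour (untagged ingress goes to the native VLAN/PVID, tagged ingress needs tagged membership), the host-side rule (a plain interface only sees untagged frames, a VLAN sub-interface only tagged ones) and the MAC addresses are assumptions of this model.

```python
import struct

TPID_8021Q = 0x8100          # 802.1Q tag protocol identifier
ETH_ARP = 0x0806

def build_frame(vid=None):
    """Constructed sample frame: untagged (vid=None) or 802.1Q-tagged with `vid`."""
    dst, src = b"\xff" * 6, bytes.fromhex("0200deadbeef")   # constructed MACs
    if vid is None:
        return dst + src + struct.pack("!H", ETH_ARP) + b"\x00" * 28
    tci = vid & 0x0FFF                                      # PCP 0, DEI 0, VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETH_ARP) + b"\x00" * 28

def frame_vid(frame):
    """Return the VLAN ID carried in the frame, or None if it is untagged."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def port_ingress(frame, pvid, tagged):
    """VLAN the switch port assigns to an arriving frame, or None if it drops it."""
    vid = frame_vid(frame)
    if vid is None:
        return pvid                           # untagged frames join the native VLAN (PVID)
    return vid if vid in tagged else None     # tagged frames need tagged membership

def port_egress(vlan, pvid, tagged):
    """How the port sends a frame of `vlan`: False=untagged, True=tagged, None=not forwarded."""
    if vlan == pvid:
        return False
    return True if vlan in tagged else None

def effective_vlan(host_vlan, pvid, tagged):
    """VLAN the Unraid interface actually ends up in, or None if the link is broken.
    host_vlan=None: plain interface (untagged); int: VLAN sub-interface such as eth2.60."""
    vlan = port_ingress(build_frame(host_vlan), pvid, tagged)
    if vlan is None:
        return None
    sent_tagged = port_egress(vlan, pvid, tagged)
    # Linux hands untagged frames to the parent NIC and tagged ones only to a matching sub-interface
    if host_vlan is None and sent_tagged is False:
        return vlan
    if host_vlan == vlan and sent_tagged is True:
        return vlan
    return None

if __name__ == "__main__":
    print(effective_vlan(None, 60, set()))   # no VLAN on eth2, port untagged in GUEST -> 60
    print(effective_vlan(60, 1, {60}))       # eth2.60 on Unraid, port tagged for GUEST -> 60
    print(effective_vlan(60, 60, set()))     # eth2.60 on Unraid, port native-only GUEST -> None
    print(effective_vlan(None, 1, {60}))     # plain eth2, port only tagged for GUEST -> lands in VLAN 1
```

The last case shows a link that "works" but puts the interface in the port's native VLAN rather than GUEST, which is worth checking when traffic flows but ends up in the wrong subnet.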

And I also want to give you some concepts about IP and VLAN.

 

(screenshot: router VLAN settings)

 

Above is my router setting; you can see that different VLANs (A, B, C, D, E, named just for easy reading) can be assigned the same or different subnets.

 

You will find VLANs A, D and E assigned the same subnet. Although they are all in the same subnet, not all of them can communicate with each other, due to the different VLANs; only devices in the same VLAN can communicate with each other, but all will route to the same gateway, DNS and DHCP for IP assignment.

 

For VLAN_B + LAN_2 and VLAN_C + LAN_3, this is quite simple, as most people will do it: just two standalone VLANs & IP subnets; they have individual DHCP, gateway and DNS too.

 

Anyway, all of it is provided by the same VLAN router.

Edited by Vr2Io
