UniFi - VLAN Traffic Tagging


This article provides an overview of how VLAN traffic gets tagged on UniFi. If you are searching for how to configure VLANs on UniFi, please see our UniFi - Using VLANs with UniFi Wireless, Routing & Switching Hardware article.

Table of Contents

  1. Tagging and Untagging Traffic
  2. Guest Portals and VLANs
  3. Related Articles

Tagging and Untagging Traffic

Back to Top

So, how does VLAN traffic get tagged on UniFi? In short, the UniFi access point (AP) tags packets when they go out from WLAN to wire. When tagged traffic comes in from the wire, it will untag it and forward it to WLAN. Take in consideration the following points:

  1. Traffic initiated from the AP is untagged and sent through br0 (or bond0 if link aggregation is enabled). This includes management traffic and RADIUS traffic, as described below:
    1. AP <-> Controller (management traffic)
    2. AP <-> RADIUS (when WPA-EAP is used)
  2. Traffic from WLAN without VLAN configured is untagged (the athX is bridged to br0).
  3. Traffic from WLAN with VLAN configured is always tagged (athX bridged to br0.VLAN to eth0.VLAN):
    1. AP <-> RADIUS (when WPA Enterprise is used)
    2. Station -> AP (tags) -> switch
    3. Station <- AP (untags) <- switch

Whether it's redirected (to the guest portal) doesn't matter. When WLAN is configured with VLAN, the traffic will be tagged when it leaves the AP. However, after traffic is tagged by the AP, it's up to you where it should be passed upstream.

Management network:
Guest VLAN network:
AP connected to port 5 (VLAN 1-untagged and VLAN 5-tagged)
Ubuntu connected to port 1 (VLAN 1-untagged and VLAN 5-tagged)
Controller connected to port 8 (VLAN 1-untagged)
Ubuntu (acting as a Router)
eth0:, routable to the Internet (gateway
eth0.5:, NATed to eth0
Controller is at

Guest Portals and VLANs

Back to Top

It's natural to think of a VLAN when guest access is mentioned since guests placed in their own VLAN, are isolated from other parts of the network. However, there are a few technical details worth mentioning talk about.

Let's start with the basic VLAN deployment where the guest portal is not enabled:

  1. UniFi AP tags WLAN->wire traffic.
  2. AP-controller is untagged.
  3. Controller is likely running on untagged interface.
  4. Configured inside the AP: guest --- br0.3 --- eth0.3 --3--+ br0 ------------------+--u,3---port1 corp -----+
  • port8 connecting to router's DMZ port, add port8 as a member of VLAN 3 and untagging. Enable DHCP server on your DMZ.
  • port5 connecting to an internal network, have port5 untagged.

So what would happen when the guest portal is enabled with VLAN? When the guest portal is enabled, the UniFi Controller acts as a portal server and the guests will be redirected to http://unifi_ip:unifi_http_portal_port/guest/. Some issues might arise, for example a guest is on VLAN 3, bridged to DMZ, and can't reach unifi_ip:unifi_http_portal_port. This issue could be addressed by adding rules to the router:

  1. Add a route for traffic from DMZ->unifi_ip
  2. Allow DMZ->unifi_ip:unifi_http_portal_port

Related Articles

Back to Top

UniFi - USW: Using VLANs with UniFi Wireless, Routing & Switching Hardware

Intro to Networking - Introduction to Virtual LANs (VLANs) and Tagging

Was this article helpful?
18 out of 57 found this helpful
Can't find what you're looking for?
Visit our worldwide community of Ubiquiti experts for more answers
Visit the Ubiquiti Community