Support Downloads Community

UniFi Video is an obsolete product line.

This application and its related devices will no longer receive any manner of technical support, including functional and security updates. Additionally, there will be no further updates to Help Center content pertaining to UniFi Video.

UniFi - VLAN Traffic Tagging

Overview

This article provides an overview of how VLAN traffic gets tagged on UniFi. If you are searching for how to configure VLANs on UniFi, please see our UniFi - Using VLANs with UniFi Wireless, Routing & Switching Hardware article.

Table of Contents

  1. Tagging and Untagging Traffic
  2. Guest Portals and VLANs
  3. Related Articles

Tagging and Untagging Traffic

Back to Top

So, how does VLAN traffic get tagged on UniFi? In short, the UniFi access point (AP) tags packets when they go out from WLAN to wire. When tagged traffic comes in from the wire, it will untag it and forward it to WLAN. Take in consideration the following points:

  1. Traffic initiated from the AP is untagged and sent through br0 (or bond0 if link aggregation is enabled). This includes management traffic and RADIUS traffic, as described below:
    1. AP <-> UniFi Network application (management traffic)
    2. AP <-> RADIUS (when WPA-EAP is used)
  2. Traffic from WLAN without VLAN configured is untagged (the athX is bridged to br0).
  3. Traffic from WLAN with VLAN configured is always tagged (athX bridged to br0.VLAN to eth0.VLAN):
    1. AP <-> RADIUS (when WPA Enterprise is used)
    2. Station -> AP (tags) -> switch
    3. Station <- AP (untags) <- switch

Whether it's redirected (to the guest portal) doesn't matter. When WLAN is configured with VLAN, the traffic will be tagged when it leaves the AP. However, after traffic is tagged by the AP, it's up to you where it should be passed upstream.

EXAMPLE
Management network: 10.1.0.0/24
Guest VLAN network: 10.2.0.0/24
 
Switch
AP connected to port 5 (VLAN 1-untagged and VLAN 5-tagged)
Ubuntu connected to port 1 (VLAN 1-untagged and VLAN 5-tagged)
UniFi Network application connected to port 8 (VLAN 1-untagged)
 
Ubuntu (acting as a Router)
eth0: 10.1.0.2/24, routable to the Internet (gateway 10.1.0.1)
eth0.5: 10.2.0.1/24, NATed to eth0
 
UniFi Network application is at 10.1.0.26.

Guest Portals and VLANs

Back to Top

It's natural to think of a VLAN when guest access is mentioned since guests placed in their own VLAN, are isolated from other parts of the network. However, there are a few technical details worth mentioning talk about.

Let's start with the basic VLAN deployment where the guest portal is not enabled:

  1. UniFi AP tags WLAN->wire traffic.
  2. AP-UniFi Network application is untagged.
  3. UniFi Network application is likely running on untagged interface.

So what would happen when the guest portal is enabled with VLAN? When the guest portal is enabled, the UniFi Network application acts as a portal server and the guests will be redirected to http://unifi_ip:unifi_http_portal_port/guest/.

Related Articles

Back to Top

UniFi - USW: Using VLANs with UniFi Wireless, Routing & Switching Hardware

Intro to Networking - Introduction to Virtual LANs (VLANs) and Tagging

Was this article helpful?
61 out of 191 found this helpful