Oct 052019
 
Ubiquiti UniFi Controller Login Screen

When deploying a new UniFi network using Ubiquiti UniFi hardware and the controller, you may wish to change the management VLAN, and/or the VLAN that the hardware uses to communicate with the UniFi Controller.

In this post, I’m going to go over how to do this, as well as troubleshoot if something should go wrong.

Please note that I’m focusing on the theory and understanding as to how communication is handled, instead of providing step by step instructions which is what readers are usually accustomed to on this blog.

Why would we do this?

Some users (myself included) like to avoid using the default management VLAN of 1. This can be for a number of reasons such as reducing the security vulnerability footprint, customizing for specific customers or environments, or we just like to change it from the default VLAN.

How do we do this?

When you choose to change the default management VLAN, typically you need to maintain a network/subnet on untagged VLAN1. This is because when you purchase or deploy new UniFi equipment, it will always try to obtain an IP on untagged VLAN 1, and try to contact the controller using this network.

By having a functioning “provisioning” network and subnet on VLAN 1, the devices can obtain their configuration, and provision from there.

Once the device is provisioned and attached to the UniFi controller, you can configure it to use a different VLAN as it’s management VLAN.

Keep in mind that you must make the controller available on both the untagged “provisioning” VLAN 1, as well as the new custom management VLAN as well. In my case, I make all the subnets routable so that the UniFi controller is available no matter what subnet and/or VLAN your on.

How do we secure this?

In my example above, I have very restrictive firewall rules on the firewall that is routing the different VLANs and subnets. The only traffic that is allowed to be routed to the untagged “provisioning” VLAN 1 is traffic destined for the UniFi controller, and only the ports that are required for provisioning. All other traffic is restricted, including internet access.

Essentially the only thing that functions on VLAN 1 is routing to the UniFi controller, and DNS for the lookup of the host record “unifi”.

What will happen if I’m doing this wrong?

If you’ve done this wrong, you may notice that original provisioning works, then the AP or switch disappear and go offline after the management VLAN change on the device. This is because it can’t contact the controller after it changes its default management VLAN to the new one you specified.

If the device never contacts the UniFi controller in the first place, then the device isn’t able to contact the controller on the untagged VLAN 1. You need to make sure that the various provisioning methods are available and functioning, and that the subnet is routable and firewall rules allow communication from that subnet to the UniFi controller.

How do we test this?

In my environment on untagged VLAN 1 as well as my custom management VLAN, you can open a browser and type in “unifi” and it will resolve and connect to the UniFi controller. This means it’s available on the default VLAN that the devices look for, as well as the custom management VLAN.

I find using the A host record the easiest way to do this. Please note that my UniFi controller only has one static IP address on the custom management VLAN.

  6 Responses to “Change management VLAN on Ubiquiti UniFi Hardware and Controller”

  1. […] Change management VLAN on Ubiquiti UniFi Hardware and Controller […]

  2. How did you make the Unifi Controller available on both a tagged VLAN and the general untagged network? Does it live in (as in the IP address is in) the subnet of VLAN 1/untagged, but you route to it from other VLANs via a L3 device? Thanks!

  3. Hi Jamie,

    Thanks for reaching out. I have a few of the subnets on different VLANs routable. I do the routing on a Sophos UTM which has multiple (virtual) adapters sitting on each different subnet/VLAN. This way it can provide routing and I can enforce strict firewall controls.

    This way, when a UniFi device is attached to the network on the default untagged network, the only thing it has access to is a DHCP/DNS server, and the UniFi controller which resides on a different subnet. It performs the DNS lookup of “unifi”, provisions and then changes to the appropriate VLAN for management.

    Hope this helps!

    Cheers,
    Stephen

  4. Thanks Stephen. So the controller lives on a VLAN, but is accessible from the untagged VLAN 1 through an L3 device (UTM). And out of the box, Unifi gear is preconfigured to resolve the FQDN “unifi” to provision to the controller, hence the DNS record? You don’t have to console into a Unifi switch for example to set the controller FQDN for provisioning? Thanks.

  5. Hi Jamie,

    That is correct (the routing, VLANs, and L3 routing). And yes, provisioning is all automatic, no SSHing needed.

    You can find all the different adoption methods available here: https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

    You can use DNS, DHCP, etc… I just chose DNS because it’s easy and my Sophos UTM has a built in DNS server that I use for subnets/VLANs that I don’t want or have servers on.

    Stephen

  6. […] you’ve purchased some Ubiquiti UniFi hardware… You have configured it, possibly even changed your management VLAN. Now it’s time to get production […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)