A common question comes up a lot. When you want to set up pfSense at home, you want to get a UniFi. And UniFi just makes some excellent Wi-Fi equipment. And you don't have a smart switch. You don't have a switch that supports VLANs. You don't want to buy a couple of these, or maybe you do. And you want to have all the networks flow through to create separate networks with one device. Now, easy to do with VLANs. We're going to show you how to do that with a VLAN. So you can create a secure LAN network, a secure secondary LAN network for the Wi-Fi, and then a third network for all the crap devices that you want to connect, but still have one physical device here.

Now, what we're doing is we have an unmanaged switch, and this is common. This is a Netgear. It doesn't have all the fancy VLAN support. These are about $30, not expensive, for an 8-port gigabit switch. I actually like them; they're metal as well. I'll leave a link where you can get those. And we have that going in, and this will be our LAN. So we have igb0, which is our WAN port. This is where we get our internet from. That goes in igb0. We have igb1, which is our LAN port. And then we have igb2. And we're going to show you how you can split this into two networks. Now, physically, it's one cable. And this purple cable you see here is coming out of the port on the card, right into the brick, out of the brick, to add power to this. So you get the power injector. And now it's providing Wi-Fi via this AP-AC-LR. Now, this network is going to be configured so you have a secure LAN network for trusted devices and the other Wi-Fi network. And it's only going to run over one physical cable. Now, ideally, if you have a smart managed switch, where UniFi makes some really affordable ones, you can bring this out, bring it into a UniFi switch, and create a whole lot of different VLANs and things like that. I have a video on how to set up VLANs on pfSense and UniFi. And I'll leave that in the description below.
But we're going to talk about, if you don't have a managed switch, how you can still achieve that, so you can still get your multiple networks with one Wi-Fi device, so you can have your Wi-Fi toaster on one device and everything else over here, and one physical cable. OK, this video is also going to have a couple of assumptions. And if these assumptions are wrong, go through my channel. You can find some other videos on how to set these things up. First, that you know how to set up a UniFi and that you have the software, the UniFi Controller software, set up and configured and the UniFi working. Now, you can start by getting the UniFi working on your LAN network and then move it over to the LAN Wi-Fi part. The important part, though, is that the controller, you have that set up properly and have that IP address on the same LAN network and make sure it's accessible. So those are at least a couple of assumptions: that you know how the UniFi system works and have it working.

So this is our test demo site that we have set up called LTS test site. This is that device that was on the table with me, the LTS 100, just a generic name we gave, and it's plugged into our LAN Wi-Fi. So let's jump into the configuration and show you what we have here. So Interfaces, Assignments: we have our WAN (that was igb0), LAN (igb1), and LAN Wi-Fi. Now, all I did to create this, I called it LAN Wi-Fi just because it's our secure LAN and it's where the Wi-Fi is physically plugged in, on igb2. So we created an assignment, just like I showed in the last video. That's the fourth port that's down at the bottom if we wanted to add another one. Then we went over here, LAN Wi-Fi. We enabled the interface. We gave it the name. We set a static IP address. Now, this is 192.168.20.1, versus LAN, which is 1.1. Then we went to our firewall rules. Here's our LAN rule that says LAN net can go anywhere it wants.
So the packets can flow freely throughout the LAN rule, and LAN Wi-Fi, same thing, because it's a trusted network. It doesn't really have any rules other than a wide-open allow rule. So allow anywhere. That means these two networks can talk perfectly fine to each other because the ability is there through this firewall rule that allows that. So now we want to talk about creating the extra network where we want to put the insecure things. So back over here to the UniFi real quick. We're going to go Settings, Wireless Networks. Here's our default networks. Please note, no VLAN tag, which means when you don't have a tag on here, it automatically goes there. So Spider LAN, I'm going to add it right here. Spider LAN, which is the Wi-Fi name given to this Wi-Fi network, has full access to the LAN Wi-Fi because it's plugged in there. And when we go back over here to our devices, you can see it has an IP address in that range, 192.168.20.100. So it's on that LAN. It has it. So if I connect any device to there, it will work. And now I have a Wi-Fi device directly plugged into my system along with my LAN system. So the two can talk back and forth with each other.

Now, something real quick we want to cover here is another thing we're going to add before we get to adding the insecure network. And that's mDNS support. Because one thing is, if they're on two separate networks, although they can pass freely between each other, you'll also need mDNS working between them for things like the Chromecast to work. So we're going to cover that real quick here. System, Package Manager. And you see, I got this set up and plugged in here. So all you have to do is go here. This is Avahi. Easy to find in Available Packages. We're going to turn this on. And away we go. This will allow mDNS requests to go back and forth across there. Now, we're going to come back to this later because we want to add a deny interface. We want it on these.
But the next one we're going to add here is, once we add our crap Wi-Fi network, we're going to add that to the deny. Now, you may or may not want to. It really depends on how you set things up. If you have the Chromecast, you may want to think of that as a trusted device and you want it on there. Or you may not. This is kind of your own personal decision here. But this is the tool that you use to allow the mDNS protocol to go across the networks. This is what bridges that mDNS protocol across those. Because it uses, like I said, a special discovery protocol. You can read more about it later. But I just want to cover that because someone's going to ask, how do I get these things bridged? So we're going to leave it actually off for the moment. But this is where you do that. This is the tool you use. It's really easy. Just turn it on. And deny the interfaces you don't want it on. Or maybe you want it on the interfaces because you want to be able to discover those devices. Because I will mention that once we do these rules, LAN and LAN Wi-Fi can still see things in the crap network. But the reverse isn't true. So you're firewalled so you can see them, but they can't get back to you. So that may create some issues, though, if you extend mDNS across there, depending on the device.

All right, so let's get started on the interfaces. We got the assignments. We got the LAN, LAN Wi-Fi. We can route traffic. And it automatically goes to Spider LAN. So any way you connect on there becomes part of your secure network. Let's create that insecure crap network. Assignments. We're going to go over here to VLANs, Add. Now by default, it chooses the top one, which happens to be WAN. We want igb2. So we're going to go here to igb2. We're going to give it a VLAN ID of 30. This is arbitrary. It's a number between 1 and 4094. Don't choose 1. That can cause some issues if that's your trunk. But we're just going to choose 30.
We're not going to worry about anything else, but we're going to call this our crap Wi-Fi. So igb2, because that's physically the port the purple cable is plugged into. VLAN tag 30, description, crap Wi-Fi. Now we're going to go back over here to Interface Assignments. And you assign this as an interface. So we're going to go ahead and add. Now you notice it says VLAN 30 on igb2. Save. Let's give it a new name: crap Wi-Fi, enable interface. Static. Let's give it 30.1. If you've seen that, it was the same one I used in my other demo. /24, save, apply. Now, as I've mentioned before in other videos, anytime you add an interface, it shows up as a tab everywhere else for things like DHCP servers. So we're going to go to crap Wi-Fi. We're going to enable DHCP, set our ranges, save. So now crap Wi-Fi has that. And by default, pfSense doesn't have any rules created for crap Wi-Fi. So we have to create a rule or nothing will route on there. So go here, address family, any. Now this is the part where we're actually going to pause and go back, because we can create the rule and we'll say allow all. Just allow traffic and we'll hit save. But obviously this may create a problem because ideally we don't want crap Wi-Fi getting back to our two secure LANs over here. So we're going to apply it and we'll go here and fix it.

We're going to create an alias. This is one of the ways you can do this. This is pretty easy. I could put some block rules in, or we're going to create an alias and we're going to say secure LAN network. Now what we did here is misspell trusted. Secure trusted LAN, so you have a secure LAN, secure trusted LAN network. This network and this network are both /24. Here's our LAN, here's our LAN Wi-Fi. Save, apply, we've created an alias. That way when we go here, we're going back to Rules, crap Wi-Fi, have this wide-open rule. And like I showed in my last video, you can simply do single host or alias. If you type, aliases work; I've done a video on this before.
You type the first letter and it'll autocomplete and list them. So we're going to say can go anywhere, invert the match, single host or alias, secure LAN. So we're saying anywhere but the secure LANs. Now this is nice: that way, if you ever added more secure LANs later or other places that you want this not to be able to go, you simply keep adding that to the alias and that will block the crap Wi-Fi from going there. So that's simple; we've created it. Now let's take a look here at how this looks. So here's your interfaces. We have WAN, LAN, crap Wi-Fi and the LAN Wi-Fi, and you can see all the addresses and they're all up and available. Just so you know, this is that physical layer I'm talking about. We'll see these are physically the same interface, so you'll see both of these working or not working at the same time if something's plugged into them.

So now how do we create that in UniFi? Well, this is really easy. So if we look back over here at our interface assignments, we know we have this as VLAN 30, so we set up. So we're gonna go over here, just take a look real quick. Wireless Networks. We're gonna create a new wireless network. Here's where our crap Wi-Fi things go. Password, no password, whatever you want there. Advanced options, this is the easy part. Just go here; it just has to match. So we created VLAN 30, use VLAN 30, save. That's gonna provision. And now you see the VLAN tag right here. VLAN 30, open. So now we have that crap Wi-Fi and we've set a VLAN to it. Now all the other rules apply just like anything else. You can go here to firewall rules and anything you wanna do, filter out, block, set limits, everything you can apply to this just as if it was a physical interface even though it's a VLAN interface. So here's all your rules and you're done. Now, anything that we connect to our crap Wi-Fi thing doesn't get to our Spider LAN, and UniFi, being that they're commercial network equipment,
they support VLANs, and VLANs are secure and not easy to hop out of, in case you're wondering. And this is how you create those. Really simple: create a VLAN, have it separate, have it secure, but physically have one device. That's all there is to this setup. We're done. Anything you connect there is there. So now our UniFi device is broadcasting both. You can connect to either. One connects to your LAN Wi-Fi and can get back and forth between things, and one goes to your crap Wi-Fi. And then the Avahi service, we're gonna deny it here. You can enable, and we'll hit save. And now this is enabled but denied for the crap Wi-Fi. That way those devices don't get mDNS and discovery back and forth between the rest of the network, so you put your things you care about or need to get broadcasting to on the LAN Wi-Fi, and then the crap Wi-Fi you can have over there.

Now there's more trickery you can do, and maybe we'll cover in another video how to get things back and forth across and filter it and create lots more rules. But this is the basics for getting a setup and getting you going with easy one device, no managed switches, and being able to do this. Now, obviously this gets easier with a managed switch, and I've covered that in some of my other UniFi videos before: when you have a managed switch you just go create VLANs on the switch and then you can go back and forth. I'll be doing some more future videos on that as well, but this will get you started. Great if you wanna put in a pfSense with a UniFi AP, one UniFi AP, but then create separate networks but not have a whole problem with all those other little issues back and forth of having multiple, having to buy multiple devices just to keep these things secure. Hopefully this was helpful. Thanks for watching. If you like this video, go ahead and click the thumbs up.
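The firewall policy the video builds in pfSense (the two trusted interfaces with wide-open rules, the alias of the two trusted /24s, and the inverted-destination rule on the VLAN 30 interface), modelled as an added Python example that is not from the video or from pfSense. The interface and alias names, the sample addresses and the state-table helper are assumptions; the evaluator is a simplified first-match model of pf's stateful filtering, which is enough to show why the trusted side can reach the crap Wi-Fi but not the reverse, and that extending the alias extends the block.

```python
"""Model of the pfSense policy from the video (added example, not pfSense code)."""
from ipaddress import ip_address, ip_network

# Subnets from the video: LAN 192.168.1.1/24, LAN Wi-Fi 192.168.20.1/24,
# crap Wi-Fi 192.168.30.1/24 (VLAN 30 tagged on igb2). Interface names assumed.
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "LAN_WIFI": ip_network("192.168.20.0/24"),
    "CRAP_WIFI": ip_network("192.168.30.0/24"),
}

# The "secure trusted LAN" alias: both trusted /24s. Grows as you add LANs.
SECURE_LANS = [NETS["LAN"], NETS["LAN_WIFI"]]

# Per-interface rules, first match wins: (action, destination networks, invert).
# A destination of None means "any".
RULES = {
    "LAN": [("pass", None, False)],
    "LAN_WIFI": [("pass", None, False)],
    # "any" destination, invert match on the Secure_LAN alias.
    "CRAP_WIFI": [("pass", SECURE_LANS, True)],
}

def add_secure_lan(cidr):
    """Add another trusted subnet to the alias; the crap Wi-Fi rule picks it up."""
    SECURE_LANS.append(ip_network(cidr))

def decide(iface, src, dst):
    """Verdict for a NEW connection entering iface. pfSense blocks by default,
    so anything that matches no rule is blocked."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip not in NETS[iface]:
        return "block"  # source address does not belong on this interface
    for action, dst_nets, invert in RULES[iface]:
        matched = dst_nets is None or any(dst_ip in n for n in dst_nets)
        if matched != invert:  # invert=True fires when the alias did NOT match
            return action
    return "block"

def new_connection(iface, src, dst, state):
    """Evaluate a new flow and record it in the state table if it passes."""
    verdict = decide(iface, src, dst)
    if verdict == "pass":
        state.add((src, dst))
    return verdict

def reply_allowed(src, dst, state):
    """Replies to an established flow pass on state, not on the rule set.
    This is why LAN can reach crap Wi-Fi but crap Wi-Fi cannot initiate back."""
    return (dst, src) in state
```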
Leave us some feedback below to let us know any details, what you liked and didn't like as well, because we love hearing the feedback, or if you just wanna say thanks, leave a comment. If you want to be notified of new videos as they come out, go ahead and hit the subscribe and the bell icon that lets YouTube know that you're interested in notifications. Hopefully they send them, as we've learned with YouTube. Anyways, if you wanna contact us for consulting services, go ahead and hit lawrencesystems.com and you can reach out to us for all the projects that we can do and help you with. We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you wanna help the channel in other ways, we have a Patreon, we have affiliate links, you'll find them in the description and you'll also find recommendations to other affiliate links and things you can sign up for on lawrencesystems.com. Once again, thanks for watching and I'll see you in the next video.