Tom here from Lawrence Systems. And we're going to talk today about setting up the UniFi controller version 7, which is 7.0.25, the latest as of April of 2022, and using pfSense to define the networks, configure the VLANs, and how to make sure they play nice, essentially, and are interoperable with doing this inside of UniFi. The reason for this video: we use a lot of pfSense, and we use a lot of UniFi, and they do work perfectly fine together. And I've talked before about some of the shortcomings of the UniFi routing equipment, which is why we frequently use pfSense instead as the firewall, with UniFi for switching and access points. This is a video on how to get these two things to work together. But to keep it narrow in scope, I have a video down below about how to get pfSense generally configured and set up; I have my longer video on that, and I have a shorter video on specifically setting up pfSense for home networks. Those videos are linked down below, because I'm not going to dive deep into the pfSense firewall rules in this video, so that we keep it narrower, to just how to configure the VLANs. Everything is time indexed down below, so you can jump to the part that's most relevant to you, because we will be starting with some fundamentals of defining VLANs. But I also have other videos linked where I discuss network design and VLANs and some other broader topics.

But before we get into all of this, let's first: are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support.
With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in Hire Us, but you're looking for other ways you want to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

Now, the first place I want to start is with this Wikipedia article, because I want some common language that I'll be using to be at the front of the video here. Of course, you can skip ahead if you want, but this is where the troubleshooting is, and where most frequently people screw up when they're setting up VLANs. "Portions of the network that are VLAN aware," I think, is a really important part to highlight here. When I say that, as it says here in the Wikipedia article: when you have your pfSense and your UniFi, which are both VLAN-aware devices, software products and hardware products, we're talking about two things that are VLAN aware. Some things are not. That may include your hypervisor. People have trouble when they virtualize pfSense, because the hypervisor adds another layer to your network. If your hypervisor does not automatically pass any type of VLAN traffic, this is one of the first troubleshooting things you run into. Next, when you have switches that are not UniFi involved: as I said, pfSense and UniFi are VLAN aware, but other switches in between don't always behave the same way, and whether or not they're VLAN aware is going to vary by make and model. But if it's not VLAN aware, it will frequently just throw away the VLAN tags and not pass that traffic on going forward.
So that is a challenge that you run into, or I should say we've run into a lot as consultants: we see people that are trying to figure out why they can't get data to traverse the network, and it's going to be portions of the network that are not VLAN aware, and you can have unpredictable behavior. Next, it's important to understand that not all switches will traverse traffic that's not defined. What happens is, if you set up a VLAN in pfSense and you put a VLAN-aware switch in between pfSense and UniFi, that switch may not, depending on manufacturer and settings within it, pass along any traffic that is not explicitly defined. So if you define a VLAN in pfSense, but you don't define it in an intermediary switch, it may not pass the traffic along to the UniFi. Now the default behavior of UniFi is to actually take that data that is coming into it, and it doesn't care if you've defined all the VLANs. If you create a VLAN in pfSense, but it is not defined within the UniFi switch system, the UniFi software-defined networking platform, it will still pass that along to the next switch. It doesn't know what to do with it, but it doesn't do anything bad with it, such as throw it away. Some switches, as I said, do this. I just want to put this here because these are just really common problems people have, or problems we run into when we're consulting: the extra switches, or switches that require explicit definition of each VLAN that you set up.

Now, one more thing I want to mention is this little graphic right here. This is your frame format. This is the optional header, the 802.1Q header. The extra information for the VLAN tag is just like it sounds: it's an extra piece of traffic information that's in there to separate the networks. You've got to remember VLANs share bandwidth and they share the physical line; it's really nothing more than an extra tag to help define where the traffic belongs.
It's also important to remember the native VLAN: the default, when a port is missing that tag, that traffic becomes what may be referred to as VLAN 1 in some places, but essentially it's your native traffic versus your tagged traffic. But all that traffic is traversing down the same line. So there's always that potential, if someone's on the native network, depending on configuration, if that data passes through them, they would be able to pull those tags, and you can actually capture all the packets on that particular line: not just the native VLAN, but any VLAN tags, separated out. In this example, if you're doing a packet capture with Wireshark, you see everything that traverses that whole line right there. That may or may not be what you're looking for, but it's just something to be aware of, that all the data goes through that one pipe.

All right, now let's get to the functional part of setting this up. Now, this configuration is based on the video about securing and setting up good pfSense firewall rules for your home; that video is linked down below. So as I said, I won't be diving deep into the rules, but these are actually the same networks I have defined. The internet comes in and goes into WAN, and then, for clarification, I've labeled it igb2. It's also called LTS_Tom inside of pfSense, because you can give practical names to it, but the interface is igb2. It's important to understand that, and you'll see it when we set up the VLANs inside of pfSense. So for the scope of this particular part of the video, we're only talking about two networks. 172.16.16.0 is the native; I put VLAN 1, but it's also the native VLAN, so we understand that's the same thing: no VLAN tag on it, that's your default traffic that's going to come out of this. Then we have added 192.168.60.0/24 as VLAN 60. Physically, they come out of a single wire from igb2 and they go into port 24 on my UniFi switch.
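To make the frame format and the "everything goes through one pipe" point concrete, here is an added Python example of mine, not code from the video: it parses an Ethernet frame, pulls the optional 802.1Q tag apart into PCP, DEI and VID, treats an untagged frame (or a priority-only tag with VID 0) as native, and tallies which VLANs a capture on the igb2-to-port-24 line would show. The sample frames, MAC addresses and payloads are constructed; `build_frame` exists only to produce that sample input.

```python
"""Parse Ethernet frames with an optional 802.1Q tag and tally the VLANs seen on a line."""
import struct
from collections import Counter

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_frame(frame: bytes) -> dict:
    """Return the Ethernet header fields and, if present, the 802.1Q tag fields.

    'vid' is None for an untagged frame (native VLAN traffic). When a tag is
    present it sits between the source MAC and the real EtherType.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pcp = dei = vid = None
    payload_offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # 3-bit priority code point
        dei = (tci >> 12) & 0x1    # drop eligible indicator
        vid = tci & 0x0FFF         # 12-bit VLAN identifier
        payload_offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vid": vid, "pcp": pcp, "dei": dei,
        "ethertype": ethertype, "payload": frame[payload_offset:],
    }


def build_frame(vid=None, pcp=0, dei=0, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46,
                dst="ff:ff:ff:ff:ff:ff", src="00:11:22:33:44:55") -> bytes:
    """Build a frame; used here only to construct sample input (constructed MACs)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def vlan_tally(frames) -> dict:
    """Count frames per VLAN, as a capture on the trunk line would see them.

    VID 0 is a priority-only tag with no VLAN identity, so it counts as native.
    """
    counts = Counter()
    for f in frames:
        vid = parse_frame(f)["vid"]
        counts["native" if vid in (None, 0) else vid] += 1
    return dict(counts)


# Constructed sample: what a capture on the igb2-to-port-24 line might contain.
SAMPLE_FRAMES = [
    build_frame(),                        # untagged: LTS_Tom native network
    build_frame(vid=60),                  # CAM LAN, VLAN 60
    build_frame(vid=60, pcp=5),           # VLAN 60 with a priority set
    build_frame(vid=1337),                # the other VLAN on igb2
    build_frame(vid=0, pcp=7, ethertype=ETHERTYPE_ARP),  # priority-tagged, no VLAN
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_frame(f)
        print(p["src"], "->", p["dst"], "vid", p["vid"], "pcp", p["pcp"], "type", hex(p["ethertype"]))
    print(vlan_tally(SAMPLE_FRAMES))
```

The tally is the same view Wireshark gives you on a mirrored trunk port: every VLAN that rides igb2 is visible, with only a 4-byte tag telling them apart, which is why a port that should only carry one network gets a specific profile rather than All.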
Now, a couple of important notes. The default settings (and I put the settings for the ports we're talking about on here), unless you've changed things, the default setting for UniFi ports is All, as in let all traffic in and pass all traffic to the next device. That means if you have another UniFi switch, you want the settings between the two switches to be All on the outgoing switch and All on the incoming switch for the connection between them. This allows all VLAN traffic to head over to the next switch. That way, as we define it on a specific port, we will be able to do that on any switch within the network, provided they're all connected with All in between them. This also goes for the UniFi access points: they are VLAN aware. If you're dealing with a non-UniFi access point that is not VLAN aware, then yes, you would set something other than All on the port; that would be out of scope of this particular video. But we're assuming you're using a VLAN-aware one, or specifically a UniFi one. With UniFi, you want All, which is port 24, and then port 16, where the access point is plugged in, to be set to All. The UniFi access point itself, as you define an SSID, has the option to look at the VLAN tags. So all the different traffic, even though it's only one VLAN here, we can have many VLANs attached to this one igb2 port (we actually have more than one, as you'll see later in the video), all comes to the access point. And then the function of the access point says: all right, you've defined these VLANs, which one do I send by default? It's going to send the native. But when we set up an SSID, we have the option of choosing any of the defined VLANs within the UniFi controller to tag those and assign those to the SSID. So that's what we're going to do next, to show you how that part of the system works, where we define them in pfSense, define them in UniFi, and eventually define them in an SSID.
Now first, let's talk about defining them in pfSense. Right here under VLANs, we have VLAN 60, and we have this other extra VLAN that I have on here, a little out of scope, but we'll have that one defined as well. If you want to define a VLAN, the first problem and mistake many people make is the parent interface: choose the proper parent interface. That's why I labeled them like this, because when you're looking at them from this aspect inside of pfSense, you see the parent interface name, igb2 for example, and then you would set the tag. Just type in whatever tag you want; you can define them. If you're using any VLAN priority, that's out of scope of this video, but that is an extra piece of information that is within there; refer back to that Wikipedia article. Give it a description: this VLAN is for something, whatever you want to put in there, maybe something right. Always important. So that's how you define them, pretty simple. When we go over to the interface assignments, this is where they have more common names. You see igb2 is called the easier-to-remember LTS_Tom name right here. But then here's that VLAN 1337, and the one that we're talking about for this video, VLAN 60, and you can see they're attached to the igb2 interface. This means physically that port is going to have all that extra traffic for these two VLANs on it. We're only going to be using one of them for this particular part of the demonstration, but you get the idea that you'll assign these as interfaces. And that's covered in my other pfSense videos.

Now let's go over to UniFi to define them there. We're going to click on the gear icon for settings, and we're going to go to Networks. Now for networks, you have your default, and I do not have a UniFi routing device in here, so none of these settings really affect much, but this is where you can set your default one.
You don't actually have to; UniFi doesn't care, because we're not using any of this, but this does allow you to set the IP address even when you don't have a network defined within here. If you want to set up what they refer to as the main network, the default LAN network, it's really not in use because I don't have a UniFi routing device, but you can see I do have these: VLAN only and VLAN only. So let's go ahead and create a network. If you do this, let's call it test, select router; there's no router in here, and we actually want VLAN only. If you're not using any of the UniFi routing equipment, you can check VLAN only and then you can define it. Obviously, if you're using UniFi routing equipment, this gets a little bit more complicated, and yes, it defines it on the routing equipment at the same time. But VLAN only means we're only defining VLANs on UniFi access points and switches, no routing equipment involved in this. So we've picked the tag; we already have VLAN 60 created, and it won't let me create it again, but whatever tag number you come up with, you put that in here, and away you go. There are a couple of options you can do on a per-network basis, out of scope of this; we'll just say set the VLAN tag. So if we go back and look at these networks, and we look at this one right here, we see VLAN only, VLAN ID 60, which matches what's in pfSense. That's incredibly important: following standards, you can't have different numbers or it won't work, because it won't know what tag to look for.

Then we're going to go over here to Wi-Fi and show you how that's done. Right here is CAM LAN, the camera network. When I click on this, you can see that VLAN only, you can choose the pull-down, and I can choose, if I wanted, different options: whether it's the LTS_Tom native network, the LTS 1337, or this other one I've defined, which we'll cover later in the video. But that's it.
That's all you have to do when you're creating one. We can even go back over to Wi-Fi here; if you create a new network, you can see the pull-down works the same way. This is how you define it. As long as you have the port setting going to this device set to All on the switch, great, it's going to send all the traffic, but then the defining part inside the access point is defined right here, to say only pull this particular VLAN and create an SSID with it. This is how you get the different networks all segmented out inside of here.

Now let's actually look at the switch settings themselves. So if we go back here to UniFi Devices (and when we leave here, I don't want to make any changes), we'll look at the ports on here. Now I have a lot of cameras plugged in, so CAM LAN 60 is an ideal place for where we want these cameras. So if we look, and I mentioned port 24, the uplink is set to All, but we want to go in and look at these ports here. You notice it says profile CAM LAN on it. Let me make this a little bit bigger. The way you do this is really simple. You go to the ports and look at the port right here, and then we're going to go into the port profiles. This is something that I think UniFi should fix: they used to have the pull-down go down further, and this is overlooked frequently, with people going, I don't know where my networks are. I'm just scrolling down with a mouse to see them right here. And I can change any of these ports to be on different networks. I want this port assigned to CAM LAN, so we just go down here and we choose CAM LAN. Now this particular port is attached to that VLAN 60 tag. And the data coming out of that port: if it was set to All, all VLANs would come out of the port. When we narrow it down to say CAM LAN, like we do here, or any one of these other defined VLANs, you've now narrowed it in scope, so that becomes what comes out of that port natively. No other traffic from the other VLANs comes out of that port.
It becomes the native traffic now for CAM LAN. And that's it. That's how you define the VLANs. That's how you get them to work on any individual port or an SSID.

Now I want to go into a slightly more advanced scenario that you may run into, because, well, there are sometimes some unique networks you get set up, or how I've got my network set up here. Now, if your use case was exactly what I showed in the last diagram, stop there; don't confuse yourself with this one here. But this is to answer the question about a slightly common use case, and a little bit more advanced way you may want to set things up, and also another way to think about how VLANs work on here. Now we have VLAN 60 defined inside of pfSense, but you may have noticed we don't have VLAN 10 defined inside of pfSense. That's because 192.168.1.0/24 comes natively out of port igb1, which means the port setting, and that happens to go into port 18, we set the port to VLAN 10. This setting allows for all the other ports that are set to VLAN 10, because we're going to define VLAN 10 inside of UniFi only. Any ports set to VLAN 10 you can think of as their own switching network. So even though there are multiple switches (remember, between two switches we still want All set between them), all the ports that we set to VLAN tag 10 act as a specialized switch, essentially. So it's just a switch, but it's always native; there's no other VLAN traffic going in there. This allows me, instead of having all the traffic shared on one physical interface, to take this other interface. This is a common setup you'll find in a lot of networks, where you don't necessarily need everything defined inside of or tied to a single interface, because, well, there are bandwidth limitations because you're sharing physical media. But now each one of these ports has full one-gig access to the network, and lots of traffic can be traversing back and forth on the VLAN 10 network.
And it's not going to interfere or be in competition with the bandwidth that I'm using for ports tied to the other native network. So it's a little bit more advanced config, but it still works the same way. So let's go ahead and dive into the details on this one. First, as I mentioned, it's not defined at all in the VLANs in pfSense. It is defined, though, in the sense that it's important to understand what interface this is. We referred to this as the NSFW LAN, same as from that video I referenced earlier, and it's on igb1, physical port igb1, which now connects to, and this is where we'll switch over to UniFi. We go over to UniFi here, we go to the settings, and we want to look at the networks. igb1 is the port, but inside here we want it tied specifically to NSFW net with VLAN ID 10. This is arbitrary; you can assign it whatever, because we're defining it only inside of here. Then let's go back over and look at the connections. If we go over to the UniFi switch again, we go to the settings, and we want to look at the port right here. If we look at port 18, I have it labeled pfSense NSFW network device uplink. So it comes physically out of port igb1 and goes into port 18, but we're not using any VLAN tags; if I were to change this right here, we've got it set to the VLAN tag here, but we're not tagging anything in pfSense. We want it coming in natively as NSFW net. If I were to change this port to All, I would now mix the traffic and cause a mess. It would bring both interfaces into the switch, and they would both be native in the same area. Therefore you would get random DHCP requests and overlapping networks and a headache to deal with. So because we've narrowed this in scope, we say: nope, treat this right here as NSFW net, pull this in, and only share it to any other ports that you have defined with NSFW net. So we go back over here and we look at something like port 23. I don't want my son's computer on my LTS_Tom network.
I consider his gaming computer something that I want on NSFW net. So I've defined each device, such as my son's computer, over to the NSFW net. That way anything that's plugged into there is always on that same network. As I said, all the ports go together, because you're defining the VLAN within the UniFi controller, but not in pfSense. So all these ports being set to NSFW net act as a switch; even though they may be across multiple devices, they all act together as if you're plugging them into the same network, because they're not dealing with any VLANs from pfSense. It's all just different devices connected to all these same switch ports, all marked this way. This also applies to SSIDs. So when you go over here to the settings and we look at the Wi-Fi networks, and you look at this one right here, referred to as beer, you'll notice beer is tied to this as well. Now once again, All is the setting going to feed the access point. Then it realizes, in the definition of the SSID and how we defined it in the software-defined controller here, it's going to peel off the NSFW net, and it knows that that's connected to that uplink port. It says: all right, we share everything on this as a switch, and it hands it over to the SSID. Therefore, this doesn't allow any mixing of the traffic, and now we have all of the traffic that we want, only for that particular network, going out only on this SSID. You're not mixing or conflating any of the other networks together. Now these couple of scenarios I just covered are pretty basic still, but I wanted people to start to get the hang of some of the VLANs.
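Two rules run through both scenarios: a VLAN ID in UniFi has to match the tag pfSense sends, and an untagged uplink like igb1 into port 18 has to stay on its own network rather than All, or two native networks land in one broadcast domain and fight over DHCP. Those rules can be checked on paper before cabling anything. The Python below is an added example of mine, not a tool from the video, UniFi or pfSense; the data model, the network names and the camera port number (port 5) are assumptions that approximate the layout described in the video.

```python
"""Sanity checks for a pfSense + UniFi VLAN layout where pfSense is the only router."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PfSense:
    native: dict      # physical interface -> name of the untagged network on it
    vlans: tuple      # (parent interface, tag) pairs, as under Interfaces > VLANs


@dataclass(frozen=True)
class UniFi:
    networks: dict        # network name -> VLAN ID ("VLAN only" networks)
    port_profiles: dict   # switch port -> "All" or a network name
    uplinks: dict         # switch port -> pfSense interface cabled into it


def check_vlan_layout(pf: PfSense, uf: UniFi) -> list:
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings = []
    unifi_ids = set(uf.networks.values())

    # 1. A tag pfSense sends must exist in UniFi under the same ID, or there is
    #    nothing to select when you assign a port profile or an SSID to it.
    for parent, tag in pf.vlans:
        if tag not in unifi_ids:
            findings.append(f"VLAN {tag} on {parent}: defined in pfSense, no UniFi network uses ID {tag}")

    # 2. A port profile must name a network that actually exists.
    for port, profile in uf.port_profiles.items():
        if profile != "All" and profile not in uf.networks:
            findings.append(f"port {port}: profile '{profile}' is not a defined UniFi network")

    # 3. An uplink that carries tagged VLANs must stay on All, or the tags never get in.
    tagged_parents = {parent for parent, _ in pf.vlans}
    native_into_all = []
    for port, iface in uf.uplinks.items():
        profile = uf.port_profiles.get(port, "All")
        if iface in tagged_parents and profile != "All":
            findings.append(f"port {port}: uplink from {iface} carries tagged VLANs but profile is '{profile}'")
        if profile == "All":
            native_into_all.append((port, pf.native.get(iface, iface)))

    # 4. Every uplink on All drops its untagged network into the one shared native
    #    domain; two of them means two LANs and two DHCP servers colliding.
    if len(native_into_all) > 1:
        names = ", ".join(f"{name} (port {port})" for port, name in native_into_all)
        findings.append(f"native networks merged on the untagged domain: {names}")
    return findings


# Constructed approximation of the video's layout (names and port 5 are assumptions;
# the video does not give the camera port numbers).
PAGE_PFSENSE = PfSense(
    native={"igb2": "LTS_Tom", "igb1": "NSFW LAN"},
    vlans=(("igb2", 60), ("igb2", 1337)),
)
PAGE_UNIFI = UniFi(
    networks={"CAM LAN": 60, "LTS 1337": 1337, "NSFW net": 10},
    port_profiles={24: "All", 16: "All", 18: "NSFW net", 23: "NSFW net", 5: "CAM LAN"},
    uplinks={24: "igb2", 18: "igb1"},
)


def port18_set_to_all() -> list:
    """The mistake called out in the video: moving the igb1 uplink from NSFW net to All."""
    profiles = {**PAGE_UNIFI.port_profiles, 18: "All"}
    return check_vlan_layout(PAGE_PFSENSE, replace(PAGE_UNIFI, port_profiles=profiles))


def cam_lan_missing() -> list:
    """VLAN 60 exists in pfSense but the matching UniFi network was never created."""
    networks = {k: v for k, v in PAGE_UNIFI.networks.items() if k != "CAM LAN"}
    return check_vlan_layout(PAGE_PFSENSE, replace(PAGE_UNIFI, networks=networks))


if __name__ == "__main__":
    print("as configured:", check_vlan_layout(PAGE_PFSENSE, PAGE_UNIFI))
    print("port 18 on All:", port18_set_to_all())
    print("CAM LAN missing:", cam_lan_missing())
```

As configured the checker returns nothing. Flipping port 18 to All produces the "native networks merged" finding, which is the DHCP-collision mess described above; removing CAM LAN from UniFi produces a finding for the orphaned pfSense tag and another for every port profile that still points at the deleted network.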
I always like reading what questions and comments come from this, because I do plan in the future to do another small office network setup video this year that will really break down things like LLDP and a few other features that are beyond the scope of this particular video. There's still a lot more you can do when it comes to tagging with VLANs, setting different ports, and defining different things such as phone networks and stuff like that with LLDP. There's still a lot more that I didn't cover; I wanted to keep this narrow in scope, but I will do some future videos. And of course I'm always reading the comments and the forums and listening to feedback to see what aspects people maybe need a little more help with, a little better definition of, so we can get more people understanding how these networks work, because that's really the goal of a lot of these videos: getting people a better understanding of how these networks work. I think UniFi has done a great job, compared to some of the other switch manufacturers, of generally making VLANs easier to manage. That being said, you're still dealing with a little bit more complicated topic of networking when you think about tagging and having lots of traffic be parsed by different switches. But hey, nonetheless, I think it's interesting, and it's all part of the learning process.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated.
For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.