
Thread: Setting up an isolated light show network on Ubiquiti gear

  1. #1
    Join Date
    Jan 2011
    Location
    Warren, NJ
    Posts
    1,727

    Default Setting up an isolated light show network on Ubiquiti gear

    So I finally decided to upgrade my home networking equipment after messing around with consumer gear for years. I went ahead and set up the following:

    I am looking for some networking insight for the best way to set up the gear.
    I want to basically set up 3 independent networks (vlans?)
    • isolated network for guests (vlan 10 guest network 192.168.10.1/24)
    • Main home network (corporate lan network 192.168.1.1/24)
    • isolated show network. (vlan20 guest? or corporate? network 192.168.2.1/24)

    I have set up the home and guest network, but I am not sure how to create the show network. Do I set it up as a corporate, VLAN only, or a guest network? I want it isolated so the show network cannot see or talk to the home network, but I also want to be able to log in to the FPP and the other devices on the show network from the home network. I am assuming that I need to set up some firewall rules or static routes to isolate the show network? I believe if I set it up as another "guest" network, the devices cannot talk to each other. Any suggestions on how to set up the rules to isolate the show network and allow access from the home network?

    I set up the NanostationM2 Loco and an old test PC on a switched port on the switch and set the port up to send just the vlan20 show network traffic to the port, and that is how I plan to send the show traffic to the yard. I assume that is the right way to isolate the Nanostation? I set up the switch port and not the Nanostation to do vlan20.

    For extra credit, what do I need to open up access on the USG gateway from the internet to allow me to check up on the show from remote and still maintain some security?

    Thanks!
    Last edited by jklingert; 10-11-2018 at 12:32 PM.
    2012 Second Animated Christmas
    http://vimeo.com/33886466
    http://www.christmasinwarren.com




  2. #2
    Join Date
    Nov 2009
    Location
    South Jersey
    Posts
    2,016

    Default Re: Setting up an isolated light show network on Ubiquiti gear

    Jack
    I have all of that stuff except for the gateway. I do have an EdgeRouter X and it has provisions for 2 subnets, .1 and .2 like you want. Honestly, if my network had an issue I would have to go through every tutorial again to refresh myself on how Ubiquiti gear works. Thank goodness it does work so well because I always forget how I got there. I also threw in a 24 port managed switch, but forgot its IP. Anyhow, I have 2 subnets, each with access to the internet. I have 2 Nanostation M2's. I have one feeding my wireless ESP's, about 20, and the other feeds my Pi's. The ESP's don't like anything else, especially phones connected to their AP. They are such prima donnas. Couple of things with the Nanostations: if you plan on multicast turn off Airmax and Multicast Enhancement, shoot, just turn them off anyway. So you want 3 networks. I would have to look at your switch, maybe someone else knows offhand. I do not. Even if I did at one time I would have forgotten how to set it up again.

    What is doing your routing?

  3. Thanks jklingert thanked for this post
  4. #3
    Join Date
    Dec 2015
    Location
    New Hampshire
    Posts
    152

    Default Re: Setting up an isolated light show network on Ubiquiti gear

    I don't have the USG so I can't advise as to how to create the needed VLANs on that device. Have you searched the Ubiquiti community forums for assistance? You're also going to need VLAN routing enabled because I presume you're going to want to access the show VLAN from your home VLAN (in other words, you'll want to manage your show devices from your home PC connected to your home network and/or WIFI network). There are a TON of Ubiquiti setup videos on YouTube as well (Willie Howe and CrossTalk Solutions come to mind) so I'd check there as well.

  5. Thanks jklingert thanked for this post
  6. #4
    Join Date
    Jan 2011
    Location
    Warren, NJ
    Posts
    1,727

    Default Re: Setting up an isolated light show network on Ubiquiti gear

    Quote Originally Posted by scootchu View Post
    What is doing your routing?
    The Ubiquiti USG is the gateway/firewall/router. It is similar to your EdgeRouter X in function.

    I also put a Raspberry Pi on the network using https://unifipi.com/ as my UniFi controller.
    Last edited by jklingert; 10-10-2018 at 09:55 AM.



  7. #5
    Join Date
    Jan 2011
    Location
    Warren, NJ
    Posts
    1,727

    Default Re: Setting up an isolated light show network on Ubiquiti gear

    Quote Originally Posted by scootchu View Post
    Couple of things with the Nanostations; if you plan on multicast turn off Airmax and Multicast Enhancement
    On the Nanostations I turned off Airmax and Multicast Enhancement.

    nano1.JPG

    nano3.JPG

    I have also read elsewhere to turn down the wireless channel width to 20MHz.

    nano2.JPG
    Last edited by jklingert; 10-11-2018 at 12:10 PM.



  8. #6
    Join Date
    Jan 2016
    Location
    Lizella, GA
    Posts
    1,230

    Default Re: Setting up an isolated light show network on Ubiquiti gear

    As far as managing my show network, I run my PC wired to the show network and then use WiFi to my home network for internet access and such. Don't need to worry about any fancy routing. Also I am using a Pi w/ FPP to run my show. So it too is wired to the show network and connects to the internet over home WiFi, for Time, Updates and data uploads.

    And yes use the 20MHz channel width, ESPs can't communicate on the 40 MHz
    Matt

  9. #7
    Join Date
    Dec 2012
    Location
    Framingham, MA
    Posts
    452

    Default Re: Setting up an isolated light show network on Ubiquiti gear

    I use a USG (and all UniFi access points and switches) for my network and use a VLAN to isolate things. Unfortunately, I'm out of the country right now so cannot look at how things are configured.

    If I remember correctly, it's just another corporate LAN, assign the VLAN number to something unused, make sure its DHCP range is set up correctly, and it just worked. If you have UniFi managed switches, you can configure individual ports on the switches to be on a specific port. For example, my FPP/BBB master is connected to a switch in the garage and I have that port assigned to VLAN2 (my show network) and it will automatically pull the IP via DHCP from the proper network. I also use UAP-AC-Pro's for all the WiFi. I do have one dedicated to the show though and it only exposes the show ESSID's. Again, on the config for the access point, you can assign a VLAN for each of the ESSID's. Once set up, everything on the show network has full internet access and everything on the home network can see the show network devices directly (cannot browse to them as they are a separate network, but you can mount/ping/login/http via name/IP directly).

    For the remote management, there are a couple of options. One is to create a port forward rule in the firewall config for a specific port to map to your master. That's by far the simplest. The other option is to completely configure an OpenVPN setup on the USG. It supports that. You can then fully VPN into your network and have direct access to everything. That's way harder to configure. I haven't actually tried it.
    Dan Kulp

  10. Thanks jklingert thanked for this post
    Likes jklingert liked this post
  11. #8
    Join Date
    Jan 2011
    Location
    Warren, NJ
    Posts
    1,727

    Default Re: Setting up an isolated light show network on Ubiquiti gear

    Quote Originally Posted by dkulp View Post
    If I remember correctly, it's just another corporate LAN, assign the VLAN number to something unused, make sure its DHCP range is set up correctly, and it just worked.
    I think I am getting there now. I set up the lightshow network as another corporate network with a VLAN assigned.

    networks1.jpg


    I also had to add a rule (#2000) to the LAN IN firewall to allow devices on the lightshow network to answer back to the main LAN. I am not a network guru, but I think I needed to add rule #2001 to stop traffic from coming from the lightshow to the main LAN except for responses allowed by rule #2000. I thought I read that the UniFi gear by default allows communications across the VLANs unless prohibited?

    firewall1.jpg


    Quote Originally Posted by dkulp View Post
    If you have UniFi managed switches, you can configure individual ports on the switches to be on a specific port.
    I used a similar idea. I have a managed switch and I have the Nanostation LocoM2 and an old test PC hanging off of it. I set the switch port up to only allow the lightshow VLAN to go out of it. That way the other networks are not blasted out to the yard.

    port8.JPG

    Quote Originally Posted by dkulp View Post
    For the remote management, there are a couple of options. One is to create a port forward rule in the firewall config for a specific port to map to your master. That's by far the simplest. The other option is to completely configure an OpenVPN setup on the USG. It supports that. You can then fully VPN into your network and have direct access to everything. That's way harder to configure. I haven't actually tried it.
    I found a video on setting up the remote vpn. I followed his directions and it works great!




    Mission Accomplished
    Thank you to all of the forum members for your support and hints!
    Last edited by jklingert; 10-11-2018 at 05:52 PM.
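Added example, not part of any post in this thread and not Ubiquiti code: a small Python model of a first-match, stateful ruleset showing why the accept-replies rule (#2000) has to sit ahead of the drop rule (#2001) from post #8. The host addresses, the per-host-pair flow tracking and the default-accept policy between the two networks are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

HOME = ipaddress.ip_network("192.168.1.0/24")  # main LAN (from the thread)
SHOW = ipaddress.ip_network("192.168.2.0/24")  # light show VLAN (from the thread)
REPLY = frozenset({"established", "related"})
ANY = REPLY | {"new"}

@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "accept" or "drop"
    src: object          # source network
    dst: object          # destination network
    states: frozenset    # connection states this rule matches

# Constructed stand-ins for rules #2000 and #2001 described in post #8.
RULE_2000 = Rule(2000, "accept", SHOW, HOME, REPLY)
RULE_2001 = Rule(2001, "drop", SHOW, HOME, ANY)

class Firewall:
    """Toy first-match ruleset; flows are tracked per host pair, ports ignored."""
    def __init__(self, rules, default="accept"):  # assumed default: allow inter-VLAN
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default = default
        self.flows = set()  # (initiator, responder) pairs already accepted

    def packet(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        known = (s, d) in self.flows or (d, s) in self.flows
        state = "established" if known else "new"
        verdict, hit = self.default, None
        for r in self.rules:  # lowest rule number wins
            if s in r.src and d in r.dst and state in r.states:
                verdict, hit = r.action, r.number
                break
        if verdict == "accept" and state == "new":
            self.flows.add((s, d))
        return verdict, hit

def walk(rules):
    """Home PC opens a session to FPP, FPP replies, then FPP probes the home LAN."""
    fw = Firewall(rules)  # host addresses below are constructed samples
    return [fw.packet("192.168.1.50", "192.168.2.10"),   # home -> show, new
            fw.packet("192.168.2.10", "192.168.1.50"),   # show -> home, reply
            fw.packet("192.168.2.10", "192.168.1.77")]   # show -> home, new

if __name__ == "__main__":
    print("both rules:", walk([RULE_2000, RULE_2001]))
    print("drop only :", walk([RULE_2001]))
```

With only the drop rule in place, the reply from the show device is dropped as well, so management sessions opened from the home LAN would fail.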


