UBNT EdgeRouter LAN Config Issue

krisleslie

Stepping back to take another stab at this issue.

@Dashrender from the Edge Router, how should the interface be set up for my LAN?

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

Stepping back to take another stab at this issue.

@Dashrender from the Edge Router, how should the interface be set up for my LAN?

ug way back machine here...

you still have devices pointing at multiple /22 IPs for default gateways?

krisleslie

Yes and I apologize brother.

I guess for me, I need to break this down into chunks and accomplish specific things first. I'm still a bit "noob".

From the Ubiquiti router, of course, it's been wiped and re-setup. I have one interface still set up with the 10.10.2.x through 4.x from the router.

I'm not clear if moving forward starting from the router, what has to be accomplished.

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

Yes and I apologize brother.

I guess for me, I need to break this down into chunks and accomplish specific things first. I'm still a bit "noob".

From the Ubiquiti router, of course, it's been wiped and re-setup. I have one interface still set up with the 10.10.2.x through 4.x from the router.

I'm not clear if moving forward starting from the router, what has to be accomplished.

Got it.
I think from a router standpoint, as long as you have the normal NAT features enabled, you're good to go. Nothing more on the router should be needed.

krisleslie

So from the router we still have 3 different lans set up. There is 2.x, 3.x and 4.x

I assume the 0.x and 1.x were originally intended to be reserved for the ROBO (kinda backwards). However, because that is an issue in itself for another post Ill let that one go lol

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

So from the router we still have 3 different lans set up. There is 2.x, 3.x and 4.x

I assume the 0.x and 1.x were originally intended to be reserved for the ROBO (kinda backwards). However, because that is an issue in itself for another post Ill let that one go lol

Once you start using a /22 on the 2.x network, you'll have instant access to 0.x and 1.x networks.

JaredBusch

In your final design, what do you want your LAN gateway to be and what do you want your public WiFi gateway to be?

I would use this setup.

Plan your LAN to be 10.10.0.0/22. This means LAN computers will function on 10.10.0.1 - 10.10.3.254.
Plan your Public WiFi on 10.10.4.0/24. This mean you will use 10.10.4.1 - 10.10.4.254. It also means if you need a larger Public WiFi space, you ca expand it so a /23 or even /22 without overlapping you LAN.

On your ERL
eth0 setup for your WAN

eth1 setup for your LAN with IP addresses:
10.10.0.1/22 - New permanent LAN Gateway (use this one when you run the setup wizard)
10.10.2.1/22 - one of the existing gateways
10.10.3.1/22 - one of the existing gateways

eth2 setup for your WiFi with IP address:
10.10.4.1/24

If your Public WiFi is a VLAN on a shared UAP with the private WiFi (very common) then instead of eth2, you set up a VLAN on eth1 with the 10.10.4.1/24 address.

JaredBusch

Then you verify everything works as is.

Once you have this setup, you can add a firewall rule to block access form the 10.10.4.0/24 subnet to the LAN subnet and ensure everything works as intended.

Now, you can begin to change your stuff.

First, go to all static devices and change their subnet mask from whatever they are to 255.255.252.0 but do not change their current IP address or their current gateway as that would be potentially disruptive to the working environment.

Change your VPN tunnels to use the new subnet.

Next change your DHCP scope to hand out the 10.10.0.0/22 scope and the new gateway IP of 10.10.0.1/21

Once all the dynamic stuff has a new IP address, change the default gateway in the static devices.

You can also now change the IP address of the static devices if you want to reorganize them. But that is just a normal management task, not critical to the functionality.

krisleslie

Thanks guys!

So for my interface on eth1 include the following:
10.10.0.1
10.10.1.1
10.10.2.1
10.10.3.1

I use Ubiquiti for the wireless also and the company wifi is using whatever is free from the dhcp server scope (the windows 2012 r2 box). So when I reset the Guest Wifi just only include 10.10.4.1 and when I need more space, just switch from /24 to /22 as need permits.

Dashrender

@jaredbusch said in UBNT EdgeRouter LAN Config Issue:

a larger Public WiFi space, you ca expand it so a /23 or even /22 without overlapping you LAN.

lastly after everything is moved to using 10.10.0.1/22 as the gateway, you can remove the other IPs from the ERL

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

Thanks guys!

So for my interface on eth1 include the following:
10.10.0.1
10.10.1.1
10.10.2.1
10.10.3.1

If you aren't using 10.10.1.1 right now, you can skip it.

krisleslie

I guess the confusing part for me, is from my point of view, I'm trying to figure out why would I need all 4 of the LANS there on the router? I assume this is so the router can see between each network and route.

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

So when I reset the Guest Wifi just only include 10.10.4.1 and when I need more space, just switch from /24 to /22 as need permits.

Correct.
Depending on how you setup the guest network, you'll need to have it set to use the correct VLAN. This can be one at the SSID level on the controller.

krisleslie

Not using it but if this would lessen the burden, I would go ahead and get it done now vs waiting for it to fall in my pants months down the road lol.

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

I guess the confusing part for me, is from my point of view, I'm trying to figure out why would I need all 4 of the LANS there on the router? I assume this is so the router can see between each network and route.

It's because you don't want to break what you have today.

krisleslie

GOTCHA!

So what should have occured originally was, when the router was configured, it should have only included the 10.10.0.1 gateway for the eth1 interface. Then from the Windows Server, when setting up the scope, each scope should have been spelled out as 10.10.0.1 - 10.10.3.254 then I could have came back and made one more scope to only be 10.10.4.1 through 10.10.4.254 (just for guest wifi).

JaredBusch

@dashrender said in UBNT EdgeRouter LAN Config Issue:

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

I guess the confusing part for me, is from my point of view, I'm trying to figure out why would I need all 4 of the LANS there on the router? I assume this is so the router can see between each network and route.

It's because you don't want to break what you have today.

Correct. This design I laid out is a swing migration design.

It lets everything work as it currently functions throughout the entire process.

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

GOTCHA!

So what should have occured originally was, when the router was configured, it should have only included the 10.10.0.1 gateway for the eth1 interface. Then from the Windows Server, when setting up the scope, each scope should have been spelled out as 10.10.0.1 - 10.10.3.254 then I could have came back and made one more scope to only be 10.10.4.1 through 10.10.4.254 (just for guest wifi).

Correct, but that said - I wouldn't use Windows to give DHCP to your Guest network for a few reasons:

1. you'd have to allow traffic from the guest network onto the production network so the Windows Server could answer those requests, or you'd have to dual zone the Windows server into both networks.
2. Any device you provide DHCP or DNS services to, you have to have a CAL for. This gets expensive fast.

Instead, I'd enable DHCP on the ER for that network. No licenses required, everything stays completely separate.

krisleslie

@dashrender said in UBNT EdgeRouter LAN Config Issue:

ired, everything stays completely separa

I wouldn't have a license issue either way, I have DC but your right that would mean I would have fun to deal with. I wasn't intending for the guest WIFi to be on windows anyways, I use the same wifi at home it's just easier to keep up with it on the ubiquiti.

Dashrender

@krisleslie said in UBNT EdgeRouter LAN Config Issue:

@dashrender said in UBNT EdgeRouter LAN Config Issue:

ired, everything stays completely separa

I wouldn't have a license issue either way, I have DC

Huh? What does DC mean or have to do with licensing? If you're talking about Windows Server DataCenter edition - that only covers the VMs on that host, it does not cover user CALs.