DHCP Not working on Unifi Switch for MGMT VLAN

Started by Prkl8r, August 19, 2025, 04:46:34 AM

August 20, 2025, 06:32:10 PM #15 Last Edit: August 20, 2025, 06:40:58 PM by meyergru
AFAIK, you cannot set a tagged VLAN 1 at all with Unifi. I did not investigate if VLAN 1 would be passed on a trunk port, but guessing from what I see, this ain't possible, either:


Note the "VLAN 1" default - I doubt that you can set both untagged and tagged VLAN 1 - although some of the more recent problems with Unifi switch firmware might indicate otherwise. At least you have to set a default (V)LAN that is untagged - and also, you cannot delete the default (1) VLAN (I just renamed it from "Default" to "Untagged" to make clear what it does).

Reportedly, there are many Unifi switch models that now expose a (security) flaw: During the first seconds after turning them on, they pass traffic on all VLANs at once, that is, it seems like they strip incoming VLAN tags on all ports and pass these on as untagged on all others.

This could indicate that they aim to be able to adopt new devices on any VLAN... but this should never be done on an otherwise configured switch.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

OK, whatever 🤷‍♂️

Thanks! At work I connected a dedicated interface to VLAN 1. And at home I run Mikrotik 😉
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

August 21, 2025, 01:44:12 AM #17 Last Edit: August 21, 2025, 06:59:13 AM by OPNenthu
It sounds like you both prefer VLAN 1 for management in UniFi, so I think I'll stick with the same since it just works and gives the possibility to recover easily.

@meyergru Are you able to expand the list marked "Native VLAN / Network"? On mine there is a possibility to select "None" there (it's at the bottom).

Once that is done, I am able to select "Default (1)" to be tagged under "Tagged VLAN Management" using the "Custom" radio button.


@Patrick I am torn on whether or not to keep a native/untagged network in OPNsense at all, as a fallback. Presently I have LAN dedicated for this purpose on igc0, so I can just put any unmanaged switch there and get access to the 192.168.1.0/24 (example) network regardless of my UniFi network being online or not. If I instead remove this native network and carry VLAN 1 tagged on the trunk as before, what will happen in case I connect an unmanaged switch to that? Will VLAN 1 act as native on the "dumb" switch and still give me access to 192.168.1.0/24 and the other tags will be dropped?

EDIT: asking also a different way: is the reason why you tag VLAN 1 in order to save an interface/port or is it because untagged presents a security risk?
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 250GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 1000GB | 4x 1GbE (I210)

The reason is that mixing tagged and untagged on a single interface can lead to unpredictable results in FreeBSD like e.g. DHCP leaking. Then there's the issue of accounting. And netflow.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
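Two points in this thread lend themselves to a concrete check: meyergru's report that some Unifi switches briefly forward traffic untagged on all ports after power-on, and Patrick's note that mixing tagged and untagged on one FreeBSD interface can lead to DHCP leaking. The script below is an added example written for this thread, not code from any of the posters or from OPNsense or Ubiquiti. It parses raw Ethernet frames as you would get them from a packet capture on a trunk port, records whether each frame carries an 802.1Q tag and which VID, and flags two conditions: untagged frames arriving on a port that is expected to carry only tagged traffic, and DHCP traffic seen on a VLAN (or untagged) where no DHCP is expected. The sample frames at the bottom are constructed inline; the MAC and IP addresses and the expected VLAN set are assumptions for the demonstration.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag ethertype
ETH_P_IP = 0x0800      # IPv4
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}  # BOOTP/DHCP server and client ports


def parse_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame: addresses, VLAN ID (None if untagged), and whether it is DHCP."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid = 14, None
    if ethertype == ETH_P_8021Q:
        # TCI is PCP(3) | DEI(1) | VID(12); the real ethertype follows the tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        offset = 18
    is_dhcp = False
    if ethertype == ETH_P_IP and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4        # IPv4 header length in bytes
        proto = frame[offset + 9]               # protocol field
        udp = offset + ihl
        if proto == IPPROTO_UDP and len(frame) >= udp + 8:
            sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
            is_dhcp = sport in DHCP_PORTS or dport in DHCP_PORTS
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "ethertype": ethertype, "dhcp": is_dhcp}


def audit(frames, allowed_dhcp_vids, untagged_expected=False):
    """Return (frame_index, reason) findings for frames that violate the trunk expectations."""
    findings = []
    for i, raw in enumerate(frames):
        info = parse_frame(raw)
        label = "untagged" if info["vid"] is None else f"VLAN {info['vid']}"
        if info["vid"] is None and not untagged_expected:
            findings.append((i, "untagged frame on a tagged-only trunk port"))
        if info["dhcp"] and info["vid"] not in allowed_dhcp_vids:
            findings.append((i, f"DHCP traffic seen on {label}"))
    return findings


def build_frame(vid, sport, dport, payload=b"\x01" * 8) -> bytes:
    """Construct a minimal IPv4/UDP frame, optionally 802.1Q-tagged (constructed test data)."""
    dst = bytes.fromhex("ffffffffffff")          # broadcast, as a DHCP discover would use
    src = bytes.fromhex("001122334455")          # assumed client MAC
    src_ip, dst_ip = bytes([0, 0, 0, 0]), bytes([255, 255, 255, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0, 64, IPPROTO_UDP, 0, src_ip, dst_ip)
    if vid is None:
        hdr = dst + src + struct.pack("!H", ETH_P_IP)
    else:
        hdr = dst + src + struct.pack("!HHH", ETH_P_8021Q, vid, ETH_P_IP)
    return hdr + ip + udp + payload


# Constructed capture: what a trunk port might see during the untagged flooding window
SAMPLE_FRAMES = [
    build_frame(None, 68, 67),    # 0: untagged DHCP client request (leak / flooding symptom)
    build_frame(1, 68, 67),       # 1: DHCP on tagged management VLAN 1
    build_frame(10, 68, 67),      # 2: DHCP on tagged VLAN 10
    build_frame(20, 68, 67),      # 3: DHCP on VLAN 20, where no DHCP scope is expected
    build_frame(10, 40000, 443),  # 4: ordinary HTTPS on VLAN 10
]
ALLOWED_DHCP_VIDS = {1, 10}       # assumed: only these VLANs carry DHCP scopes


def run_demo():
    return audit(SAMPLE_FRAMES, ALLOWED_DHCP_VIDS)


if __name__ == "__main__":
    for idx, reason in run_demo():
        print(f"frame {idx}: {reason}")
```

Run against a real capture by replacing SAMPLE_FRAMES with raw frames read from a pcap of the trunk interface; the point of the check is that on a port configured as tagged-only, any untagged frame, and in particular any untagged DHCP, is itself the evidence of the leak Patrick and meyergru describe.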