andreAnnexis
New Member
March 1, 2018
Question

Ubiquiti UniFi guest wifi with separate VLANs for guest and cloud key


Hello,

 

Some keywords:

Fortigate 60E

separate VLANs

Ubiquiti UniFi Cloud Key and AC-Pro access points

Guest wifi hotspot with captive portal and voucher system (Ubiquiti UniFi)

 

Problem: can't access the Ubiquiti UniFi captive portal from the guest wifi network

 

Setup: 

Fortigate 60E connects to internet via WAN port, switches connected with trunks to the internal ports on the Fortigate.

3 VLANs with DHCP pools for business (1), guest (30) and private (20) set up on Fortigate for wired and WIFI networks.

Ubiquiti UniFi (for WIFI) with cloud key and access points are connected to VLAN 1.

 

Configuration works fine for wired ports as well as wireless. Depending on the selected network (wired or WIFI), correct IPs are assigned, and network access restrictions, internet policies and bandwidth restrictions are applied correctly. So far so good.

 

The moment I make the guest network a hotspot in the Ubiquiti control panel, with a captive portal for logging in with vouchers for internet access, I get a hiccup: when connecting with a device to the guest WIFI (VLAN 30), a correct IP address gets assigned and the browser opens to get to the captive portal for login. The problem is that the page doesn't open and the browser gives a connection timeout after a while.

 

My guess is that the captive portal is managed and issued by the UniFi cloud key, which has a VLAN 1 IP address. The guest device that tries to connect to the captive portal so it can log in and get access to the internet has a VLAN 30 IP address. There is a good reason that guests are on a separate VLAN and I want to keep that segregation for security purposes. I have experimented with creating a policy rule that allows traffic from VLAN 30 to the cloud key's specific IP, but no luck so far.

 

How can I get this to work (guest on VLAN 30 using the WIFI to access the internet with a voucher and authentication through the captive portal) without compromising the separation between the VLANs? I think that the solution is a policy between the 2 VLANs to allow this specific traffic, but I am not sure, as the first few attempts to set up such a rule failed on me.

 

Ubiquiti support suggests creating a DMZ for the cloud key, but I am not sure if a DMZ is what I am happy with. Maybe one of you has had this combination before and found a reliable and safe solution?

 

Thanks,

 

André Pasman


Jirka1
Explorer II
March 1, 2018

Hello André and welcome,

We have it built just like you. You have three choices:

1) using a policy to access from VLAN 30 to VLAN 1 (I do not see why it should not work)

2) place the UniFi CTRL into VLAN 30

3) create the DMZ and place CTRL into

We have option 1, where we only allow access to the Captive Portal, and it works.

 

Jirka

andreAnnexis
New Member
March 1, 2018

Hello Jirka,

 

Option 1 is my preferred solution. 

What I have done so far:

Created an address in Fortigate with the name "cloud key", type subnet, range 192.168.10.30, any interface.

(The cloud key is on VLAN 1 with IP address 192.168.10.30.)

 

Then I created a policy with incoming interface Guest (that is the guest VLAN 30) and outgoing interface business (internal; that is VLAN 1).

Source: all

Destination: Cloud Key 

Schedule: always

Service: all

Action: accept

NAT switched on, using the outgoing interface address.

Security profiles on default settings.

 

This did not work. What did I forget or do wrong? Maybe you can suggest the appropriate address/policy settings? Also, I have enabled all services for now, but I would like to limit that to only the bare minimum required to let the captive portal work. Thanks for your help.

ede_pfau
SuperUser
March 1, 2018

Disable NAT. I cannot see why you would need it here.
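The policy André describes above, written out in FortiOS CLI form as an added example (it is not taken from the thread or from Fortinet/Ubiquiti documentation). It shows the policy as posted (every service, NAT on) next to a narrowed version that applies ede_pfau's advice to disable NAT and limits the allowed service to the controller's guest-portal listener. The interface names "Guest" and "business", the address name "cloud key" and the IP 192.168.10.30 are taken from André's post; the portal ports TCP 8880 (HTTP) and 8843 (HTTPS) are the UniFi controller's documented defaults and are an assumption here, so verify them on the controller before relying on them.

```fortios
# Added example (not from the thread). Assumes VLAN interfaces named
# "Guest" (VLAN 30) and "business" (VLAN 1), and that the UniFi controller
# on the Cloud Key serves its guest portal on the default ports
# TCP 8880 (HTTP redirect) and TCP 8843 (HTTPS portal). Verify both.

# Address object for the Cloud Key, a single host (/32 mask).
config firewall address
    edit "cloud key"
        set subnet 192.168.10.30 255.255.255.255
        set comment "UniFi Cloud Key on VLAN 1"
    next
end

# Custom service so the policy can be narrowed from "ALL" to just the
# guest-portal ports. Assumed defaults; adjust to your controller.
config firewall service custom
    edit "UniFi-Guest-Portal"
        set tcp-portrange 8880 8843
        set comment "UniFi captive portal HTTP/HTTPS (assumed defaults)"
    next
end

# --- Policy as originally posted (weak): all services, NAT enabled ---
# config firewall policy
#     edit 0
#         set name "Guest-to-CloudKey-AsPosted"
#         set srcintf "Guest"
#         set dstintf "business"
#         set srcaddr "all"
#         set dstaddr "cloud key"
#         set action accept
#         set schedule "always"
#         set service "ALL"        # far broader than the portal needs
#         set nat enable           # hides the guest source IP from the portal
#     next
# end

# --- Narrowed policy: portal ports only, no NAT, logged ---
config firewall policy
    edit 0
        set name "Guest-to-CloudKey-Portal"
        set srcintf "Guest"
        set dstintf "business"
        set srcaddr "all"
        set dstaddr "cloud key"
        set action accept
        set schedule "always"
        set service "UniFi-Guest-Portal"
        set nat disable              # per ede_pfau: NAT is not needed here
        set logtraffic all           # so allowed portal sessions are visible
        set comments "Only the captive portal is reachable from the guest VLAN"
    next
end
```

Because the FortiGate is stateful, no return policy from "business" to "Guest" is required for the portal replies; everything else from VLAN 30 toward VLAN 1 remains blocked by the implicit deny, which preserves the segregation the question is concerned with. The policy must sit above any broader Guest-to-business deny rule in the policy list, and the log entries from `set logtraffic all` are the quickest way to confirm whether the guest client's connection is actually matching this policy or a different one.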