Tagging and Untagging Traffic

So, how does VLAN traffic get tagged on UniFi? In short, the UniFi access point (AP) tags packets when they go out from WLAN to wire. When tagged traffic comes in from the wire, it will untag it and forward it to WLAN. Take in consideration the following points:

  1. Traffic initiated from the AP is untagged and sent through br0 (or bond0 if link aggregation is enabled). This includes management traffic and RADIUS traffic, as described below:
    1. AP <-> UniFi Network application (management traffic)
    2. AP <-> RADIUS (when WPA-EAP is used)
  2. Traffic from WLAN without VLAN configured is untagged (the athX is bridged to br0).
  3. Traffic from WLAN with VLAN configured is always tagged (athX bridged to br0.VLAN to eth0.VLAN):
    1. AP <-> RADIUS (when WPA Enterprise is used)
    2. Station -> AP (tags) -> switch
    3. Station <- AP (untags) <- switch

Whether it’s redirected (to the guest portal) doesn’t matter. When WLAN is configured with VLAN, the traffic will be tagged when it leaves the AP. However, after traffic is tagged by the AP, it’s up to you where it should be passed upstream.

EXAMPLE
Management network: 10.1.0.0/24
Guest VLAN network: 10.2.0.0/24
Switch
AP connected to port 5 (VLAN 1-untagged and VLAN 5-tagged)
Ubuntu connected to port 1 (VLAN 1-untagged and VLAN 5-tagged)
UniFi Network application connected to port 8 (VLAN 1-untagged): usually a windows/linux machine, which pushes out the configure to AP via vlan1 (management network)
Ubuntu (acting as a Router)
eth0: 10.1.0.2/24, routable to the Internet (gateway 10.1.0.1)
eth0.5: 10.2.0.1/24, NATed to eth0
UniFi Network application is at 10.1.0.26.

Guest Portals and VLANs

 

It’s natural to think of a VLAN when guest access is mentioned since guests placed in their own VLAN, are isolated from other parts of the network. However, there are a few technical details worth mentioning talk about.

Let’s start with the basic VLAN deployment where the guest portal is not enabled:

  1. UniFi AP tags WLAN->wire traffic.
  2. AP-UniFi Network application is untagged.
  3. UniFi Network application is likely running on untagged interface.