From MattWiki
noteThis Page was written with UniFi Controller version 5.0.7 in mind, and may not work correctly with other versions.

In short, UniFi AP tags packets when it goes out from WLAN to wire. When tagged traffic comes in from the wire, it will untag it and forward it to WLAN. We have compiled a deployment example to better explain the actual configuration of VLAN-ready switches.

Traffic tagging / untagging

  1. Traffic initiated from AP is untagged (sent through br0). This includes management traffic and RADIUS traffic, as described below:
    1. AP <-> Controller (management traffic)
    2. AP <-> RADIUS (when WPA-Enterprise is used)
  2. Traffic from WLAN without VLAN configured is untagged (the athX is bridged to br0)
  3. Traffic from WLAN with VLAN configured is always tagged (athX bridged to br0.VLAN to eth0.VLAN):
    1. AP <-> RADIUS (when WPA-Enterprise is used)
    2. Station -> AP (tags) -> switch
    3. Station <- AP (untags) <- switch

Whether it's redirected (to the guest portal) doesn't matter. When WLAN is configured with VLAN, the traffic will be tagged when it leaves the AP. However, after traffic is tagged by the AP, it's up to you to where how it should be passed upstream.

Here's an example:

My management network:
Guest VLAN network:

AP connected to port 5 (vlan1-untagged and vlan5-tagged)
Ubuntu connected to port 1 (vlan1-untagged and vlan5-tagged)
Controller connected to port 8 (vlan1-untagged)

Ubuntu (act as a Router)
eth0:, routable to the Interet (gateway
eth0.5:, NATed to eth0

Controller is at

Guest portals

It's natural to think of a VLAN guest access is mentioned, since guests placed in their own VLAN are isolated from other parts of the network. However, there are a few technical details to talk about.

Let's start with the basic VLAN deployment where guest portal is not enabled:

1. UniFi AP tags wlan->wire traffic
2. AP-controller is untagged
3. controller is likely running on untagged interface
4. configured inside the AP:

guest --- br0.3 --- eth0.3 --3--+
          br0 ------------------+--u,3---port1
corp  -----+

Deployment example:

  • port8 connecting to router's DMZ port, add port8 as member of vlan3 and untagging. enable DHCP server on your DMZ
  • port5 connecting to internal network, have port5 untagged.

What happens when Guest portal enabled with VLAN

When guest portal is enabled, the controller acts as a portal server and the guests will be redirected to http://unifi_ip:unifi_http_portal_port/guest/. This is where the issues may arise - guest is on vlan3, bridged to DMZ, there's no way it can reach unifi_ip:unifi_http_portal_port.

In the scenario above, one solution to the problem is to add rules to your router

  1. add route for traffic from DMZ->unifi_ip
  2. allow DMZ->unifi_ip:unifi_http_portal_port

Another solution, where we envision this moving up in scale, is to have the controller running at NOC or cloud.