7MS #220: Installing Ubiquiti EdgeRouter X and AP - Part 3

Today is part 3 of our series about setting up a Ubiquiti EdgeRouter X and access point. The audio portion of this episode covers the following topics:

1. Creating true VLAN isolation

I made a boo-boo last week: my setup did not create true VLAN isolation. The way I fixed it was to create a new 192.168.3.x network, assign VLAN 3 to it, and then pass it out of port 4 (where the AP is connected) of the EdgeRouter X.

However, the good news is that Ubiquiti has a great KB article on creating VLAN isolation. Follow that and you'll be good to go. The part that actually makes the guest VLAN "isolated" is the firewall ruleset the article has you apply to the VLAN interface, which drops traffic from the guest subnet to your other internal subnets. A separate subnet on its own VLAN is not isolation by itself, because the router will route between its VLANs unless a firewall rule tells it not to.

2. Setting up a managed wireless controller

If you want to use a guest network with a voucher system, you need to either be running the UniFi controller software on a machine at all times, or host it in the cloud.

What I did was pick up some cheap VMs from CloudAtCost and then install the UniFi software (following this article) on a Ubuntu VM I created.

What I found is that after I installed the software, the UniFi ports were not open and listening properly. I had missed implementing the loopback firewall rule (the controller talks to its bundled MongoDB on 127.0.0.1:27117 over the loopback interface, so without it the controller never finishes starting up). I also recommend inserting some additional firewall rules so only your public IP can talk to the controller. That works because the AP, the guest clients hitting the captive portal, and you all leave your home network through the same public IP; if that address is dynamic, keep in mind the rules (including the SSH rule) will lock you out when it changes. Note also that this ruleset only covers IPv4; if your VM has a public IPv6 address, give ip6tables the same treatment. Here's what my base ruleset looks like:

# Install the package that reloads the saved rules at boot, then start from a clean slate.
sudo apt-get install iptables-persistent
sudo service iptables-persistent start
sudo iptables -F
# Loopback first: the controller reaches its own MongoDB (127.0.0.1:27117) over lo.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Replace my.public.ip.address with the address your home network (AP and guests) comes from.
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8081 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT   # AP inform
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT   # web UI
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8880 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT   # guest portal HTTP
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8843 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT   # guest portal HTTPS
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 27117 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT  # MongoDB; it only listens on localhost, so this rule is harmless but not needed
sudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -P INPUT DROP
# The redirect in "sudo iptables-save > file" runs as your normal user and fails with permission denied on /etc/iptables; write the file through sudo tee instead.
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

3. Point your AP to the cloud-hosted controller

Once my Ubuntu cloud-hosted UniFi controller was set up and I had gone through the basic setup of the AP, I SSH'd into the AP and pointed it at the controller so it could be "adopted," following this article. The key command (run from the AP's shell) is:

set-inform http://ip.address-of.my-cloud.controller:8080/inform

Then, you log into your cloud-hosted controller, adopt the AP when it shows up (you may need to run set-inform a second time after clicking Adopt before the AP settles), and follow the instructions to set up a guest network with a voucher system. Note that the inform URL is plain HTTP on port 8080 coming from your home's public IP, which is exactly why that port has to be allowed from that address in the firewall ruleset above. Cool and nerdy = fun! :-)

Edit: listener Mike suggested listeners check out this write-up on installing UniFi in the cloud as well, as it contains additional info on installing Fail2Ban and further protecting the login page if you wanted to leave it "open."