this post was submitted on 03 Jan 2025

Ubiquiti (unofficial Ubiquiti community)

I recently got into Ubiquiti, and am trying to limit intra-vlan communications.

I have a Proxmox server hosting a couple VMs that are on the same VLAN (192.168.8.0/24).

These two devices can ping each other, even after I follow the guide here. I've tried just adding that VLAN to the Device Isolation (ACL) section in Settings > Network as I believe this should just block everything within that VLAN, as well as trying to add explicit rules in the ACL to block client A -> B and B -> A with no luck.

I feel like I must be missing something simple. Has anyone done this successfully?

top 4 comments
[–] greyfox@lemmy.world 1 points 6 months ago (1 children)

If they are on the same vlan and the same proxmox server the packets likely never leave your proxmox server. The bridge interface on your virtual host acts like its own switch so packets between those VMs would never hit the Ubiquiti ACLs.

If you have another NIC on the host you could attach each VM to a different NIC, which would force that traffic through the switch.

I assume these are Ubiquiti's Unifi switches not the Edgeswitches? The Edgeswitches can't be managed through Unifi but have a lot more capabilities like community vlans which would be another potential solution for intra-vlan isolation.

Proxmox might have its own options to solve this but I am not familiar with their capabilities.

[–] root@lemmy.world 1 points 6 months ago

Thanks so much for the reply! Yes this is a Ubiquiti switch and everything is a lot more clear to me now with the understanding that this traffic is never even reaching my switch. I'm currently running on a NUC which has a management port and another trunked port for my VMs, but in the future maybe I could grab something with more NICs. There also is a PVE firewall in Proxmox that I might play with a bit.

[–] doodledup@lemmy.world -1 points 3 months ago (1 children)

I'm not running Proxmox but I have the same issue. I have two different physical devices in the same VLAN with Device Isolation activated. They can still ping each other.

Have you been able to figure this out?

My hardware: UDM-Pro & USW-Pro

[–] root@lemmy.world 1 points 3 months ago

Unfortunately not. My understanding is that things on the same host will not hit the firewall before hitting each other. In my case there is a firewall built into Proxmox which can solve this.
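The Proxmox-side fix that the last two replies point at, written out as an added example (this is not code from the thread or from Proxmox; VMID 101, VLAN 192.168.8.0/24 and gateway 192.168.8.1 are assumed values). Frames between two VMs on one Linux bridge never leave the host, so the UniFi Device Isolation ACL never sees them; the PVE firewall sits on each vNIC and can drop them there. The rules below are rendered into the file Proxmox reads from /etc/pve/firewall/<vmid>.fw, and the vNIC is flagged firewall=1, since rules only apply to flagged interfaces. The datacenter firewall also has to be switched on (enable: 1 under [OPTIONS] in /etc/pve/firewall/cluster.fw), which by default only keeps port 22 and 8006 reachable from the local network, so check the host rules before enabling it remotely.

```shell
#!/bin/sh
# Added example: enforce intra-VLAN isolation on the Proxmox host itself.
# Assumed (hypothetical) values: VMID 101, VLAN 192.168.8.0/24, gateway 192.168.8.1.

# Render a VM firewall file for /etc/pve/firewall/<vmid>.fw.
# Design: default ACCEPT, then refuse new connections from peers in the same
# subnet (logged, so attempts show up in the firewall log) while still allowing
# the VLAN's router. Rules are matched in order, so the gateway ACCEPT must come
# before the subnet DROP. The PVE firewall is stateful: replies to connections
# the VM opened itself are accepted before these rules are consulted.
gen_vm_fw_config() {
    subnet="$1"
    gateway="$2"
    cat <<EOF
[OPTIONS]
enable: 1
policy_in: ACCEPT
policy_out: ACCEPT

[RULES]
IN ACCEPT -source ${gateway} -log nolog
IN DROP -source ${subnet} -log info
EOF
}

# Exit 0 when a Proxmox net device spec already carries firewall=1,
# e.g. "virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,tag=8,firewall=1".
nic_has_firewall() {
    case ",$1," in
        *,firewall=1,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the VM firewall file and flag net0 so the rules actually take effect.
# Runs on the Proxmox host as root; not executed by the self-test below.
install_vm_fw_config() {
    vmid="$1"; subnet="$2"; gateway="$3"
    gen_vm_fw_config "$subnet" "$gateway" > "/etc/pve/firewall/${vmid}.fw"
    net0="$(qm config "$vmid" | sed -n 's/^net0: //p')"
    if ! nic_has_firewall "$net0"; then
        # Re-use the existing spec (model, MAC, bridge, VLAN tag) and only append the flag.
        qm set "$vmid" --net0 "${net0},firewall=1"
    fi
}

# Usage on the host: sh isolate-vm.sh --apply
case "${1:-}" in
    --apply) install_vm_fw_config 101 192.168.8.0/24 192.168.8.1 ;;
esac
```

Once applied, a ping from the neighbouring VM times out and the attempt is logged with the `-log info` rule (visible under the VM's Firewall > Log tab or via `pvefw-logger`), which is the detection signal the switch ACL could never give for same-host traffic. If the VLAN carries no services that need to reach the VM from other subnets, tighten policy_in to DROP and add explicit ACCEPT rules for the few sources that remain.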