MTU VLAN Configuration

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-11-13 18:54:49 - last edited 2022-08-12 12:12:46
Model: TL-SG1024DE  

Hi!

Rookie here... don't laugh at my stupid question!

I have Ubiquiti Unifi Security Gateway and Wireless access points.

I created a new SSID (from the Unifi Portal) to utilize VLAN2 for the purpose of security and to gain more IP addresses.

I need to have my TPLINK Switches (I have 3) direct the VLAN2 traffic coming in from the APs straight out to the internet without access to the network.

From what I gather, I must "TRUNK" the port that goes from the switch to the Security Gateway. But what I am looking at is the MTU VLAN Configuration. My gut tells me to "ENABLE" Port 1 on this switch as it is the port that connects to the Security Gateway.

I must admit that I have not run the firmware update; I just realized it was available and I cannot shut down the network until after hours.

 

1 Accepted Solution
Re:MTU VLAN Configuration-Solution
2019-11-13 21:21:09 - last edited 2022-07-18 10:40:59

 

tif-o-matic wrote

Rookie here... don't laugh at my stupid question!

There is no such thing as stupid questions.

From what I gather, I must "TRUNK" the port that goes from the switch to the Security Gateway. But what I am looking at is the MTU VLAN Configuration. My gut tells me to "ENABLE" Port 1 on this switch as it is the port that connects to the Security Gateway.

Right, the port going to the USG must be a tagged port, meaning it must not remove the VLAN tag on egress.

Multi-Tenant Unit (MTU) VLAN is not able to do this. MTU VLAN is kind of a »one-click setup« where one uplink port will create several VLANs. Each VLAN will have two ports as members – the uplink port and another port –, so all »tenant« ports are connected to the uplink port while communication between devices on the »tenant« ports is prohibited. Traffic will always be untagged in this scenario.

What you need is 802.1Q VLAN, which gives you finer control over VLAN setups, including marking a port as a tagged (»trunk«) port. Just choose a port you want to use as uplink and assign it as a tagged member of VLAN 2. This is your Internet-only VLAN going to the USG.

If your AP has only one WLAN (SSID), then assign the port to the AP as an untagged member of VLAN 2, too. Its Primary VLAN ID (PVID) must be 2. That's all that is required.

If your AP has multiple SSIDs and you have bound those SSIDs to different VLANs (say, 1 for LAN, 2 for Internet-only etc.), then the port connecting the AP must be a trunk port, too. Assign this port as a tagged member of all the VLANs you need for the AP's SSIDs. In this case the PVID only matters if you use no management VLAN: then the AP itself must be reachable over the trunk port, but now untagged.

If you define a management VLAN, too (say, VLAN 1), then the AP tags its mgmt traffic with VLAN ID 1 and the port can be a tagged member of VLAN 1. Or in other words: if the network you use for mgmt is also connected to an SSID assigned to a VLAN, you need to set the mgmt VLAN ID in the AP to this VLAN.

Hope this helps. See also my HowTo on creating a guest network, start at the section »2. You have a VLAN-aware router ...« and just replace the router I used as an example with your USG, so you can continue on the VLAN setup of the switch and the AP.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
Recommended Solution
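To make the tagged/untagged/PVID rules from the accepted answer concrete, here is a small Python model of an 802.1Q switch port table and how it classifies and forwards a frame. This is an added illustration, not code from the thread, from TP-Link or from Ubiquiti; the port numbers (1 = uplink to the USG, 2 = wired LAN PC, 3 = single-SSID AP, 4 = multi-SSID AP), the VLAN plan (1 = LAN/management, 2 = Internet-only) and the sample frames are constructed assumptions. The model flood-forwards to every member port, which is enough to show why VLAN 2 traffic from an AP can only leave the switch towards the USG and never reaches the LAN port.

```python
"""Toy 802.1Q port membership / PVID model (constructed example, not a switch dump).

Rules implemented, as described in the accepted answer:
  * An untagged ingress frame is classified into the ingress port's PVID.
  * A tagged ingress frame keeps its VID.
  * Ingress filtering: a frame whose VLAN the ingress port is not a member of is dropped.
  * On egress, a member port either keeps the tag ("tagged"/trunk member) or strips it
    ("untagged" member); non-members never receive the frame.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    number: int
    pvid: int                                    # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs that leave this port without a tag
    tagged: set = field(default_factory=set)     # VLANs that leave this port with an 802.1Q tag

    @property
    def members(self):
        return self.untagged | self.tagged


class Dot1QSwitch:
    def __init__(self):
        self.ports = {}

    def add_port(self, number, pvid, untagged=(), tagged=()):
        self.ports[number] = Port(number, pvid, set(untagged), set(tagged))

    def forward(self, ingress, vid=None):
        """Return {egress_port: vid_or_None} for a broadcast/unknown-unicast frame.

        vid=None means the frame arrived untagged. In the result, an int is the VID
        carried in the egress tag and None means the frame leaves untagged.
        """
        src = self.ports[ingress]
        vlan = src.pvid if vid is None else vid
        if vlan not in src.members:
            return {}                            # ingress filtering drops the frame
        out = {}
        for number, port in self.ports.items():
            if number == ingress:
                continue
            if vlan in port.tagged:
                out[number] = vlan               # trunk member: tag kept on egress
            elif vlan in port.untagged:
                out[number] = None               # access member: tag stripped on egress
        return out


def build_example_switch():
    """Constructed port plan following the accepted answer (assumed port numbers)."""
    sw = Dot1QSwitch()
    # Port 1: uplink to the USG. LAN (VLAN 1) untagged, Internet-only VLAN 2 tagged,
    # so the USG sees the VLAN 2 tag and can route it straight to the Internet.
    sw.add_port(1, pvid=1, untagged={1}, tagged={2})
    # Port 2: a wired LAN PC, plain access port in VLAN 1.
    sw.add_port(2, pvid=1, untagged={1})
    # Port 3: AP with a single SSID; everything it sends is untagged and must land in VLAN 2.
    sw.add_port(3, pvid=2, untagged={2})
    # Port 4: AP with several SSIDs; trunk carrying VLAN 2 tagged, with VLAN 1 untagged
    # on the PVID so the AP's own (untagged) management traffic still reaches it.
    sw.add_port(4, pvid=1, untagged={1}, tagged={2})
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    print("single-SSID AP, untagged ->", sw.forward(3))        # {1: 2, 4: 2}: tagged to USG, never to port 2
    print("USG, tagged VID 2        ->", sw.forward(1, 2))     # {3: None, 4: 2}
    print("USG, untagged (VLAN 1)   ->", sw.forward(1))        # {2: None, 4: None}
    print("single-SSID AP, VID 1    ->", sw.forward(3, 1))     # {}: not a member, dropped
```

The interesting case is the first one: an untagged frame from the single-SSID AP is classified into VLAN 2 by the PVID, leaves the uplink tagged with VID 2, and is never offered to port 2 because that port is not a member of VLAN 2. That is the isolation the question asks for, and it is exactly what MTU VLAN cannot express, since MTU VLAN never tags anything on the uplink.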