Blog

Setting up IPv6 VLANs on Unifi with a /56 prefix on NBN

I haven’t found any examples of how to set up IPv6 VLANs on Unifi Network with a /56 prefix.

I have a service with Superloop in Australia. Superloop provides customers with a /56 IPv6 prefix, which means that with the appropriate router you can set up 256 /64 subnets. However, with Ubiquiti Unifi routers it’s not clear how to assign a subnet to a VLAN. This is what works for me:

Assume I have four VLANs: Default, IoT, Servers and Security, and that my ISP has delegated this IPv6 prefix: 2401:8888:1234:a000::/56

A subnet calculator shows that this gives the /64 subnets from :a000:: to :a0ff::

2401:8888:1234:a000::/64
2401:8888:1234:a001::/64
2401:8888:1234:a002::/64
...
2401:8888:1234:a0ff::/64

The Unifi Network app automatically assigns each VLAN a subnet starting from “a000” once you choose either the SLAAC or DHCPv6 option for client address assignment (see screenshot below). Each VLAN you enable with IPv6 SLAAC or DHCPv6 gets the next subnet: “…a000::”, then “…a001::”, “…a002::” and so on. You can’t choose the subnet prefix; it is assigned automatically. The configuration page (Settings/Networks/<Network name>) says that the ability to select the subnet may be provided in the future, but not being able to choose doesn’t affect much for me.

I’ve tested this with both SLAAC and DHCPv6 and either works fine with my ISP. Note that if you have Android devices on your network, SLAAC is recommended, because Android does not support DHCPv6 for address assignment.

[Screenshot: Unifi setup for SLAAC]
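The sequential /64 carving described above, as an added example (not from the post or from Ubiquiti) using the post’s illustrative prefix; the VLAN order and the vlan_for() lookup are my own assumptions about how you would check that a client landed in the expected VLAN:

```python
import ipaddress

# The post's illustrative delegated prefix and its four VLANs, in the order IPv6 is enabled on them.
DELEGATED = ipaddress.IPv6Network("2401:8888:1234:a000::/56")
VLANS = ["Default", "IoT", "Servers", "Security"]

def available_subnets(prefix: ipaddress.IPv6Network, new_prefix: int = 64):
    """All /64 networks that fit inside the delegated prefix (256 for a /56)."""
    return list(prefix.subnets(new_prefix=new_prefix))

def assign_vlans(prefix: ipaddress.IPv6Network, vlans):
    """Hand each IPv6-enabled VLAN the next /64 in order, reproducing the sequential
    a000::, a001::, a002:: ... assignment the post describes Unifi doing automatically."""
    subnets = prefix.subnets(new_prefix=64)
    return {name: next(subnets) for name in vlans}

def vlan_for(address: str, assignment):
    """Identify which VLAN a client address falls in, or None if it is outside the
    delegation; useful when checking firewall rules or router advertisements
    against the /64 you expect a VLAN to have received."""
    addr = ipaddress.IPv6Address(address)
    return next((name for name, net in assignment.items() if addr in net), None)

if __name__ == "__main__":
    subnets = available_subnets(DELEGATED)
    print(f"{len(subnets)} /64 subnets from {subnets[0]} to {subnets[-1]}")
    for name, net in assign_vlans(DELEGATED, VLANS).items():
        print(f"{name:9} {net}")
```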

Time Machine on macOS can chew up disk space for photographers

Public service announcement for photographers and anyone who adds and deletes lots of files on their Apple Mac computers.

If you’re using a Mac and your disk seems to be filling up even though you’re deleting files, check whether you’re using Time Machine (TM) for backups. If you are, Time Machine’s snapshots are 99% certain to be what is chewing up your disk. Here’s why…

Snapshots are macOS’s approach to creating a restore point so you can get your Mac back to a known state. It does this by combining the last TM backup with a snapshot: the backup has all the files as they were just before the snapshot, and the snapshot has all the files that you have deleted since the backup.

So, let’s say you’ve just copied 1000 photos from your camera for editing and have now decided to move those 1000 photos to an external disk or NAS, or just delete them. Even though you’ve deleted the 1000 photos, macOS has kept them in the snapshot, and will keep them there until a TM backup has been done. It will still keep them on your disk until at least 24 hours after the TM backup, because that’s how it works. So your 256GB or 512GB SSD is going to fill up pretty quickly, and deleting files isn’t going to get your disk space back until you’ve done a TM backup, and then 24 hours later.

But luckily there’s a simple solution. Go into the Disk Utility app and choose Show APFS Snapshots in the View menu. Select your disk and you’ll probably see several snapshots. Click the – sign to delete the snapshots, starting with the most recent and going back to the earliest. And voilà, disk space reclaimed. Of course, if you do that you won’t be able to recover the files in the snapshot, but since you deleted them anyway, you probably don’t want them.

And the way to avoid this while still using Time Machine is to create a separate disk volume that is excluded from Time Machine backups. You need a separate volume because excluding a folder in TM won’t stop TM from keeping the deleted files in the snapshot; it just stops TM from backing up that folder.

More technical details about snapshots are at https://eclecticlight.co/2024/04/08/apfs-snapshots/
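A command-line equivalent of the Disk Utility procedure above, added here and not from the post: it parses the listing that Apple’s `tmutil listlocalsnapshots /` prints (the `com.apple.TimeMachine.<date>.local` naming is assumed from that tool’s output), orders the snapshots newest first as the post recommends, and builds the matching `tmutil deletelocalsnapshots` commands; the sample listing is constructed.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `tmutil listlocalsnapshots /` output, not captured from a real Mac.
SAMPLE_LISTING = """Snapshots for disk /:
com.apple.TimeMachine.2024-05-01-090000.local
com.apple.TimeMachine.2024-05-02-183000.local
com.apple.TimeMachine.2024-05-02-093000.local
"""

# Local snapshots are named com.apple.TimeMachine.YYYY-MM-DD-HHMMSS.local; the date stamp
# is what tmutil deletelocalsnapshots expects as its argument.
SNAPSHOT_RE = re.compile(r"com\.apple\.TimeMachine\.(\d{4}-\d{2}-\d{2}-\d{6})\.local")

def parse_local_snapshots(listing: str):
    """Return the snapshot date stamps, newest first (the deletion order the post suggests)."""
    stamps = SNAPSHOT_RE.findall(listing)
    return sorted(stamps, key=lambda s: datetime.strptime(s, "%Y-%m-%d-%H%M%S"), reverse=True)

def deletion_commands(stamps):
    """Build one tmutil command per snapshot; on macOS these need to run with sudo, and the
    files held only by the snapshot are unrecoverable once it is gone."""
    return [["tmutil", "deletelocalsnapshots", s] for s in stamps]

def list_snapshots_live():
    """Query the running Mac; returns None where tmutil is unavailable (any non-macOS host)."""
    try:
        result = subprocess.run(["tmutil", "listlocalsnapshots", "/"],
                                capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_local_snapshots(result.stdout)

if __name__ == "__main__":
    stamps = list_snapshots_live() or parse_local_snapshots(SAMPLE_LISTING)
    for cmd in deletion_commands(stamps):
        print(" ".join(cmd))  # review the list, then run each line with sudo
```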

Swapping a UDM Base for a UCG-Max

I’ve had a Ubiquiti Unifi Dream Machine for almost five years powering an NBN Fibre Gigabit service. Knowing that the probability of electronics that run 24/7 going bang goes up every year, it was time to swap it out for something more current and keep the UDM as a backup router/gateway.

Ubiquiti has released a lot of new equipment this year, and one that ticks a lot of boxes and has received good reviews is the Unifi Cloud Gateway Max, aka UCG-Max. This is essentially an upgraded UDM without a built-in wifi access point. The UCG runs not only the Network app that delivers routing, VLANs and the firewall, but several other applications in the Ubiquiti universe, like Protect, which is used to manage cameras. The other main feature is that it has 2.5Gbps ports and can route traffic at 1.5Gbps with the packet inspection firewall turned on.

Migrating from the UDM to the UCG is incredibly straightforward. Back up the system and restore it to the new device, then unplug the UDM and replace it with the UCG. The following video shows how it’s done.

The book that inspired me to love design

When Apple created the Macintosh, Steve Jobs also created the LaserWriter. It was Steve’s interest in “typography, graphic layout, and font design” that led to the Apple LaserWriter and the birth of what was then known as desktop publishing. For the first time, consumers had access to beautiful proportionally spaced type and fonts without having to go to a specialist offset printer. Apple made a little booklet called The Basic Elements of Design, and it’s a wonderful introduction to typography, page layout and text-based graphic design. To this day, it’s the book that inspired me to love text-based design. While the booklet is out of print, you can download a PDF of it here.

Use Cloudflare to Block Brute Force Login Attacks

The excellent Limit Login Attempts WordPress plugin detects failed logins and puts up its armoury of defences. Nothing showed its usefulness more than seeing the number of attempts it detected. However, the plugin still requires WordPress to handle each failed attempt, and only login attempts via HTTP and HTTPS are handled. XML-RPC attacks and bot-related attacks need another solution.

For my setup, I only need admin login to WordPress from one IP address. This is where Cloudflare’s content distribution network and its Web Application Firewall can provide excellent protection.

The WAF is extremely easy to set up: all you need to do is add the IP addresses that you want to allow into a rule that blocks access to the login endpoints except from the addresses you have specified (see screenshot).

This blocks not only brute force login attempts but also XML-RPC and related attacks from ever reaching the WordPress server, provided the origin server only accepts connections from Cloudflare; otherwise an attacker who learns the origin IP can bypass the WAF by connecting to it directly.
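The allowlist rule described above, as an added example that is not the post’s own configuration: the Cloudflare custom-rule expression is my reconstruction of what the screenshot would contain (203.0.113.10 is a documentation-range placeholder for the admin address, and covering both `/wp-login.php` and `/xmlrpc.php` is an assumption based on the post’s XML-RPC point), and the Python function models the same decision over constructed request samples so the policy can be checked before it goes live.

```python
import ipaddress

# Source networks allowed to reach the login endpoints. 203.0.113.10 is a placeholder
# (documentation range), not the post's real admin address; add as many networks as needed.
ALLOWED_ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]

# WordPress endpoints to fence off: the login form and the XML-RPC interface the plugin
# could not cover. Ordinary pages, feeds and admin-ajax.php stay reachable.
PROTECTED_PATHS = ("/wp-login.php", "/xmlrpc.php")

# The same policy as a Cloudflare WAF custom rule with action "Block" (assumed, not copied
# from the post's screenshot). http.request.uri.path already excludes the query string.
CLOUDFLARE_EXPRESSION = (
    '(http.request.uri.path eq "/wp-login.php" or http.request.uri.path eq "/xmlrpc.php") '
    "and not ip.src in {203.0.113.10}"
)

def should_block(src_ip: str, path: str) -> bool:
    """Local model of the rule: block protected paths unless the client is allowlisted."""
    clean_path = path.split("?", 1)[0]  # compare the path the way uri.path does
    if clean_path not in PROTECTED_PATHS:
        return False
    src = ipaddress.ip_address(src_ip)
    return not any(src in net for net in ALLOWED_ADMIN_SOURCES)

def evaluate(requests):
    """Apply the rule to (src_ip, path) pairs and return a verdict for each."""
    return [(ip, path, "block" if should_block(ip, path) else "allow") for ip, path in requests]

# Constructed sample traffic, not real log data.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/wp-login.php"),                      # admin from the allowed address
    ("198.51.100.7", "/wp-login.php?action=lostpassword"),  # login attempt from elsewhere
    ("198.51.100.7", "/xmlrpc.php"),                        # XML-RPC traffic from elsewhere
    ("198.51.100.7", "/2024/05/some-post/"),                # ordinary visitor
]

if __name__ == "__main__":
    print("Cloudflare rule:", CLOUDFLARE_EXPRESSION)
    for ip, path, verdict in evaluate(SAMPLE_REQUESTS):
        print(f"{verdict:5} {ip:14} {path}")
```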