pfSense + Unifi network, LAN works not WIFI

swemattias

I did install pfSense, pfs, today to replace my Edgerouter. That was easy enough, almost instantly I had the LAN up and running getting the correct DHCP package. But that was as far as I got.
pfSense has two NICs, WAN and LAN, all I want to do is to make Unifi pick up the vlan.10 and spread that through the house.

I did create an vlan-network on the pfs, 10 that I was hoping to get my APs to pickup and activate the WIFI. Not so much.

First on the Unifi side, I crated an VLAN only network with the same number as the pfs clan. Created an WIFI network using that network I just created.

On the pfs side I created an vlan with LAN as parent.
I created an DHCP server for the lan and the vlan.
I thought that would be enough with the default firewall rules.

But no... no wifi, that net is getting the DHCP package.
Help! I am lost here, I must have missed something.

johnpoz

@swemattias and how exactly do you have the AP connected. What switch? Did you setup the vlan 10 on your switch and tag that to the port the AP is connected too?

in nutshell would like this

pfs - (lan vlan 1 U, hedmanet vlan 10 Tagged) --- switch (1U,10T) -- AP

where vlan 1 is just the default vlan an untagged.

stephenw10

I note you have vtnet NICs so I assume you are running pfSense as a VM. How do you have the hypervisor configured?

Steve

swemattias

@stephenw10 This is how I set the VM up: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

I have given it 8 GB RAM, 4 CPUs, dual NICs.

swemattias

@johnpoz It was like that I set it up.
Just to kick start the network I removed all the vlans (kids...).
That works just fine. But to explain my Unifi setup:
pfSense running inside a VM on Proxmox, it has 2 physical NICs all for it self.
I created one vlan, using tag 10, 10.10.10.0/24.
Assigned it to the lan network, as seen in the image. I setup two DHCP servers one for the base-lan and one for vlan.10.

From lan to Unifi Switch 8 port, ports untagged, to Switch 8p POE.
From the Switch 8p POE to a Unifi Flex Switch which has 2 more APs connected to it. All ports are still untagged.

In the controller I had (yes had) three networks setup, one base-lan, one for wifi, hedmanvlan, tag 10, and one guestnet, tag 111.
In the setup of the wifi-network I tell the wifi network to use hedmanetvlan.

swemattias

So I did remove all the vlans and assigments.
Remade the vlan, assigned it, created the dhcp server.

Started a VM with Ubuntu to connect to vlan 10, the VM can not connect to the network.

This is my issue, the clients cannot connect to vlan network. On the dashboard Traffic graph there no activity on the vlan.

What is missing? Firewall rules? Gateway? Please help. :)

Patch

@swemattias said in pfSense + Unifi network, LAN works not WIFI:

pfSense running inside a VM on Proxmox, it has 2 physical NICs all for it self.

Given you have two NIC just for pfsense have you tried passing them through to the VM running pfsense. It is actually easy to do

1. Enable pass through in Proxmox
2. Create a VM without any NIC
3. For that VM goto hardware -> add pci device to add each NIC
4. Install pfsense on that VM
5. Restore pfsense configuration from backup
6. Goto VM console to reassign the NIC

swemattias

@patch No I have not, but that I will try. Did you have to do that to get VLANs to work over LAN?

Patch

@swemattias
No but it simplifies the network interface.

Currently the Vlan must be passed through

• hardware NIC
• Proxmox
• pfsense

A configuration error in which could stop it working.
With pass through the only components are

• hardware NIC
• pfsense

swemattias

@patch I agree, but my setup atm:
hardware NIC: dedicated to pfSense VM, LAN is vlan aware.
Proxmox: Set up the VM as of what Netgate recommends for Proxmox.
pfSense - here the issue lies. I think.

stephenw10

Run a packet capture on LAN for UDP port 67 with promiscuous mode enabled.

Try to connect client on the VLAN and pull a DHCP lease.

You will see the incoming tagged dhcp requests in that capture. If you do not then the VLAN traffic is not being passed to the VM either in the switches or in Proxmox.
Our guide for installing in Proxmox does not include any VLAN config. Since you have set the bridge as VLAN aware it will probably be filtering VLAN tagged traffic unless it's configured to pass VLAN 10.
https://pve.proxmox.com/wiki/Network_Configuration#_vlan_802_1q

Steve

swemattias

@stephenw10 Thank you for your anwser.
I did do a package capture as you said, and the result was a blank box of nothing.

So then it is a Proxmox problem, good to know, at least a fall forward instead of nothing. So I will head over to their forums to seek for a solution.

While writing those questions I added the proxmox guide from Netgates forums and this is when I discovered that I had misread the Hardware Checksum Offloading box and I had unchecked the box, not checked it.
That is now taken care of.
Also the guide sais VirtIO Block as hard drive, I missed that and created a SCSI one. Do I need to change that?

swemattias

So the solution...
I got it from Reddit (where else...)
A user there told me that he to all the tagging inside Proxmox and run everything inside pfSense untagged.
Like this: https://imgur.com/a/YbZpaxb

So in short this has nothing to do with pfSense or Netgate, I just thought it would be a good idea to post the solution if someone else searches and finds this thread.

stephenw10

Ah OK so you just added an extra virtual NIC that's tagged as VLAN10 in Proxmox. Nice.

Patch

@swemattias nic pass though to pfsense is simpler imo. Hardware off loading can also then still be used