pfSense VLAN Issues
-
Hello. I'm currently running pfSense 23.01-Release on a Netgate 1100 box. I have a Ubiquity Switch Lite 16 PoE, a Ubiquity Access Point, and a UniFi Cloud Controller. My current configuration is pfSense, the AP, the cloud controller, a PC, as well as several other devices, connected to the switch. I've been trying to create a guest WiFi network on a different subnet via VLAN with UniFi for days now and I'm going crazy. When the Guest Network SSID is created in UniFi, I can’t connect to the network. The IP address assigned is a 169.254 address. Over the past week I’ve read pages of documentation, and I've watched numerous YouTube videos, to no avail. I've matched exactly what I see in the YouTube videos for configuring VLANs with pfSense and Ubiquity; nothing works. Here is what I've done and I'll attach screenshots:
pfSense:
- Interface -> Assignments: Created GuestVLAN20 interface. Set to Static IPv4 config. IPv4 address 192.168.2.1/24 (shown in screenshots).
- Created Guest VLAN with VLAN tag 20 (parent interface is shown in screenshots, interface shown is the only parent interface available).
- Interface -> Assignments: Associated GuestVLAN20 interface with GuestVLAN (shown in screenshots).
- DHCP Server: In GuestVLAN20, enabled VLAN, configured range 192.168.2.10 - 192.168.2.50 (shown in screenshots).
- Firewall -> Rules -> GuestVLAN20: Created one firewall rule just to enable Internet access (I understand more will be required). Action=Pass, Interface=GuestVLAN20, Address Family=IPv4, Protocol=Any, Source=GuestVLAN20 Net, Dest=Any.
UniFi:
- I've spent a few days changing numerous settings; I feel like I'm an expert with the interface, obviously I'm not.
- I created a new network called "Guest Network. I've tried VLAN-ONLY network as well as deselecting the VLAN-ONLY network option. The gateway is 192.168.2.1, IP range and subnet are correct. The VLAN ID is set to 20.
- I created a new WiFi network and associated it with the "Guest Network.” I created did this under the "Network" option. I've tried Guest hotspot as well as Standard with the same results.
I then wanted to verify I would obtain the Guest VLAN subnet if I connected my PC to a port with the UniFi switch. I deleted the Guest WiFi network (just the WiFi network, not the actual Guest network) just to be safe, and accessed the switch via the cloud key. I accessed “ports” and then “port manager.” I selected the port my PC is hardwired to and changed the profile to the “Guest” VLAN network. I rebooted the switch as well as pfSense for safe measure and I didn’t obtain a 192.168.2 VLAN IP; I once again obtained a 169.254 address. This confirmed there is an issue with my VLAN settings with pfSense (I think). As far as pfSense, I have Snort installed and configured, actively monitoring the WAN. I also have pfBlockerng installed.
I’ve spent so much time on this I’m tempted to give up. Any help is appreciated.
-
There is a Switch inside, you have to configure, see the Manual:
Netgate Docs 1100You have to create the VLAN there to and set up the Port 0 and the Port 2 as tagged if you use the LAN Port to your UI Switch.
-
@nocling Thanks for the reply. I haven’t heard/read of this. So I believe the VLAN for the LAN under “interfaces - switches - vlans” is configured as port 0 tagged, Port 2 untagged. So I should tag Port 2 as well? Do I need to do anything under the “interfaces - switches - ports” tab? I will attach screenshots for clarification. Thanks!
-
Create VLAn ID 20, Tagged Port 0 and 2.
Do not untagged Port 2 to a other VLAN or you lose the pfSense Web GUI!
If you do this, use the UsB console to load a older config, bevor you shoot down your LAN on the internal Switch Port 2!
-
Yup, assuming the Unifi switch is connected to LAN do:
-
@nocling I can't thank you enough. This worked! I've read so much documentation, posted in numerous forums, etc. No one brought up the switch aspect. Thanks!!!
