PfSense no DHCP on VLANs for UniFi WiFi controller

Happydog · Aug 2, 2023, 7:06 PM

It's something... When I tag a port on the downstream switch with that VLAN (11) and connect a PC, it doesn't get an address. (169. etc.) There's not much to screw up in the controller WRT setting up networks.

rcoleman-netgate · Aug 2, 2023, 7:08 PM

@Happydog You can't tag a port and have a system see the network -- if you are plugging into a switch port you need that VLAN untagged.

Happydog · Aug 2, 2023, 8:13 PM

right. In any case, made it a simple test setup. Just a switch and an AP and a PC on the LAN1 port. Looks like setups I have on 1100s except the WAN interface is separate (mvneta0) on the 2100 and they work fine. On the 6100s The VLANs are just assigned to a physical port. Setting a port profile to a VLAN in Unifi gives that VLAN IP address to the connected device. Can't see much else to screw it up.

stephenw10 · Aug 2, 2023, 10:35 PM

So how exactly are you testing?

I assume untagged clients work on the LAN directly?

Happydog · Aug 2, 2023, 11:46 PM

Testing on a WiFi network (shows the client connected but no IP address) and a PC connected to a port with a VLAN profile. Same thing. Has to be something simple. The LAN works properly on both.

rcoleman-netgate · Aug 3, 2023, 12:02 AM

@Happydog It doesn't appear to be a pfSense issue.

SteveITS · Aug 3, 2023, 12:13 AM

@Happydog is there a UniFi router in their config? I’ve seen it where the network there is set to use a UniFi router which wasn’t connected yet as the old router was still in place.

Happydog · Aug 3, 2023, 12:37 AM

No. Netgate 2100, UniFi PoE8 switch, UniFi AP and a PC (used to access the 2100; I bundle one with each Netgate). The problem must be somewhere in the Netgate setup. But there isn't much there in this basic config. DHCP Server is OK.

Happydog · Aug 3, 2023, 1:30 AM

rcoleman-netgate · Aug 3, 2023, 1:30 AM

@Happydog Again - I don't see anything wrong with your 2100's configuration. It has to be on the Unifi.

Happydog · Aug 3, 2023, 2:27 AM

Feel the same. Pretty simple setup and I've done a few. What are the settings in Pfsense to configure one of the LAN ports as a particular VLAN only? Just so I get it right.

SteveITS · Aug 3, 2023, 2:33 AM

@Happydog to isolate a port: https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html

bingo600 · Aug 3, 2023, 4:03 AM

Just a thought ....

Did you try to disable DHCP snooping on the unifi.
I can't really decide if the below is for a switch or if it's also in the AP.
Maybe try it .....

From:
https://evanmccann.net/blog/2021/11/unifi-advanced-wi-fi-settings

Happydog · Aug 3, 2023, 5:46 AM

Testing by connecting to a WiFi network on a VLAN network. That shows the client connecting but no IP address. Also connected a PC to a tagged port. Again no IP address.

Happydog · Aug 3, 2023, 5:51 AM

Set up a couple VLANs on another system. Same thing. This is such basic stuff that there must be some easy solution. Disabled DHCP snooping and one wifi network came back to life. Another didn't. Same settings everywhere. And on a different system (1100). Need to go over this with a UniFi expert. I doubt this is a Pfsense or Netgate issue because all the other VALNs and associated networks are fine.

nimrod · Aug 3, 2023, 8:55 AM

Go through this manual again

https://www.youtube.com/watch?v=WMyz7SVlrgc

I know this is basic stuff we are talking about here, but sometimes things get overlooked. It happened to me many times.

stephenw10 · Aug 3, 2023, 12:34 PM

@Happydog said in PfSense no DHCP on VLANs for UniFi WiFi controller:

Also connected a PC to a tagged port. Again no IP address.

This could be read several ways. To test with a PC directly it has to be on an untagged port that's a member of the VLAN. Presumably on the unifi switch.

johnpoz · Aug 3, 2023, 1:04 PM

@Happydog said in PfSense no DHCP on VLANs for UniFi WiFi controller:

Also connected a PC to a tagged port. Again no IP address.

As @stephenw10 stated.. If your just going to connect a pc to a tagged port - the PC would have to be set to send and understand tags that it gets. this can be done in the driver in windows, and linux can be set to understand the tag as well.

But almost always these ports should be in the vlan untagged, with the pvid set to the vlan ID.

Single devices are normally in 1 vlan, so should be untagged. The only time you need to have tags is when your going to carry more than 1 vlan over the same wire.

rcoleman-netgate · Aug 4, 2023, 2:37 AM

@Happydog I'm thinking you haven't tagged the WiFi VLAN on the uplink port to the pfSense yet.

pfrickroll · Aug 7, 2023, 7:07 PM

@Happydog I'm thinking you haven't tagged the WiFi VLAN on the uplink port to the pfSense yet.

I second that.