Having trouble with DHCP and access point
-
From my limited experience with the ubiquitis they like to be managed on the untagged (primary) VLAN. So your management VLAN should reach the access points untagged. If that is in place you can create SSIDs on tagged VLANs to your heart's content.
Other than that, please be more specific.
-
hmm… with the lack of experience I have with OPT on pfSense, I'm not sure what you did wrong, but what I know is it should work. Essentially, first install the software (it has its own web server) to configure the UniFi: https://www.ubnt.com/download/unifi/ Install it (you need Java), then connect it to the LAN of the pfSense. It should get an IP, e.g. 192.168.1.80. To find the IP, check either in ARP or download a network scanner like netscan. Enter the IP in the URL and configure the AP. Now, if you want to create more SSIDs with different pools, it's possible through VLANs, but they have to be tagged. If you look at the pic before, you can see the config of DD-WRT. Tagged means that the UniFi gets the DHCP of 192.168.1.80 but can also handle another DHCP (192.168.3.80); untagged, it can only handle one DHCP pool (192.168.1.80). The only thing now is to find how to tag the LAN on pfSense, let's say VLAN 3 and VLAN 4, then you put VLAN 3 and 4 on the UniFi as in the picture before.
-
Ok, a couple of things on your rules: the rule on your LAN that allows you to opt1 net is pointless, since the rule above it lets you go anywhere.
On your opt1 rules, you don't need that rule that allows access to opt1 net; devices on opt1 don't talk to pfSense to access the opt1 network. You're allowing them access to lan net, so what is the point of saying !rfc1918 and using the PPPoE gateway?? Where do you think they are going to go with that 53 rule, when you told them that if they are going anywhere not rfc1918, go out your PPPoE gateway?
What exactly do you want to accomplish for this wifi segment?
As mentioned, management of the UniFi is on the native VLAN 1, no tagging. While you can have your controller on your LAN and your AP on opt1, it's easier to put your controller and AP on the same network, at least for setup; then you can move the AP to a different segment if you want. L3 management: http://wiki.ubnt.com/UniFi_FAQ#L3_.28Layer_3.29_Management
But if you run both controller and AP on the opt1 network, it is very simple to get going, and you can play with changing that after you get some more experience with it. If you then want to put an SSID on a VLAN, create the VLAN on pfSense, put it on your opt1 interface, trunk the ports on your switch, then trunk the port going to your AP, and you're good.
-
Yeah, like I said, some of those rules are farked up, but the one with RFC and PPPoE was something an article had suggested. But I'm not even sure if I had entered it right anyway.
-
And again what exactly do you want to happen, and what article did you read that suggested such rules?
-
Good question.. there are a few things I was trying to do; it may have been an attempt at bridging OPT1 to LAN or otherwise getting them to talk. The only link I can find now that I still have in my cache is http://www.cyberciti.biz/faq/how-to-pfsense-configure-network-interface-as-a-bridge-network-switch/
But it was not this link. However, it's going back to the first day I started running pfSense, so it's sorta fuzzy now. But I do know the RFC points to an alias which is 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Anyways, what I want to do is get LAN and OPT1 to communicate.
My roadmap, so to speak is
Get communication between LAN and OPT1
Add VLANs and 2nd distinct wireless networks (SSID's)
(Maybe) Add radius on one VLAN (Not sure yet if it will be the best solution)
Add Security Network VLAN (Probably just a couple cameras, recorder. but it may expand over time)
Add NAS (Abt 16TB)
In the future, I intend to have a web server on a DMZ, and an internal SQL server. But that is way off, currently.
-
If you need a switch get a switch. Don't waste router ports. You'll just end up with a hub anyway. Not a switch.
-
Yeah, bridging is not something you want to do.. And clearly it would not be a "switch"; it would be, as already stated, a HUB.. It is very RARE that you would actually want to do something like that.. I really don't understand the fascination with taking a highly valuable interface on your router/firewall and using it as a switch port when you can get an 8 port gig "SWITCH" for like 20$ if you need more ports. The only time I could see bridging interfaces would be if you want to do a transparent firewall sort of setup. And not a fan of that setup either ;)
The very nature of creating opt1 means it can talk to lan, and vice versa. If you want devices to talk between these segments, then create the rule on opt1 that allows that; by default lan is any any. Have you changed that?
Post up your rules for lan and opt1 and describe what you want to allow or not allow devices on each segment, or even other VLANs, to do to the other VLANs..
What I would suggest you do: any any rules, get your stuff talking, have your SSID with its own VLAN, etc.. And then lock down your rules to how you want them.. Example: my wlan can not talk to my lan except for NTP to my NTP server on that segment; my iPad can do what it wants. My guest wireless on its own VLAN can not talk to anything, not even pfSense for DNS; I hand out public DNS for the guest. The only thing it can do is ping the wlanguest pfSense interface for connectivity testing, etc.
So example rules
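To make the two rule points in this thread concrete (a broad "pass any" above a narrower rule makes the narrower one unreachable, and the guest VLAN that may only ping its pfSense interface), here is an added example that is not from any poster: a small Python model of pfSense's top-down, first-match, default-deny rule evaluation with a shadowed-rule check. The subnets, the guest gateway address and both rule sets are constructed for illustration.

```python
import ipaddress

# Added example, not from the thread: a small model of how pfSense evaluates
# interface rules (top-down, first match wins, implicit deny at the end).
# All subnets, the gateway address and the rule sets are constructed.
net = ipaddress.ip_network
LAN_NET, OPT1_NET, GUEST_NET = net("192.168.1.0/24"), net("192.168.3.0/24"), net("192.168.4.0/24")
GUEST_GW = net("192.168.4.1/32")   # pfSense address on the guest VLAN (assumed)
ANY = net("0.0.0.0/0")
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

# rule = (action, proto, src, dsts, dport); dport None means any port
LAN_RULES = [
    ("pass", "any", LAN_NET, [ANY], None),       # default LAN "any any"
    ("pass", "any", LAN_NET, [OPT1_NET], None),  # never reached: shadowed above
]
GUEST_RULES = [                                  # the guest policy from the thread
    ("pass", "icmp", GUEST_NET, [GUEST_GW], None),  # ping the interface only
    ("block", "any", GUEST_NET, RFC1918, None),     # no private nets, no pfSense DNS
    ("pass", "any", GUEST_NET, [ANY], None),        # everything else out the WAN
]

def matches(rule, proto, src, dst, dport):
    _, rproto, rsrc, rdsts, rport = rule
    return (rproto in ("any", proto) and src in rsrc
            and any(dst in d for d in rdsts) and rport in (None, dport))

def evaluate(rules, proto, src, dst, dport=None):
    """Return (index of the winning rule or None, action); no match = default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return i, rule[0]
    return None, "block"

def covers(outer, inner):
    """True when every packet matching `inner` already matches `outer`."""
    _, oproto, osrc, odsts, oport = outer
    _, iproto, isrc, idsts, iport = inner
    return (oproto in ("any", iproto) and isrc.subnet_of(osrc)
            and all(any(d.subnet_of(o) for o in odsts) for d in idsts)
            and oport in (None, iport))

def shadowed(rules):
    """Indices of rules that can never match because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]
```

Running `shadowed(LAN_RULES)` flags the second LAN rule as dead, and `evaluate(GUEST_RULES, ...)` shows a guest host can ping 192.168.4.1 but is blocked from any other private address, including DNS to pfSense.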
-
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
Read and understand that first. You have all sorts of nonsense rules in there.
After that, if you move the AP to another interface, you will almost certainly lose the ability to auto-discover the AP from other networks and will need to specify it by IP address in the unifi "controller" software.
-
Ok, thanks, I'll read that. But yeah, at that time I didn't know bridging wasn't really a good thing, but found out later, so I stopped trying. At this point, I am looking at keeping it on this interface, and maybe having the security network on a different interface.
My original plan was to have 3 interfaces (I have more network cards I can add if I want; they have no other real uses right now): one LAN, one for wireless, and one for home media devices like PS3, Netflix boxes etc., and the NAS box would be able to stream on it (not sure yet if it will be able to without being physically attached to both interfaces?). Then the security network would get placed accordingly (kinda assumed I'd add another NIC). But the more I look at it, the more it seems there isn't much value in having wireless on a separate interface, and it works better in terms of VLAN + SSID vs separate interface + VLAN + SSID… as wifi will be needed on both, so I might as well just use separate SSIDs and VLANs, and use the other interface for security, eliminating the need for an additional NIC.