Netgate Discussion Forum
    Unifi ap ac pro with Vlan PFsense DHCP, NAT, connected devices not getting out.

    Category: NAT

    Kr0n1c:

      Hello all,

      I am having some problems getting VLANs working on my pfSense box, which is attached to a UniFi AP Pro.

      What is my setup:

      The UniFi AP Pro has 4 SSIDs, each having its own VLAN.

      Each VLAN has been set up on the same interface PO1 on the pfSense box, and all have DHCP servers configured for them.

      The interface that connects the UniFi, switch and pfSense is active with all VLANs and has its own DHCP server for the UniFi and other native devices that are not within a VLAN (VLAN trunking/administration interface?); I'm using it now and it's working fine.

      The UniFi and pfSense devices are connected to a Netgear switch which has two ports with VLANs assigned to them.

      Results from setup:

      All devices can connect to the UniFi and authenticate.

      All devices can get an IP from DHCP from their respective VLAN DHCP servers.

      All DHCP servers have gateways (static IP of the VLAN interface).

      Each VLAN has its own firewall rules pointing to the gateway addresses of the WAN, with source from the respective VLAN.

      NAT has been configured with all IPs in relation to each DHCP server.

      What have I done to test:

      I can ping from each VLAN using pfSense Diagnostics to the main WAN.

      I cannot ping the default gateway from each connected machine, except the non-VLAN one, which works and is able to get out.

      I think this may be a broadcast/layer 2 issue, since the router part of pfSense is supposed to remove tagging when getting out and put it back when going in, so it should work.

      Am I doing something wrong?

      From my understanding, the VLANs for the router-on-a-stick function should be trunked from the switch, but "trunk" is a Cisco term.

      Looking at the Netgear switch (GS108E), I think the logic should be to have the VLANs in its database (802.1Q) and have them all assigned to the interfaces from the UniFi to the pfSense box.

      The fact that they can get DHCP addresses shows that the physical link works.

      I have been at this for days and I am lost, please help!

      johnpoz (LAYER 8 Global Moderator):
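      The post above describes the router-on-a-stick pattern: every SSID VLAN has to cross the switch tagged in both directions between the AP port and the pfSense port, while the native/management VLAN crosses untagged. The following Python model is an added example, not code from the thread, Netgate or Netgear; it models generic 802.1Q port membership (PVID, tagged members, untagged members) and checks a two-port configuration for exactly that property. VLAN 3098 is the ID mentioned in the thread; the other three VLAN IDs and the port names are constructed for the example, and the "bad" configuration is one hypothetical mistake (an SSID VLAN set as an untagged member on the firewall-side port) chosen to show what the check reports.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One port of a generic 802.1Q switch (a model, not the GS108E's firmware)."""
    name: str
    pvid: int                                   # VLAN assigned to frames that arrive untagged
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLANs sent out of this port with the tag removed

    def is_member(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


class Switch8021Q:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, ingress: str, vid, egress: str):
        """Classify a frame arriving on `ingress` (vid=None means it arrived untagged)
        and report how it leaves `egress`: ('tagged', vid), ('untagged', vid) or ('dropped', reason)."""
        pin, pout = self.ports[ingress], self.ports[egress]
        if vid is None:
            vid = pin.pvid                      # untagged ingress frame takes the port's PVID
        elif not pin.is_member(vid):
            return ("dropped", f"{ingress} is not a member of VLAN {vid} (ingress filtering)")
        if vid in pout.tagged:
            return ("tagged", vid)
        if vid in pout.untagged:
            return ("untagged", vid)
        return ("dropped", f"{egress} is not a member of VLAN {vid}")


def check_router_on_a_stick(sw, ap_port, fw_port, ssid_vlans, native_vlan):
    """Return the list of problems for the router-on-a-stick pattern: each SSID VLAN must
    cross the switch tagged in BOTH directions; the native VLAN must cross untagged."""
    problems = []
    for vid in sorted(ssid_vlans):
        for src, dst in ((ap_port, fw_port), (fw_port, ap_port)):
            how, detail = sw.forward(src, vid, dst)
            if how != "tagged":
                problems.append(f"VLAN {vid} {src}->{dst}: {how} ({detail})")
    for src, dst in ((ap_port, fw_port), (fw_port, ap_port)):
        how, detail = sw.forward(src, None, dst)
        if how != "untagged" or detail != native_vlan:
            problems.append(f"native VLAN {src}->{dst}: {how} ({detail})")
    return problems


# Constructed sample configuration: 3098 comes from the thread, the other IDs are made up.
SSIDS = {3098, 3099, 3100, 3101}
NATIVE = 1


def good_switch():
    """Both ports carry every SSID VLAN tagged and the native VLAN untagged."""
    return Switch8021Q([
        Port("ap", pvid=NATIVE, tagged=set(SSIDS), untagged={NATIVE}),
        Port("pfsense", pvid=NATIVE, tagged=set(SSIDS), untagged={NATIVE}),
    ])


def bad_switch():
    """Hypothetical mistake: VLAN 3098 is an untagged member on the pfSense-side port,
    so its tag is stripped on the way to the firewall and the VLAN 3098 interface never sees it."""
    return Switch8021Q([
        Port("ap", pvid=NATIVE, tagged=set(SSIDS), untagged={NATIVE}),
        Port("pfsense", pvid=NATIVE, tagged=SSIDS - {3098}, untagged={NATIVE, 3098}),
    ])


if __name__ == "__main__":
    for label, sw in (("good", good_switch()), ("bad", bad_switch())):
        print(label, check_router_on_a_stick(sw, "ap", "pfsense", SSIDS, NATIVE))
```

      Running the check against the "bad" configuration reports a single problem for VLAN 3098 in the AP-to-pfSense direction while the "good" one reports none, which is the kind of asymmetry to look for on the switch before touching firewall rules: a client can still obtain a lease from a misbehaving path if broadcasts reach a DHCP server on the wrong VLAN, so working DHCP alone does not prove the tagged path is right.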

        "each vlan has its own firewall rules pointing to the gateway addresses of the wan with source from the respected vlan. "

        What?? Post up your rules for your VLANs..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        Kr0n1c:

          Hello,

          Thank you for your reply.

          The firewall rules are as follows:

          With specified gateway:

          Protocol: TCP/UDP, Source: vlan3098, Port: (meaning any, from my understanding), Destination: *, Port: (of destination), Gateway: WAN_PPOE, Queue: none

          With none specified:

          Protocol: TCP/UDP, Source: vlan3098, Port: , Destination: *, Port: (of destination), Gateway: *, Queue: none

          I have tried it both ways since posting and it still does not work for VLANs only.
          When setting up a normal interface it's all working fine, hence why I am at a loss.

          Please help if you can.

          Thanks again.

          Kr01c

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.