Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP

chrisp87

Thanks for the replies.

There are two rules for the LAN interface by default, and I created these same rules for the OPT1 interface. However, I am unable to connect to the Guest wireless network.

![Screen Shot 2017-05-19 at 1.01.37 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.01.37 PM.png)
![Screen Shot 2017-05-19 at 1.01.37 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.01.37 PM.png_thumb)
![Screen Shot 2017-05-19 at 1.02.53 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.02.53 PM.png)
![Screen Shot 2017-05-19 at 1.02.53 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.02.53 PM.png_thumb)
![Screen Shot 2017-05-19 at 1.02.16 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.02.16 PM.png)
![Screen Shot 2017-05-19 at 1.02.16 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.02.16 PM.png_thumb)
![Screen Shot 2017-05-19 at 1.02.10 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.02.10 PM.png)
![Screen Shot 2017-05-19 at 1.02.10 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 1.02.10 PM.png_thumb)

NogBadTheBad

As your not seeing any packets that hit the allow rule I think it's an issue with the trunk port that the ap's connected to.

Try a packet capture and have a look in Wireshark

Do you get an IP address when connected to a switch via ethernet thats set to vlan 2 ?

Also rename the opt1 interface to Guest and block access to the local subnets when it's working :)

chrisp87

No, I'm not getting an IP address when I try to connect to the Guest wireless network. Computers are unable to connect to the wireless network (see the attached screenshot). This makes me think the issue lies in the VLAN configuration on the Ubiquiti equipment (either the switch, access point, or both).

Does anyone here have experience with VLANs and multiple SSIDs with pfSense and Ubiquiti equipment?

![Screen Shot 2017-05-19 at 2.05.27 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 2.05.27 PM.png)
![Screen Shot 2017-05-19 at 2.05.27 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 2.05.27 PM.png_thumb)

NogBadTheBad

Set up a port untagged ( access ) in vlan 2 and connect a pc via ethernet, if that doesn't work check out the port the router connects to.

Nope but here's how my Linksys switch is set up :-

VLAN ID VLAN
2 USER
3 GUEST
4 IOT
5 DMZ
6 VOICE
4093 Default

Unifi controller in GE3, ap in GE2 & router in GE1

GE1 Trunk 4093 Admit All Enabled 2T, 3T, 4T, 5T, 6T, 4093UP
GE2 Trunk 4093 Admit All Enabled 2T, 3T, 4T, 4093UP
GE3 Access 4093 Admit All Enabled 4093UP

T = Tagged
U = Untagged

https://www.youtube.com/watch?v=zoK8N7uB6ho

NogBadTheBad

You can also do a tcpdump from the ap, interface eth0.X X=vlan ID

mac-pro:~ andyk$ ssh admin@ap-1
admin@ap-1's password:

BusyBox v1.19.4 (2017-04-13 16:15:06 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

BZ.v3.7.55# ifconfig -a
ath0 Link encap:Ethernet HWaddr 80:2A:A8:97:9D:8C
inet6 addr: fe80::822a:a8ff:fe97:9d8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:213887 errors:6 dropped:6 overruns:0 frame:0
TX packets:1348980 errors:0 dropped:3280934 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:41600604 (39.6 MiB) TX bytes:1234013163 (1.1 GiB)

ath1 Link encap:Ethernet HWaddr 82:2A:A8:97:9D:8C
inet6 addr: fe80::802a:a8ff:fe97:9d8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:34585 errors:3 dropped:3 overruns:0 frame:0
TX packets:51198 errors:0 dropped:57986 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:38302015 (36.5 MiB) TX bytes:70419182 (67.1 MiB)

ath2 Link encap:Ethernet HWaddr 92:2A:A8:97:9D:8C
inet6 addr: fe80::902a:a8ff:fe97:9d8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:135587 errors:0 dropped:0 overruns:0 frame:0
TX packets:4722276 errors:0 dropped:103 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25571266 (24.3 MiB) TX bytes:3736547134 (3.4 GiB)

ath3 Link encap:Ethernet HWaddr 80:2A:A8:98:9D:8C
BROADCAST PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ath3.2 Link encap:Ethernet HWaddr 80:2A:A8:98:9D:8C
BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ath3.3 Link encap:Ethernet HWaddr 80:2A:A8:98:9D:8C
BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ath3.4 Link encap:Ethernet HWaddr 80:2A:A8:98:9D:8C
BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ath4 Link encap:Ethernet HWaddr 82:2A:A8:98:9D:8C
inet6 addr: fe80::802a:a8ff:fe98:9d8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:3884367 errors:3059 dropped:3059 overruns:0 frame:0
TX packets:8445514 errors:20775 dropped:1311 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1141510972 (1.0 GiB) TX bytes:2623914446 (2.4 GiB)

ath5 Link encap:Ethernet HWaddr 92:2A:A8:98:9D:8C
inet6 addr: fe80::902a:a8ff:fe98:9d8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:150 errors:0 dropped:0 overruns:0 frame:0
TX packets:109 errors:5 dropped:58062 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:26326 (25.7 KiB) TX bytes:55143 (53.8 KiB)

ath6 Link encap:Ethernet HWaddr A2:2A:A8:98:9D:8C
inet6 addr: fe80::a02a:a8ff:fe98:9d8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:1369623 errors:17 dropped:17 overruns:0 frame:0
TX packets:2075569 errors:9959 dropped:815 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:192941660 (184.0 MiB) TX bytes:3002466372 (2.7 GiB)

br0 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
inet addr:172.16.1.11 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::822a:a8ff:fe96:9d8c/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:992831 errors:0 dropped:544 overruns:0 frame:0
TX packets:505813 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:93349951 (89.0 MiB) TX bytes:280369726 (267.3 MiB)

br0.2 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:4249931 errors:0 dropped:1108 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2957666172 (2.7 GiB) TX bytes:0 (0.0 B)

br0.3 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:58082 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10662123 (10.1 MiB) TX bytes:0 (0.0 B)

br0.4 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:4439648 errors:0 dropped:8 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3255456016 (3.0 GiB) TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
inet6 addr: fe80::822a:a8ff:fe96:9d8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:20503846 errors:0 dropped:24098 overruns:0 frame:0
TX packets:6143133 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4182787280 (3.8 GiB) TX bytes:1734278600 (1.6 GiB)
Interrupt:4

eth0.2 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:12819546 errors:0 dropped:0 overruns:0 frame:0
TX packets:4097401 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14406471951 (13.4 GiB) TX bytes:1178268853 (1.0 GiB)

eth0.3 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:118131 errors:0 dropped:0 overruns:0 frame:0
TX packets:34732 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:78603267 (74.9 MiB) TX bytes:37566793 (35.8 MiB)

eth0.4 Link encap:Ethernet HWaddr 80:2A:A8:96:9D:8C
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:6549050 errors:0 dropped:0 overruns:0 frame:0
TX packets:1505181 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6415384228 (5.9 GiB) TX bytes:215523504 (205.5 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:268 errors:0 dropped:0 overruns:0 frame:0
TX packets:268 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10568 (10.3 KiB) TX bytes:10568 (10.3 KiB)

wifi0 Link encap:UNSPEC HWaddr 80-2A-A8-97-9D-8C-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26921498 errors:1294525 dropped:0 overruns:0 frame:1294525
TX packets:54708715 errors:203086 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:4095
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:47 Memory:b8100000-b8120000

wifi1 Link encap:UNSPEC HWaddr 80-2A-A8-98-9D-8C-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:4095
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:40 Memory:b2000000-b2200000

BZ.v3.7.55# tcpdump -i eth0.3
tcpdump: WARNING: eth0.3: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.3, link-type EN10MB (Ethernet), capture size 65535 bytes
19:39:43.408947 IP6 fe80::208:a2ff:fe0a:9dcb > ff02::1: ICMP6, router advertisement, length 144
19:39:48.960463 IP6 fe80::208:a2ff:fe0a:9dcb > ff02::1: ICMP6, router advertisement, length 144
19:40:00.968894 IP6 fe80::208:a2ff:fe0a:9dcb > ff02::1: ICMP6, router advertisement, length 144

chrisp87

Thank you for the details.

I added a "Network/VLAN" to port 1 (UniFi access point) and port 10 (pfSense router) in the UniFi controller. I only took screenshots of the port 1 configuration since port 10 has the same configuration. The Guest Network/VLAN now appears to be tagged on these ports. However, there is no trunk mode option in the configuration, and I am still unable to connect to the Guest wireless network. I understand that the VLAN configuration may be slightly different for Ubiquiti equipment, but does this configuration appear correct?

![Screen Shot 2017-05-19 at 5.09.26 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 5.09.26 PM.png)
![Screen Shot 2017-05-19 at 5.09.26 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 5.09.26 PM.png_thumb)
![Screen Shot 2017-05-19 at 5.09.16 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 5.09.16 PM.png)
![Screen Shot 2017-05-19 at 5.09.16 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 5.09.16 PM.png_thumb)
![Screen Shot 2017-05-19 at 5.10.01 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 5.10.01 PM.png)
![Screen Shot 2017-05-19 at 5.10.01 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-19 at 5.10.01 PM.png_thumb)

Derelict

This is not ubnt support, right?

chrisp87

I understand that this is not Ubiquiti support. I initially posted the question on https://community.ubnt.com, but it has been a week and nobody has replied to my post. VLANs, and networking in general, is similar regardless of the equipment manufacturer, and since I'm running pfSense as my router, I figured I would ask here. I've already learned a lot more and received more support on this forum than the Ubiquiti community.

NogBadTheBad

Think it looks right but I'm viewing this from my phone.

NogBadTheBad

Try on the ap :-

tcpdump -n -i eth0 -e | grep vlan

You'll see lines scrolling past with vlan numbers if the switch is tagging packets.

Guest

Does anyone here have experience with VLANs and multiple SSIDs with pfSense and Ubiquiti equipment?

For setting pup VLAN here you might be setting up two SSIDs and two VLANs and put each SSID in one VLAN! They must
be then both tagged ones!

Derelict

Ubiquiti APs need to be managed via the untagged VLAN. For SSIDs you can tag the VLAN. It's pretty much that simple.

johnpoz

^yup!! The management has to be untagged - this has been a big complaint from many people.. So you can run a SSID with no tag if you want that on the same layer 2 as your management network. Or all of your ssids can be on different vlans, either static or you can set them dynamic as well.

So my controller and AP are on my wlan 20 vlan, so on the trunk port connected to my AP vlan 20 is the pvid and is untagged. This is the same network as my eap-tls authed ssid. Then the other 3 ssids are for iot devices, guests and stuff that can not do eap-tls.. these 3 vlans are tagged.