Netgate Discussion Forum
    VLAN interface setup anomaly?

    Problems Installing or Upgrading pfSense Software
    11 Posts 4 Posters 1.4k Views
    • jahonix

      I read that Unifi APs need the management network (and maybe the first SSID?) untagged. Traffic to additional SSIDs is VLAN tagged then.
      But I never had a Unifi AP myself so I cannot confirm this, only remembered having read it here on the forum.

      • awair

        Thanks Chris, that makes sense.

        2.4.3 (amd64)
        and given up on the SG-1000

        • Derelict (LAYER 8, Netgate)

          Yeah, the management VLAN to UniFi gear can be any VLAN, but it has to be untagged (the PVID) to the APs/cloud key/"controller" app/etc. There doesn't have to be a wireless SSID on it at all.

          When you set an SSID to have a VLAN, traffic on that SSID will be tagged to and from the switch. If you do not set a VLAN, it will be untagged along with the management traffic.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Harley99

            Thanks for the good advice.


            • awair

              Thanks Derelict,

              Having followed the tutorials to set up the VLAN, I seem to have run into another problem. I thought it was possibly firewall related, but still no joy.

              The Guest network is active on em2, with DHCP provided, and clients are able to browse the web - using the rules below from Jonpoz.
              https://forum.pfsense.org/index.php?topic=134802.msg738958#msg738958

              I have applied the same rules to the VLAN interface (em2_vlan120), and although a DHCP address is supplied, I do not get any internet connection on devices connected.

              Did I miss a step? I can't see any blocks in the firewall log. The VLAN interface can ping externally from pfSense, but traceroute fails.

              [Attachment: examplerules.png (screenshot of the firewall rules)]


              • Derelict (LAYER 8, Netgate)

                Do you need to add outbound NAT?

                If you can ping 8.8.8.8 but not www.google.com you likely have a DNS problem.

                Put a pass any any any rule at the top temporarily and see if that corrects it. If so, it's your interface rules. If not it's something else.

                https://doc.pfsense.org/index.php/Connectivity_Troubleshooting


                • awair

                  Derelict,

                  Thank you - fixed!

                  It was Outbound NAT - this was set to manual, based on some earlier copy/paste instructions. (I had previously configured the guest network - so this working was just a coincidence).

                  The Connectivity Troubleshooting link you provided led me to check the pages I hadn't realised I needed to check.

                  Thank you again for your help.


                  • Derelict (LAYER 8, Netgate)
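The root cause in the post above (manual outbound NAT with no rule for the newly added VLAN subnet) is something you can audit in config.xml rather than discover by trial and error. The following is an added example, not code from this thread or from pfSense: the config fragment is constructed, and the element layout it reads (interfaces/<name>, nat/outbound/mode, rule/source/network) is assumed to match pfSense's config.xml.

```python
# Audit pfSense outbound NAT: list interface subnets that no rule covers.
# The config fragment below is constructed; its element layout (interfaces/<name>,
# nat/outbound/mode, rule/source/network) is assumed to match pfSense's config.xml.

import ipaddress
import xml.etree.ElementTree as ET

CONFIG_XML = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><ipaddr>192.168.100.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>em2_vlan120</if><ipaddr>192.168.120.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <nat><outbound>
    <mode>manual</mode>
    <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source></rule>
    <rule><interface>wan</interface><source><network>192.168.100.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""


def interface_subnets(root):
    """Map interface device name -> configured IPv4 network (skips dhcp/none)."""
    nets = {}
    for iface in root.find("interfaces"):
        ip, mask = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and mask and ip not in ("dhcp", "none"):
            nets[iface.findtext("if")] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets


def uncovered_interfaces(config_xml):
    """Device names whose subnet is not inside any outbound NAT source network.
    Automatic and hybrid mode generate rules for every internal subnet, so only
    manual mode can leave one un-NATed (hybrid no-NAT overrides not modelled)."""
    root = ET.fromstring(config_xml)
    mode = root.findtext("nat/outbound/mode") or "automatic"
    if mode != "manual":
        return []
    covered = []
    for rule in root.findall("nat/outbound/rule"):
        src = rule.findtext("source/network")
        if src and src != "any":
            covered.append(ipaddress.ip_network(src, strict=False))
    return sorted(name for name, net in interface_subnets(root).items()
                  if not any(c.version == net.version and net.subnet_of(c)
                             for c in covered))
```

Running `uncovered_interfaces(CONFIG_XML)` on the constructed config reports `em2_vlan120`, the same symptom as in the thread: DHCP works and the firewall passes traffic, but nothing is translated on the way out.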

                    Glad you got it working.

                    About the only time I recommend manual outbound NAT these days is on a CARP/HA setup where pretty much all outbound NAT has to be carefully considered and customized.

                    In almost all other use cases, Hybrid is a better choice.

                    Hybrid is relatively new though so a lot of older walkthroughs still show manual.


                    • awair

                      Thanks for the advice. I'll read some more about Hybrid.

                      I'm not sure why I set Manual - possibly (following a tutorial) to enable use of OpenVPN as a gateway?

                      Anyway, I'll leave it for the moment, until I'm sure I can configure correctly. If it ain't broke…

                      Thanks again.


                      • awair

                        @Derelict:

                        Yeah, the management VLAN to UniFi gear can be any VLAN, but it has to be untagged (the PVID) to the APs/cloud key/"controller" app/etc. There doesn't have to be a wireless SSID on it at all.

                        When you set an SSID to have a VLAN, traffic on that SSID will be tagged to and from the switch. If you do not set a VLAN, it will be untagged along with the management traffic.

                        Found the appropriate link to this. It makes sense now, but it didn't when I read it before setup:
                        https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware

                        Initially you need to adopt your UniFi access points or switches over the native untagged VLAN, and this will be the continued requirement. That being said, they do support L3 management, so your controller can be on a different L3 network (or remote, etc.).

                        I didn't realise that "adopt" was a Unifi "reserved" word.

                        Thanks again Derelict

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.