Multiple VLANs with ubiquity Unifi AP

Atreides · Dec 26, 2017, 2:50 AM

I'm trying to setup multiple vlans and ssids with my Ubiquiti access points. I'm not sure if I'm doing something wrong in pfsense, in my access point controller, or in my switch. I'm seeing the networks broadcasted, but I am able to connect to them. They ask me for the password but never connect.

I also noticed pfSense has a wireless setting page. I assuming that is for when a wireless interface is added directly to the pfSense, and that I shouldn't be using it. Is this assumption correct?

I should note that i'm able to connect to a wireless network that is not using a vlan with identical settings except for the vlan.

Controller

The controller is managed on vlan1

I have created a few Wi-Fi networks in my Unifi controller.

house -> vlan10
john -> vlan20
iot -> vlan70

Switch

In my switch I have connected the two access points to ports I have set to GENERAL, and set to VLANs 1,10,20,70. The switch is then trunked to my pfSense. I'm not sure if this is the right way to connect the access points to the switch. Should they be connected over a trunk? I was unsure about this. When I tried to trunk from the access points to the switch, I was unable to manage them in my controller.

I'm wondering if it's a problem with my switch since someone already mentioned that tp-link's can have a problem with vlans In a separate thread. I'm considering buying a Ubiquiti switch.

pfSense

In pfSense I've created three interfaces HOUSE (vlan10), JOHN (vlan20), IOT (vlan70) which are on the interface the switch connects to.

strangegopher · Dec 26, 2017, 3:15 AM

is your controller on trunk port too? it should be.
Also Switch -> AP port, pfSense -> switch port need to be on trunk ports.
Do you have a management wireless ssid with no vlan?
Do that and you can connect to no vlan ssid and manage AP wirelessly.

johnpoz · Dec 26, 2017, 4:59 AM

I use unifi AP and they have no problems with vlans..

Yes their IP that you talk to them would be untagged… But any vlans that they advertise could either be on the untagged vlan or some other tagged vlans..

It would work work like this

pfsense -- untagged, and tagged --- switch --- untagged, tagged AP ---- client SSID -- client...

Atreides · Dec 26, 2017, 5:38 PM

@johnpoz:

I use unifi AP and they have no problems with vlans..

Yes their IP that you talk to them would be untagged… But any vlans that they advertise could either be on the untagged vlan or some other tagged vlans..

It would work work like this

pfsense -- untagged, and tagged --- switch --- untagged, tagged AP ---- client SSID -- client...

That's basically what I've done. Maybe it's an issue with my tp link switch? Would you say it would be a good idea to get the ubiquity fully managed 8 port switch I linked?

Just to clarify, should the input port from the access points be trunked? Or should it be set to general, with all the different vlans I have set.

Derelict · Dec 26, 2017, 6:36 PM

Ubiquiti APs like to be managed on the untagged VLAN.

SSIDs with a VLAN set are tagged to/from the AP.

dotdash · Dec 26, 2017, 6:40 PM

Not sure what terminology the TP Link switches use, but assuming the default wireless is on the house vlan, you want the port connected to the UniFi AP to be native/untagged on 10, and tagged on the guest net (70?). You might also need to set the PVID to 10.

Atreides · Dec 26, 2017, 10:59 PM

I'm seriously thinking about buying the Ubiquiti switch. I'm hoping it'll make things easier so that there won't be any integration problems between the switch and my access point. People have mentioned problems with tp-links and vlans so I'm worried that might be causing the problem. Does anyone think this is a good or bad idea? Or if there is a better alternative?

I'm still not sure if I should be trunking between the access point and my switch. Should the port that the access points come in on be set to trunk? Or should it be set to GENERAL, which is the setting I use usually when vlans are coming in from various clients?

Derelict · Dec 27, 2017, 1:39 AM

The management VLAN has to arrive at the AP untagged.

The SSID VLANs have to arrive at the AP tagged.

On a cisco switch I am pretty sure you use general mode for that.

You might also be able to use a trunk port with a pvid set.

Every switch does it differently. For instance on brocade you would do something like this:

vlan 100
tagged ethernet 1/1/1

vlan 101
tagged ethernet 1/1/1

vlan 102
tagged ethernet 1/1/1

interface ethernet 1/1/1
dual-mode 100

That would make 100 untagged (the PVID) and 101 and 102 tagged.

johnpoz · Dec 27, 2017, 3:19 AM

Trunk would be used to your AP with the management vlan being the native or untagged traffic.. General would allow for more than 1 untagged vlan, while a trunk really has an enforced filter and only allows the 1 single untagged vlan, etc.

General gives you a bit more flexibility for doing odd stuff.. But to unifi AP if all your SSIDs are on vlans with only 1 of them untagged and the same as your management network your using to talk to the AP on then trunk would be correct cisco setting..

Either general or trunk would work as long as you setup the correct tagging for your vlans.