Simple VLAN for PFSense + Unifi AP-AC-LR
-
Hi Guys
I have simple home setup, which utilises a Unifi Access Point for WIFI. It looks like this:
I want add a guest SSID to the access point. This is so I can effectively separate the home wifi from the guest wifi. I believe this can be achieved on the access point using a VLAN.
My question is, can I configure the PFSense box to achieve this? To elaborate, I've never used VLANs before and I don't know if this type of set up is compatible especially without a managed switch?
The proposed set up would look like this
Any help would be appreciated, thanks
-
It's easy to do, you'll need a switch that does VLANS.
Create vlan 20 and the parent interface will be the interface that your LAN sits on.
I use the untagged VLAN for management.
Here is how my LAN looks:-
The associated pfSense settings:-
-
Wow, thanks for the info! Looking through your Interface Assignments, I'm blown away you can do so much with the one physical LAN socket (igb0)
Question - can this be acheived WITHOUT a managed switch, as I don't currently own one?
-
You can't but they're cheap as chips.
I'm a network engineer by trade, I may have gone a bit OTT :)
-
OK, so unlike my simplified diagram, I've actually got 2x switches between the pfsense and the Unfi AP - do they BOTH need to be managed in this scenario?
-
All you have to do is configure a VLAN on pfSense and the same VLAN on the AP for the 2nd SSID. While some will say you need a managed switch, you don't for something as simple as this. Unmanaged switches will pass VLAN tagged frames without problem and most of the VLAN tagged frames will not appear at other devices. Even if they did, the other devices would have to be configured to access that VLAN to see them. So, those tagged frames appearing at other devices are nothing more than a minor waste of bandwidth.
-
If the AP connects to the first switch ( switch-1 in my example ) this only needs to support VLANS.
If your second switch only hosts 192.168.0.0/24 devices you can connect any dumb switch to the switch that supports VLANs, the port on switch-1 to switch-2 would just need to be an untagged port and you could only carry the single subnet to the second switch.
-
@bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:
OK, so unlike my simplified diagram, I've actually got 2x switches between the pfsense and the Unfi AP - do they BOTH need to be managed in this scenario?
Should you use managed switches, they'd have to be configured with trunk ports facing both pfSense and the AP, with all other ports configured as access ports. If you have more than one switch, you have to do the same for every switch that's between pfSense and the AP. Also, if you have multiple switches, you want to avoid loops, unless you're sure the switches support spanning tree or equivalent. All managed switches should, but some unmanaged switches don't.
-
Ah, that's at least worth a try.
Newbie alert - so, a non VLAN device, say a wired PC on the LAN requests an IP address from the PFSense box - what governs whether the PFSense gives it a LAN based IP (192.168.0.x) or VLAN based IP (10.0.0.x) ?
-
Got it
-
@bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:
Ah, that's at least worth a try.
Newbie alert - so, a non VLAN device, say a wired PC on the LAN requests an IP address from the PFSense box - what governs whether the PFSense gives it a LAN based IP (192.168.0.x) or VLAN based IP (10.0.0.x) ?
You probably want to read up on VLANs. However, the difference between VLAN frames and regular frames is the VLAN tag. This tag is a 4 byte value that's inserted into the Ethernet frame where the Ethertype/length field normally is, with the original Ethertype/length frame immediately following. So, the only difference between VLAN and regular frames is the content of the 2 bytes following the source MAC address and the additional 4 bytes in length. It's also possible to have 2 levels of VLAN, but you wouldn't see that outside of carrier networks. The network adapter in the device is configured for whatever VLANs are desired.
-
BTW you can have up to 8 SSIDs on the AP, not that I'd advise having that many.
-
@jknott said in Simple VLAN for PFSense + Unifi AP-AC-LR:
@bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:
Ah, that's at least worth a try.
Newbie alert - so, a non VLAN device, say a wired PC on the LAN requests an IP address from the PFSense box - what governs whether the PFSense gives it a LAN based IP (192.168.0.x) or VLAN based IP (10.0.0.x) ?
You probably want to read up on VLANs. However, the difference between VLAN frames and regular frames is the VLAN tag. This tag is a 4 byte value that's inserted into the Ethernet frame where the Ethertype/length field normally is, with the original Ethertype/length frame immediately following. So, the only difference between VLAN and regular frames is the content of the 2 bytes following the source MAC address and the additional 4 bytes in length. It's also possible to have 2 levels of VLAN, but you wouldn't see that outside of carrier networks.
Ah, the PFSense is evaluating each packet and determining whether it has this tag or not. If it has the tag, it chooses the appropriate interface to pass the packets to. I'll go and read that link, thanks.
-
@bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:
Ah, the PFSense is evaluating each packet and determining whether it has this tag or not. If it has the tag, it chooses the appropriate interface to pass the packets to. I’ll go and read that link, thanks.
Not so much pfSense as the network adapter and operating system. VLANs work at layer 2 and pfSense at layer 3. PfSense simply sees another interface to work with.
-
Got it, so prior to creating the VLAN on the PFSense box, PFSense would discard any packets it received with a VLAN tag, in this case from the AP guest SSID?
-
What are the DHCP clients on your home LAN.
Some devices support VLANs, my Mac I can create an untagged and tagged interface.
Maybe have a play about.
-
@bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:
Got it, so prior to creating the VLAN on the PFSense box, PFSense would discard any packets it received with a VLAN tag, in this case from the AP guest SSID?
Not quite. When the computer running pfSense receives a VLAN frame, that frame is directed to the VLAN interface and the VLAN tag is stripped off. Going the other way, a frame sent out through the VLAN interface has the tag added, before being sent out the port. The VLAN tags are used to create virtual networks that logically appear to be separate, as though they were physically separate.
-
@nogbadthebad said in Simple VLAN for PFSense + Unifi AP-AC-LR:
Some devices support VLANs, my Mac I can create an untagged and tagged interface.
My desktop system, running Linux, supports VLANs, but my notebook, running the same version of Linux, does not. I doubt devices such as tablets or smart phones support VLANs.
-
@jknott said in Simple VLAN for PFSense + Unifi AP-AC-LR:
Not quite. When the computer running pfSense receives a VLAN frame, that frame is directed to the VLAN interface and the VLAN tag is stripped off.
What if the computer running pfSense hasn't yet got the VLAN interface created? Will it ignore the packet?
-
@jknott That's interesting - I'm going to go take a look at my network adapter's available settings! Thanks!