Netgate Discussion Forum
    Simple VLAN for PFSense + Unifi AP-AC-LR

• JKnott @BBCModelB

      @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

      Ah, the PFSense is evaluating each packet and determining whether it has this tag or not. If it has the tag, it chooses the appropriate interface to pass the packets to. I’ll go and read that link, thanks.

      Not so much pfSense as the network adapter and operating system. VLANs work at layer 2 and pfSense at layer 3. PfSense simply sees another interface to work with.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

• BBCModelB @JKnott

        @jknott

        Got it, so prior to creating the VLAN on the PFSense box, PFSense would discard any packets it received with a VLAN tag, in this case from the AP guest SSID?

• NogBadTheBad

What are the DHCP clients on your home LAN?

Some devices support VLANs; on my Mac I can create an untagged and a tagged interface.

          Maybe have a play about.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

• JKnott @BBCModelB

            @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

            @jknott

            Got it, so prior to creating the VLAN on the PFSense box, PFSense would discard any packets it received with a VLAN tag, in this case from the AP guest SSID?

            Not quite. When the computer running pfSense receives a VLAN frame, that frame is directed to the VLAN interface and the VLAN tag is stripped off. Going the other way, a frame sent out through the VLAN interface has the tag added, before being sent out the port. The VLAN tags are used to create virtual networks that logically appear to be separate, as though they were physically separate.

• JKnott @NogBadTheBad

              @nogbadthebad said in Simple VLAN for PFSense + Unifi AP-AC-LR:

Some devices support VLANs; on my Mac I can create an untagged and a tagged interface.

              My desktop system, running Linux, supports VLANs, but my notebook, running the same version of Linux, does not. I doubt devices such as tablets or smart phones support VLANs.

• BBCModelB @JKnott

                @jknott said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                Not quite. When the computer running pfSense receives a VLAN frame, that frame is directed to the VLAN interface and the VLAN tag is stripped off.

                What if the computer running pfSense hasn't yet got the VLAN interface created? Will it ignore the packet?

• BBCModelB @JKnott

                  @jknott That's interesting - I'm going to go take a look at my network adapter's available settings! Thanks!

• JKnott @BBCModelB

                    @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                    What if the computer running pfSense hasn’t yet got the VLAN interface created? Will it ignore the packet?

Yes, it will ignore any VLAN frame that it's not configured for. For example, if you enable VLAN 10, frames for VLAN 11, 20, 3000 etc. will be ignored. Also, one feature of switches is that they forward frames based on MAC addresses. If a device hasn't had traffic through a port, traffic for that device will not go through that port. However, some things, such as broadcasts, or frames for a device that the switch has yet to learn about, will be sent to all ports. Bottom line, devices are unlikely to see many VLAN frames that they're not configured for.

• NogBadTheBad

                      In your case the AP will be doing the tagging of the packets coming from the guest Wi-Fi.

If you do a packet capture using tcpdump on eth0 you'll see tagged and untagged packets.

                      ssh admin@ap-1 'tcpdump -i eth0 src not 172.16.2.20 and dst not 172.16.2.20 -w -' > ~/capture.pcap

Where 172.16.2.20 is the device I'm sshing from.

[screenshot attachment]

                      Andy

• BBCModelB @NogBadTheBad

                        @nogbadthebad

Ah, that's interesting, so I can actually view the tagged / untagged traffic - thanks for the info.

• NogBadTheBad @BBCModelB

                          @bbcmodelb

Yes, you need to find a packet with a VLAN ID in it and add it as a column, or create a new column and set it as follows:

[screenshot attachment]

                          Andy

• JKnott @BBCModelB

                            @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                            @nogbadthebad

Ah, that's interesting, so I can actually view the tagged / untagged traffic - thanks for the info.

                            Yep, Wireshark is a very useful tool for understanding network issues. For example, by looking at that capture, you can see it's an Ethernet II (also known as DIX) frame, which is 1 of 2 types, the other being IEEE 802.3. The only significant difference between them is the Ethertype/length field I mentioned. If it's 1500 or less, it's the size of the data carried by the frame. If 1536 or more, it's Ethertype, which describes the payload type. In this example, a VLAN frame. When you have Wireshark running, you can expand the fields to see the actual contents. If 802.3 length, then it imposes a hard limit of 1500 bytes, which many incorrectly assume to be the maximum IP MTU. However, IP uses Ethernet II, which has no length limit and, in fact, up to 65K MTU is supported, provided layer 2 supports it. Way back in the dark ages, the hardware limited the frame size to 1518 bytes, which meant there wasn't room for both a VLAN tag and full 1500 byte MTU. However, that limit was removed 20 years ago with frame expansion, so no modern hardware should have a problem with VLAN tags.

                            BTW, pfSense includes "Packet Capture", which can be used to capture frames. However, it doesn't display as much as Wireshark, so you may want to capture with Packet Capture and then download the capture to view with Wireshark.

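As an added example (not code from the thread or from pfSense), a small Python parser that does what JKnott describes: it peels the 802.1Q tag off a received frame, classifies the type/length field as an IEEE 802.3 length (1500 or less) or an Ethernet II Ethertype (1536 or more), and models a host that delivers tagged frames only for the VLANs it is configured for. The sample frames are constructed inline; 0x8100 is the standard 802.1Q TPID.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # Ethertype value that announces an IEEE 802.1Q VLAN tag

def parse_frame(raw: bytes) -> dict:
    """Decode dst/src MAC, an optional 802.1Q tag, and the type/length field:
    a value <= 1500 is an IEEE 802.3 length, >= 1536 an Ethernet II Ethertype."""
    dst, src, tl = struct.unpack("!6s6sH", raw[:14])
    off, vid, pcp = 14, None, 0
    if tl == TPID_8021Q:                      # 4-byte tag sits after the source MAC
        tci, tl = struct.unpack("!HH", raw[14:18])
        pcp, vid, off = tci >> 13, tci & 0x0FFF, 18
    if 1500 < tl < 1536:
        raise ValueError(f"reserved type/length value {tl:#06x}")
    kind = "802.3" if tl <= 1500 else "Ethernet II"
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vid, "pcp": pcp,
            "kind": kind, "type_or_len": tl, "payload": raw[off:]}

def strip_tag(raw: bytes) -> bytes:
    """Receive side of a VLAN interface: remove the 4-byte tag."""
    return raw[:12] + raw[16:] if parse_frame(raw)["vlan"] is not None else raw

def add_tag(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """Transmit side of a VLAN interface: insert the tag after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return raw[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + raw[12:]

def deliver(raw: bytes, configured: set) -> Optional[bytes]:
    """Host behaviour from the thread: frames tagged with a configured VLAN go to
    that VLAN interface (tag stripped), untagged frames go to the parent, and
    tags the host is not configured for are dropped (None)."""
    vid = parse_frame(raw)["vlan"]
    return strip_tag(raw) if vid is None or vid in configured else None

# Constructed sample: an untagged Ethernet II frame carrying the IPv4 Ethertype
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" * 20
TAGGED_V2 = add_tag(UNTAGGED, 2)        # what the AP's guest SSID would send
TAGGED_V20 = add_tag(UNTAGGED, 20, 5)   # a VLAN the host is not configured for

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("vlan2", TAGGED_V2), ("vlan20", TAGGED_V20)):
        p = parse_frame(f)
        print(name, p["kind"], hex(p["type_or_len"]), "vlan", p["vlan"], "pcp", p["pcp"])
        print("  delivered to a host with VLAN 2 only:", deliver(f, {2}) is not None)
```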
• BBCModelB

Hmmm, I've implemented a solution using unmanaged switches, and connected my smartphone to the new GUEST wifi, where the pfsense box IS giving it the correct IP address 10.0.0.x, but when I try to access a website, nothing's appearing, almost as if it's a firewall / NAT issue?

                              pfSense box config

                              interfaces > interfaces assignments > vlans > add >
                              tag, 2
                              parent interface, em3 (lan)
                              priority, 0

interfaces > interfaces assignments > add >
                              description, GUEST
                              ipv4 config, static
                              ipv4 addr, 10.0.0.1
                              upstream gateway, none

                              firewall > nat > outbound > add
                              10.0.0.0 / 24
                              src * dest *
                              Nat address, Wan Address

                              firewall > rules > add
                              source, GUEST address
                              dest *
                              gateway WAN_DHCP
                              pass

                              services > DHCP server > GUEST
                              scope 10.0.0.10 - 10.0.0.254

                              Anything I've missed?

• BBCModelB @BBCModelB

                                FOUND IT!!!

                                firewall > rules > add
                                source, GUEST address
                                dest *
                                gateway WAN_DHCP
                                pass

                                should be

                                firewall > rules > add
                                source, GUEST net
                                dest *
                                gateway WAN_DHCP
                                pass

• BBCModelB

                                  Thanks for all your help guys, you were great!

• JKnott @BBCModelB

                                    @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                                    Thanks for all your help guys, you were great!

                                    You may want to fire up Wireshark or Packet capture, so that you can see all the things you learned in action. A couple of years ago, I bought a cheap managed switch, configured for port mirroring, so that I could watch any connection. I could, for example, insert it between the AP and switch or pfSense and switch.

• NogBadTheBad

You may also want to put a block above your pass rule to block access to the home network from the guest network, something like:

[screenshot attachment]

                                      g_ip_local is an alias that contains IPv4 & IPv6 local subnets.

                                      Andy

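As an added example (not pfSense code, and not from the thread), a toy first-match rule evaluator that shows why the original "GUEST address" rule failed and what NogBadTheBad's block-above-pass ordering does. The LAN subnet 192.168.1.0/24 and the contents of the g_ip_local alias are assumptions, since the thread does not give them.

```python
import ipaddress
from typing import Optional

# Constructed addressing matching the thread: GUEST is the VLAN 2 interface.
# The LAN subnet is an assumption; the thread never states it.
INTERFACES = {
    "GUEST": ipaddress.ip_interface("10.0.0.1/24"),
    "LAN": ipaddress.ip_interface("192.168.1.1/24"),
}
# Assumed contents of an alias like g_ip_local: private IPv4 ranges plus IPv6 ULA.
ALIASES = {"g_ip_local": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"]}

def resolve(spec: str) -> list:
    """Expand a pfSense-style source/destination spec into networks:
    '<IF> address' is the interface's own IP, '<IF> net' is its subnet,
    '*' is anything, and an alias name expands to its member networks."""
    if spec == "*":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if spec in ALIASES:
        return [ipaddress.ip_network(n) for n in ALIASES[spec]]
    name, kind = spec.split()
    iface = INTERFACES[name]
    if kind == "address":
        return [ipaddress.ip_network(str(iface.ip))]
    if kind == "net":
        return [iface.network]
    raise ValueError(f"unknown spec {spec!r}")

def evaluate(rules: list, src: str, dst: str) -> Optional[str]:
    """First matching rule wins; each rule is (action, source_spec, dest_spec).
    No match returns None, standing in for the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in rules:
        if any(s in n for n in resolve(src_spec)) and any(d in n for n in resolve(dst_spec)):
            return action
    return None

# The first attempt from the thread: 'GUEST address' matches only 10.0.0.1 itself.
BROKEN = [("pass", "GUEST address", "*")]
# The fix ('GUEST net') with the suggested block rule placed above it.
FIXED = [("block", "GUEST net", "g_ip_local"), ("pass", "GUEST net", "*")]

if __name__ == "__main__":
    for rules, name in ((BROKEN, "BROKEN"), (FIXED, "FIXED")):
        for dst in ("203.0.113.10", "192.168.1.10", "10.0.0.1"):
            print(name, "10.0.0.50 ->", dst, "=>", evaluate(rules, "10.0.0.50", dst))
```

Note the last case: an alias covering 10.0.0.0/8 also matches the GUEST gateway 10.0.0.1, so a guest client's DNS to the interface address would hit the block rule; a narrower pass above it covers that.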
• BBCModelB @JKnott

                                        @jknott said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                                        @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                                        Thanks for all your help guys, you were great!

                                        You may want to fire up Wireshark or Packet capture, so that you can see all the things you learned in action. A couple of years ago, I bought a cheap managed switch, configured for port mirroring, so that I could watch any connection. I could, for example, insert it between the AP and switch or pfSense and switch.

                                        Yes, I'll do that

• BBCModelB @NogBadTheBad

                                          @nogbadthebad said in Simple VLAN for PFSense + Unifi AP-AC-LR:

You may also want to put a block above your pass rule to block access to the home network from the guest network, something like:

[screenshot attachment]

                                          g_ip_local is an alias that contains IPv4 & IPv6 local subnets.

                                          Will do
