• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Simple VLAN for PFSense + Unifi AP-AC-LR

General pfSense Questions
3
32
6.3k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • B
    BBCModelB @NogBadTheBad
    last edited by Jul 2, 2018, 3:37 PM

    @nogbadthebad

    Ah, thats interesting, so I can actually view the tagged / untagged traffic - thanks for the info

    N J 2 Replies Last reply Jul 2, 2018, 3:51 PM Reply Quote 0
    • N
      NogBadTheBad @BBCModelB
      last edited by Jul 2, 2018, 3:51 PM

      @bbcmodelb

      Yes you need to find a packet with a vlan id in and add it as a column or create a new column and set it as follows:-

      login-to-view

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      1 Reply Last reply Reply Quote 0
      • J
        JKnott @BBCModelB
        last edited by JKnott Jul 2, 2018, 4:05 PM Jul 2, 2018, 4:02 PM

        @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

        @nogbadthebad

        Ah, thats interesting, so I can actually view the tagged / untagged traffic - thanks for the info

        Yep, Wireshark is a very useful tool for understanding network issues. For example, by looking at that capture, you can see it's an Ethernet II (also known as DIX) frame, which is 1 of 2 types, the other being IEEE 802.3. The only significant difference between them is the Ethertype/length field I mentioned. If it's 1500 or less, it's the size of the data carried by the frame. If 1536 or more, it's Ethertype, which describes the payload type. In this example, a VLAN frame. When you have Wireshark running, you can expand the fields to see the actual contents. If 802.3 length, then it imposes a hard limit of 1500 bytes, which many incorrectly assume to be the maximum IP MTU. However, IP uses Ethernet II, which has no length limit and, in fact, up to 65K MTU is supported, provided layer 2 supports it. Way back in the dark ages, the hardware limited the frame size to 1518 bytes, which meant there wasn't room for both a VLAN tag and full 1500 byte MTU. However, that limit was removed 20 years ago with frame expansion, so no modern hardware should have a problem with VLAN tags.

        BTW, pfSense includes "Packet Capture", which can be used to capture frames. However, it doesn't display as much as Wireshark, so you may want to capture with Packet Capture and then download the capture to view with Wireshark.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        1 Reply Last reply Reply Quote 0
        • B
          BBCModelB
          last edited by Jul 2, 2018, 5:12 PM

          Hmmm, I've implemented a solution using unmanaged switches, and connected my smartphone to the new GUEST wifi, where the pfsense box IS giving it the correct IP address 10.0.0.x, but when I try to access a website, nothings appearing almost as if its a firewall / nat issue?

          pfSense box config

          interfaces > interfaces assignments > vlans > add >
          tag, 2
          parent interface, em3 (lan)
          priority, 0

          interfaces > interfaces assignements > add >
          description, GUEST
          ipv4 config, static
          ipv4 addr, 10.0.0.1
          upstream gateway, none

          firewall > nat > outbound > add
          10.0.0.0 / 24
          src * dest *
          Nat address, Wan Address

          firewall > rules > add
          source, GUEST address
          dest *
          gateway WAN_DHCP
          pass

          services > DHCP server > GUEST
          scope 10.0.0.10 - 10.0.0.254

          Anything I've missed?

          B 1 Reply Last reply Jul 2, 2018, 5:14 PM Reply Quote 0
          • B
            BBCModelB @BBCModelB
            last edited by BBCModelB Jul 2, 2018, 5:15 PM Jul 2, 2018, 5:14 PM

            FOUND IT!!!

            firewall > rules > add
            source, GUEST address
            dest *
            gateway WAN_DHCP
            pass

            should be

            firewall > rules > add
            source, GUEST net
            dest *
            gateway WAN_DHCP
            pass

            1 Reply Last reply Reply Quote 0
            • B
              BBCModelB
              last edited by Jul 2, 2018, 5:19 PM

              Thanks for all your help guys, you were great!

              J 1 Reply Last reply Jul 2, 2018, 5:23 PM Reply Quote 0
              • J
                JKnott @BBCModelB
                last edited by Jul 2, 2018, 5:23 PM

                @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                Thanks for all your help guys, you were great!

                You may want to fire up Wireshark or Packet capture, so that you can see all the things you learned in action. A couple of years ago, I bought a cheap managed switch, configured for port mirroring, so that I could watch any connection. I could, for example, insert it between the AP and switch or pfSense and switch.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                B 1 Reply Last reply Jul 2, 2018, 6:03 PM Reply Quote 0
                • N
                  NogBadTheBad
                  last edited by NogBadTheBad Jul 2, 2018, 5:43 PM Jul 2, 2018, 5:33 PM

                  You may also want to put a block above your pass rule to block the home network access from the guest network , something like :-

                  login-to-view

                  g_ip_local is an alias that contains IPv4 & IPv6 local subnets.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  B 1 Reply Last reply Jul 2, 2018, 6:07 PM Reply Quote 0
                  • B
                    BBCModelB @JKnott
                    last edited by Jul 2, 2018, 6:03 PM

                    @jknott said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                    @bbcmodelb said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                    Thanks for all your help guys, you were great!

                    You may want to fire up Wireshark or Packet capture, so that you can see all the things you learned in action. A couple of years ago, I bought a cheap managed switch, configured for port mirroring, so that I could watch any connection. I could, for example, insert it between the AP and switch or pfSense and switch.

                    Yes, I'll do that

                    1 Reply Last reply Reply Quote 0
                    • B
                      BBCModelB @NogBadTheBad
                      last edited by Jul 2, 2018, 6:07 PM

                      @nogbadthebad said in Simple VLAN for PFSense + Unifi AP-AC-LR:

                      You may also want to put a block above your pass rule to block the home network access from the guest network , something like :-

                      login-to-view

                      g_ip_local is an alias that contains IPv4 & IPv6 local subnets.

                      Will do

                      1 Reply Last reply Reply Quote 0
                      32 out of 32
                      • First post
                        32/32
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.