Unable to DHCP / access internet by unifi guest-wifi

johnpoz

vmx1

So this is running on esxi? So what vlan ID did you set on the vswitch? If you want to pass vlan tags to pfsense under esxi, the vswitch needs to be set to 4095 so it doesn't strip tags.

Teddy

@johnpoz said in Unable to DHCP / access internet by unifi guest-wifi:

vmx1

So this is running on esxi? So what vlan ID did you set on the vswitch? If you want to pass vlan tags to pfsense under esxi, the vswitch needs to be set to 4095 so it doesn't strip tags.

Exactly. It is running on ESXI, that also then just came in my mind...

But how does this exactly work?

I'm having three virtual switches. The Unifi is on the vswitch internetgroup, the PFSense internet access is from the vswitch LAN. Can i just set now both to 4095? Yet the vswitch is set to 0.

johnpoz

Depends on if your wanting tags to go over the vswitch..

You can do your vlans in esxi and psense doesn't even have to know about them, just create new vnics for pfsense to connect to each vswitch that is on your different vlans.

Teddy

@johnpoz

Uff, that's just making me weird.

1. Create vnic (Portgroup -> add portgroup -> give name -> 4095 VLAN ID)
2. Connect to where?

johnpoz

You would not set 4095 if your doing a port group with the vlan ID and letting esxi do it.. You would just create new vnics for pfsense..

So it would have say
vmx0 wan
vmx1 lan
vmx2 opt

You would handle the vlans on your switch and your vswitches... To pfsense nothing would be tagged, there would be no vlans setup on pfsense, just interfaces.

if your going to have
vmx0 wan
vlan 10 on vmx0 lan
vlan 20 on vmx0 opt

Then the port vswitch/portgroup pfsense vmx0 is connected to would be vlan ID 4095 so it will not strip tags.

Teddy

I don't get it to work.

Just did "Add Portgroup" -> VLAN22 -> set VLAN-ID 22 -> saved

Added this interface one time to PFSense and one time to Unifi Controller VM. Now edited in PFSense the interface, DHCP Server etc. to the new interface, but still no success. I don't get an IP address. That's weird, can't be so complicated, if the basic guest-wifi without VLAN was already working really properly.

johnpoz

@Teddy said in Unable to DHCP / access internet by unifi guest-wifi:

one time to Unifi Controller VM.

Not sure what your doing in the controller - but all you need to do is tag your ssid with the vlan id..

No its not complicated at all, but you do have to understand how esxi handles tags.. And you have the switches set to allow the tags..

You have your switch tagging vlan 22 on 3 ports? Do you have multiple AP?

Would be tagged where it goes to your esxi host, and pfsense interface for this vlan... And it would be tagged on your port connected to your AP.

If your port is only connected to 1 nic on your host that is only connected to the vlan vswitch - then you would just have it set to 0 as the ID, and your switch port would be untagged.. If this port is only going to carry traffic for that vlan.

You only have to tag traffic on ports that are going to carry more than 1 vlan.. If there is only one vlan on it, then its not tagged.

Why don't you actually draw up how you have everything connected and we can work through where you would tag and where you wouldn't

Teddy

Well, the guest-access to the Unifi is only possible by the Unifi Controller Software (which is running on a Ubuntu machine). So i thought, that this machine(s) interface needs to be tagged with VLAN 22.

My switch was tagged on three ports for following reason:

• 1 Tag for the Unifi hardware (it is just one AP and connected to the POE+ Switch by LAN cable)
• 1 Tag for the LAN group (that is, where the internet goes in and out in my network. Everything is tunneled through an external VPN service, so i can't go directly to the WAN interface
• 1 Tag is connected to the internetgroup (to which i also assigned the Unifi Controller VM)

My thought was, that the user is connected with the AP, asking for a website, the unifi controller (because it is just a guest wifi) will say "Ok, you have permission, due to right password" and is sending it through the internetgroup interface to the lan interface, where PFSense is getting the wanted information from the internet.
Shortly: Smartphone / Laptop -> AP -> Unifi Controller (only, if using guest-access, handled by the Unifi Controller and NOT PFsense) -> Controller -> LAN -> PFsense WWW

But i will try to make a paint about my infrastructure. Then we maybe get better on.

johnpoz

Guest wifi is different then a vlan..

Your going to have to explain what you want to happen.. You do understand pfsense can run a captive portal for you as well.

so i can't go directly to the WAN interface

WTF? What would that have to do with tagging on port on your switch?

1 Tag is connected to the internetgroup (to which i also assigned the Unifi Controller VM)

Why do you think this needs to be tagged to the controller? The controller just talks to the AP via the management network, which is normally no vlan and untagged traffic.

Yeah we need a drawing - to be honest seems like you have a real mess...

Teddy

@johnpoz

I got it working finally.

Now is the setup following:
PFSense has three interfaces.

• One incoming WAN (VMXNet3)
• One LAN Interface (VMXNet3)
• One VLAN Interface (tagged with 22, e1000)

First i also set the VLAN interface as VMXNet3, but then it didn't appear in "assignments" as new interface.
After i changed the VLAN "Hardwaretype" from VMXNet3 to e1000, it appeared as new interface in PFSense. Then i added the 22 VLAN as VLAN-ID, set on my Zyxel Switch the port of the AP to VLAN22, the LAN-port to VLAN22 and it all started to work.

So looks like the wrong interface was the problem in this case.

johnpoz

You can for sure do vlans on vmx3..

I still have no real idea how you have it setup.. So you have 2 vnics connected to the same vswitch your lan and your vlan e1000 interface in pfsense?

I would really suggest you draw this up, so we can discuss if optimal or not.

chpalmer

On the unifi controller.. Is it also providing a DHCP server?

Teddy

@chpalmer

No. As far as i know, the Unifi Controller doesn't offer a DHCP Server.
Either you use an external one (like PFSense, they offer option that it is used) or one of their devices (USG - Unifi Security Gate) or other devices.

@johnpoz I'll do the painting the next days and then we can check for it! :)

Teddy

@johnpoz

Here is a (bad) painting of my network. I now optimized it.

Now i am having the following combination:
VSwitch:
WAN
LAN

Portgroup:
PFSense
Windows10
Nextcloud
Ubuntu
UnifiServer
......

And i just have now three cables in use:

• One from the Modem in the ESXI Host (WAN Connection -> WAN Port VMX0)
• One from the ESXI Host to the POE+ Switch (VMX1, Port 1 of the switch)
• One from the Switch to the Unifi AP (Port 2 of the switch)

Just the problem, now the Guest Wifi on VLAN 22 is not working anymore again :(

I put following tags:
VLAN Tag 22 to Port 1 of the switch (LAN)
VLAN Tag 22 to Port 2 of the switch (Unifi AP)
VMX1 (LAN) Tag 22
VLAN Tag 22 to Guest-Wifi on AP

I assigned on "Interfaces" "VLAN22 on VMX1 LAN" and set it to 192.168.2.1 as GuestWifi
I configured the DHCP Server for this GuestWifi Interface for a range from 192.168.2.1-192.168.2.254

But i can't obtain an IP Adress anymore.

Sytems logs -> DHCP says:

Is that enough information to get it now stable running?

johnpoz

That Drawing is useless.. It looks Kind of pretty, but your pvfsense is a VM right.. You don't how how that is connected to anything physical.

vmx0 and vmx1 would be virtual interfaces.. How is that tied to your hosts physical interfaces? Lets see a screenshot of networking in esxi