Netgate Discussion Forum
    Need help setting up VLANs (pfsense router, unifi switch, AP-AC-PRO WAP)

    L2/Switching/VLANs
    codybadger:

      Hi All,

      I'm looking to get some support on setting up my first VLAN. I figured the easiest way to do this was to try and make a guest WIFI network on a VLAN. The problem I'm having is that when I connect a device to my VLAN, it will receive an IP address from the pfsense DHCP service, but it won't have any access to the internet. I can ping devices on the same VLAN, on my private LAN (that's on a different subnet), and ping from my private LAN to a device on the VLAN. I just can't load anything from the outside world.

      I've followed these two tutorials:

      • https://www.youtube.com/watch?v=hhPGN4UJHAM
      • https://www.youtube.com/watch?v=b2w1Ywt081o

      They're both pretty straightforward, and I'm pretty sure I've set everything up correctly. The VLAN I'm trying to set up is called "GUEST" and is on the 192.168.55.x subnet. My LAN interface passes me to the internet fine. I'm also running the pfBlocker ad blocking package and run an OpenVPN.

      Here are a few screenshots of my setup. I figured there's a setting somewhere that I've got wrong, and hoping someone here can help me find it.

      VLAN interface setup: (screenshot)

      VLAN firewall rules: (screenshot)

      VLAN DHCP service: (screenshot)

      Outbound NAT Rules (I don't really know what this is - noticed there isn't anything here about the 192.168.55.x subnet, possibly the culprit?): (screenshot)

      Unifi networks: (screenshot)

      Unifi WIFI networks: (screenshot)

      Anyway, would love some help/input if anyone has some time. Let me know what else you need to know.
      Thank you!

      JKnott @codybadger:

        @codybadger

        You'll need a route to get to the Internet and also a rule to allow it.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        viragomann @codybadger:

          @codybadger
          You're missing an Outbound NAT rule on WAN for that VLAN.
          Why do you have your Outbound NAT in manual mode?

          codybadger:

            @JKnott and @viragomann thanks for the responses.

            So would that be a duplicate of my fifth (from top) NAT rule, but for 192.168.55.x instead of 44? I did try that, but it didn't seem to work for me either.

            johnpoz (LAYER 8 Global Moderator):

              @viragomann said in Need help setting up VLANs (pfsense router, unifi switch, AP-AC-PRO WAP):

              Why do you have your Outbound NAT in manual mode?

              Because most of the idiot vpn service guides say to do that - arrrgghhhh!!!

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              codybadger:

                @johnpoz yes, that's exactly what happened. I kind of set the NAT up without really knowing what it means.

                johnpoz (LAYER 8 Global Moderator):

                  @codybadger said in Need help setting up VLANs (pfsense router, unifi switch, AP-AC-PRO WAP):

                  without really knowing what it means.

                  Yup that is part of the problem for sure - also the fact that the idiots writing the guides don't have a clue either ;)

                  You can tell that from shit like this..

                  (screenshot from a VPN provider's setup guide)

                  WTF!! No, you're not going to use your self-signed web GUI cert as your auth client cert - JFC!!! That should be the cert they give you, or be set to none if just using username/password..

                  That anyone thinks these are companies that have any clue to security at all is just beyond me...

                    viragomann @codybadger:

                    @codybadger said in Need help setting up VLANs (pfsense router, unifi switch, AP-AC-PRO WAP):

                    So would that be a duplicate of my fifth (from top) NAT rule, but for 192.168.55.x instead of 44? I did try that, but it didn't seem to work for me either.

                    This is for outgoing over the WAN. If it should also work when the OpenVPN client is connected (assuming it's the default gateway then), you need an additional rule for OpenVPN like the sixth one.
                    However, it's recommended to assign an interface to the OpenVPN client instance first and add the outbound NAT rule to this specific interface, because OpenVPN is an interface group which covers all OpenVPN instances you're running, i.e. all clients and all servers.

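An added example (not from the thread and not pfSense's own code) that checks a config for the two points viragomann raises: a local subnet with no outbound NAT rule on WAN in manual mode, and a rule bound to the "openvpn" interface group rather than to an assigned OpenVPN interface. It parses a constructed config.xml-style snippet; the element names are assumed from pfSense's config format and the addresses are invented to mirror this thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of pfSense's config.xml (element names assumed from that
# format). It mirrors the thread: LAN 192.168.44.0/24 has a WAN rule, the GUEST VLAN
# 192.168.55.0/24 has none, and one rule is bound to the "openvpn" interface group.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><ipaddr>dhcp</ipaddr></wan>
    <lan><ipaddr>192.168.44.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>GUEST</descr><ipaddr>192.168.55.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <nat><outbound>
    <mode>advanced</mode>
    <rule><interface>wan</interface><source><network>192.168.44.0/24</network></source></rule>
    <rule><interface>openvpn</interface><source><network>192.168.44.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""


def audit_outbound_nat(config_xml: str) -> dict:
    """Report local subnets lacking an outbound NAT rule on WAN, and rules bound to the
    'openvpn' interface group (which covers every OpenVPN client and server instance)."""
    root = ET.fromstring(config_xml)
    mode = root.findtext("nat/outbound/mode", default="automatic")
    subnets = {}
    for iface in root.findall("interfaces/*"):
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        try:
            subnets[iface.tag] = str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
        except ValueError:  # e.g. <ipaddr>dhcp</ipaddr> on WAN: not a locally routed subnet
            continue
    rules = root.findall("nat/outbound/rule")
    wan_sources = {r.findtext("source/network") for r in rules if r.findtext("interface") == "wan"}
    # Only manual ("advanced") mode needs hand-written rules; automatic and hybrid generate them.
    missing = {} if mode in ("automatic", "hybrid") else {
        name: net for name, net in subnets.items() if net not in wan_sources}
    group_bound = [f"{r.findtext('interface')} -> {r.findtext('source/network')}"
                   for r in rules if r.findtext("interface") == "openvpn"]
    return {"mode": mode, "missing_wan_nat": missing, "group_bound_rules": group_bound}


if __name__ == "__main__":
    for key, value in audit_outbound_nat(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```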
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.