Unifi ap ac pro with Vlan PFsense DHCP, NAT, connected devices not getting out.

  • Hello all,

    I am having some problems getting vlans working on my Pfsense box which is attached to a unifi ap pro.

    What is my set up:

    unifi ap pro  has 4 ssids, each having their own vlans.

    Each vlan has been set up on the same interface PO1 on pfsens box and all have DHCP servers configured for them.

    The interface that connects the unifi , switch and pfsense is active with all vlans and has its own dhcp server for the unifi and other native devices that are not within a vlan (vlan trunking/ adminstration interface?), im using it now and its working fine.

    The unifi and pfsense devcices are connected to a netgaer switch which has two ports with vlans assigned to them.

    Results from setup:

    all devices can connect to the unifi and authenticate

    all devices can get ip from dhcp from there respected vlan dhcp servers

    all dhcp server have gateways (static ip of the vlan interface)

    each vlan has its own firewall rules pointing to the gateway addresses of the wan with source from the respected vlan.

    nat has been configured with all ips in relation to each dhcp server.

    What have i done to test,

    i can ping from each vlan using pfsense diagnostics to the main wan

    i cannot ping the default gateway from each connected machine except the non vlan one which works and is able to get out.

    I think this may be a broadcast layer 2 issue since the router part of pfsense is supposed to remove tagging when getting out, and put it back when going in, so it should work.

    Am i doing something wrong?

    from my understanding the vlans for router on a stick function should be trunked from the switch, but "trunk" is a cisco term.

    Looking at the net gear switch (gss108e), i think the logic should be to have the vlans in its database (802.1Q) and have them all assigned to the interfaces from the unifi to the pfsense box.

    The fact that they can get DHCP addresses shows that the physical link works.

    i have been at this for days and  i am lost, please help!

  • LAYER 8 Global Moderator

    "each vlan has its own firewall rules pointing to the gateway addresses of the wan with source from the respected vlan. "

    What??  Post up your rules for your vlans..

  • Hello,

    Thank you for your reply.

    The fire wall rules are as follows:

    With specified gateway:

    Protocol: TCP/UDP, Source: vlan3098, Port: (meaning any from my understanding), Destination: * , Port: (of destination), Gateway WAN_PPOE, Que: none

    With none specified:

    Protocol: TCP/UDP, Source: vlan3098, Port: , Destination: * , Port: (of destination), Gateway *, Que: none

    i have tried it both ways since posting and it still does not work for vlans only,
    When setting up a normal interface it’s all working fine, hence why i am at a loss.

    Please help if you can.

    Thanks again.


Log in to reply