ESXi server using separate Freeradius and pfSense, trying to get VLANs working



  • I've set up a new home server to replace my old dedicated pfSense box. It's running ESXi with an Ubuntu server and pfSense communicating. I also have a Ubiquiti switch and AP for wireless.

    I've set up a dedicated FreeRADIUS backed by MySQL on Ubuntu. I've set it to dynamically tag connections through the AP with a VLAN tag. Running freeradius -X shows this is working. I can also connect fine to the internet through pfSense. However, all my traffic goes through the LAN on pfSense, as it did before I started messing with VLANs. I kind of hoped I could set up a dedicated interface on pfSense (which I did) with the same VLAN tag as my FreeRADIUS connections are getting, and traffic would automagically be routed through the VLAN interface instead of the LAN interface. Alas, no.

    What I want is to manage clients through FreeRADIUS, assign them to disparate VLANs, have FreeRADIUS do the tagging and user/NAS management, and have pfSense be in charge of routing rules. And the Ubiquiti switch and AP just be kind of dumb and unmanaged.

    Am I completely on the wrong track here? Is there a bunch more work I need to do to enable what I want? I'm doing no tagging or VLAN assignment on the switch or AP; it's purely from FreeRADIUS. I'm doing no VLAN port assignment or anything from pfSense itself. Just hoping that tagged traffic will automagically come through the correct interface.

    Just to confirm, FreeRADIUS is using EAP-PEAP-MSCHAPv2 and decorating the response with Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID = my_vlan_tag, the same tag as used in the pfSense VLAN interface.

    Lots of off-topic stuff, but if anyone besides the FreeRADIUS guys knows, it'll be the pfSense community.



  • If your access point is working properly to assign the clients to the correct VLAN, then you shouldn't even have a connection to the internet if pfSense doesn't have any interfaces (VLAN or physical) connected to these VLANs.

    It looks to me as if your AP is actually untagging (or re-assigning) the VLANs on exiting the ethernet interface.

    IIRC, the dynamic VLAN assignment setting for Unifi APs is still in the beta stage. It might not work properly, and there's the known issue where you cannot dynamically assign any VLAN IDs that are statically tagged on any other SSIDs used on the AP.



  • Derp.

    Yeah, it's been around for a while, but I'm a major version behind the firmware that has it. I'll update and try again. Thanks, you pointed me in exactly the direction I needed. Given that I'm setting up several brand-new-to-me things at once, I'd read that stuff about the newness of the feature and subsequently instantly forgotten about it.



  • OK, I followed the original instructions and got the stable branch of the Unifi controller, which was fixed to major version 4. You have to explicitly set the repo to version 5 to get the latest. The latest controller has the ability to "Enable RADIUS assigned VLAN", which is what I wanted, so all good.

    However, it still isn't passing through the tagged VLAN attribute.

    I guess before I figure that out I should figure out another problem: I have assigned a test client device a static IP in FreeRADIUS/MySQL. The Framed-IP-Address attribute contains the value I want, and this is correctly returned in the Access-Accept message from the FreeRADIUS server (along with the VLAN tag). However, pfSense is overwriting the IP with a DHCP-assigned IP from within the pfSense LAN's range.

    The Unifi AP has "Using DHCP" set on it. I think that means it's acting as a client, not as a DHCP server. I can also force it to have a static IP from within pfSense's range, but I haven't tried that. It's actually getting a statically set IP from pfSense, which I specified in pfSense's DHCP server page.

    I have no explicit setting in pfSense's LAN DHCP server for the client device I'm testing with (the one being authorized by FreeRADIUS). In FreeRADIUS (as I mentioned) it's getting a static IP, but in pfSense's DHCP leases it gets a totally different dynamic IP, and all traffic is to/from the dynamic IP.

    Is it possible that pfSense ignores the Framed-IP-Address attribute? Should I be looking at pfSense, FreeRADIUS or the AP to fix this?

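Added example, not from this thread and not code from FreeRADIUS, pfSense or Ubiquiti: a small Python checker for the attribute list the first and last posts describe in an Access-Accept. It encodes the RFC 2868 dynamic-VLAN trio (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN id) the way a RADIUS server puts it on the wire, then parses a payload back and reports what a NAS would trip over: a missing attribute, a wrong type or medium, tunnel attributes that carry different tag bytes, or a group id that is not a VLAN number. Attribute codes and enumerations are the standard RFC 2865/2868 values; the packets it checks are constructed in the block. Framed-IP-Address is extracted only to show what the server returned; the attribute is advice to the NAS, so whether an access point or a separate DHCP server acts on it is a different question from whether the server sent it.

```python
"""Check the attribute payload of a RADIUS Access-Accept for RFC 2868
dynamic-VLAN attributes and an optional Framed-IP-Address.
Added example; the sample payloads below are constructed, not captured."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 2865 / RFC 2868 attribute type codes and enumerated values
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_vlan_reply(vlan_id: int, tag: int = 0, framed_ip: Optional[str] = None) -> bytes:
    """Build the attribute part of an Access-Accept carrying the VLAN trio.
    Tagged integers are 1 tag byte + a 24-bit value; tagged strings are prefixed
    with a tag byte (RFC 2868). All three attributes get the same tag."""
    out = attr(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    out += attr(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    out += attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    if framed_ip is not None:
        out += attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    return out


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, rejecting truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[i], payload[i + 1]
        if a_len < 2 or i + a_len > len(payload):
            raise ValueError(f"bad length {a_len} for attribute {a_type}")
        attrs.append((a_type, payload[i + 2:i + a_len]))
        i += a_len
    return attrs


def split_tag(value: bytes, tagged_int: bool):
    """RFC 2868 tag handling: a tagged integer is always tag + 3 value bytes;
    a tagged string carries a tag only when its first byte is 0x00..0x1F."""
    if tagged_int:
        if len(value) != 4:
            raise ValueError("tagged integer must be 4 bytes")
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def check_vlan_reply(payload: bytes, expected_vlan: Optional[int] = None) -> Dict:
    """Return the VLAN id and Framed-IP-Address found plus a list of problems."""
    problems: List[str] = []
    found: Dict[int, tuple] = {}
    framed_ip = None
    for a_type, value in parse_attributes(payload):
        if a_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            found[a_type] = split_tag(value, tagged_int=True)
        elif a_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, raw = split_tag(value, tagged_int=False)
            found[a_type] = (tag, raw.decode("ascii", "replace"))
        elif a_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            framed_ip = str(ipaddress.IPv4Address(value))

    for a_type, name in ((ATTR_TUNNEL_TYPE, "Tunnel-Type"),
                         (ATTR_TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
                         (ATTR_TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-ID")):
        if a_type not in found:
            problems.append(f"missing {name}")
    vlan_id = None
    if not problems:
        if found[ATTR_TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
            problems.append("Tunnel-Type is not VLAN (13)")
        if found[ATTR_TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
            problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
        # The three attributes must belong to the same tag group to be one assignment
        tags = {t for t, _ in found.values() if t is not None}
        if len(tags) > 1:
            problems.append(f"tunnel attributes carry different tags: {sorted(tags)}")
        group = found[ATTR_TUNNEL_PRIVATE_GROUP_ID][1]
        if group.isdigit() and 1 <= int(group) <= 4094:
            vlan_id = int(group)
        else:
            problems.append(f"Tunnel-Private-Group-ID {group!r} is not a VLAN id in 1..4094")
        if expected_vlan is not None and vlan_id != expected_vlan:
            problems.append(f"VLAN {vlan_id} does not match expected {expected_vlan}")
    return {"vlan_id": vlan_id, "framed_ip": framed_ip, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: VLAN 20 plus a Framed-IP-Address, checked against VLAN 20
    print(check_vlan_reply(build_vlan_reply(20, framed_ip="10.0.20.50"), expected_vlan=20))
```

To check a real reply, feed the attribute bytes that follow the 20-byte RADIUS header of the Access-Accept (what a packet capture on the server shows) into check_vlan_reply with the VLAN id configured on the pfSense VLAN interface; an empty problems list means the server side is sending exactly what a NAS needs, and any remaining mismatch lies downstream of the RADIUS exchange.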
