Unifi Pro + Netgate sg2440 + VLANs: controller setup?

  • I have a unifi pro broadcasting 3 separate ssid vlan ips and a netgate sg2440 configured with land on a parent LAN.

    My controller is not connecting?

    Do I configure the ap via a LAN? Dedicated ssid for controller?

    Thanks in advance for sharing any similar configuration details…

  • The AP management interface and the controller need to be in an untagged VLAN, or are you using a phone / tablet as the controller?

  • Phone as a controller?  You mean managing the controller with the phone?

  • @kapara:

    Phone as a controller?  You mean managing the controller with the phone?


    You can manage an AP via the app according to the last post but I have a controller.

  • LAYER 8 Global Moderator

    So you're saying your controller is not seeing your AP?  They need to be on the same Layer 2, or you need to set up L3 adoption if they are on different L2 networks.

    UniFi - Layer 3 methods for UAP adoption and management

    You can put the controller and the AP management on any network you want..  But for the controller to find them it needs to be on the same layer 2, and no, the AP management cannot be on a tagged vlan..

    "with land on a parent LAN."

    I take it from this that you're using a vlan?  Not sure what a land is ;)

    Which is fine, but the vlan your AP and controller are on needs to be untagged to the AP..  So if you're using multiple vlans on your AP for your SSIDs, just make sure the network you're managing your AP on is untagged/native on your connection to the AP.  As long as your controller is on this same L2 you should find the AP no problem.

  • Thank you all…

    I am not using the phone(iPhone) to manage my network. I found it had little functionality for my initial setup, specifically I wasn't able to set up VLANs.

    If I want to change up my configuration, I log into my controller software on my computer, make my configuration changes(new VLANs) on my Unifi controller software, I reset the unifi(hold the reset button for 20+ seconds), the Unifi returns to factory and then I am able to "adopt" the AP using the default wifi signal from the AP. I do this because I can't adopt...

    I have also had success resetting my Unifi pro to default and connecting with default ip info via hardware network.

    The changes I made on my computer are then transferred to the Unifi AP...I then am never able to adopt to my Unifi again?

    (I use a Mac and need to turn off my mac firewall to adopt)

  • LAYER 8 Global Moderator


    You sure as hell should not have to reset your AP more than once if it has been adopted by another controller, etc.

    Going to need way more details if you want some help..

    Where is your controller connected (what vlan), where are your AP(s) connected.. Switch in use?  Config of these vlans on your switch..  Again your AP and controller should be on the same Layer 2..  If they are not then you would need to use the layer 3 adoption methods I linked to.

  • I made some progress but still not ideal…

    *I have 4 VLANs(all unique IPs with pfsense interfaces, rules) all have the parent interface of my Opt 1(Not the preconfigured LAN that is configured with the sg2440)

    *The Unifi AP is connected to the Opt 1 LAN(separate ip) not a VLAN

    *I am currently using my default LAN for web GUI access only

    * no switch(I have a smart switch but the only thing connected was my Unifi AP)

    * I have an Apple TV that I have connected directly to my sg2440 on opt2

    I did manage to get access to the controller by allowing my admin computer(on default LAN) to access Opt 1, however I had to "turn off" one of my isolating rules(block rule to "Destination: LAN net" on my opt1 interface). Definitely not elegant...

    Not sure if the best(most secure) way to have the controller accessible is via a non VLAN ssid from AP or via rules allowing access from dedicated pfsense webgui LAN to the opt1 interface(wired only) for Unifi controller access only(don't want the opt1 to have any more access to LAN or firewall). I only access my webgui via wired connection only.

  • LAYER 8 Global Moderator

    What?  Dude what part do you not understand about the same layer 2 for your AP and controller?

    Where is your controller running - what network/vlan?  This OPT1 interface?

    "* no switch(I have a smart switch but the only thing connected was my Unifi AP)"

    Where is your controller?  If it's on your LAN and your AP is on OPT1 then it's not the same layer 2 - did you bridge lan and opt??  If not then no, it's not the same layer 2!!  If you have a smart switch then USE IT!!!

    Connect the switch to whatever port on the sg you want to run your wifi ssid/vlans on.  Trunk the port to the SG with native vlan you want to use to manage your AP and run your controller on.  Then tag the vlans your ssid are going to be.

    On the port you connect your controller - this will be your untagged opt1 network (what vlan on your switch?) On the port you connect your AP same thing your opt1 network will be untagged and your SSID/Vlans will be tagged.

    This is really 30 seconds to setup if you understand the basics of vlans tagging and untagged..
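
As an added illustration of the layout described in the post above (not code from the thread or from Ubiquiti/Netgate), the small Python model below encodes each switch port as an untagged (native/PVID) VLAN plus a set of tagged VLANs and checks the two rules the moderator keeps repeating: the controller host and the AP management network must sit in the same untagged VLAN (same Layer 2), and the SSID VLANs must be tagged on the AP's port. The VLAN IDs (1 for the SG2440 LAN, 20 for OPT1, 30/40/50 for the three SSIDs), the port names, and the helper names are my assumptions for the example.

```python
"""Added example: check a UniFi controller/AP switch-port layout for L2 adoption.

Assumed (not from the thread): VLAN 1 = SG2440 LAN, VLAN 20 = OPT1 (AP
management), VLANs 30/40/50 = the three SSIDs. Port names are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Port:
    """One switch (or firewall) port: its untagged/native VLAN and tagged VLAN set."""
    name: str
    native: int
    tagged: frozenset = field(default_factory=frozenset)

    def carries(self, vlan: int) -> bool:
        """True if frames for `vlan` can enter or leave this port at all."""
        return vlan == self.native or vlan in self.tagged


def same_l2(a: Port, b: Port) -> bool:
    """Two untagged hosts share a broadcast domain iff the native VLANs match."""
    return a.native == b.native


def adoption_check(controller_port: Port, ap_port: Port,
                   ap_mgmt_vlan: int, ssid_vlans: set) -> list:
    """Return a list of problems; an empty list means plain L2 adoption should work.

    controller_port: port the machine running the controller is plugged into.
    ap_port:         port the AP is plugged into (trunk: native + tagged SSIDs).
    ap_mgmt_vlan:    VLAN the AP's own management IP lives in.
    ssid_vlans:      VLAN IDs assigned to the SSIDs in the controller.
    """
    problems = []
    # The AP cannot be managed over a tagged VLAN; management rides the native VLAN.
    if ap_mgmt_vlan != ap_port.native:
        problems.append(
            f"AP management VLAN {ap_mgmt_vlan} is not the untagged/native VLAN "
            f"({ap_port.native}) on port {ap_port.name}"
        )
    # Controller discovery is L2 broadcast: both must be untagged in the same VLAN.
    if not same_l2(controller_port, ap_port):
        problems.append(
            f"controller is untagged in VLAN {controller_port.native} but AP management "
            f"is VLAN {ap_port.native}: different Layer 2, needs one of the L3 adoption methods"
        )
    # Every SSID VLAN must actually be carried (tagged) on the AP's trunk port.
    missing = sorted(v for v in ssid_vlans if not ap_port.carries(v))
    if missing:
        problems.append(f"SSID VLAN(s) {missing} are not tagged on AP port {ap_port.name}")
    return problems


# Layout described by the original poster: controller (Mac) on the SG2440 LAN port,
# AP on the OPT1 port with the SSID VLANs tagged.
POSTER_CONTROLLER = Port("sg2440-LAN", native=1)
POSTER_AP = Port("sg2440-OPT1", native=20, tagged=frozenset({30, 40, 50}))

# Layout the moderator suggests: both on the smart switch, OPT1 (20) untagged on
# both ports, SSID VLANs tagged only on the AP port.
SWITCH_CONTROLLER = Port("sw-port2", native=20)
SWITCH_AP = Port("sw-port3", native=20, tagged=frozenset({30, 40, 50}))


if __name__ == "__main__":
    for label, ctrl, ap in (("poster", POSTER_CONTROLLER, POSTER_AP),
                            ("switch", SWITCH_CONTROLLER, SWITCH_AP)):
        issues = adoption_check(ctrl, ap, ap_mgmt_vlan=20, ssid_vlans={30, 40, 50})
        print(label, "OK" if not issues else issues)
```

Running it prints one problem for the poster's layout (controller in VLAN 1, AP management in VLAN 20) and none for the switch layout; dropping a tag from the AP port, or putting the AP's management address in a tagged VLAN, is reported as well.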

  • My Unifi AP is on opt1, the Unifi AP has a static lease on the Opt interface(not a VLAN), just to clarify my "controller" is the software that I download from Ubiquiti which I have on my computer(Mac), the mac is connected to LAN via network cable directly to sg2440 for web GUI access only on my sg2440.

    Layer 2 = same network(IP)…I think I now get it(thanks!). I also think that I did create a temporary bridge to manage it via rules I.e. I added "allow" on my opt1 to LAN(which Seemed wrong but worked...I subsequently deleted those rules to keep opt1 isolated).

    I already have VLAN tags set up on the AP and the interfaces created in pfsense and I believe opt1 is acting as a trunk(it's also the parent to all the VLANs in pfsense). I am also getting individual snort alerts on each VLAN which makes me think the traffic is separated(I am also getting snort alerts on opt1, however I think that is because of snort's "promiscuous" inspection.).

    Is the only solution to add a switch that I would need to manually plug in/out to be on the same layer 2? Could I not have a ssid broadcast from the AP that is not a VLAN?

  • LAYER 8 Global Moderator

    "my 'controller' is the software that I download from Ubiquiti which I have on my computer(Mac), the mac is connected to LAN"

    Yes - if this is on your lan, and your AP is on your opt then no, they are not the same layer 2.  And no, layer 2 doesn't have to mean the same IP network (which would be layer 3).. Yes, this is normally always the case since you should not run more than 1 layer 3 (IP) on the same layer 2..

    Layer 2 is the data link layer - it is made up of the LLC and MAC layers..

    Let's look at it this way: if your lan is and your OPT is then yes they are different Layer 3 - if so then you need to use the layer 3 adoption info I linked to.  But I am really going to point this out from the article from unifi

    "Please make sure you're familiar with how UniFi works (e.g. where AP and Controller is in the same L2) before you attempting L3 Management. L3 management adds many moving parts in the mix (i.e. added complexity)."

    I would really suggest you modify your network a bit allow your controller software and AP to be on the same network.  Once you have a handle on how it works, etc. then if you want to break it out to different layer 3 then have at it.

    If you don't have hardware or VM you can run the controller on - think about getting their little cloud key as they call it.  To run your controller on if you want to leave your mac on the lan.

    "I did create a temporary bridge"

    I would not suggest that ever - you have a smart switch that does vlans there would be no reason to create a bridge on pfsense..

    If you have a smart switch why do you not leverage it??

  • Thanks Johnpoz…I saw the article you sent and did not feel comfortable doing a "layer 3 adoption" because I wasn't comfortable nor did adding complexity seem safer/more secure.

    I had a switch in my network, VLANs tagged, trunk configured, it was working but I only was using 2 of the 4 interfaces on the switch (Opt 1 and AP). I had the same problem with adopting the controller(I now see why)

    I never utilized the other 2 ports on the switch, however at one point I had my Apple TV connected to one of the other switch ports(configured not as a VLAN but as a separate interface). I configured my current network by utilizing an available sg2440 interface.

    I saw their cloud key but feel more comfortable with adjusting my network design.

    It seems my best options are:

    To add back the switch and dedicate a switch port for Unifi AP management. Plug my computer into the switch port to make a change to my AP configuration.


    This is more of a question but could I not just create another non VLAN ssid on the Opt 1 interface via the Unifi AP for controller access(so as to be on the same layer 2...and 3)? I.e. Don't broadcast the ssid(for what ever benefit that gives me if any) and connect to that ssid from my computer with the controller software only when I need to make changes to my AP configuration?

    I saw your earlier posts discouraging bridges and have avoided them. It's since been undone...

    Thank you again Johnpoz...

  • LAYER 8 Global Moderator

    "connect to that ssid from my computer with the controller software only when I need to make changes to my AP configuration?"

    So you want to admin your AP via wireless network that they run?  You don't see any issues with that? ;)  Wow!

    If your LAN is your "management" why is your AP not on this network?

    Sounds like you want to run the software only when you want to make changes - it is much better to leave the controller software running.  Then you get all the fancy/pretty statistics!

  • So you want to admin your AP via wireless network that they run?  You don't see any issues with that? ;)  Wow!

    Why is that bad…the ssid for AP admin would be on "my" opt1? I get wireless is less secure than hardware but isn't an ssid the same as connecting via switch in this case?

    Regarding not having AP on the LAN, I was trying to 1) separate my VLAN trunk(opt1) from pfsense management(LAN). 2) Having internet access on my LAN/management seemed less secure. I am not sure if my thought process is flawed but that was the thinking.

    I do like the fancy statistics :). I enjoy the Unifi AP, I find a rarely access it other then to change a password or reconfigure my network.

  • LAYER 8 Global Moderator

    When you provision the AP, since you're on wifi, you would lose access to it..

    If all you're going to do is change a password or etc..  Just use the phone APP!  You have zero need for the controller software.

    "Having internet access on my LAN/management seemed less secure"

    So the workstation you're using doesn't have internet access?

    "I am not sure if my thought process is flawed but that was the thinking."

    Borked would be more like it ;)

  • No internet access for my LAN/pfSense management computer. I update the software periodically.

    Thanks again Johnpoz…I think just using the phone app after setup makes the most sense.
