Why are WAPs leased on their own Guest Network?

  • Hello,

    I have noticed that both of my Unifi PRO WAPS keep appearing in the DHCP lease list as leased to their own Guest network. They are statically assigned to 192.168.1.x, but as you can see in the pics they keep appearing as leased to 192.168.40.x which is the Guest vlan. I have the Unifi controller running a guest network (vlan 40) with the Unifi captive Portal, and a vlan ( in pfSense to control routing/access.

    Any ideas as to why this is happening?

    -New screenshots below-

  • LAYER 8 Global Moderator

    sounds like you have your vlans configured wrong..

    Not sure what we are to gain from your posts when you hide the MACs, which would allow us to see what specific interface is doing a request, etc.

    The management IP of your AP will be untagged.

  • I will repost the pics with no obfuscation, and post pics of the AP Controller settings as well when I get home tonight..

    If you think of a specific pic you need to see before then let me know.

    Thanks in advance..

  • A topology description: pfSense is connected through igb2 (lan) to a Cisco-SG300 to a trunk port which is a member of all vlans. The two WAPs are connected direct to the sg-300 via trunk ports which are a member of all vlans. Both the Unifi controller and the sg-300 switch have WifiGuest vlan ID as 40. I see no entries in the Unifi Controller Events log relating to the WAPs at all.

    Here are the new screencaps, let me know if you need anything else. The two DHCP log entries are a search for, which also shows as

  • LAYER 8 Global Moderator

    So you set this vlan 40 as guest network in unifi with the captive portal running then..

  • @johnpoz:

    So you set this vlan 40 as guest network in unifi with the captive portal running then..

    Yes (the captive portal is in Unifi, not in pfSense to be clear). The Guest Wireless Network in Unifi is set as a Guest Network with Guest Policies activated and is assigned the vlan ID of 40. The Guest Portal only displays the TOS, no authentication happens. Then I created a vlan in pfsense with same ID. Devices that connect to the Guest Wifi ssid get assigned the correct 192.168.40.x IPs, and are properly displayed the Portal TOS before being allowed to continue to browse. They are also properly segregated from any other network (LAN, IOT, etc).

    Is that what you were getting at?

  • LAYER 8 Global Moderator

    Yes that is going to be required when you do that..

    Here I just enabled guest portal and tos of one of my vlans - bam dhcp request from the AP for an IP on that guest network

  • Ah, so the request for an IP on the guest vlan in pfsense is expected behavior when setting up Unifi like it is then, correct?

    Is this behavior proper? Is it a risk in any way? Or just something to ignore?

  • LAYER 8 Global Moderator

    It is expected - what sort of risk is there? It's not a management IP of the AP..

    You're best to ask such a question on the unifi forums.

  • Roger, thanks for your help…
