• I am new to setting up VLANs, so I may have made a mistake or misunderstood…

    I have had a working pfsense setup for about 8 months, and am in the process of upgrading to VLANs, using a couple of new Unifi APs & a Cisco managed switch. This is being completed partly as a live migration (LAN), and partly using a test/demo network (OPT1) for the more complex parts.

    I have one Unifi AP already correctly working on my LAN (em1), providing 2 SSIDs. The other AP is connected to OPT1 (em2), where I am having some difficulty checking the VLAN setup. The Cisco is dormant at the moment, so all VLAN setup is via pfsense.

    I read that the VLAN host interface (e.g. em2) should not be used/active, and that only the VLAN interfaces should be used. I tried this and got stuck.

    With em2 disabled/inactive, and offering 2 VLANs em2_vlan110 & em2_vlan120, my Unifi AP does not acquire a DHCP address and I cannot reliably connect or set up the AP.

    When em2 is enabled (with DHCP), everything appears to work fine.

    Question: to have em2 disabled, do I need to make use of an intermediate (layer 3) switch?
    Question: while it may be 'preferred' to have em2 inactive when using VLANs, is it strictly necessary? And what's the downside?

    With em2 disabled, I can neither set up nor use an already configured Unifi AP attached directly to OPT1 - it seems that the SSIDs can be assigned to a VLAN ID, but not the device itself?

    My eventual plan is to have:

    pfsense: LAN & OPT1>
    Cisco>
    2x Unifi AP (& additional managed switch) & directly attached devices

    If I have to remove all existing devices off the current LAN to a new VLAN, this will take considerably longer, so I would prefer to keep the existing LAN network, and slowly migrate devices according to priority.

    My existing OPT1 setup is Guest on em2 & VLAN on em2_vlan120.
    The Unifi picks up DHCP lease on Guest, and clients can connect to the 'native' SSID.
    Clients can also connect to the second VLAN SSID.

    I've only just added the FW rules, so nothing else is tested.

    Before I go too far, just wanted to check my direction...

    Many thanks.


  • I read that Unifi APs need the management network (and maybe the first SSID?) untagged. Traffic to additional SSIDs is VLAN tagged then.
    But I never had a Unifi AP myself so I cannot confirm this, only remembered having read it here on the forum.


  • Thanks Chris, that makes sense.

  • LAYER 8 Netgate

    Yeah, the management VLAN to unifi gear can be any VLAN, but it has to be untagged (the PVID) to the APs/cloud key/"controller" app/etc. There doesn't have to be a wireless SSID on it at all.

    When you set an SSID to have a VLAN, traffic on that SSID will be tagged to and from the switch. If you do not set a VLAN, it will be untagged along with the management traffic.
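To make the untagged/tagged distinction above concrete, here is an added example (not code from this thread, pfSense or Ubiquiti) that builds a few constructed Ethernet frames and decodes them: an untagged frame is what the AP's management traffic and an SSID with no VLAN look like on the wire, while an SSID with a VLAN produces frames carrying an 802.1Q tag. The MAC addresses, payloads, the VLAN set {110, 120} and the em2_vlanNNN interface naming are assumptions taken from the original poster's description, not from any real capture.

```python
"""Decode constructed Ethernet frames to show "untagged" vs "802.1Q tagged" on the wire.

Added example, not from the forum thread, pfSense or Ubiquiti. MACs, VLAN IDs and
payloads are constructed for illustration.
"""
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Assumption: VLAN interfaces configured on the pfSense parent interface (em2_vlan110, em2_vlan120).
CONFIGURED_VLANS = {110, 120}


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame; insert an 802.1Q tag (TPID + TCI) when vlan_id is given."""
    header = dst + src
    if vlan_id is None:
        header += struct.pack("!H", ethertype)
    else:
        tci = (priority << 13) | (vlan_id & 0x0FFF)  # 3-bit PCP, 1-bit DEI (0), 12-bit VID
        header += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    return header + payload


def parse_frame(frame):
    """Return dst/src, VLAN ID (None if untagged), priority, inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": None, "priority": 0}
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13
        info["vlan_id"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify(info, configured=CONFIGURED_VLANS):
    """Say where a frame arriving on the parent interface would land (assumed pfSense layout)."""
    if info["vlan_id"] is None:
        return "untagged: native/PVID network (AP management or an SSID with no VLAN set)"
    if info["vlan_id"] in configured:
        return f"tagged VLAN {info['vlan_id']}: delivered to em2_vlan{info['vlan_id']}"
    return f"tagged VLAN {info['vlan_id']}: no matching VLAN interface, frame is dropped"


# Constructed sample frames (locally administered MACs, fake payloads).
AP_MAC = bytes.fromhex("0218ab000001")
FW_MAC = bytes.fromhex("0218ab0000ff")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = {
    "ap_mgmt_dhcp": build_frame(BROADCAST, AP_MAC, ETHERTYPE_IPV4, b"<dhcp discover>"),
    "guest_client_vlan120": build_frame(FW_MAC, AP_MAC, ETHERTYPE_IPV4, b"<http get>", vlan_id=120),
    "stray_vlan200": build_frame(FW_MAC, AP_MAC, ETHERTYPE_ARP, b"<arp>", vlan_id=200, priority=3),
}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        info = parse_frame(frame)
        print(f"{name:22} {info['src']} -> {info['dst']}  {classify(info)}")
```

The third sample shows why the AP must be adopted over the untagged network: a frame tagged with a VLAN that has no interface on the pfSense side is simply not delivered, which is exactly what an AP whose management traffic was tagged would experience.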


  • Thanks for the good advice.


  • Thanks Derelict,

    Having followed the tutorials to set up the VLAN, I seem to have run into another problem. I thought it was possibly firewall related but still no joy.

    The Guest network is active on em2, with DHCP provided, and clients are able to browse the web - using the rules below from Jonpoz.
    https://forum.pfsense.org/index.php?topic=134802.msg738958#msg738958

    I have applied the same rules to the VLAN interface (em2_vlan120), and although a DHCP address is supplied, I do not get any internet connection on devices connected.

    Did I miss a step? I can't see any Blocks in the firewall log - the VLAN interface can ping externally from pfsense, but traceroute fails.


  • LAYER 8 Netgate

    Do you need to add outbound NAT?

    If you can ping 8.8.8.8 but not www.google.com you likely have a DNS problem.

    Put a pass any any any rule at the top temporarily and see if that corrects it. If so, it's your interface rules. If not it's something else.

    https://doc.pfsense.org/index.php/Connectivity_Troubleshooting


  • Derelict,

    Thank you - fixed!

    It was Outbound NAT - this was set to manual, based on some earlier copy/paste instructions. (I had previously configured the guest network - so this working was just a coincidence).

    The Connectivity Troubleshooting link you provided led me to check the pages I hadn't realised I needed to check.

    Thank you again for your help.
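The cause found above (manual outbound NAT with no rule for the new VLAN subnet) is easy to check for offline, so here is an added example, not pfSense's own code or anything from the thread, that reads the interfaces and outbound NAT sections of a pfSense config.xml and lists internal subnets that have no covering NAT rule on WAN while the mode is manual. The XML is constructed and trimmed to just the elements the check reads; it assumes the element names `interfaces`, `nat/outbound/mode` and `nat/outbound/rule` with `interface` and `source/network` children, CIDR source networks only (alias or interface-keyword sources are skipped), and that `wan` is the only external interface.

```python
"""Audit a pfSense config.xml for internal subnets missing a manual outbound NAT rule.

Added example, not pfSense's own code. The sample config is constructed and trimmed
to the elements this check reads; real config.xml files contain far more.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><descr>GUEST</descr><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>em2_vlan120</if><descr>VLAN120</descr><ipaddr>192.168.120.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <nat>
    <outbound>
      <mode>manual</mode>
      <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source><target/></rule>
      <rule><interface>wan</interface><source><network>192.168.2.0/24</network></source><target/></rule>
    </outbound>
  </nat>
</pfsense>"""


def internal_subnets(root):
    """Map interface name -> ip_network for every statically addressed non-WAN interface."""
    subnets = {}
    for iface in root.find("interfaces"):
        if iface.tag == "wan":
            continue  # assumption: wan is the only external interface
        ipaddr = iface.findtext("ipaddr")
        prefix = iface.findtext("subnet")
        if not ipaddr or not prefix or not prefix.isdigit():
            continue  # dhcp/pppoe/none: no local subnet to translate
        subnets[iface.tag] = ipaddress.ip_network(f"{ipaddr}/{prefix}", strict=False)
    return subnets


def wan_outbound_rules(root):
    """Collect the CIDR source networks of outbound NAT rules bound to WAN."""
    nets = []
    for rule in root.iterfind("nat/outbound/rule"):
        if rule.findtext("interface") != "wan":
            continue
        source = rule.findtext("source/network") or ""
        try:
            nets.append(ipaddress.ip_network(source, strict=False))
        except ValueError:
            pass  # alias or interface-keyword sources are not handled in this example
    return nets


def audit(xml_text):
    """Return the NAT mode and the internal interfaces with no covering WAN rule.

    Automatic and Hybrid modes generate rules for every local subnet, so only
    Manual mode can leave a subnet untranslated.
    """
    root = ET.fromstring(xml_text)
    mode = root.findtext("nat/outbound/mode") or "automatic"
    if mode != "manual":
        return {"mode": mode, "missing": []}
    rules = wan_outbound_rules(root)
    missing = sorted(
        name for name, net in internal_subnets(root).items()
        if not any(rule == net or rule.supernet_of(net) for rule in rules)
    )
    return {"mode": mode, "missing": missing}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(f"outbound NAT mode: {result['mode']}")
    for name in result["missing"]:
        print(f"  {name}: no outbound NAT rule on WAN covers this subnet (no internet access)")
```

Run against the sample, the report names only opt2 (the em2_vlan120 subnet): the guest subnet on em2 worked because an earlier rule happened to cover it, which matches the "coincidence" described above. Switching the mode to hybrid makes the missing list empty, since the automatic rules then cover every local subnet.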

  • LAYER 8 Netgate

    Glad you got it working.

    About the only time I recommend manual outbound NAT these days is on a CARP/HA setup where pretty much all outbound NAT has to be carefully considered and customized.

    In almost all other use cases, Hybrid is a better choice.

    Hybrid is relatively new though so a lot of older walkthroughs still show manual.


  • Thanks for the advice. I'll read some more about Hybrid.

    I'm not sure why I set Manual - possibly (following a tutorial) to enable use of OpenVPN as a gateway?

    Anyway, I'll leave it for the moment, until I'm sure I can configure correctly. If it ain't broke…

    Thanks again.


  • @Derelict:

    Yeah, the management VLAN to unifi gear can be any VLAN, but it has to be untagged (the PVID) to the APs/cloud key/"controller" app/etc. There doesn't have to be a wireless SSID on it at all.

    When you set an SSID to have a VLAN, traffic on that SSID will be tagged to and from the switch. If you do not set a VLAN, it will be untagged along with the management traffic.

    Found the appropriate link to this - it makes sense now, but it didn't when I read it before setup:
    https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware

    Initially you need to adopt your UniFi access points or switches over the native untagged VLAN, and this will be the continued requirement. That being said, they do support L3 management, so your controller can be on a different L3 network (or remote, etc.).

    I didn't realise that "adopt" was a Unifi "reserved" word.

    Thanks again Derelict