Netgate Discussion Forum
    VLAN interface setup anomaly?

    Category: Problems Installing or Upgrading pfSense Software
    11 Posts, 4 Posters, 1.4k Views
    awair

      I am new to setting up VLANs, so I may have made a mistake or misunderstood…

      I have had a working pfsense setup for about 8 months, and am in the process of upgrading to VLANs, using a couple of new Unifi APs & a Cisco managed switch. This is being completed partly as a live migration (LAN), and partly using a test/demo network (OPT1) for the more complex parts.

      I have one Unifi AP already correctly working on my LAN (em1), providing 2 SSIDs. The other AP is connected to OPT1 (em2), where I am having some difficulty checking the VLAN setup. The Cisco is dormant at the moment, so all VLAN setup is via pfsense.

      I read that the VLAN host interface (e.g. em2) should not be used/active, and only to use the VLAN interfaces. I tried this and got stuck.

      With em2 disabled/inactive, and offering 2 VLANs em2_vlan110 & em2_vlan120, my Unifi AP does not acquire a DHCP address and I cannot reliably connect or set up the AP.

      When em2 is enabled (with DHCP) then everything appears to work fine.

      Question: to have em2 disabled, do I need to make use of an intermediate (layer 3) switch?
      Question: while it may be 'preferred' to have em2 inactive when using VLANs, is it strictly necessary? And what's the downside?

      With em2 disabled, I can neither set up nor use an already configured Unifi AP attached directly to OPT1 - it seems that the SSIDs can be assigned to a VLAN ID, but not the device itself?

      My eventual plan is to have:

      pfsense: LAN & OPT1>
      Cisco>
      2x Unifi AP (& additional managed switch) & directly attached devices

      If I have to remove all existing devices off the current LAN to a new VLAN, this will take considerably longer, so I would prefer to keep the existing LAN network, and slowly migrate devices according to priority.

      My existing OPT1 setup is Guest on em2 & VLAN on em2_vlan120.
      The Unifi picks up DHCP lease on Guest, and clients can connect to the 'native' SSID.
      Clients can also connect to the second VLAN SSID.

      I've only just added the FW rules, so nothing else is tested.

      Before I go too far, just wanted to check my direction...

      Many thanks.

      2.4.3 (amd64)
      and given up on the SG-1000

      jahonix

        I read that Unifi APs need the management network (and maybe the first SSID?) untagged. Traffic to additional SSIDs is VLAN tagged then.
        But I never had a Unifi AP myself so I cannot confirm this, only remembered having read it here on the forum.

        awair

          Thanks Chris, that makes sense.

          Derelict (LAYER 8, Netgate)

            Yeah the management VLAN to unifi gear can be any VLAN but it has to be untagged (the PVID) to the APs/cloud key/"controller" app/etc. There doesn't have to be a wireless SSID on it at all.

            When you set an SSID to have a VLAN, traffic on that SSID will be tagged to and from the switch. If you do not set a VLAN it will be untagged along with the management traffic.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

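Added example (written for this page, not code from any poster here, from Netgate, or from Ubiquiti): a small Python model of the tagging behaviour Derelict describes. It builds and parses 802.1Q tagged and untagged Ethernet frames, maps each frame to the pfSense interface that would receive it on em2, and then reproduces awair's symptom: the AP's management traffic, including its DHCP DISCOVER, goes out untagged, so it arrives on the parent em2 and gets no answer unless a DHCP server is enabled there, while clients on an SSID mapped to VLAN 120 are tagged and land on em2_vlan120. The MAC addresses, the DHCP payload bytes and the VLAN-to-interface table are constructed assumptions, not values from the thread.

```python
"""Model of 802.1Q tagging between a UniFi AP and pfSense on em2.
Added example; MACs, payloads and the VLAN table are constructed."""
import struct
from typing import Dict, Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: str, src_mac: str, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; a vlan_id inserts the 4-byte 802.1Q tag after the MACs."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN id must be 1..4094")
        tci = (pcp << 13) | vlan_id           # PCP(3 bits) | DEI(1 bit, zero) | VID(12 bits)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> Dict:
    """Split a frame into dst, src, vlan_id (None when untagged), ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


# pfSense side: VLAN interfaces defined on the parent NIC em2 (assumed table).
PARENT = "em2"
VLAN_IFACES = {110: "em2_vlan110", 120: "em2_vlan120"}


def receiving_interface(frame: bytes) -> Optional[str]:
    """Logical interface that handles a frame arriving on em2; unknown tags are dropped."""
    vid = parse_frame(frame)["vlan_id"]
    if vid is None:
        return PARENT                 # untagged frames belong to the parent interface itself
    return VLAN_IFACES.get(vid)


AP_MAC = "02:00:00:aa:bb:cc"          # constructed, locally administered address


def ap_gets_dhcp_lease(dhcp_enabled_on: set) -> bool:
    """The AP's management traffic is sent untagged (its PVID), so its DHCP DISCOVER
    is only answered if a DHCP server is enabled on the interface that receives it."""
    discover = build_frame("ff:ff:ff:ff:ff:ff", AP_MAC, b"DHCPDISCOVER")
    iface = receiving_interface(discover)
    return iface is not None and iface in dhcp_enabled_on


def ssid_client_interface(ssid_vlan: Optional[int]) -> Optional[str]:
    """A client on an SSID mapped to a VLAN is tagged by the AP; a client on an SSID
    with no VLAN travels untagged alongside the management traffic."""
    client = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:11:22:33", b"DHCPDISCOVER",
                         vlan_id=ssid_vlan)
    return receiving_interface(client)


if __name__ == "__main__":
    print("em2 disabled, VLANs only :", ap_gets_dhcp_lease({"em2_vlan110", "em2_vlan120"}))
    print("em2 enabled with DHCP    :", ap_gets_dhcp_lease({"em2", "em2_vlan120"}))
    print("client on VLAN-120 SSID  :", ssid_client_interface(120))
    print("client on untagged SSID  :", ssid_client_interface(None))
```

The model only decides which interface a frame reaches; it does not implement DHCP. That is enough to show the design point: the untagged (PVID) network carrying AP management must be a live pfSense interface with an address and DHCP, or must be served by a switch, before the tagged SSID VLANs can be of any use.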
              Harley99

              Thanks for the good advice.

                awair

                Thanks Derelict,

                Having followed the tutorials to setup the VLAN, I seem to have run in to another problem. I thought it was possibly firewall related but still no joy.

                The Guest network is active on em2, with DHCP provided, and clients are able to browse the web - using the rules below from Jonpoz.
                https://forum.pfsense.org/index.php?topic=134802.msg738958#msg738958

                I have applied the same rules to the VLAN interface (em2_vlan120), and although a DHCP address is supplied, I do not get any internet connection on devices connected.

                Did I miss a step? I can't see any Blocks in the firewall log - the VLAN interface can ping externally from pfsense, but trace route fails.

                (attached screenshot: examplerules.png)

                  Derelict (LAYER 8, Netgate)

                  Do you need to add outbound NAT?

                  If you can ping 8.8.8.8 but not www.google.com you likely have a DNS problem.

                  Put a pass any any any rule at the top temporarily and see if that corrects it. If so, it's your interface rules. If not it's something else.

                  https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

                    awair

                    Derelict,

                    Thank you - fixed!

                    It was Outbound NAT - this was set to manual, based on some earlier copy/paste instructions. (I had previously configured the guest network - so this working was just a coincidence).

                    The Connectivity Troubleshooting link you provided led me to check the pages I hadn't realised I needed to check.

                    Thank you again for your help.

                      Derelict (LAYER 8, Netgate)

                      Glad you got it working.

                      About the only time I recommend manual outbound NAT these days is on a CARP/HA setup where pretty much all outbound NAT has to be carefully considered and customized.

                      In almost all other use cases, Hybrid is a better choice.

                      Hybrid is relatively new though so a lot of older walkthroughs still show manual.

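Added example (written for this page, not pfSense's own code or anything posted in the thread): a Python model of the three outbound NAT modes Derelict contrasts, used to reproduce the fault awair found. Automatic mode generates a rule for every local interface network, Hybrid puts admin rules ahead of that automatic set, and Manual uses only what the admin listed, so a VLAN added after the rules were written has no rule at all and its packets leave the WAN with a private source address that no reply can reach. The interface names follow the thread; the WAN address, the subnets and the pf-style rendering are constructed assumptions.

```python
"""Model of pfSense outbound NAT modes (Automatic, Hybrid, Manual).
Added example; interface networks and the WAN address are constructed."""
import ipaddress
from typing import List, Tuple

WAN_IF = "em0"
WAN_IP = "203.0.113.10"                  # documentation-range address, stands in for the real WAN IP
LOCAL_NETWORKS = {                        # constructed sample topology
    "em1": "192.168.1.0/24",              # LAN
    "em2": "192.168.2.0/24",              # OPT1, guest (untagged)
    "em2_vlan120": "192.168.120.0/24",    # VLAN 120, added after the NAT rules were written
}

NatRule = Tuple[ipaddress.IPv4Network, str]   # (source network, address it is translated to)


def automatic_rules() -> List[NatRule]:
    """Automatic mode: one rule per local interface network, regenerated on every change."""
    return [(ipaddress.ip_network(net), WAN_IP) for net in LOCAL_NETWORKS.values()]


def manual_rules(nets: List[str]) -> List[NatRule]:
    """Manual mode: only the networks the admin listed; new interfaces are NOT added."""
    return [(ipaddress.ip_network(net), WAN_IP) for net in nets]


def hybrid_rules(extra: List[str]) -> List[NatRule]:
    """Hybrid mode: admin-defined rules are evaluated first, then the automatic set."""
    return manual_rules(extra) + automatic_rules()


def render_pf(rules: List[NatRule]) -> List[str]:
    """pf.conf-style rendering of a rule set, for reading what would be loaded."""
    return [f"nat on {WAN_IF} from {net} to any -> {addr}" for net, addr in rules]


def translated_source(rules: List[NatRule], src_ip: str) -> str:
    """Source address a packet carries after first-match outbound NAT on the WAN.
    With no matching rule it leaves untranslated; a reply to a private address never returns."""
    ip = ipaddress.ip_address(src_ip)
    for net, addr in rules:
        if ip in net:
            return addr
    return src_ip


def has_internet(rules: List[NatRule], src_ip: str) -> bool:
    """True only when the packet leaves with the routable WAN address."""
    return translated_source(rules, src_ip) == WAN_IP


def audit(rules: List[NatRule]) -> List[str]:
    """Interfaces whose network no rule covers: the check to run after adding a VLAN."""
    return [name for name, net in LOCAL_NETWORKS.items()
            if not any(ipaddress.ip_network(net).subnet_of(rnet) for rnet, _ in rules)]


if __name__ == "__main__":
    # Rules pasted from an older walkthrough, before em2_vlan120 existed.
    stale = manual_rules(["192.168.1.0/24", "192.168.2.0/24"])
    print("\n".join(render_pf(stale)))
    print("guest client on em2 :", has_internet(stale, "192.168.2.20"))        # works by coincidence
    print("client on VLAN 120  :", has_internet(stale, "192.168.120.20"))      # no NAT rule
    print("uncovered interfaces:", audit(stale))
    print("same client, Hybrid :", has_internet(hybrid_rules([]), "192.168.120.20"))
```

The audit() function is the practical takeaway: whatever mode is in use, after adding an interface confirm that some outbound NAT rule covers its subnet, otherwise the interface can ping the firewall and receive DHCP leases while every packet it sends to the internet is silently unanswerable.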
                        awair

                        Thanks for the advice. I'll read some more about Hybrid.

                        I'm not sure why I set Manual - possibly (following a tutorial) to enable use of OpenVPN as a gateway?

                        Anyway, I'll leave it for the moment, until I'm sure I can configure correctly. If it ain't broke…

                        Thanks again.

                          awair

                          @Derelict:

                          Yeah the management VLAN to unifi gear can be any VLAN but it has to be untagged (the PVID) to the APs/cloud key/"controller" app/etc. There doesn't have to be a wireless SSID on it at all.

                          When you set an SSID to have a VLAN, traffic on that SSID will be tagged to and from the switch. If you do not set a VLAN it will be untagged along with the management traffic.

                          Found the appropriate link to this - it makes sense now, but it didn't when I read it before setup:
                          https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware

                          Initially you need to adopt your UniFi access points or switches over the native untagged VLAN, and this will be the continued requirement. That being said, they do support L3 management, so your controller can be on a different L3 network (or remote, etc.).

                          I didn't realise that "adopt" was a Unifi "reserved" word.

                          Thanks again Derelict
