Setting up simple vlan with pfsense ubiquiti switch



  • Hi community!

    Been banging my head trying to get VLANs working with pfSense. My goal is to have a router on a stick, having both pfSense interfaces and my ISP connected directly into the switch.
    I have the following setup:

    Port 1: isp untagged vlan 99
    Port 2: Pfsense wan untagged vlan 99
    Port 3: pfsense lan untagged vlan 100
    Port 4 - 20: untagged vlan 100

    In pfsense I've added wan vlan 99 and lan vlan 100.

    If I connect a computer to port 4 it can access the internet but cannot make DNS resolutions. I don't have any specific FW rules that do not allow DNS/UDP etc.

    Is there anything apparent that is wrong? Or should this work?

    If I run with everything untagged and plug the ISP cable into the pfSense WAN port and pfSense LAN into the switch, it works, so I doubt the firewall is blocking.

    Hopefully someone has a similar setup or some insights.

    Thanks in advance,
    D


  • LAYER 8 Global Moderator

    Router on a stick?  Where is pfsense connected here… Looks like 2 different interfaces to me.. Wan would be port 2 and lan would be port 3.. Traffic is untagged so pfsense would have NO vlans setup.

    Router on a stick means traffic goes in and out the same interface.. I do not see that from what you have shown, with your 4 ports on your switch.

    "In pfsense I've added wan vlan 99 and lan vlan 100."

    Makes no sense with your untagged port config and 2 of them going to pfsense..  How does pfsense connect to your switch if it only has 1 port but your switch has 2 ports labeled going to pfsense.

    port 1 internet untagged 99
    port 2 untagged 99, tagged 100 --- pfsense (wan untagged, lan vlan 100) em0
    port 3 untagged 100 - client on lan

    Only vlan you would need to create in that scenario is vlan 100 for pfsense lan.. The wan would be untagged and pfsense would have no clue to what the vlan id is on the switch.

    Or you could do it like this

    port 1 internet untagged 99
    port 2 tagged 99, tagged 100 --- pfsense (wan vlan 99, lan vlan 100) em0
    port 3 untagged 100 - client on lan

    And pfsense would have NO network setup on em0 only the 2 vlans on em0 both of which are tagged coming into pfsense interface.
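    To see why the two layouts above behave differently from the original one, here is a small 802.1Q port model, added here as an example (not the poster's code, nor anything from pfSense or Ubiquiti); the port names and the unused PVID 1 on the all-tagged port are assumptions for the example:

    ```python
    # Minimal 802.1Q switch-port model for the VLAN layouts in this thread.
    # Added example, not code from the poster or from pfSense/Ubiquiti.
    # Each port has a PVID (its untagged VLAN) and a set of tagged VLANs.

    def make_port(pvid, tagged=()):
        return {"pvid": pvid, "tagged": set(tagged)}

    def forward(switch, in_port, vid=None):
        """Inject one frame on in_port (vid=None means untagged) and return
        {port: vid} for every port that receives it; vid None = sent untagged."""
        p = switch[in_port]
        if vid is None:
            vid = p["pvid"]                       # untagged ingress -> PVID
        elif vid != p["pvid"] and vid not in p["tagged"]:
            return {}                             # ingress filtering drops it
        out = {}
        for name, q in switch.items():
            if name == in_port:
                continue                          # never flood back to source
            if vid == q["pvid"]:
                out[name] = None                  # member as PVID: egress untagged
            elif vid in q["tagged"]:
                out[name] = vid                   # member as tagged: keep the tag
        return out

    # Original layout: two pfSense NICs, every port untagged only (ports 4-20
    # collapsed to one client port). Port names are assumed for the example.
    OP = {"p1_isp": make_port(99), "p2_wan": make_port(99),
          "p3_lan": make_port(100), "p4_client": make_port(100)}

    # Moderator's first layout: one pfSense NIC (em0) on port 2,
    # WAN untagged on the port, LAN as VLAN 100 tagged.
    MOD1 = {"p1_isp": make_port(99), "p2_em0": make_port(99, tagged=[100]),
            "p3_client": make_port(100)}

    # Moderator's second layout: port 2 tagged 99 and 100; PVID 1 here is an
    # assumed, unused default VLAN, so untagged frames from em0 go nowhere.
    MOD2 = {"p1_isp": make_port(99), "p2_em0": make_port(1, tagged=[99, 100]),
            "p3_client": make_port(100)}

    if __name__ == "__main__":
        print("OP, untagged from pfSense WAN NIC :", forward(OP, "p2_wan"))
        print("MOD1, untagged from em0 (WAN)     :", forward(MOD1, "p2_em0"))
        print("MOD1, tagged 100 from em0 (LAN)   :", forward(MOD1, "p2_em0", 100))
        print("MOD1, client reply reaches em0 as :", forward(MOD1, "p3_client"))
        print("MOD2, untagged from em0 (dropped) :", forward(MOD2, "p2_em0"))
        print("MOD2, ISP frame reaches em0 as    :", forward(MOD2, "p1_isp"))
    ```

    In the first layout em0 sees the WAN untagged and the LAN tagged 100; in the second it sees both tagged, and an untagged frame from em0 reaches no port at all.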



  • Hi!

    Thank you for helping me out.

    Yes I guess I got a bit confused about the terminology. It's not a router on a stick as you pointed out.
    I have two NICs on my pfsense box and I labeled them WAN and LAN.

    I tried removing my VLAN rules in pfsense but did no difference.
    At least I know that my setup is somewhat sound then?

    To be a bit more specific:

    Port 1: isp untagged vlan 99
    Port 2: Pfsense NIC1 wan untagged vlan 99 (pfsense outside)
    Port 3: pfsense NIC2 lan untagged vlan 100 (pfsense inside / Internal net)
    Port 4 - 20: untagged vlan 100 (clients which should go to the internal net)

    Like I said I do get internet access doing this, but DNS does not work. I will try and allow everything to see if it works and then add back the fw rules one by one.

    Regards, D


  • LAYER 8 Global Moderator

    If you have 2 nics on pfsense.. Why are you running your isp (wan) connection through the switch anyway eating up 2 ports?  Why not just connect the modem direct to pfsense wan nic?

    What part of dns does not work?  Allow everything where?  The default pfsense lan rule is any any already.  Did you dick with that?  What are your clients pointing to for dns?  Are they static or dhcp from pfsense?

    Out of the box pfsense resolves via unbound - it does not forward to some dns, etc.  So if your isp blocks dns to outside that could be a problem, if they intercept that could be a problem.  If you have something in front of pfsense blocking dns that could be a problem, etc. etc..



  • @johnpoz:

    If you have 2 nics on pfsense.. Why are you running your isp (wan) connection through the switch anyway eating up 2 ports?  Why not just connect the modem direct to pfsense wan nic?

    What part of dns does not work?  Allow everything where?  The default pfsense lan rule is any any already.  Did you dick with that?  What are your clients pointing to for dns?  Are they static or dhcp from pfsense?

    Out of the box pfsense resolves via unbound - it does not forward to some dns, etc.  So if your isp blocks dns to outside that could be a problem, if they intercept that could be a problem.  If you have something in front of pfsense blocking dns that could be a problem, etc. etc..

    I'm doing this because I want to remove my ISP broadband modem / fiber converter provided by the ISP. Since I have SFP ports in my switch I aim to plug it directly into the switch to reduce the number of boxes I have but then still route everything through pfSense.

    I have changed FW rules somewhat in pfSense but it works when I plug my ISP connection directly into the pfSense box. For DNS my clients use DHCP and pfSense is resolving using DNS forwarding mode and static mappings for the clients. Not sure what part of DNS is not working, other than that addresses are not resolved correctly, but accessing by IP works.

    I have this for my WAN interface (PASS):

    Protocol      Source       Port  Destination  Port  Gateway  Queue
    IPv4 *        WAN address  *     *            *     *        none

    And LAN (PASS):

    Protocol      Source       Port  Destination  Port  Gateway  Queue
    IPv4 TCP/UDP  *            *     *            *     *        none
    IPv4 *        LAN net      *     *            *     *        none

    I guess that source address of WAN could be somewhat different depending on if I plug it in directly to Pfsense or via the switch and vlans will try and change that.

    Regards, D



  • Got this working now. DNS was not set by pfSense without a static mapping. Once that was sorted it worked.

    @johnpoz thanks for pointing me in the right direction and confirming the basic VLAN config was somewhat ok.

    /d

