Trying to assign devices to VLAN but they default to LAN (screenshots included)



  • Greetings

    I was wondering if someone could take a look at my settings below as I must have done something wrong somewhere…

    My problem:
    When signing in with a specific device and FreeRadius account (which I assigned to VLAN 10) into my wireless network, the device still gets an IP address from my default PfSense LAN. It should receive a 192.168.10.X address (VLAN10) but still gets a 192.168.100.X address (LAN).

    My hardware setup:

    • PfSense appliance (2.4.1)
    • Unifi controller
    • Unifi switches
    • Unifi access points

    PfSense parts I configured (showing configuration for ONE user on a VLAN named INT-HOME-10 (VLAN 10)):
    1/ On PfSense: FreeRadius, Interfaces, VLANs, DHCP
    2/ On Unifi Controller: SSID, VLAN

    Details and screenshots of all settings below:

    1/ In PfSense, I installed FreeRadius to serve credentials to my wifi access points.
    a/ [In FreeRadius/Users] I created a user/password. I want to assign this user to VLAN 10, so I added VLAN 10 in the 'Network Configuration' section
    b/ [In FreeRadius/NAS-Clients] I added all my UNIFI devices (controller, switches, access points) with a shared secret
    c/ [In FreeRadius/Interfaces] I set up both a 1812 (authentication) and 1813 (accounting) port. They listen to all interfaces.

    2/ In my UNIFI controller, I made the following setup:
    a/ [In Settings/Wireless Networks] I created a Wireless Network called 'Test-AP'. I chose WPA Enterprise and selected my Radius profile
    b/ [In Settings/Networks] I created a VLAN only network with the ID 10
    c/ [In Settings/Profiles] I entered the parameters to access the Radius Authentication/Accounting server on my PfSense box

    The signing part (username/password) works fine and I can connect to the network (expect for getting the wrong IP address)

    3/ In PfSense again, I also have the following configuration:

    a/ [In Interface/…] I create the Interface INT10HOME with a static IPv4 of 192.168.10.1
    b/ [In Interface/VLANs] My INT10HOME interface is a child of my LAN interface
    c/ [In Interface/Assignments] My INT10HOME interface is a child of my LAN interface
    d/ [In Services/DHCP Server/INT10HOME] I enabled the DHCP server for my INT10HOME interface. I also added the static IPv4 192.168.10.1 as the Gateway.

    I also configured Firewall rules, but not sure I need to detail those here, since these are already a step further in the process.

    Can anyone point me to the reason why my device does not get an IP from the VLAN but still the LAN?

    Any help greatly appreciated  :)























  • Bumping up the question…
    Would really appreciate any pointers as I feel quite stuck at the moment
    Thanks :)



  • hi there

    unfoutuantly i have the same issue as you and have been trying this lately but also am having no luck

    on the upside (if you can call it that) i can have the vlans working ssid assigned, so not radius assigned but one ssid per vlan and this all works here as i have it now

    basially the differences between our setup and yours is such i have a dedicated interface on the pfsense for vlan trunk seperate to my lan interface to main switch (also handles the vlans) so pfsense to switch two cables one lan one all vlans as a tunk port (i did this as the pfsense is routing to and from lan to vlan and wanted some more bandwidth

    the in the unifi i have the ssid set to vlan as you do and on the switch config the vlans are set on the ports bettween aps and pfsense as tagged vlans

    one las this reading around it looks like you do not set the vlan id for radius assigned vlans i noticed that in you config you have an ssid with a vlan

    hope somehow this helps or someone comes along to put us both right ill keep tinkering in the meantime
    one thing i did find on the subject though is this :- https://community.ubnt.com/t5/UniFi-Wireless/I-need-help-setting-up-dynamic-vlan-assignment/td-p/1661658