Managed switch: Unifi Controller & pfSense GUI & Switch GUI only interface?

  • I am trying to simplify and secure the administration of my Unifi AP Pro Controller, my switch admin access (D-Link DGS-1100-05) and my pfSense GUI. Wish list would be that this is via the same Ethernet connection only. I would not want any internet access on this admin interface.

    Is this possible? Is this a secure setup?

    Wan-> pfSense ->Managed Switch-> Unifi AP ->Client

    Port 1 - Eth1,2,4 Untagged
    66 VLAN - Eth1&2 Tagged
    44 VLAN - Eth1&2 Tagged
    55 VLAN - Eth1&2 Tagged
    Port 5 - Switch admin only

    pfSense with 4 Ethernet ports
    WAN, Switch trunk, random IOT device(Not VLAN capable nor wireless) and an admin interface for pfSense

    Unifi AP
    Currently 3 VLANs with SSID
    No Controller access :(

    I have my VLANs working thru my switch and Unifi AP but have 2 outstanding questions:

    1. How do I create/organize and manage my admin GUIs without plugging in/out my Ethernet or changing wireless networks?
    2. I have a wired device that has its own interface and would like to have it be a part of VLAN 66… is this possible with a managed switch now?

    I am working towards further securing my network with the Radius server package that comes with pfSense.

    Any help or pointers would be surely appreciated...

  • It's just a matter of placing the devices in the correct VLAN and applying firewall rules to suit what's required on the pfSense interface.

    I have the following subnets / vlans :-

    LAN 2a02:xxxx:xxxx:1::1 Untagged used for LAN MGT devices ONLY
    USER 2a02:xxxx:xxxx:2::1 2
    GUEST 2a02:xxxx:xxxx:3::1 3
    IOT 2a02:xxxx:xxxx:4::1 4
    DMZ 2a02:xxxx:xxxx:5::1 5
    VOICE 2a02:xxxx:xxxx:6::1 6

    Attached a diagram of my home network and a screenshot of switch-1, UP = untagged T = tagged

    My Hue bridge doesn't support VLANs; just change the VLAN on the switch port and make it untagged if it currently isn't.

  • Thanks NogBadTheBad for sharing, really appreciate the guide… I aspire to that setup.

    I have VLAN62, 72, 82,92 running thru my Unifi AP and working.

    Where I am struggling is trying to get a unified Admin (my admin interface for Unifi, switch and pfSense GUI) setup... I have to change my networks to access each one... haven't even tried to get into my Unifi AP yet!

    Any suggestions? The answer lies with Tagging, Untagging and PVID I am sure...

    Truly appreciate any help.

    (Sorry for the super crappy image)

  • What port connects between the switch and the router? You need to trunk all the VLANs on this port; I don't think you've set up a port with every VLAN on.

    BTW I'm no D-Link expert.

    Check out how I've set my GE1, GE2 and GE3.

    The AP and Cloud Key need to be in the same untagged VLAN, and the AP needs to be in a trunk with the additional VLANs tagged.

    Post a screenshot from the router from Interfaces -> Interface Assignments

  • A couple of notes:

    1. I managed to be able to access my pfSense GUI and Switch GUI… so no going up and down stairs! However, I have to switch my Ethernet network connections on my PC. Not sure how to access the switch without a manual entry into IPv4 settings/gateway.
    2. I don't have a Unifi Cloud Key... thought I could do this with a smart switch only.

    To answer your question, I am not sure either whether the trunk, tag, untag, PVID is set correctly... still trying all options. My trunk is on port #1, Unifi AP is on port 2 and my "admin-access-to-be" (maybe) is on port 5 of the switch.

    Open to suggestions...I can't believe this setup is that unique.

  • You can install the UniFi software on a PC if you're struggling.

    Once you've set up the D-Link switch you shouldn't need to touch it again.

    Maybe you should be posting on the Ubiquiti and D-Link forums; your issues aren't related to pfSense.

  • Thanks again NogBad… fair push back on keeping this pfSense related.

    Question on your set up: your "VLAN 4093" that you do not tag on your switches, is this an actual VLAN in pfSense? Do you even use your LAN directly (not sure that's the right term) for anything other than "carrying" your VLANs, i.e. you simply have VLANs that you manage that run within your LAN interface? Can I ask why you do that? Is this related to the term "untagged" VLANs that is sometimes used?

  • VLAN 4093 is the untagged VLAN, AKA native VLAN, on my switches that I'm using for the management interfaces.

    It's the LAN interface on my router that is the parent interface for the other VLANs.

    It's not defined on my router, as packets from the LAN interface exit without being tagged.

  • Hi!

    What you have solved, I struggle to solve….

    Do you mind taking a look at my post and maybe giving me some feedback?


  • I am totally open to feedback from the community if this is setup correctly but here is what I did:

    I did manage to get my set up to work…. My D-Link switch configuration is as follows:

    Ethernet 1 -> Trunk to pfSense/LAN. Later edit: (eth 1 & 5 untagged and eth 2 & 3 tagged)

    Ethernet 2 -> Unifi AP
    VLAN10  (eth 1 & 2 tagged) - Nothing untagged
    VLAN20  (eth 1 & 2 tagged) - Nothing untagged
    VLAN30  (eth 1 & 2 tagged) - Nothing untagged

    Ethernet 3 -
    VLAN40 / Apple TV (not VLAN capable) (eth 1 tagged and eth 3 untagged)

    Ethernet 5 -> Management Computer
    VLAN 4093 (eth 2 untagged and 5 tagged. Later edit: eth 1, 2, 4 & 5 untagged, 3 not a member) - I thought this would connect to a VLAN 4093 on my pfSense box I created, but it doesn't; it gets an IP for the LAN interface on my pfSense box.

    I think this is OK as it allows me to be on the same L2 as my Unifi AP. I was able to have the Unifi AP adopt my computer with this setup.

    Does this look right?

    (Modesty…I'll comment on your post and do what I can to help!)
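    As an added example (not from the thread, nor D-Link's or pfSense's own tooling): a small Python model of the switch port membership the last post describes, used to check whether a VLAN-unaware management PC on port 5 really has an untagged path to pfSense on port 1, why the first attempt for VLAN 4093 ("eth 2 untagged and 5 tagged") could not work, and that port 2 gives the AP the untagged management VLAN plus the tagged SSID VLANs NogBadTheBad asked for. Port numbers, VLAN ids and the trunk-on-port-1 layout are taken from the posts; the rule that a port's PVID is the single VLAN it is untagged in is an assumption about how the DGS-1100 behaves.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:  # 802.1Q membership table: vlan -> ports carrying it tagged / untagged
    tagged: dict = field(default_factory=dict)
    untagged: dict = field(default_factory=dict)

    def pvid(self, port):
        # Assumption: as on the DGS-1100, PVID is the one VLAN the port is untagged in.
        hits = [v for v, ports in self.untagged.items() if port in ports]
        if len(hits) != 1:
            raise ValueError(f"port {port} untagged in {hits}; need exactly one")
        return hits[0]

    def egress(self, vlan, port):
        """'untagged', 'tagged', or None if the port is not a member of vlan."""
        if port in self.untagged.get(vlan, ()):
            return "untagged"
        return "tagged" if port in self.tagged.get(vlan, ()) else None

    def forward(self, src, dst, vlan=None):
        """How a frame entering src (untagged, or tagged with `vlan`) leaves dst."""
        vlan = self.pvid(src) if vlan is None else vlan
        if self.egress(vlan, src) is None:  # ingress filtering: src not a member
            return None, vlan
        return self.egress(vlan, dst), vlan

def final_config():
    """'Later edit' membership from the last post (constructed from the text)."""
    sw = Switch()
    sw.untagged[4093] = {1, 2, 4, 5}  # management/native VLAN = pfSense LAN
    for v in (10, 20, 30):            # SSID VLANs, trunked to the AP on port 2
        sw.tagged[v] = {1, 2}
    sw.tagged[40], sw.untagged[40] = {1}, {3}  # VLAN-unaware Apple TV on port 3
    return sw

def first_attempt():
    """VLAN 4093 as first tried: 'eth 2 untagged and 5 tagged'."""
    sw = final_config()
    sw.untagged[4093], sw.tagged[4093] = {2}, {5}
    return sw

def can_manage(sw, pc_port, router_port):
    """A VLAN-unaware PC needs an untagged path in both directions."""
    try:
        there, _ = sw.forward(pc_port, router_port)
        back, _ = sw.forward(router_port, pc_port)
    except ValueError:  # a port with no untagged VLAN cannot carry the PC's frames
        return False
    return there == "untagged" and back == "untagged"
```

    The model also shows why the management PC lands on the pfSense LAN subnet rather than a "VLAN 4093" interface: its frames leave port 1 untagged, which is the parent LAN interface on the router.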
