3 WANs 1 LAN and 1 VLAN with UniFi USG

  • Hey y'all. I built this pfSense box a few weeks ago and it's been providing Internet access just fine out of the box. Now I need to make some changes and I can't for the life of me figure this out.

    Behind my pfSense box, I have a UniFi network setup with a USG, a UniFi switch and 2 UniFi APs. Those all work fine. Until… I try to add a VLAN.

    Right now I have 2 DSL connections on 2 separate NICs on my pfSense. I also have a 4G connection on a 3rd NIC. What I would like to do is add a VLAN for Wi-Fi and have that traffic routed to the 4G gateway.

    I know how to add the VLANs in UniFi and assign that VLAN to a SSID or to a network port on the UniFi switch in a UniFi-only network and it works fine. I just can't figure out how to get that to translate into what I need.

    Any pointers? I've watched tons of YouTube videos, but they haven't really helped me. I've read through this forum until my eyes are crossing. Basically, I'm frustrated and need help.

    I do appreciate any advice!

  • LAYER 8 Global Moderator

    I suggest you ask on the unifi forums how to add vlans to their gear..

    How exactly does a vlan on a downstream router have anything to do with pfsense?

    Vlans are at layer 2 - you route at layer 3.. Vlans no longer come into play.. If you want some help how to setup your network at a general level please draw it out how you have things connected and what your trying to accomplish.  Picture is always worth 1000+ words.

  • Thanks for the reply, johnpoz. I already know how to add VLANs to UniFi gear. That isn't my problem.

    Why does it always happen this way? As soon as a different brand is mentioned, someone always points them to the other brand. If I go ask at UniFi, they'll end up telling me the same thing - go ask pfSense.

    That's enough for me. I'll just stop right there and I'll either add another switch and separate my network or I'll just strictly use UniFi. I'm new to pfSense and I'm always willing to learn what I don't know. If I knew how to do this, I wouldn't be asking.

    Thanks for the turnoff, sir.

  • LAYER 8 Global Moderator

    Dude I am a fan of unifi - and use their AP in my network with pfsense.  I even had a usg for a bit, as a stop gap to handle my internet speed until I got my new sg4860.  Then it went on the shelf.

    I would be more than happy to help you do whatever it is your trying to do.  But your going to have to lay out what you want since vlans on some downstream router (usg) connected to an upstream router pfsense don't come into play.

    Vlans are at layer 2, routers route at layer 3.. So how would you routing stuff from usg to pfsense have anything to do with a vlan?

    Please draw what you to setup, and we can discuss how to do it correctly.

    If your trying to move off your AP from behind your USG to be directly connected to pfsense via a vlan?  Please draw - break out a napkin and some crayons if you must to show how you want to physically connect stuff and we can discuss how you isolate it with vlans, etc.

  • Maybe I just read your post the wrong way. My apologies. I do appreciate the help.

    This is what I want my network to look like. I can do without the USG if need be. I can even do without VLANs if there is another way to reach the end result. I just want to be able to send specific devices (both wired and wireless) out specific gateways.

    Currently my UniFi equipment is managed by a controller at one of my offices. I was new to pfSense, so I just added it to my network to be able to handle more ISPs than what the USG can.

  • LAYER 8 Global Moderator

    Yeah you have no need for the usg..

    Unless there is some specific ??  Maybe their DPI stuff that your using?  Just take it out and connect directly into pfsense.. How many interfaces does your pfsense box have..  you just have that 2 networks the 192.168.20 and the 192.168.200 (vlan)

    Bit confused on why you have what looks like your native network at 192.168.20 but your listing the USG and unfi on 192.168.5 I take it that is just just management network but how does that connect in?

    Unless you can call out some feature that is a must have for you on the USG… I would just rip it out.  Just another device to config and or that could fail when pfsense can handle everything.

    If you have another interface on pfsense you could leverage for this 200 network you could just bring it in off your switch as untagged.  Or if you need to leverage 1 physical interface on pfsense then sure just tag it on your switch and setup the vlan on pfsense with the same tag. Attach that vlan to the physical interface on your pfsense box.

    If you need/want some screenshots of how to do vlans on pfsense..

    But from your drawing could you explain how your actually using usg, are you routing from this 192.168.5 network to pfsense 192.168.20?  Is there a typo?

  • To begin with, I was using the USG for site-to-site VPN with the other USGs at the other office locations. When I set it up, the other locations had the 192.168.3.X and 192.168.4.X, so I took 5.X for my home office. I don't really use the VPN part anymore because it never worked very well.

    In the USG, I just set a static IP for the Internet connection as my pfSense box.

    I did try pulling out the USG and connecting my UniFi switch directly to the pfSense, but that didn't work. It wouldn't get an IP and resetting the switch didn't help. So, for now I put it back the way it was so I could at least have Internet.

    I have 4 ports on my pfSense. I use 3 for the WAN connections and 1 for the LAN.

    The USG is doing DHCP. Anything that connects to my network gets a 192.168.5.X address . The USG has the .20.X address just because…I had to pick something that was in a different scope than my USG.

    I'll see what I have to do to get rid of my USG and still use my UniFi switch and APs.

  • LAYER 8 Global Moderator

    I have 3 unifi AP in my house that run multiple vlan SSIDs..

    If you only have 1 physical nic to use in pfsense.  Just add whatever vlans you need in pfsense.

    From your switch to pfsense those vlans would be tagged.

    It really is that simple.  Pfsense will be your new dhcp server, so you will need to set that up for whatever vlans your wanting to run vs the usg.

    Do you want some example pictures of setting up vlans in pfsense.. As to how to tag a vlan in your unifi switch.. Which one do you have?  Do you config it from controller?  Your going to want to check with the unifi doc on how to tag a vlan on a port.

  • Yes, please. I think at this point some sample pictures would be very helpful.

    I've reset my UniFi gear and adopted it all to my controller without the USG. My internet is up again.

    I've got the SSID I want tagged in the AP and I finally have the pfSense handing out IP addresses. BUT there's no internet, so I'm assuming I have something wrong in routing or some other place.

  • LAYER 8 Global Moderator

    So your vlan 200 is getting a vlan 200 IP from pfsense, but no internet.  Did you mess without outbound nat?  And change it from automatic?

    Did you create rules on the vlan 200 interface?  Out of the box lan will have an any rule, but new interfaces say a vlan will not have any rules - you have to create.

  • Don't ask me how because I have NO idea, but I finally got it working last night. I added and removed rules til I was blue in the face (or fingers). After you add the VLAN and assign the interface, I was confused about the gateway and how it was routing. I just didn't click in my brain the way it usually does when I have to mess with networking. I've never had to do any routing like this, but it was fun. I'm definitely going to keep learning.

    Thank you for all your help and time. It really is appreciated!!

  • LAYER 8 Global Moderator

    Routing???  There is ZERO routing you would be doing.. If you were adding routes in pfsense you were doing it WRONG!!!

    Pfsense automatically like any router if it has a directly attached knows how to get there..

    As to firewall rules. Your first rule on your vlan should of been any any until you understand what your doing..

    The gateway on a device in a vlan would be pfsense IP address in that vlan - this is auto handed out by the dhcp server.. When you setup a new network in pfsense there would be NO gateway added to pfsense or you just turned it into a wan interface.