Configuring UniFi APs on VLAN with pfSense router, Cisco switch and Allied Teles



  • We are trying to deploy 10 UniFi AP-AC-LRs in our network and need some assistance. Below I will try to give a precise overview of both our setup and our goal. Please ask questions if anything is unclear.

    GOAL:
    We’re trying to set up three SSIDs that will be separate from our physical network and also separated from each other.

    What we’ve tried:
    We’ve set up VLANs on our pfSense router/firewall. (Note: We closely followed the suggestions of this great YouTube instruction: https://www.youtube.com/watch?v=b2w1Ywt081o ). We also tried to set up trunks on our Cisco switch to our other Allied Telesis switches. All Allied Telesis switches have VLANs set up (see photos below for more details about the setup).

    **NOTE:**
    All APs are connected to the Allied Telesis switches. We currently have two in place for testing. They are set up on the 48-port Allied Telesis on ports 26 and 27.

    DETAILED OVERVIEW OF TOPOLOGY:

    SSIDs:
    Organization-Guest (VLAN 310)
    Organization-Student (VLAN 320)
    Organization-Staff (VLAN 330)
    UniFi Controller:
    Our controller for the UniFi APs is set up on an Ubuntu Server VM in Hyper-V

    NETWORK SETUP:

    pfSense (router/firewall)
    ISP to “WAN” –> pfSense --> Internet flows to network via “LAN” port
    |
    Cisco Catalyst 3650 (24-port Switch)
    pfSense LAN –> Port 22 of Cisco 3650 --> Port 24 of Cisco goes out to next switch
    |
    Allied Telesis AT-GS950/48 (48-port switch)
    Port 24 of Cisco –> AT-GS950/48 on port 48 --> Port 47 of AT-GS950/48 goes out to next switch
    |
    Allied Telesis AT-GS950/24 (24-port switch #1)
    Port 47 of AT-GS950/48 –> AT-GS950/24 (#1) on port 24 --> Port 22 of AT-GS950/24 (#1) goes to next switch
    |
    Allied Telesis AT-GS950/24 (24-port switch #2)
    Port 22 of AT-GS950/48 –> AT-GS950/24 (#2) on port 22

    NOTE 1: We’re not experts with VLANs and there are quite a few moving parts in this setup. Any assistance/suggestions regarding configuration would be highly valued.
    NOTE 2: Also, DHCP for these VLANs is being handled by pfSense.

    ![Cisco Port 22.jpg](/public/imported_attachments/1/Cisco Port 22.jpg)
    ![Cisco Port 24.jpg](/public/imported_attachments/1/Cisco Port 24.jpg)
    ![pfSense VLAN setup.jpg](/public/imported_attachments/1/pfSense VLAN setup.jpg)
    ![UniFi Controller Guest SSID Config.jpg](/public/imported_attachments/1/UniFi Controller Guest SSID Config.jpg)
    ![UniFi Controller Network Config.jpg](/public/imported_attachments/1/UniFi Controller Network Config.jpg)
    ![UniFi Controller SSIDs.jpg](/public/imported_attachments/1/UniFi Controller SSIDs.jpg)


  • Galactic Empire

    The controller needs to be on an untagged port

    The APs need to be in a trunk with the native VLAN the same as the controller; the VLANs for the SSIDs 310, 320 & 330 need to be tagged.

    Here is what my Linksys switch looks like, my untagged vlan is 4093.

    GE1 Trunk 4093 Admit All Enabled 2T, 3T, 4T, 5T, 6T, 7T, 4093UP
    GE2 Trunk 4093 Admit All Enabled 2T, 3T, 4T, 7T, 4093UP
    GE3 Access 4093 Admit All Enabled 4093UP
    GE8 Trunk 4093 Admit All Enabled 2T, 3T, 4T, 5T, 6T, 7T, 4093UP

    GE1 >> pfSense
    GE2 >> AP
    GE3 >> Controller
    GE8 >> interlink to other switch

    You need to carry the vlans across all the interlinks if you want them on an edge port.

    I'd be tempted to set up an edge port in vlan 310, 320 & 330 as a normal port and check the vlans are being carried correctly, working your way back to the Cisco to check.

    You could also check the ports are configured correctly by connecting up a laptop to the trunks and filtering on vlan.id that should display ports that are vlan tagged.
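
As an added example (not part of the reply above or the original post), here is a small Python model of the rules in that reply applied to the topology from the question: walk every hop from the pfSense uplink down to the AP port and report where an SSID VLAN stops being tagged or where the native VLAN no longer matches the controller's untagged VLAN, which is the "work your way back to the Cisco" check done on paper before touching a laptop. It assumes VLAN 1 as the controller's untagged VLAN and a hypothetical controller port on the GS950/48; the port numbers are the ones given in the question.

```python
from dataclasses import dataclass, field

SSID_VLANS = {310, 320, 330}   # Guest, Student, Staff VLANs from the question


@dataclass
class Port:
    switch: str
    name: str
    mode: str                        # "trunk" or "access"
    pvid: int                        # untagged / native VLAN on this port
    tagged: set = field(default_factory=set)


def check_path(controller_port, path, ssid_vlans=SSID_VLANS):
    """Return the problems found along an ordered list of ports from the
    pfSense uplink down to the AP port: every hop must be a trunk, its native
    VLAN must equal the controller's untagged VLAN, and every SSID VLAN must
    be tagged (and never native) on every hop."""
    issues = []
    native = controller_port.pvid
    for p in path:
        where = f"{p.switch} {p.name}"
        if p.mode != "trunk":
            issues.append(f"{where}: not a trunk, SSID VLANs are dropped here")
            continue
        if p.pvid != native:
            issues.append(f"{where}: native VLAN {p.pvid} != controller VLAN {native}")
        if p.pvid in ssid_vlans:
            issues.append(f"{where}: SSID VLAN {p.pvid} is untagged and merges with the native VLAN")
        missing = sorted(ssid_vlans - p.tagged)
        if missing:
            issues.append(f"{where}: VLAN(s) {missing} not tagged")
    return issues


def build_example():
    """Constructed model of the question's topology: assumed management VLAN 1,
    a hypothetical controller access port, and VLAN 320 forgotten on one interlink."""
    mgmt = 1
    controller = Port("GS950/48", "port 30", "access", mgmt)   # hypothetical controller port
    path = [
        Port("Cisco 3650", "port 22", "trunk", mgmt, set(SSID_VLANS)),  # from pfSense LAN
        Port("Cisco 3650", "port 24", "trunk", mgmt, set(SSID_VLANS)),  # to GS950/48 port 48
        Port("GS950/48", "port 48", "trunk", mgmt, {310, 330}),         # 320 missing here
        Port("GS950/48", "port 26", "trunk", mgmt, set(SSID_VLANS)),    # AP port
    ]
    return controller, path


if __name__ == "__main__":
    for issue in check_path(*build_example()):
        print(issue)
```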