SG1000 direct to Ubiquiti Unifi VLAN guest network
-
Hello,
I'm setting up an SG1000 and connecting directly (no switch) to a Unifi AC lite.
The main LAN is untagged and I've setup a guest network on the unifi on a VLAN. VLAN ID is 50 on both the SG1000's LAN port and the Unifi's guest SSID.
However, i can't get a DHCP assignment on a lapotp nor can I ping the SG1000 if I manually assign an address to my laptop.
What am I missing?
-
Show us what you have actually done. The switch config both VLANs and Ports, the assigned VLAN pfSense interface, the DHCP server. Everything.
-
Show us what you have actually done. The switch config both VLANs and Ports, the assigned VLAN pfSense interface, the DHCP server. Everything.
Right.
In the SG1000
INTERFACES -> ASSIGNMENTS -> VLANs tab
Add
Parent interface cpsw1 - LAN
VLAN Tag - 50
Priority - 0
Description - GuestNETSAVE
INTERFACES -> INTERFACE ASSIGNMENTS tab
Add VLAN 50 on CPSW1 - LAN (GuestNET)
Renamed OPT1 interface to GUESTNETWORKSAVE
INTERFACES - GUESTNETWORK
Enable Interface - yes
IP4 config - static IPv4
IP4 address assigned - 192.168.50.1/24SAVE
SERVICES -> DHCP SERVER -> GUESTNETWORK tab
Enable DHCP server for GUESTNETWORK - check
Assigned range: 192.168.50.100 - 150SAVE
FIREWALL -> RULES
Added a PASS ANY ANY rule for GuestNET
Plug patch cable between SG100 and Ubiquiti AC Lite flying saucer.
–-------
Opened up the Unifi controller.
SETTINGS -> WIRELESS NETWORKS
Create New Wireless Network
Name/SSID - guest-net
Enable - yes
WPA security stuff set...Expand ADVANCED OPTIONS
VLAN - Use VLAN - check.
(2-4009) - space - 50SAVE
Check the individual AP, go to CONFIG -> WLANS
I see my GUEST-NET
Enabled on this AP - yes
Use VLAN with VLAN ID 50 - yesOn the laptop, I can connect to the untagged STAFF SSID, have full internet access. GUEST-NET however has no internet connection.
I tried to manually assign 192.168.50.11 to my laptop and couldn't ping 192.168.50.1 nor do anything.
-
I added a Cisco SLM2008 between pfsense and the ubiquiti.
On all ports, Acceptable Frame type set to all.
I guess I messed up somewhere.
I'll drag the laptop down to the network closet and see if i can wire in to VLAN 50.
-
"I guess I messed up somewhere."
Which is why when asked to show - you should actually show via screenshot.. Not some text.. Which ends up in couple of different ways
Either they try and copy paste the info from the gui which ends up very difficult to read. Or they type out stuff like what you did - which just means that is the the OP thinks they did, not what they actually might of done, etc..
Pfsense doesn't give 2 shits if you connect the AP or a switch or A PC or whatever - all it cares about is the packet tagged or untagged. If its untagged the lan interface will see it, if tagged and the ID matches one of its vlan interfaces connected to the that physical interface then the vlan will see it.
-
It looks like you have done everything you need to do to put VLAN 50 out the LAN port tagged.
In the Interfaces > Switches, VLANs tab you should see VLAN 50 listed and tagged on 0 and 2 (0t,2t).
You should get DHCP regardless of firewall rules (unless you are specifically blocking DHCP).
To ping you would need to be sure you are passing ICMP into GUESTNET (not just TCP/UDP).
You didn't already enable a captive portal or anything like that, right?
-
I walked away for a break and worked on other things. I came back and set the unifi up on an existing and working setup of pfsense on an APU, cisco sg200 that has a VLAN 1003 (hard coded ID apparently in the Apple units) working with Apple Airport Express boxes using for the guest network.
However, creating an SSID on the Unifi on VLAN 1003 didn't work. No DHCP assignment when I connect to the Unifi's SSID on VLAN 1003 while it works with the Apple airport express on guest with VLAN 1003.
I assume the problem is with the config in the Unifi device now.
Screen shots….. I'm not quite sure where to begin with that.
-
Yeah it sounds like there is something not clicking with the Unifi config.
Yes, Apple airport guest networks are hard-coded (dictated) to be tagged 1003.
-
NAT issue?
As well was firewall rule(s), you'll need NAT for your VLAN 50
Incidentally, running a DHCP server on the Unifi box for VLAN 50 doesn't work very well - make sure you're running DHCP server for the VLAN on the pfSense box
