Netgate Discussion Forum
    XG-7100, Ubiquiti Unifi AP and VLAN configuration

Official Netgate® Hardware
    14 Posts 3 Posters 1.9k Views
t-pfsense:

      Hello

      Recently purchased a XG-7100 to go with Ubiquiti Unifi AP and Ubiquiti POE switch, however, this is my first foray in to VLAN configuration and I don't seem able to route traffic based on VLANs from the AP to the XG-7100. Without VLANs, no problems.

      Rather than worry about what I already have as I am prepared to scratch the installation on each, how would I go about configuring these items to provide:

      • Wired LAN (VLAN 100), DMZ (VLAN 200)
      • Two wifi, INTERNAL (WPA Enterprise with RADIUS) to LAN and GUEST (WPA Personal) to DMZ

      Longer term my intention is to provide external VPN access direct to LAN.

      At one point, I did consider switching the VLAN on the Unifi AP to 4091 (default for LAN on XG-7100) but Unifi AP range for VLAN is 2-4009, so couldn't do that.

Appreciate any and all help.

      Regards

ccnet:

I recently deployed a wifi network based on Ubiquiti APs and Ubiquiti switches. We have four 24-port switches, 30 APs and 3 networks (2 SSIDs and the third network for managing devices). Have you set up your networks with VLANs in the Ubiquiti configuration? You need a WLAN and the LAN networks associated for the wifi networks. For the administration network you only need a LAN in the Ubiquiti configuration.

You can (you must) use another VLAN if you create one on your XG7100.

t-pfsense:

On the Ubiquiti AP (AP from now on) I have added a new wireless network called 'M' on VLAN 200. I have created a network on the AP called 'DMZ', also on VLAN 200.

          On the XG-7100, I have a VLAN 200 called 'DMZ' and the DHCP server is enabled.

          Whilst I can see 'M' and can connect to it, at least the AP is showing a connection in the event log, I am not getting an IP address and can see no evidence in the logs that I have attempted a connection. Eventually it times out.

          If I connect on another wireless network which does not have VLAN configured, all appears to work fine.

Derelict (LAYER 8, Netgate):

            Screen Captures:

            Interfaces > Assignments

            Interfaces > Switches, Ports

            Interfaces > Switches, VLANs

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

t-pfsense:

              AP connected (via POE switch) to port 3.

[Attached screenshots: Interfaces_InterfaceAssignments.png, Interfaces_Switch_Ports.png, Interfaces_Switch_VLANs.png]

Derelict (LAYER 8, Netgate):

You need VLANs 100 and 200 both tagged on uplink ports 9 and 10 (Interfaces > Switches, VLANs). pfSense will not see the traffic unless you send it up the uplink ports.

                You have to decide how you want to talk to the APs. I hear that they have managed to finally add a management VLAN to the code so that is now an option.

                Traditionally you would manage the APs on an untagged VLAN and use tagged VLANs for wireless networks. Nothing stopping you from putting a wireless network on the untagged VLAN either.

                You have to decide what is tagged and what is untagged and where and make the switching layer (including the switch in the 7100) do that.

                On my inter-switch link I would tag all traffic but I am a little "funny" that way.


t-pfsense:

                  Thank you for that. I now have 9t and 10t on VLAN 100/200.

                  It is now possible that I am further confusing myself/the problem ;)

                  If I plug the AP in to port 8 (VLAN 200) and connect to 'M' (also VLAN 200), I connect and get an IP address. If I connect using a wireless network sans VLAN, they also connect to VLAN 200 and I get an IP address. However, another wireless network with VLAN doesn't connect/challenge for credentials. I have tried this tagged and untagged, same result.

                  If I plug the AP in to port 2 (tagged on default VLAN 4091), the wireless networks disappear. Odd!

                  Back in any of the untagged VLAN default 4091 ports (3 thru 6) and I can connect but only with wireless networks without VLAN.

                  There is likely something obvious that I am missing, just can't quite see it at the moment.

Derelict (LAYER 8, Netgate):

                    Port 8 is shown there as both tagged and a PVID on VLAN 200. Honestly, I don't know what the switch would do with that but your description would be a distinct possibility (both tagged and untagged input traffic being on VLAN 200) and tagged 200 on the uplinks.

                    Allow me to state again:

                    You have to decide how you want to talk to the APs. I hear that they have finally added a management VLAN to the code so tagging that on the AP ports is now an option. I have not seen that personally yet.

                    Traditionally you would manage the APs on an untagged VLAN and use tagged VLANs for wireless networks. Nothing stopping you from putting a wireless network on that untagged VLAN either (Don't set a VLAN in the wireless network configuration).

Traditionally you would set the "management" VLAN to be both untagged and the PVID on ETH8, tagged on 9 and 10. Then you would set the SSID VLANs as tagged on ports 8, 9, and 10.

                    They would correspond to pfSense interfaces VLAN 100 on lagg0 and VLAN 200 on lagg0 for assignment, firewall rules, DHCP servers, etc.


t-pfsense:

Don't get me wrong, I am very grateful for your help, but like I said at the beginning, this is my first foray into the world of VLANs and I am still learning the language and know I have a way to go before I understand it.

                      I guess what I was trying to get was an example configuration that I could replicate. I have seen a number around and am still reading through those to better understand them and the terms used.

Being honest, I am not fully understanding your penultimate statement. First you mentioned '"management" VLAN to be both untagged and the PVID on ETH8, tagged on 9 and 10' and then 'SSID VLANs as tagged on ports 8, 9, and 10', which appears to read as port 8 being both untagged and tagged at the same time. Like I say, for now, I am trying to learn the language but at the same time establish a working setup.

                      Not wanting to repeat myself, but I want it to be clear, I am very grateful for your responses and help both you and the others have given thus far.

Derelict (LAYER 8, Netgate):

                        Well, you cannot expect a complete course in the ISO model and network design on a forum.

                        People tend to think that they should be entitled to a complete education in the subject matter at-hand just because they purchased a product capable of such things.

                        That is not true.

                        If you do not know, you should hire someone who does. Just like you would if you bought a car and needed to change the transmission.


t-pfsense:

                          Hmm, OK. Not sure I have expressed any level of entitlement. But if that is what you think, that is your prerogative.

                          Yes, I have purchased a Netgate product. No, I do not expect free courses on firewall configuration as a consequence of that purchase. I am not an expert nor do I do this for a living. Yes, I have configured firewalls for my needs over a number of years, both hardware and software ones. No I haven't used VLANs, so that is now on my list of things to know more about.

                          Thank you for your observation on the uplink ports, that helped. But it appears that being a hobbyist and wanting to learn is not sufficient.

                          I should add that in my youth, I worked on many cars (as a hobbyist with my Dad) and replaced many a part, including a gearbox on one occasion.

Derelict (LAYER 8, Netgate):

                            I told you exactly what you need to do here:

Traditionally you would set the "management" VLAN to be both untagged and the PVID on ETH8, tagged on 9 and 10. Then you would set the SSID VLANs as tagged on ports 8, 9, and 10.

                            They would correspond to pfSense interfaces VLAN 100 on lagg0 and VLAN 200 on lagg0 for assignment, firewall rules, DHCP servers, etc.


t-pfsense:
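To make the tagged/untagged/PVID layout Derelict describes concrete (and to show why the "port 8 both tagged and PVID on VLAN 200" state collapsed everything onto the DMZ), here is an added toy model of 802.1Q port membership; it is example code, not the XG-7100 switch firmware. Ports 8, 9, 10, VLANs 100/200/4091 and lagg0 follow the thread; the PVID on the uplinks is an assumption.

```python
# Added example (not from the thread): a toy model of the 802.1Q port
# membership Derelict describes for the XG-7100 switch. Ports 8, 9, 10,
# VLAN 100/200/4091 and lagg0 follow the thread; uplink PVID is assumed.
from dataclasses import dataclass, field

MGMT_VLAN, DMZ_VLAN, DEFAULT_LAN = 100, 200, 4091
UPLINKS = (9, 10)                        # ports forming lagg0 towards pfSense

@dataclass
class Port:
    pvid: int                            # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs leaving without a tag
    tagged: set = field(default_factory=set)     # VLANs leaving with an 802.1Q tag

    def member(self, vlan):
        return vlan in self.untagged or vlan in self.tagged

def recommended_layout():
    """Thread's advice: mgmt VLAN untagged + PVID on AP port 8, SSID VLAN
    tagged on 8, both VLANs tagged on uplinks 9 and 10."""
    ports = {8: Port(pvid=MGMT_VLAN, untagged={MGMT_VLAN}, tagged={DMZ_VLAN})}
    for p in UPLINKS:
        ports[p] = Port(pvid=DEFAULT_LAN, tagged={MGMT_VLAN, DMZ_VLAN, DEFAULT_LAN})
    return ports

def broken_layout():
    """Screenshot state: port 8 both tagged and PVID on VLAN 200, nothing untagged."""
    ports = recommended_layout()
    ports[8] = Port(pvid=DMZ_VLAN, tagged={DMZ_VLAN})
    return ports

def ingress_vlan(port, tag):
    """Tagged frames keep their VID if the port carries it (else dropped); untagged -> PVID."""
    if tag is None:
        return port.pvid
    return tag if port.member(tag) else None

def forward(ports, in_port, tag, out_port):
    """How a frame entering in_port leaves out_port: 'tagged', 'untagged' or None."""
    vlan = ingress_vlan(ports[in_port], tag)
    if vlan is None or not ports[out_port].member(vlan):
        return None
    return "tagged" if vlan in ports[out_port].tagged else "untagged"

def reaches_pfsense(ports, in_port, tag):
    """pfSense only sees frames leaving an uplink tagged with an assigned VLAN (100/200 on lagg0)."""
    vlan = ingress_vlan(ports[in_port], tag)
    return vlan in (MGMT_VLAN, DMZ_VLAN) and any(
        forward(ports, in_port, tag, up) == "tagged" for up in UPLINKS)
```

In the recommended layout an untagged frame from the AP lands on VLAN 100 and a frame tagged 200 stays on VLAN 200, and both leave the uplinks tagged; in the broken layout every untagged frame, including the AP's own management traffic, ends up on VLAN 200.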

                              Yes you did :)

                              Over the weekend, I had a little more time to digest what you said and have now managed to get what I was after, so thank you for your help.

                              The only problem now is with getting RADIUS assigned VLANs on the AP. I found comments about enabling "Tunneled Reply" in EAP, which I have done and the response appears correct, but no joy so far. Job for another time.

Derelict (LAYER 8, Netgate):

                                Using dynamic VLANs will require all of those VLANs to be tagged and configured to pfSense.

                                But if that is the case it is likely just a matter of getting the correct RADIUS Reply Attributes from the RADIUS server to the AP and/or Controller software. (not sure what is actually talking to the RADIUS server on the UBNT gear)


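For the dynamic VLAN step, the "correct RADIUS Reply Attributes" are the standard tunnel attributes from RFC 2868 / RFC 3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vid>). The following added example, not code from the thread or from Ubiquiti, decodes those attributes from an Access-Accept payload and checks that the returned VLAN is one the switch actually trunks to pfSense; the packet bytes are constructed for the example.

```python
# Added example (not from the thread): decode the tunnel attributes a RADIUS
# Access-Accept needs for dynamic VLAN assignment and check the VLAN is trunked.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                   # required Tunnel-Type / Tunnel-Medium-Type values
TRUNKED_VLANS = {100, 200}               # tagged on ports 8, 9, 10 and assigned on lagg0

def parse_attributes(payload):
    """Walk RADIUS attribute TLVs (type, length, value); reject truncated ones."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def split_tag(atype, value):
    """Tunnel attributes carry a leading tag byte; for the Group-ID string a
    first byte above 0x1F is data, not a tag (RFC 2868 section 3.6)."""
    if atype == TUNNEL_PRIVATE_GROUP_ID:
        return (value[0], value[1:].decode()) if value and value[0] <= 0x1F else (0, value.decode())
    if len(value) != 4:
        raise ValueError("bad tunnel integer attribute")
    return value[0], int.from_bytes(value[1:4], "big")

def assigned_vlan(payload):
    """VLAN ID from the first tag group that is Type=VLAN, Medium=IEEE-802, or None."""
    groups = {}
    for atype, value in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, v = split_tag(atype, value)
            groups.setdefault(tag, {})[atype] = v
    for g in groups.values():
        gid = g.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if g.get(TUNNEL_TYPE) == VLAN and g.get(TUNNEL_MEDIUM_TYPE) == IEEE_802 and gid.isdigit():
            return int(gid)
    return None

def vlan_usable(vlan):
    """The AP can only place a client on a VLAN the switch carries tagged to pfSense."""
    return vlan in TRUNKED_VLANS

def build_reply(vlan, tag=1):
    """Constructed Access-Accept attribute bytes for exercising the parser."""
    gid = str(vlan).encode()
    return (bytes([TUNNEL_TYPE, 6, tag]) + VLAN.to_bytes(3, "big")
            + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + IEEE_802.to_bytes(3, "big")
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag]) + gid)
```

A reply that names a VLAN outside TRUNKED_VLANS decodes fine but is unusable, which is the "all of those VLANs tagged and configured to pfSense" point above.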
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.