pfsense with Unbiquiti 8-port Switch and VLANs



  • Hello!

    I am looking for some help configuring pfsense with VLANs and a Ubiquiti switch. I've been reading online for days for tutorials how to configure everything, but i'm still having issues.

    What i want to do is connect pfsense to my ubiquiti switch on port 1, and then on ports 3 and 4, have it tag the traffic as vlan50, and then keep that traffic separate from my network and only have it access the internet. Right now i'm having trouble having the 2 devices on port 3 and 4 to even get IP addresses and have network access

    I currently have the following configured:
    i have vlan 50 created on parent interface igb0

    assignments:
    WAN on igb3
    LAN on igb0
    Work on VLAN50 on igb0

    LAN network: 10.100.1.0/24
    VLAN50: 10.100.50.0.24

    added a firewall rule
    0_1536851014817_8cf9a111-7bb6-4c4a-944e-8c6cce3fda29-image.png

    NAT:
    0_1536851035879_0ba8e8c5-b95f-4e0c-a7e2-2051760390d7-image.png

    I enabled the DHCP Server and restarted the service:
    0_1536851136930_6d687993-beb5-4da3-944a-a22f29fdbbd4-image.png

    On my switch, i added a VLAN only network named work with vlan 50
    0_1536851421001_35c8493e-25a8-4fd5-80b6-7341d5d10366-image.png

    And then created 2 profiles with the following:

    Trunk with LAN untagged, and Work (50) as Tagged :
    0_1536851546499_8e4e6097-429c-4d4e-bef5-bb08070b5296-image.png

    and then Work (vlan50) with work(50) as untagged
    0_1536851844854_e9b9e1ac-1b4e-4027-9765-81a80725a1b5-image.png

    Once i configure port 1 as trunk, and then port 3 and 4 as Work (vlan50), the devices on those 2 ports never get an IP address.

    Am i missing a configuration piece somewhere? or did i screw up the configuration? I appreciate your help. Thank you!


  • LAYER 8 Global Moderator

    Why do you have select all for tagged on your trunk? Your lan network on pfsense is not tagged.. So on the trunk connection to your switch lan would not be tagged only vlan 50.

    Also did you change your outbound nat to manual.. With automatic or hybrid once you created a vlan it would auto be added to your outbound nat rules.



  • once i select vlan50 on the trunk, it automatically checks the select All box. I tried unchecking select all, but then it deselects vlan50.

    my outbound NAT is set to manual because i configured an openVPN server in the past, but i duplicated the rule that was set for LAN.



  • @bcman1984 Have you posted in the ubiquity forums?
    Also, I have used nguvu.org as a setup guide for vlans and pfsense. Helped me out significantly setting up wlan's on vlan's.
    Following as I do see a new switch in my future.


  • LAYER 8 Global Moderator

    Not sure what running an openvpn server has to do with manual.. You mean you ran an openvpn client on pfsense? And you used manual vs the much easier hybrid? Not sure what that has to do with this setup?

    I would suggest you get with unifi for configuration issues with their switches. Pfsense is drop dead easy. A native network on a physical interface is no tagged, its a native network. You create a vlan its tagged with your ID you pick.

    Connecting that to a switch the port connected to this physical interface the port would be native untagged with whatever vlan that is 1, or whatever you setup the switch vlan to be for that port untagged. The pvid would be set to this vlan.. Any untagged inbound traffic the switch sees to that port would be untagged on that vlan in the switch. And you would setup tagged for all vlans entering and leaving that port as their tags.

    Other ports on the switch you want on a specific vlan for a device would all be untagged in the vlan you want.



  • @mtarbox Thank you for the link, i'll go check it out!



  • @johnpoz said in pfsense with Unbiquiti 8-port Switch and VLANs:

    Not sure what running an openvpn server has to do with manual.. You mean you ran an openvpn client on pfsense? And you used manual vs the much easier hybrid? Not sure what that has to do with this setup?

    I would suggest you get with unifi for configuration issues with their switches. Pfsense is drop dead easy. A native network on a physical interface is no tagged, its a native network. You create a vlan its tagged with your ID you pick.

    Connecting that to a switch the port connected to this physical interface the port would be native untagged with whatever vlan that is 1, or whatever you setup the switch vlan to be for that port untagged. The pvid would be set to this vlan.. Any untagged inbound traffic the switch sees to that port would be untagged on that vlan in the switch. And you would setup tagged for all vlans entering and leaving that port as their tags.

    Other ports on the switch you want on a specific vlan for a device would all be untagged in the vlan you want.

    You are correct, it was an openvpn client on pfsense not a server, my bad. It was set up that way based on a tutorial i used. Am i still OK to switch it back to hybrid? If so, should i switch it to hybrid and recreate the vlan on pfsense?

    for my trunk, i was leaving the native LAN as untagged, and then tagging vlan50, and then on port 3/4 i was setting vlan50 as untagged so that it would get tagged when leaving the port.

    I'll submit a post on unifi's forums to see what i could be doing wrong with the switch config.

    Thanks!


  • LAYER 8 Global Moderator

    Are you still using vpn client on psfense? If so then just use hybrid so you can policy route/nat traffic out your vpn interface you created.

    There is almost never a reason to use manual... There are alot of CRAP guides out there that is for sure!!

    Your setup seems correct as worded.. While I don't use the unifi switches, I do use their AP and read their forums.. And to be honest there seem to be many a post with vlan setup on their switches being lets call it flakey.. What firmware are you running on them? What controller version are you using?



  • currently no, i didn't get very good speeds with it. haven't had much time to dig into it. I will set it back to hybrid, thank you for the tip

    I see a lot of guides out there for unifi and their AP's, which i do have one, just haven't set it up yet, i thought i would get the simpler single vlan set up and working on 2 ports before i went with the multiple vlans on an AP, lol.

    From what i read with the ports is that if the device does not have the ability to tag the traffic itself, then you need to set the port as untagged to the vlan you want it to be so that it tags it. with the AP's, they have the ability to tag the traffic, so you can just tag it on the port.

    for the firmware:
    controller: 5.8.28
    switch: 3.9.42.9152


  • LAYER 8 Global Moderator

    Yes on an AP your vlans would be tagged for your different SSIDS that are on different vlans.

    Your management IP of the AP would be on the native vlan, or untagged network. They have suppose to have added the ability for the AP IP and management to be on a vlan but have not had time to play with that, and currently no need in my network since I just run my controller on native untagged vlan.

    I would sniff on your pfsense vlan interface - do you see dhcp discover from yoru clients? Do you see anything in your dhcp logs for the clients dhcp discover?



  • i don't see anything on the pfsense dhcp server logs. restarted the dhcp service just to make sure, and i see the following:
    Sep 13 13:00:01 dhcpd Listening on BPF/igb0.50/90:e2:ba:36:e5:84/10.100.50.0/24
    Sep 13 13:00:01 dhcpd Sending on BPF/igb0.50/90:e2:ba:36:e5:84/10.100.50.0/24
    Sep 13 13:00:01 dhcpd Listening on BPF/igb0/90:e2:ba:36:e5:84/10.100.1.0/24
    Sep 13 13:00:01 dhcpd Sending on BPF/igb0/90:e2:ba:36:e5:84/10.100.1.0/24

    i'll have to get wireshark and see what i can find


  • LAYER 8 Global Moderator

    Well if your not seeing anything - then its impossible to hand out an IP... So looks like your switch setup is not right..



  • i wanted to close the loop on this. I ended up starting over and reset the switch and rebuilt the vlans on pfsense. It is working as expected now, so i must have messed something up previously. Thank you all for you help!


Log in to reply