pfSense, HP J9450, Ubiquiti APs



    Hi All,

    I've been playing around with my pfSense box for a while now, and I have my SOHO LAN set up and working as I would like.
    I have recently put a 4 port Intel NIC in, and have received my HP procurve switch.
    I don't have the Ubiquiti APs yet, but I am getting things working one step at a time as all this is pretty new to me.
    I have attached schematics of what I have, and what I want to achieve.
    My setup:
    Wan on em0.
    My LAN is on the em1 interface (10.10.10.0/24). I would like to keep this as a kind of failover to prevent complaints if I mess up the VLANs whilst tinkering; I can just revert to my current setup.
    3 VLANs on em2:
    VLAN20 - (10.10.20.0/24) DMZ, to behave just like my LAN and connect to everything on it without filtering. I think I have this set up correctly, as I can ping 10.10.20.1 from my LAN interface within pfSense.
    VLAN30 - (10.10.30.0/24) Kids network. OpenDNS web filtering, and restricted access to VLAN20 / LAN devices.
    VLAN40 - (10.10.40.0/24) Guest / IoT network. NO access to any other VLANs or LAN, unrestricted internet access. I'm pretty certain my firewall rules are all set for this.
    [Attachment: Current NW setup.png]

    My problem:
    My ProCurve has the 3 VLANs set up, plus its default (non-deletable) management VLAN1. The ProCurve IP is set to DHCP, and I have static ARP entries on both LAN and VLAN20 for it (10.10.10.5 and 10.10.20.5 respectively).
    I currently have management access with it plugged into my dumb switch, on a port set to Untagged VLAN1, all others excluded.
    However, when I change the switch management VLAN to 20 and plug em2 into a port with Untagged (or Tagged) VLAN20 access on the switch, I can no longer access the management interface on the switch from my LAN (where my APs currently reside), nor can I ping 10.10.20.5 from the pfSense GUI, either from the LAN network or the VLAN20 network.
    Am I correct in thinking I cannot tag VLANs in pfSense, so I need to set the switch port to Tagged on 20, 30, 40 and Excluded on VLAN1 (as I don't want to set this up on pfSense)?

    Hopefully this makes sense, I find it hard to explain what I'm trying to achieve!

    Thanks in advance,
    Tom.
    [Attachment: New NW setup.png]

