Netgate SG-3100 LAN Address Changes To A VLAN Address



  • My brand new just got yesterday Netgate SG-3100 is doing something strange, UniFi controller 5.10.20 keeps changing my Netgate SG-3100 static IP address (192.168.50.1) to one of my VLAN addresses (172.16.50.1) though being connected to port 1 with profile set to ALL not a VLAN. The only way for me to change the firewall's address back to 192.168.50.1 is to use the IOS UniFi controller app, I can't change it in the UniFi windows. Is this a UniFi controller fault and/or something with the Netgate SG-3100 LAN? My setup is this, Xfinity internet using my own Netgear CM500 cable modem - Netgate SG-3100 - UniFi Switch 8 60W PoE - UniFi Switch 8 - UniFi-CloudKey. My LAN port from Netgate SG-3100 connects to port 1 on the switch and is set to all. Something is going on, help. pic.jpg This2.jpg


  • Rebel Alliance Netgate Administrator

    Unifi cannot change the IP of the SG-3100. This would be a display issue on the unifi controller, most likely there is a configuration issue in unifi that is causing this issue.


  • Netgate Administrator

    Mmm, those are different VLANs it shows it connected on right?
    That looks like you might have something connected incorrectly to both maybe.

    Steve



  • @chrismacmahon That is what I suspected, and for an update, I'm new to this whole enterprise firewall networking thing. When I got the Netgate SG-3100, I also got two other different firewalls from other companies. I tested the UniFi USG yesterday, I took my whole network down to do the test. And guess what, that strange issue with network changing IP switching in the UniFi controller went away with the complete UniFi setup-(UniFi USG - UniFi Switch 8 60W - UniFi Switch 8 - UniFi SHD). The issue seems to be only with other different firewall brands (Protectli and Netgate SG-3100 in my case) at the front end in my case, that I get the strange UniFi controller IP and network switching issues. I've already returned the Protectli, and now I have to make a decision on keeping the much more preferred and powerful and configurable Netgate SG-3100 or just settling with the less powerful and hard to configure firewall settings and limited IDS/IPS. I like the USG and the UniFi setup but with the USG at the head it's not ready for prime time so to speak, low and slow memory and storage on both USG/USG Pro makes me want to keep the Netgate SG-3100 and hope there's just a configuration I'm just missing or messing up. Help still needed.;) I want to keep the Netgate at the head of my network.;)



  • @stephenw10 Those pics are from two separate times that I noticed the issue, the switching can happen after laptop shut down or just closing the UniFi controller and opening it up again only to see it has switched to a different VLAN IP address.


  • Netgate Administrator

    Hmm, as Chris said above the actual IP addresses on the SG-3100 interfaces do not change. It seems that Unifi is changing the way it either detects it or how it displays it. As though Unifi, perhaps via the switch, can access both interfaces in the SG-3100.

    Steve



  • @stephenw10 Ok so is my particular case something that's unique or a known issue for the UniFi controller? My Tinfoil Hat does like it when I open up UniFi and notice that it's showing my pfsense IP address and network as being in a VLAN.;)



  • @stephenw10 Seeing a 192.168.50 IP address that I know is such, showing up in UniFi as a VLAN 172.16.50 IP address isn't comforting, it makes me want to unplug everything because I'm thinking of hacking or something else bad. Lol.


  • Netgate Administrator

    I'm not sure what those columns show in Unifi or how it determines what the IPs are but I would assume it's from the ARP table somewhere. I think there's a good chance it really is seeing that traffic on the other VLAN which means something is not configured correctly if that's not what you intended.

    Steve



  • @stephenw10 I don't know what ARP table is or where to find them, ;) but, I have successfully built a complete UniFi network following the instruction of Tom Lawrence and Cross Talk on YouTube, and I have a perfectly running system VLAN's and all, though slow response and laggy. So, with pfsense as the head of my network, following the same two Youtubers direction, I get this strange UniFi controller dashboard anomaly. So, what is the configuration error I have or am making though I'm following good instruction off YouTube and Netgate's own hangouts?


  • Netgate Administrator

    Does the 3100 have interfaces in both those subnets? Are those IPs shown actually both on the firewall?

    If so it could just be a display anomaly. Whichever IP is detected first is shown there.

    Steve



  • @stephenw10 "Does the 3100 have interfaces in both those subnets?" Yes, 192.168. is my static LAN, 172.16. is my VLAN.
    "Are those IPs shown actually both on the firewall?" Again Yes,
    "If so it could just be a display anomaly." So, this anomaly is within the UniFi controller then, and nothing to do with the 3100, correct?
    So, UniFi isn't so Unifying with other firewalls at the head, correct or fair to say?


  • Netgate Administrator

    If the Unifi controller also has direct access to both those subnets then it would not surprise me to see the 3100 in that list twice. It will have an ARP record for both interfaces.
    Since I don't have a Unifi switch I can only guess at what that should be showing though.

    Steve



  • @stephenw10 I think you're mistaking the pics I have as being one and the same, they're not. The pics are of two separate times, your forum put them together like it's one picture. I uploaded two separate pics from two separate events of seeing the anomaly.



  • @stephenw10 I'm desperately trying to get a clear straight answer from Netgate here. Is the anomaly a UniFi controller issue alone, or is it a Netgate pfsense SG-3100 issue?


  • Banned

    @hpspar05 said in Netgate SG-3100 LAN Address Changes To A VLAN Address:

    @stephenw10 I'm desperately trying to get a clear straight answer from Netgate here. Is the anomaly a UniFi controller issue alone, or is it a Netgate pfsense SG-3100 issue?

    @chrismacmahon said in Netgate SG-3100 LAN Address Changes To A VLAN Address:

    Unifi cannot change the IP of the SG-3100. This would be a display issue on the unifi controller, most likely there is a configuration issue in unifi that is causing this issue.

    Isn't that clear enough for you?



  • @Grimson I don't know who you are dude but you're getting ready to help me return the SG-3100 to Netgate. I'm used to yes and no for simple questions. I'm slow to this stuff but learning, so remarks like yours aren't helpful to or for me. You have a nice day. Thanks.


  • Netgate Administrator

    It's not an issue with the SG-3100.

    It's either just how Unifi displays that or you actually have a layer 2 issue on your network so that both interfaces are visible to the controller and should not be.

    I realise that is two photos. What I'm saying is that if you came back to me and said that now it's showing up twice that would not really surprise me. It exists on both subnets connected to both VLANs and it looks like two different switches so both those switch ports would see it connected.

    Steve



  • @stephenw10 OK thanks for the clarity, now what’s layer 2? Where should I look for this?


  • Netgate Administrator

    That would be two network segments that should be separated connected together. So perhaps a switch port that is untagging a VLAN but shouldn't be. You might see traffic leaking in one direction only and hence see IPs from one VLAN appearing where they should not.

    https://en.wikipedia.org/wiki/OSI_model#Layer_2:_Data_Link_Layer

    Steve



  • @stephenw10 192.168. isn’t a VLAN only the 172.16. is. The specific instructions I followed is the Tom Lawrence YouTube titled: UniFi & pfsense Deployment, Setup and Planning with WIFI, VLAN & Guest Network. Do you think using the UniFi CloudKey controller instead of the Windows installed UniFi controller might be at issue, whereas 3100 is head versus the USG?



  • @stephenw10 Ok that’s clear for me;)


  • Netgate Administrator

    I think it's more likely to be just how Unifi displays that data.

    The Unifi controller pulls data from the switches and they obviously see data on all the attached segments. I don't know how it decides what to display there or why it changes. It could just be whatever it 'sees' first. It would also seem completely reasonable to me if it showed both interfaces since the switches can see both.

    However if it was a config issue that's exactly where I might expect it. Something in the network incorrectly stripping the VLAN tags off leaving traffic that should be in a VLAN in the untagged segment. I actually have a crappy switch that does exactly that with broadcast packets. I stopped using that for VLANs! 😉

    Steve
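
The kind of leak described in the post above (frames that belong to a VLAN showing up untagged, or under the wrong tag) can be checked for in a packet capture. The following is an added example, not part of the thread: the capture lines are constructed in the style of `tcpdump -e -n` output, and the tag-to-subnet mapping is an assumption based on the addresses quoted in the posts.

```python
import ipaddress
import re

# Assumed layout, from addresses mentioned in the thread:
# untagged LAN 192.168.50.0/24, VLAN tags 50/60/70/80 on 172.16.<tag>.0/24.
EXPECTED = {"untagged": ipaddress.ip_network("192.168.50.0/24")}
EXPECTED.update({t: ipaddress.ip_network(f"172.16.{t}.0/24") for t in (50, 60, 70, 80)})

# Constructed sample capture lines (hypothetical MACs and hosts).
SAMPLE = """\
09:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.20, length 46
09:00:02.000001 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 50, p 0, ethertype ARP (0x0806), Request who-has 172.16.50.10 tell 172.16.50.23, length 46
09:00:03.000001 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.50.10 tell 172.16.50.23, length 46
09:00:04.000001 aa:bb:cc:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 60, p 0, ethertype ARP (0x0806), Request who-has 172.16.80.10 tell 172.16.80.31, length 46
"""


def find_leaks(text):
    """Return (mac, sender_ip, seen_on, belongs_to) for ARP senders seen on the wrong segment."""
    leaks = []
    for line in text.splitlines():
        tell = re.search(r"tell (\d+\.\d+\.\d+\.\d+)", line)
        if not tell:
            continue  # not an ARP request line
        tag = re.search(r"vlan (\d+),", line)
        seen_on = int(tag.group(1)) if tag else "untagged"
        ip = ipaddress.ip_address(tell.group(1))
        mac = line.split()[1]  # source MAC is the second field
        expected = EXPECTED.get(seen_on)
        if expected is None or ip not in expected:
            # Work out which segment the sender address should live in.
            home = next((seg for seg, net in EXPECTED.items() if ip in net), "unknown")
            leaks.append((mac, str(ip), seen_on, home))
    return leaks


if __name__ == "__main__":
    for mac, ip, seen_on, home in find_leaks(SAMPLE):
        print(f"{mac} ({ip}) seen on {seen_on}, belongs on {home}")
```

An empty result on a real capture points toward the display explanation rather than a tagging problem on a switch port.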



  • @stephenw10 I hear and understand you better now. Well I’m going to take out the USG and put back the 3100 as the head. I’m going to tear down the whole network again and start from scratch. I’m also going to throw this anomaly display issue to UniFi customer service, maybe they got two cents on this issue. Thanks Stephen for your time and patience with a real noob, did I spell that right? ;) Lol.



  • @chrismacmahon I got an update from UniFi just now, I know I'm slow to understanding this stuff but it seems that they are saying that there's a configuration issue/errors with the UniFi controller when using other firewalls with their stuff. But I see many people/companies using the same combination of netgate and uniFi, so what's going on with my situation/configuration? UniFi is seemingly saying use their products and you won't have the problem you're having.

    Nikita B (Ubiquiti Networks Help Center)
    Apr 10, 12:55 PDT
    Hi,

    Unifi Switch and the UAP's are Layer 2 devices. They cannot be used for assigning the ip address to the clients. It needs to have a DHCP server/router for transferring the IP.

    The cloud key controller will only host the controller and is not capable of assigning DHCP IP.

    You can only assign static IP to client devices if you have USG connected in your network.
    More info on USG : https://www.ubnt.com/unifi-switching-routing/usg/

    Thanks!
    Nikita B
    Ubiquiti Networks


  • Netgate Administrator

    That makes no sense at all, they are not addressing the issue you are seeing there.
    What question did you send to them to generate that response?

    Steve



  • @stephenw10 They asked me for this stuff from the switch first, then after a few days I got that reply I sent earlier.

    Stanley S (Ubiquiti Networks Help Center)
    Apr 7, 02:18 PDT
    Hi Levidholman,

    Please share the system config file and support file.

    You can get them from below path,

    Settings >> Maintenance >> Download support info

    Settings >> Maintenance >> Show system config, take the screenshot of it and share it here.

    Thanks!
    Stanley S
    Ubiquiti Networks



  • @stephenw10 And these,

    Nikita B (Ubiquiti Networks Help Center)
    Apr 10, 13:14 PDT
    Hi,

    The uniFi Devices that you have are not capable of assigning the IP address (USW 8 60W and UAP SHD).
    You'll need to check Netgate firewall if that provides DHCP IP to the end users.

    Thanks!
    Nikita B
    Ubiquiti Networks

    Levidholman
    Apr 10, 13:08 PDT
    I'm not an advanced user, I’m a complete novice, I don’t know what you are trying to tell me the problem is or what I need to do to fix the issue I’m having. Can you lay out for me what I need to do or change in my network that’s causing the problem? My network is this Netgate SG-3100 pfsense firewall – UniFi switch 8 60W - UniFi switch 8 – UniFi SHD AP, I take it that the issue is within the configuration in the UniFi controller and Netgate firewall? What do I need to do? Thanks


  • Rebel Alliance Netgate Administrator

    What device is assigning the 172.16.80.10 address?



  • @chrismacmahon The 3100, I setup all four of the VLAN addresses in the 3100 first then I went to UniFi controller and put the VLAN tags there like Tom Lawrence did in his YouTube tutorial.


  • Rebel Alliance Netgate Administrator

    Is 172.16.80.10 a static address or part of a DHCP pool?



  • @chrismacmahon A static address.


  • Rebel Alliance Netgate Administrator

    pfSense is setup the way you have asked for it to happen.

    The display in Unifi is most likely correct for how you have it setup as well.

    We don't know enough about unifi to provide you additional troubleshooting steps.

    The display in the Unifi Software might just be a display issue; that should have 0 impact on the SG-3100 functions.

    There is not much more we can do from our end here.



  • @chrismacmahon it’s the start of the DHCP VLAN pool, sorry.


  • Rebel Alliance Netgate Administrator

    Then you have a wire configured wrong in your network.

    If you go diagnostics - interfaces what interface has the IP of 172.16.80.10?



  • @chrismacmahon it’s early lol, that address 172.16.80.10/24 is the static address I came up with.



  • @chrismacmahon I made 4 VLAN addresses in the 3100, 172.16.50.10; 172.16.60.10; 172.16.70.10; and 172.16.80.10 all are /24. The VLAN tags are 50; 60; 70; and 80. Those tags are what I put into UniFi to point back to.


  • Rebel Alliance Netgate Administrator

    @chrismacmahon said in Netgate SG-3100 LAN Address Changes To A VLAN Address:

    pfSense is setup the way you have asked for it to happen.
    The display in Unifi is most likely correct for how you have it setup as well.
    We don't know enough about unifi to provide you additional troubleshooting steps.
    The display in the Unifi Software might just be a display issue; that should have 0 impact on the SG-3100 functions.
    There is not much more we can do from our end here.



  • @chrismacmahon sorry, I get your point now, y’all are done, thanks for your help anyway.



  • @chrismacmahon I know you are done with my issue, just some screenshots of my pfsense and UniFi

