Different pfSense interfaces for Wifi subnets (Unifi AP AC Lite)
I have a Unifi AC Lite access point connected to my pfsense box via interface "LAN" and static IP 192.168.0.100. My goal is to have 2 wifi networks, one for trusted devices (my laptop, phone, etc), and another for untrusted devices (guests, work laptop, etc). In pfsense they need to be assigned to different interfaces for security and traffic control reasons (snort, pfblocker, FW rules, etc).
This is more or less what I envision:
Trusted devices -> TrustedWifi (SSID) -> pfSense's OPT1 (192.168.1.1/24)
Untrusted devices -> Untrusted Wifi (SSID) -> pfSense's OPT2 (192.168.2.1/24)
In the Unifi controller I created 2 networks using the same names for clarity (OPT1 & OPT2) and assigned the same subnets as for the pfsense's interfaces (192.168.1.1/24 & 192.168.2.1/24). Finally, I setup 2 different Wifi SSID's with each their own names and passphrases. Finally, I tagged the "untrusted" network OPT2 with VLAN200 and configured the untrusted SSID to use VLAN200 so they get "matched" and traffic gets sent to OPT2. (Side note, Unifi wont let me tag the OPT1 network with VLAN probably because it is the primary/default network)...
Seems to work well, my phone connects to the trusted SSID, gets an IP from pfsense under 192.168.1.0/24 and all is well. Work laptop connects to the "untrusted" SSID but doesnt get an IP. pfSense seems not to see any DHCP requests at all, indicating that the request doesnt get past the Unifi AP for some reasons.
Do I need to do some tagging in pfsense to get this working? Anybody has configured something similar???
I do something extremely similar to this. Are both of your wifi interfaces set up as physical interfaces? That might cause what you're describing.
Make sure your OPT2 interface is set up as a VLAN interface on another interface. If the Unifi AP is attached directly to a port on the pfsense box, then OPT1 can be the trusted devices network and then untrusted devices are a VLAN on the trusted devices network. You still have the 2nd subnet for untrusted devices as you've already defined, and you are able to apply firewall rules, etc. to the VLAN interface.
I have a normal LAN subnet, and trusted devices are just a part of this. The untrusted devices (guest network) are a VLAN interface on the LAN interface, and have different rules. DHCP for the guest network is handled by pfSense.
The other possibility is that the problem's not in pfSense, but in your Unifi configuration. If you're using guest control in Unifi, then set up exceptions to allow traffic through to pfSense before authorization occurs so that DHCP can be handled. If you're using guest control in pfSense, make sure guest control in Unifi is disabled.
you are correct, creating a VLAN for Untrusted devices and attaching it to the parent interface LAN allowed WiFi devices to get an IP without problems from pfsense under the proper subnet. Now I have:
Trusted devices -> Unifi's Trusted SSID -> Unifi's OPT1 network with sub 192.168.1.1/24 -> pfSense's VLAN100 (parent=LAN) (Subnet 192.168.1.1/24)
Untrusted devices -> Unifi's Untrusted SSID -> Unifi's OPT2 network with sub 192.168.2.1/24 -> pfSense's VLAN200 (parent=LAN) (Subnet 192.168.2.1/24)
However, clients connected to the "untrusted" Wifi are getting an IP, can ping the gateway but cannot reach the internet. I am not sure why. FW rules in pfsense are in place but according to the FW logs, the rules are not blocking any traffic (as I would expect)... Clients connected to the trusted Wifi can get to the web.
I am not sure why. OPT2's config is pretty much the same as OPT1... If you have any idea, please share!
OK Fixed it. All workiing perfectly now! I had forgot to include OPT2 in DNS resolver's LAN interfaces.. Thats why clients on OPT2 couldnt reach the web, they couldnt resolve sites.