Setting up LAN Bridge and VLANs
-
Again there is ZERO reason to create any bridges in pfsense..
I ran pfsense for years on esxi, and run unifi AP...
All that is required here is to tag the vlans correctly on your switch..
If you want tags to be passed to pfsense then your vswitch in esxi vlan id needs to be set to 4095. If you don't want pfsense to handle the tags then do them on your port groups on your vswitches. And just connect new vnics on your pfsense to these different portgroups.
-
I tried removing the bridge between the WIFI interface and the LAN interface and it resulted in no internet to my tablet that is connected to the TESTWIFIPrivate.
Ideally, I want to plug in 3 NanoHD APs and have them use the addresses of 17.2.39.21 - 23. Their controller would be on 17.2.39.101. Then I want to create 4 types of networks in Unifi, 1 for my use that would be identical to a wired LAN connection but over WIFI. The second for my Roommate who would have access to things like printers and media server. Another for my significant other who would have the same access as the Roommate network plus things like shared storage and the NVR. The final network would be for guests that would only have access to the internet.
I have tried before to use VLANs in pfSense that is connected to a managed switch where I also configured (or thought I did) the appropriate VLANs and the APs are connected to that switch. I was not able to get things working so I simplified the setup.
I connected one AP to pfSense and set up the VLAN under Unifi for the Wireless SSID and then made the VLAN in pfSense, and I was able to not only control the AP through Unifi, but when connecting to the Guest WIFI I get an appropriate IP.
I am only aware of 2 ways with Unifi APs to control guest access and that is either through VLANs or the Captive Portal, but because I want to have multiple SSIDs applied to various networks VLANs seemed to be the best option.
-
I was able to get internet access on the guest wifi now, I needed to add the appropriate outbound routing information for the 17.2.37.1 network. I also had to change from 17.2.38.1 to 17.2.37.1 as the 38 network was in use by VPN service. I also have to create the needed rules under guest wifi in the correct order to allow only traffic on the internet and not anything else unless specified.
So I do have VLANs working and I did not create any additional networks in Unifi I simply told the Guest SSID to use a VLAN which keeps things a little simpler, now to figure out my D-Link switch issue. Though I may just plug in a dummy switch to see if that works and go that route, that would, however, limit me to only placing the APs in the office vs anywhere in the house.
-
@Astraea said in Setting up LAN Bridge and VLANs:
I was not able to get things working so I simplified the setup.
Not sure how you came up with that.. And have no idea what you're doing in the controller for vlans... I run multiple vlans on my AP, and have zero setup in the controller about vlans.. You're not running a USG..
The only thing required for vlans on your AP is setting the vlan ID.
As to your outbound routing??? Do you mean policy routing out some gateway? That has ZERO to do with vlans - ZERO!!!
-
Under Firewall -> Outbound -> NAT I am using Manual Outbound NAT as I have a VPN client set up on pfSense to tunnel all my traffic other than a few server machines through the VPN tunnel. I also run 2 external IP addresses, 1 is static for said servers and the other is dynamic and is used by the VPN client to create the tunnel.
So I needed to create an ANY map and an ISAKMP map for both the static and dynamic IP as well as the VPN tunnel. Once I did that I was able to browse the web from the guest WIFI.
I have noticed one final configuration issue and that is if I use a URL to access a local resource say mail.local.domain I can access that but if I type the IP of that same machine in that gets blocked. How do I filter DNS searches so that they can only access approved internal resources by name or IP?
As for the Unifi Controller, the only changes I have made are the added SSIDs and one of them contains settings for the VLAN. I am only running the Unifi Controller and the 3 APs, no other Unifi equipment.
-
I contacted D-Link customer support and they walked me through the configuration on the DGS-1100-24 switch, for others it is a B2 hardware revision. I now have the AP connected to the switch with the switch connected to the LAN interface of pfSense, no more bridge or additional outbound NAT settings required now. Here is how it is configured now.
pfSense LAN interface to switch and from the switch to AP. The AP SSID for the guest wireless has been set to use VLAN 20 and a VLAN was created on pfSense of 20 and assigned to the LAN interface. I made an allow all rule for the VLAN network and have DHCP configured and I am able to access the internet and local resources.
I will create a thread under firewall rules for the next part of this configuration.
Thanks to both Derelict and Johnpoz for your help, guidance and patience as I am new to VLANs.
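The earlier post described needing guest rules "in the correct order to allow only traffic on the internet", while the final configuration uses an allow-all rule on VLAN 20, which also permits guests to reach local resources. Below is an added illustration (not from this thread or from pfSense's generated ruleset) of that ordering expressed as a pf ruleset, using the thread's VLAN 20 and the 17.2.37.1 gateway; the parent interface name igb1, the /24 subnet sizes and the table names are assumptions. pfSense's GUI rules are evaluated top-down, first match wins, which is what `quick` does here.

```pf
# Guest VLAN 20 tagged on the LAN parent interface (interface name is an assumption)
guest_if = "igb1.20"
guest_gw = "17.2.37.1"   # guest VLAN gateway address used in the thread

# Internal subnets guests must not reach (sizes assumed from the addresses posted)
table <internal> { 17.2.39.0/24, 17.2.37.0/24 }
table <rfc1918>  { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. DHCP: clients broadcast from port 68 to port 67 before they have an address,
#    so this cannot be restricted to the gateway IP.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67

# 2. DNS to the firewall's own resolver on this VLAN only.
pass in quick on $guest_if proto { tcp, udp } from any to $guest_gw port 53 keep state

# 3. Block internal networks and every address the firewall itself holds
#    (LAN address, WAN address, VPN tunnel address) before the general pass.
block in quick on $guest_if from any to <internal>
block in quick on $guest_if from any to <rfc1918>
block in quick on $guest_if from any to (self)

# 4. Whatever is left is internet-bound.
pass in quick on $guest_if from any to any keep state
```

If the blocks were placed after the final pass rule, the first-match pass would win and the guest VLAN would behave exactly like the allow-all rule in the final post.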