Unable to DHCP / access internet by unifi guest-wifi



  • Hey again,
    i just was setting up a guest wifi on my unifi-controller (on a ubuntu machine). The basic guest-setup worked properly and i got an DHCP IP adress from my normal subnet (192.168.1.1).

    But i want to separate guest-access to my home-network, so i tried to setup a VLAN with an DHCP server in the range of 192.168.2.1.
    But i am unable to connect with my settings to the guest-wifi network and don't get any IP adress for this interface. I just put here my screenshots of my settings and hope, that you have a solution!

    VLAN.JPG
    Settings interface.JPG
    Settings interface 2.JPG
    Firewall rules.JPG
    DHCP settings.JPG
    Network settings Unifi.JPG
    Wifi Settings Unifi.JPG
    VLAN tag setting.JPG
    tags switch.JPG

    Any ideas, what i did wrong?


  • LAYER 8 Global Moderator

    vmx1

    So this is running on esxi? So what vlan ID did you set on the vswitch? If you want to pass vlan tags to pfsense under esxi, the vswitch needs to be set to 4095 so it doesn't strip tags.



  • @johnpoz said in Unable to DHCP / access internet by unifi guest-wifi:

    vmx1

    So this is running on esxi? So what vlan ID did you set on the vswitch? If you want to pass vlan tags to pfsense under esxi, the vswitch needs to be set to 4095 so it doesn't strip tags.

    Exactly. It is running on ESXI, that also then just came in my mind...

    But how does this exactly work?

    bca311f6-810d-4592-bc04-1b4bdaab0608-image.png

    I'm having three virtual switches. The Unifi is on the vswitch internetgroup, the PFSense internet access is from the vswitch LAN. Can i just set now both to 4095? Yet the vswitch is set to 0.


  • LAYER 8 Global Moderator

    Depends on if your wanting tags to go over the vswitch..

    You can do your vlans in esxi and psense doesn't even have to know about them, just create new vnics for pfsense to connect to each vswitch that is on your different vlans.



  • @johnpoz

    Uff, that's just making me weird.

    1. Create vnic (Portgroup -> add portgroup -> give name -> 4095 VLAN ID)
    2. Connect to where?

  • LAYER 8 Global Moderator

    You would not set 4095 if your doing a port group with the vlan ID and letting esxi do it.. You would just create new vnics for pfsense..

    So it would have say
    vmx0 wan
    vmx1 lan
    vmx2 opt

    You would handle the vlans on your switch and your vswitches... To pfsense nothing would be tagged, there would be no vlans setup on pfsense, just interfaces.

    if your going to have
    vmx0 wan
    vlan 10 on vmx0 lan
    vlan 20 on vmx0 opt

    Then the port vswitch/portgroup pfsense vmx0 is connected to would be vlan ID 4095 so it will not strip tags.



  • I don't get it to work.

    Just did "Add Portgroup" -> VLAN22 -> set VLAN-ID 22 -> saved

    Added this interface one time to PFSense and one time to Unifi Controller VM. Now edited in PFSense the interface, DHCP Server etc. to the new interface, but still no success. I don't get an IP address. That's weird, can't be so complicated, if the basic guest-wifi without VLAN was already working really properly.


  • LAYER 8 Global Moderator

    @Teddy said in Unable to DHCP / access internet by unifi guest-wifi:

    one time to Unifi Controller VM.

    Not sure what your doing in the controller - but all you need to do is tag your ssid with the vlan id..

    No its not complicated at all, but you do have to understand how esxi handles tags.. And you have the switches set to allow the tags..

    You have your switch tagging vlan 22 on 3 ports? Do you have multiple AP?

    Would be tagged where it goes to your esxi host, and pfsense interface for this vlan... And it would be tagged on your port connected to your AP.

    If your port is only connected to 1 nic on your host that is only connected to the vlan vswitch - then you would just have it set to 0 as the ID, and your switch port would be untagged.. If this port is only going to carry traffic for that vlan.

    You only have to tag traffic on ports that are going to carry more than 1 vlan.. If there is only one vlan on it, then its not tagged.

    Why don't you actually draw up how you have everything connected and we can work through where you would tag and where you wouldn't



  • Well, the guest-access to the Unifi is only possible by the Unifi Controller Software (which is running on a Ubuntu machine). So i thought, that this machine(s) interface needs to be tagged with VLAN 22.

    My switch was tagged on three ports for following reason:

    • 1 Tag for the Unifi hardware (it is just one AP and connected to the POE+ Switch by LAN cable)
    • 1 Tag for the LAN group (that is, where the internet goes in and out in my network. Everything is tunneled through an external VPN service, so i can't go directly to the WAN interface
    • 1 Tag is connected to the internetgroup (to which i also assigned the Unifi Controller VM)

    My thought was, that the user is connected with the AP, asking for a website, the unifi controller (because it is just a guest wifi) will say "Ok, you have permission, due to right password" and is sending it through the internetgroup interface to the lan interface, where PFSense is getting the wanted information from the internet.
    Shortly: Smartphone / Laptop -> AP -> Unifi Controller (only, if using guest-access, handled by the Unifi Controller and NOT PFsense) -> Controller -> LAN -> PFsense WWW

    But i will try to make a paint about my infrastructure. Then we maybe get better on.


  • LAYER 8 Global Moderator

    Guest wifi is different then a vlan..

    Your going to have to explain what you want to happen.. You do understand pfsense can run a captive portal for you as well.

    so i can't go directly to the WAN interface

    WTF? What would that have to do with tagging on port on your switch?

    1 Tag is connected to the internetgroup (to which i also assigned the Unifi Controller VM)

    Why do you think this needs to be tagged to the controller? The controller just talks to the AP via the management network, which is normally no vlan and untagged traffic.

    Yeah we need a drawing - to be honest seems like you have a real mess...



  • @johnpoz

    I got it working finally.

    Now is the setup following:
    PFSense has three interfaces.

    • One incoming WAN (VMXNet3)
    • One LAN Interface (VMXNet3)
    • One VLAN Interface (tagged with 22, e1000)

    First i also set the VLAN interface as VMXNet3, but then it didn't appear in "assignments" as new interface.
    After i changed the VLAN "Hardwaretype" from VMXNet3 to e1000, it appeared as new interface in PFSense. Then i added the 22 VLAN as VLAN-ID, set on my Zyxel Switch the port of the AP to VLAN22, the LAN-port to VLAN22 and it all started to work.

    So looks like the wrong interface was the problem in this case.


  • LAYER 8 Global Moderator

    You can for sure do vlans on vmx3..

    I still have no real idea how you have it setup.. So you have 2 vnics connected to the same vswitch your lan and your vlan e1000 interface in pfsense?

    I would really suggest you draw this up, so we can discuss if optimal or not.



  • On the unifi controller.. Is it also providing a DHCP server?



  • @chpalmer

    No. As far as i know, the Unifi Controller doesn't offer a DHCP Server.
    Either you use an external one (like PFSense, they offer option that it is used) or one of their devices (USG - Unifi Security Gate) or other devices.

    @johnpoz I'll do the painting the next days and then we can check for it! :)



  • @johnpoz
    Network.JPG

    Here is a (bad) painting of my network. I now optimized it.

    Now i am having the following combination:
    VSwitch:
    WAN
    LAN

    Portgroup:
    PFSense
    Windows10
    Nextcloud
    Ubuntu
    UnifiServer
    ......

    And i just have now three cables in use:

    • One from the Modem in the ESXI Host (WAN Connection -> WAN Port VMX0)
    • One from the ESXI Host to the POE+ Switch (VMX1, Port 1 of the switch)
    • One from the Switch to the Unifi AP (Port 2 of the switch)

    Just the problem, now the Guest Wifi on VLAN 22 is not working anymore again :(

    I put following tags:
    VLAN Tag 22 to Port 1 of the switch (LAN)
    VLAN Tag 22 to Port 2 of the switch (Unifi AP)
    VMX1 (LAN) Tag 22
    VLAN Tag 22 to Guest-Wifi on AP

    I assigned on "Interfaces" "VLAN22 on VMX1 LAN" and set it to 192.168.2.1 as GuestWifi
    I configured the DHCP Server for this GuestWifi Interface for a range from 192.168.2.1-192.168.2.254

    But i can't obtain an IP Adress anymore.

    Sytems logs -> DHCP says:
    83649c05-7f06-4ad5-beca-c0220409cab5-grafik.png

    Is that enough information to get it now stable running?


  • LAYER 8 Global Moderator

    That Drawing is useless.. It looks Kind of pretty, but your pvfsense is a VM right.. You don't how how that is connected to anything physical.

    vmx0 and vmx1 would be virtual interfaces.. How is that tied to your hosts physical interfaces? Lets see a screenshot of networking in esxi


Log in to reply