Mysterious fleeting internet (VLANs, APs)
-
Hi folks,
Having some issues with getting VLANs set up (I think?). My end goal is to have internet routed through my PFSense box and wired and wireless clients with some isolation.
Entities:
- FiOS ONT
- PFSense on Proxmox VM (PF hereafter)
- Unifi 6 Lite AP (Unifi hereafter)
- FiOS Quantum Gateway (Quantum hereafter)
- Travel router
- TL-SG108E managed switch
- TL-SG108 unmanaged switch
- PiHole for DNS (Hole hereafter)
Current [working] setup
WAN -> PF -> Unmanaged switch -> wired clients
WAN -> PF -> LAN port of Quantum (AP for "trusted" clients)
WAN -> PF -> WAN of travel router (AP for guest / untrusted clients)
Everything works OK-ish, but the travel router doesn't provide true isolation -- anything with the IP address of a trusted device can access it. It's also double NATed, which is not great. Furthermore, overall, it's just a dinky looking and feeling setup - I don't like having 2 "ghetto" APs plugged in, taking up space, looking unsightly, etc.
New [not working] setup
WAN -> PF -> Unmanaged switch -> wired clients
WAN -> PF -> Unmanaged switch -> Link port of managed switch
Managed switch -> Unifi w/3 VLAN-tagged networks & SSIDs (1 trusted SSID, 1 untrusted smart home SSID, 1 untrusted guest SSID)
This almost works. I first set up 3 VLANs in PF, enabled them, turned DHCP on for all of them, and created some firewall rules to prevent access from the 2 untrusted networks.
LAN: default network (192.168.10.0/24)
VLAN 10: trusted (192.168.20.0/24)
VLAN 30: untrusted smart home network (192.168.100.0/24)
VLAN 35: untrusted guest network (192.168.200.0/24)
In the Unifi, I have the SSIDs set to DHCP none, which is correctly getting IPs from PF, e.g. when I connect to the trusted network I'll get something like 192.168.20.5. I can also ping Hole from all wireless clients (though nslookups to it do not work). I also of course have no internet connectivity on the clients. I'm not sure what I'm missing here; I know the AP is communicating with PF at least somewhat correctly because DHCP per-network is working properly, but then something after that is not working. I'm not seeing any blocked firewall entries that would provide any clues either.
Troubleshooting new setup
To diagnose, and because I'm still setting all this up, I have unmanaged switch -> Quantum, which makes all wireless clients on the old trusted wifi go on the LAN network, get a 192.168.10.x address and be able to connect to the internet. As I suspected a misconfigured setting on the AP though, I connected managed switch -> Quantum and set the managed switch port to VLAN 20 (so all wireless clients on the old trusted wifi would get a 192.168.20.x). This surprisingly also does not work in the same way -- I can ping Hole, I can somehow supposedly ping internet addresses (e.g. 1.1.1.1) but I do not have internet connectivity.
I'm not sure what else I can try here. Any help would be greatly, greatly appreciated!
-
@tkyead bump. Also, can't edit post, but re-written to shorten and for clarity:
Hi folks,
Having some issues getting VLANs set up. My end goal is to have internet routed through my PFSense box and a Unifi AP and 3 SSIDs connected to different VLANs.
Setup
- WAN -> PF -> Unmanaged switch -> to:
  - Wired clients
  - PiHole on the default LAN, for local DNS
- WAN -> PF -> Unmanaged switch -> Link port of managed switch
- Unmanaged switch -> Unifi AP w/3 SSIDs:
  - SSID 1 - VLAN 10: trusted (192.168.20.0/24)
  - SSID 2 - VLAN 30: untrusted smart home network (192.168.100.0/24)
  - SSID 3 - VLAN 35: untrusted guest network (192.168.200.0/24)
- PFSense LAN default network - 192.168.10.0/24
In PFSense, I have all 3 VLANs defined & enabled with DHCP turned on. DHCP is working as when I connect to SSID 1 (trusted network) I'll get e.g. 192.168.20.5. I can also ping the PiHole from all wireless clients. Here's where it gets interesting - nslookups from wireless clients to the PiHole do not work (trusted & untrusted both), nor do I have internet connectivity. I do have port 53 allowed from any internal networks -> PiHole, and I'm not currently seeing any blocked firewall entries that would provide any clues either.
Troubleshooting steps taken
I thought the Unifi AP might be messing things up so I connected managed switch -> an old wireless router's LAN port and set all managed switch ports to VLAN 10 (so all wireless clients on the old router's network would get a 192.168.20.x). This surprisingly also does not work in the same way as above -- I can ping PiHole, I can somehow supposedly ping internet addresses (e.g. 1.1.1.1) but I do not have internet connectivity via e.g. web browser.
I'm not sure what else I can try here. Any help would be greatly, greatly appreciated!
Edited to shorten length & for clarity
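Added example (Python, not the poster's configuration and not pfSense code): a first-match evaluator over a hypothetical guest-VLAN rule set, showing how rule order alone can produce the combination both posts report (ping to the PiHole works, DNS to it fails, 1.1.1.1 answers pings, browsers fail because nothing resolves). The PiHole host address and the rule set are assumptions for illustration, not a diagnosis of this network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: PiHole on the default LAN (192.168.10.0/24); host address assumed.
PIHOLE = ip_address("192.168.10.53")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "any", "icmp", "udp" or "tcp"
    dst: object        # "any", "rfc1918" or an ip_network
    dport: int = None  # None matches any destination port

    def matches(self, proto, dst, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst == "any":
            return True
        if self.dst == "rfc1918":
            return any(dst in net for net in RFC1918)
        return dst in self.dst

def evaluate(rules, proto, dst, dport=None):
    """pfSense interface rules are first-match; no match hits the implicit deny."""
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action
    return "block"

def probe(rules):
    """The three flows both posts test from a wireless client on the guest VLAN."""
    return {
        "ping_pihole": evaluate(rules, "icmp", PIHOLE),
        "dns_pihole": evaluate(rules, "udp", PIHOLE, 53),
        "https_internet": evaluate(rules, "tcp", ip_address("1.1.1.1"), 443),
    }

# Hypothetical guest-VLAN rule set: the isolation block sits above the DNS allow,
# so DNS to the PiHole is dropped while ICMP (allowed first) and internet pass.
MISORDERED = [
    Rule("pass", "icmp", "any"),
    Rule("block", "any", "rfc1918"),
    Rule("pass", "udp", ip_network(f"{PIHOLE}/32"), 53),
    Rule("pass", "any", "any"),
]
# Same rules with the PiHole DNS allow moved above the isolation block.
ORDERED = [MISORDERED[0], MISORDERED[2], MISORDERED[1], MISORDERED[3]]
```

Because ping uses ICMP and the browser needs UDP/53 first, "ping works but web doesn't" is a DNS-path check, not a WAN check; the pfSense firewall log only shows drops for rules with logging enabled, so a silent block rule leaves no entry.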