pfSense keeps disconnecting/reconnecting in UniFi Controller

slbailey617 · Aug 18, 2021, 6:04 PM

So I'm running a UniFi controller to manage my APs (all UniFi APs)... My pfSense is acting as gateway to my lan and wifi segments... I am seeing a constant "pfsense disconnected from LAN" and "pfsense connected to wifiSSID" and then "pfsense disconnected from wifiSSID" and "pfsense connected to LAN."

Could this be because I'm sending the wifiSSID and LAN down the same physical cable? The LAN isn't qtagged but the wifiSSID is qtagged with VLAN 10.

Trying to figure out what's going on.

JKnott · Aug 18, 2021, 6:32 PM

@slbailey617

No, it has nothing to do with VLANs. I assume pfsense is connected to the Internet via Ethernet. Maybe you could provide a bit more info on what is connected to what.

All VLANs do is logically separate networks, so they appear as though they are on separate networks. Unless you've misconfigured something, they shouldn't interfere.

slbailey617 · Aug 18, 2021, 6:45 PM

@jknott I have my cable modem going into a 2 port protecli... The second interface is going to an unmanaged 48 port switch. One port of the unmanaged switch is going to a US-8-60W (UniFi managed 8 port POE switch) and the APs are connected to that.

DHCP is disabled in the UniFi controller and pfSense is handling DHCP for the LAN (Ethernet hardwired devices) and the WIFI SSID (WiFi connected devices).

Should also note that pfSense is the .1 address of the LAN and WIFISSID networks.

JKnott · Aug 18, 2021, 7:09 PM

@slbailey617

Is pfsense running on that protecli? Is the cable modem in bridge or gateway mode? Why is pfsense complaining about wifiSSID? That makes it sound as though it's connected via WiFi.

johnpoz · Aug 18, 2021, 7:27 PM

@slbailey617 said in pfSense keeps disconnecting/reconnecting in UniFi Controller:

The second interface is going to an unmanaged 48 port switch. One port of the unmanaged switch is going to a US-8-60W (UniFi managed 8 port POE switch) and the APs are connected to that.

That is really opposite of how you should have it.. Dumb switch, ie switches that do not understand vlans (unmanaged) should be downstream of smart/managed switches that do understand vlans.

pfsense - smart switch -- dumb switch..

In your setup your running the tags over the switch that doesn't understand them.. So any broadcast traffic, arp, multicast etc.. will go over all of those 48 ports be its untagged or vlan 10..

You place dumb switches downstream of a vlan capable switch so that all traffic from to and from that dumb switch will only see 1 specific vlan that you assign via the upstream vlan capable switch.

He is seeing that error in his controller software - for whatever reason its seeing the mac switch places.. most likely if its seeing it on both his wired network and his vlan wifisssid.. Most likely because the dumb switch is placing arp info on all ports, etc.

slbailey617 · Aug 18, 2021, 7:26 PM

@jknott PFsense isn't complaining about anything... The UniFi controller is complaining that pfsense keeps disconnecting from one network and connecting to the other. That's what I'm trying to deterine... Maybe this is a question better for the unifi forums.

slbailey617 · Aug 18, 2021, 7:29 PM

@johnpoz I agree but that's how it's wired now. I'm working on rewiring things but that requires new switches and new cable runs...

To your point, those VLAN tags should be going everywhere but doesn't explain why the unifi controller thinks pfsense is disconnecting from one network and reconnecting to another. It has 192.168.1.1 and 192.168.10.1 IP addresses on it's ethernet interface at all times.

johnpoz · Aug 18, 2021, 7:34 PM

Because its prob seeing arps in both of its networks.. Since the vlan mac and the physical mac are the same..

When you actually physically isolate the traffic that can not happen... But since you have vlans being carried over a dumb switch that doesn't understand them.. Your not actually isolating anything.

This is why you do not run vlan tags over a dumb switch, even if doesn't strip them - it doesn't handle them or isolate traffic..

Notice my igb2 and the 2 vlans that run on it

igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WLAN
        options=e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:08:a2:0c:e6:20

igb2.4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: W_PSK
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:08:a2:0c:e6:20

igb2.6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: W_Guest
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:08:a2:0c:e6:20

The mac is the same.

slbailey617 · Aug 18, 2021, 7:36 PM

@johnpoz OK that makes sense. I'm gonna stick a US-8-60W smart switch off the pfsense box and run the APs off that and then chain the dumb switch to a separate port of that switch.

Thanks.

johnpoz · Aug 18, 2021, 7:43 PM

@slbailey617 Exactly!!! Since all the devices on your 48 port switch are going to be in the same vlan doesn't matter - it would only ever see traffic in 1 vlan..

Can you not just move your current poe switch to be in front of your 48 port switch? Or you going to have to buy another one.. What you going to do with current one..

pfsense - smart - dumb -- smart.

Where you try and run vlans on that 2nd smart can also lead to issues. If you just going to have in same vlan as you dumb is in, then doesn't matter.

Me and jknott have been going back and forth about this forever - doesn't matter if the dumb switch doesn't strip the tags, it doesn't understand them - so its going to be problematic at best.. You can use dumb switches in your vlan network when they hang off a smart switch and only ever see 1 vlan for traffic... But when you try and run multiple vlans over them - they don't know any better and just send any broadcast, multicast, arp etc over all its ports - which can lead to odd stuff happening, and is not secure to be sure..

dragonfire1119 · Aug 26, 2021, 9:47 PM

I'm seeing the same thing on my Unifi Controller. I have all managed switches though. Netgate > 48 port managed switch.

Did you find out if this is an Unifi or Netgate problem?

Thanks.

slbailey617 · Aug 26, 2021, 9:48 PM

@dragonfire1119 My issue was due to using VLAN tags in pfSense but routing that data to an unmanaged switch first... Once I plugged pfSense into a managed switch, my problem cleared up.

Wasn't a UniFi or a Netgate problem... Was me not using vlan tagging properly.

dragonfire1119 · Aug 26, 2021, 10:33 PM

@slbailey617 Thank you for the update! Not sure why this is happening then since every one of my switches are managed? It's disconnecting the Vlan's randomly every so many minutes.

stephenw10 · Aug 28, 2021, 2:02 AM

What are you actually seeing?

How are the APs and controller actually attached in your network?

dragonfire1119 · Aug 28, 2021, 2:02 AM

@stephenw10 I'm seeing in the events on Unifi it's saying my "Netgate disconnected from LAN or Guest Network" (34m connected, 71.5 KB, last) AP.

Not sure if this is normal or not though?

I talked with UI Support and they kept wanting to troubleshoot the wifi, I don't think this has anything to do with wifi?

My Unifi Controller is a Raspberry PI hooked up to my Unifi Switch 48 port and all AP's are hooked up to the same 48 port switch.

Netgate XG-1541 > Unifi 48 Port

AP's 4 of them > Unifi 48 Port

Unifi Controller > Unifi 48 Port

Thanks for the reply.

johnpoz · Aug 28, 2021, 7:17 AM

@dragonfire1119 are you using any sort of lagg or lacp to connect 1541 to the switch?

Are you using any sort of tags, guest network is another vlan? Your saying the netgate is being seen on 2 different vlans?

Netgate disconnected from LAN or Guest Network"

So more details on your actual physical connections/tags/interfaces and setup could be helpful

dragonfire1119 · Aug 28, 2021, 3:18 PM

@johnpoz

Netgate LAN Port > CAT 6 > 48 Port Switch - SFP+ 1G

VLAN's

LAN - Default VLAN 1
C Network - VLAN 5
IOT Network - VLAN 10
Guest Network - VLAN 30

Almost all these VLANs are a separate network on Unifi as VLAN Only networks.

Unifi Networks

LAN - Default VLAN 1 - Main LAN - Corporate
C Network - VLAN 5 - VLAN Only
IOT Network - VLAN 10 - VLAN Only
Guest Network - VLAN 30 - VLAN Only

Thanks for the help!

johnpoz · Aug 28, 2021, 3:26 PM

@dragonfire1119 did you mean LAN port there - not wan?

You might need to get with unifi forums or support or docs on how unifi determines some device is connected or disconnected..

Your problem sounds related to the OP where all of those vlans will be sharing the same mac.. Not sure how unifi handles seeing the same mac on multiple networks when you have 1 of their switches in the network..

I don't have a unifi switch on my network. So the unifi controller doesn't show me any wired devices only wireless. Hmmm wonder if I could pick up 1 of their cheap $30 switches to play with - have to see if those can be added to the controller to show me wired devices - then I could try and duplicate this sort of problem.

edit: Or maybe their cheap poe one - then I could get rid of my injectors atleast ;)
edit2: Hmmm have to rethink the poe idea.. 1 of the AP I would want to power is OLD lite model before they added 802.3af support. Mine is one of the passive only models.. hmmmm Plus the 100$ poe switches seem to be back ordered anyway..

dragonfire1119 · Aug 28, 2021, 3:28 PM

@johnpoz Ya my bad LAN. Programming and responding don't always work out. LOL It's only doing it on certain networks. The really active IoT Network never shows disconnected for some reason. Not sure about the Mac Address idea.

Ya UI Products are always out of stock.

johnpoz · Aug 28, 2021, 4:25 PM

@dragonfire1119 So just ordered the USW-Flex-Mini, figured I could swap out the for the old smart netgear I have behind my tv.. Give me a way to play with switch in my controller.. Should be here monday.

It was a bit more on amazon.. But comes out a few dollars cheaper than paying for shipping on ui store.. Let you know if I find anything once I play with it for a bit.

edit:

The really active IoT Network never shows disconnected for some reason

Yeah I wonder if doesn't see mac in X amount of time if marks it disconnected. Can play with that for sure by bringing up device in specific vlan that unifi switch will see, and then turning off client in that network that would be talking to pfsense.. And see if it then say pfsense disconnected after X amount of time.. Curious to play with the switch in the controller for a few different things.. Even if I end up hating it - can swap it out for the dumb switch have at my sons house, his usg and flexHD ap report to my controller. $38 well spent for play time.. hehehe