pfSense + Unifi network, DHCP works but no internet connectivity
-
I am trying to set up an IOT VLAN using a Netgate SG-3100 router, UniFi USW-Lite-8-POE managed switch, and a UniFi AP-AC Lite access point. I was able to create a VLAN 99 only network, which I then attached to a newly created SSID. In pfSense, I created an IOT VLAN with a parent link of LAN, configured the DHCP server, and added an ANY:ANY rule in IOT for testing purposes. When I connect, I'm able to ping my internal devices but I'm never able to reach WAN.
Any pointers on where to look? Here's a screenshot of the states I'm seeing.
-
@dchiang1987 Had you messed with outbound NAT? When you add a new network, be it native or VLAN, auto outbound NAT would add the new network.
Don't see any NATs with your WAN IP..
-
@johnpoz Thanks for the clue! I went in and toggled between "Automatic outbound" and "Manual Outbound" and it appeared to reset/create the appropriate WAN rules for the IOT network. I've verified that it works.
Quick question though. I noticed that it populated everything as interface "IOT" or "WAN". I also have "LAN". I'm assuming because I have set the IOT's parent interface to "LAN", that's why that happens? Do I need to manually go in to update? It doesn't look like it impacts functionality as my network's still running from what I can tell. But I guess for sake of understanding later on. Here's what it looks like:
-
@dchiang1987 And why would you think you need to be in manual?
And it would only set up NATting for other interfaces if you put a gateway actually on the interface, which is wrong. When you put a gateway on an interface, pfSense assumes it's a WAN-type interface that is used to get to other networks. This would not be the case for a VLAN you're creating for your IOT devices.
Why would you set a gateway on the IOT interface?
-
@johnpoz I'm not sure. I just read up on the Outbound NAT rules in the pfSense documentation and it says default is automatic. Your previous message about the outbound NATs made me think to try toggling it. It had been set on Manual so I reset it to that. I've changed it now to Automatic.
I don't think I put a gateway on the interface.
I did leave the Gateway text field blank in the DHCP Server configuration for IOT. Should that be "none"?
Sorry for the dumb questions. I'm learning.
-
That looks correct.. And yes, on your DHCP server for devices on your 192.168.99 network, they would point to pfSense 192.168.99.1 as "their" gateway to get off the 192.168.99 network.
But the only way pfSense would create an outbound NAT like that is if it thought that interface was a way to get to other networks.
Out of the box, when the DHCP server is enabled for an interface, it would auto point clients to the pfSense IP on that interface.
Had you created a gateway in routing that would use that interface to get to the gateway?
"It had been set on Manual so I reset it to that"
It would only have been on manual if you had set it to manual. Default is, yes, auto. Had you tried setting up some VPN service or something... They quite often say to change to manual, even though it's not normally required; hybrid would be fine for using, say, a VPN service, where you create the specific outbound NAT via hybrid mode to NAT when going out the VPN.
-
@johnpoz That's probably it. I had followed a tutorial for setting up OpenVPN tunnel a long time ago but with working from home due to COVID, I haven't really had a need to access that stuff in ages. I'll keep it in mind if I ever revive that workflow.
In Routing, the only rule is for the WAN DHCP. Default gateways are set to Automatic for both IPv4 and 6. Nothing in static routes or gateway groups.
-
@dchiang1987 Well, if you were on manual, it wouldn't have created the outbound NAT.
But if you switched to auto, not sure why it would have created an outbound NAT for your IOT.
What does your outbound NAT show now..
Example.. Here is mine, and you see all my networks and VLANs NATting to my WAN interface..
And then my 2 hybrid NATs for specific stuff, like out my VPN connection (that I use for testing and helping others with VPN; don't actually use it).. And then one NATting access to my modem's IP, etc.
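To make the check in this post concrete (outbound NAT for every local network should land on the WAN interface, and nothing should be NATting on the IOT VLAN itself), here is an added example that is not from the thread or from pfSense. It parses the text that `pfctl -s nat` prints on the firewall shell and reports which local networks have no outbound NAT rule on WAN, plus any rules bound to other interfaces. The sample output is constructed, and the interface names (mvneta0 as WAN, mvneta1.99 as the IOT VLAN) and subnets are assumptions.

```python
"""Check pfSense outbound NAT coverage from `pfctl -s nat` output.

Added example, not code from the thread or from pfSense. On the firewall you
would run `pfctl -s nat` (Diagnostics > Command Prompt, or SSH as root) and
feed its output in. Everything below is constructed: the interface names
(mvneta0 = WAN, mvneta1.99 = IOT VLAN) and the subnets are assumptions.
"""
import ipaddress
import re

# Constructed sample. LAN (192.168.1.0/24) and loopback are NATted out WAN,
# the IOT VLAN (192.168.99.0/24) is not, and one stray rule NATs on the IOT
# interface itself, the kind of mapping that gets generated only when pfSense
# thinks that interface carries a gateway.
SAMPLE_PFCTL_NAT = """\
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on mvneta0 inet from 127.0.0.0/8 to any port = isakmp -> (mvneta0) static-port
nat on mvneta0 inet from 127.0.0.0/8 to any -> (mvneta0) port 1024:65535
nat on mvneta0 inet from 192.168.1.0/24 to any port = isakmp -> (mvneta0) static-port
nat on mvneta0 inet from 192.168.1.0/24 to any -> (mvneta0) port 1024:65535
nat on mvneta1.99 inet from 192.168.1.0/24 to any -> (mvneta1.99) port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
"""

# Matches IPv4 `nat on <iface> inet from <cidr> to any [port = x] -> (<target>)`.
NAT_RULE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to any"
    r"(?: port = \S+)? -> \((?P<tgt>[^)]+)\)"
)


def parse_nat_rules(pfctl_output):
    """Return (interface, source network, target) for each IPv4 nat rule."""
    rules = []
    for line in pfctl_output.splitlines():
        m = NAT_RULE.match(line.strip())
        if not m or m.group("src") == "any":
            continue  # anchors, rdr rules and catch-alls are not of interest here
        net = ipaddress.ip_network(m.group("src"), strict=False)
        rules.append((m.group("iface"), net, m.group("tgt")))
    return rules


def networks_missing_outbound_nat(pfctl_output, wan_iface, local_networks):
    """Local networks with no outbound NAT rule on the WAN interface.

    A network listed here can reach other internal networks but its packets
    leave WAN with a private source address, so replies never come back.
    """
    natted = {net for iface, net, _ in parse_nat_rules(pfctl_output)
              if iface == wan_iface}
    missing = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(n) for n in natted):
            missing.append(cidr)
    return missing


def rules_on_non_wan(pfctl_output, wan_iface):
    """Outbound NAT rules bound to interfaces other than WAN.

    With automatic outbound NAT these only appear for interfaces that carry a
    gateway, so on a plain IOT VLAN they point at a stale or wrong config.
    """
    return [(iface, str(net)) for iface, net, _ in parse_nat_rules(pfctl_output)
            if iface != wan_iface]


if __name__ == "__main__":
    local = ["192.168.1.0/24", "192.168.99.0/24"]
    print("missing on WAN:", networks_missing_outbound_nat(SAMPLE_PFCTL_NAT, "mvneta0", local))
    print("rules off WAN: ", rules_on_non_wan(SAMPLE_PFCTL_NAT, "mvneta0"))
```

With the sample above, the IOT subnet is reported as missing on WAN and the mvneta1.99 rule shows up as a rule off WAN; on a box where automatic outbound NAT is in effect and no local interface has a gateway, both lists should be empty.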
-
@johnpoz So I had toggled to Auto, saved, then toggled back to Manual, saved. Maybe that's where it got confused? I have it on Auto now. Here's the snip of what it looks like.
I think I need to make a network diagram on how my rules are setup and why they're setup the way they are. I make changes so infrequently that once a change is made, the next time I get into it it's a mystery on why a thing is in there.
-
@dchiang1987 I would kill off all those other mappings.
-
@johnpoz Done. Thanks for your help!