Wifi/VLANs/Unifi
-
We have around 19 locations and we use pfSense at all of them. We recently finished a network project putting Unifi switching/APs in place and it's been working really well. I am, however, having a bit of a problem with setting up wifi and guest networks with pfSense and Unifi. At our main office location it is set up just fine and working how it's intended; at some of our other locations or satellite sites, when setting up the guest network, I set it up similar to how our main location is set up, except our main location is using a 7100 and the satellite sites are using 3100s. I think I might be doing something wrong when it comes to interface assignments and switches, but I can't figure it out. Following Tom Lawrence's video on YouTube to set up VLANs/Unifi, I have a wiki page as a step-by-step for setting it up.
VLAN Setup
IEEE 802.1Q (Dot1q) is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. The standard defines VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames.
If you define a VLAN in pfSense but don't define it in the Ubiquiti switches, they won't throw it "away"; they just don't know what to do with it.
The default setting for Unifi switch ports is "all". Between two or more Unifi switches you want the ports set to "all".
The same goes for the access points: as you define an SSID, they have the option to view the VLAN IDs.
Defining VLANs in pfSense: choose the proper parent interface ("IGB2" for example) and give the VLAN a description. Interfaces > Assignments > attach the VLANs to the proper interface.
You don't actually have to set the default IP address; Unifi doesn't care if we aren't using Unifi routing.
VLAN Only > VLAN ID (the VLAN ID can be the 3rd octet of the IP and has to be the same as the one in pfSense).
VLANs in pfSense and Unifi have to match.
Wifi: create a wifi network and then select the VLAN you want it to be on.
Go to the switch, select the port you want to set the VLAN on, click the drop-down for port profiles and set the port to the VLAN you want it on.
Using VLANs to create switch networks.
Defining VLANs in Unifi only. Doing this allows the switches to run a native network with no other VLAN traffic going through it. You don't necessarily need it all tied to a single interface, as there can be bandwidth issues.
The VLAN is tied to the router's physical interface and not the software VLAN within pfSense.
To create VLANs in pfSense:
Interfaces > Assignments > VLANs > +Add > use the 3rd octet to identify the VLAN tag.
Once the VLAN is created, add it to interface assignments (VLAN Name LAGG0). Since the Netgate ports are link-aggregated together, use the LAGG ports for the VLAN. Enable the interface, describe the VLAN > static IP > set the IP scheme.
Interfaces > Switch > VLANs > Edit. Add the VLAN tag and description and then tag all the members (however many ports are physically on the switch). This is important, as it allows all switch ports to be trunk ports since they are all linked together logically within the router.
Once done, head to Services > DHCP Server > Guest Network.
Check Enable DHCP Server on Guest Network interface > enter a range of .50 / .250. DNS > can be Google/Cloudflare, whatever you decide. Click Save at the bottom and then Apply Changes at the top when it refreshes.
Firewall > Network > add rule > Action: Pass > Interface: the assignment you enabled earlier > IPv4 family > TCP/UDP protocol > Source: select the network (VLAN) you created (GUESTNETWOR net) > Destination: Single host or alias, pfB_NAmerica_v4. Click Save at the bottom.
This should complete the pfSense firewall VLAN side.
Unifi
Settings > Networks > Create New Network > name the VLAN and select VLAN Only > the VLAN ID will be the same tag as set in pfSense; if not, Ubiquiti will not know what to do with the packets.
Wireless Networks (if applicable) > Create New Wireless Network > name the SSID > Enable > select Security (recommended) > set password > select network (GuestNetwork VLAN20) > click Save. This will provision the access points and the SSID should be broadcast shortly after.
If you are not doing a wireless-style network you will have to create switch port profiles for each VLAN you are using. This tells the switch ports which VLANs are allowed to go through; by default the switch port profiles are set to "all", which is a trunk port.
Thank you to anyone who knows where I'm messing up. Thank you!
-
@cnanoharman
I can't tell what you did and what you pasted from some random wiki.
Here's a rough workflow of adding a couple of new networks for wireless and guest on Unifi/pfSense.
I used vlan 100 for the wireless network, and vlan 200 for the guest in this example. The LAN is assumed to be native. I used foo0 for the network adapter, which isn't a real thing. Substitute igb0, or your lagg, or whatever. I didn't go into details on configuring the interfaces, rules and such. I'm assuming you know how to do that.
Unifi controller-
settings, networks
create new (type vlan only/third party gateway)
name wireless
vlan id 100
create new
name guest
vlan id 200
settings, wifi
name corpssid, password, etc
network- wireless (old version vlan 100)
name guestssid, password, etc
network- guest (old version vlan 200)
You can leave the switchports the APs are in set to 'All'
The port connecting to pfSense should be set to 'All'
pfSense-
interfaces, assignments, vlans, add
select parent interface (usually LAN)
vlan tag 100
description wireless
save
add
select parent interface (usually LAN)
vlan tag 200
description guest
save
back to interface assignments-
Available network ports: vlan 100 on foo0 (wireless) [add]
do the same for vlan 200 (guest)
Now, interfaces, OPTx (foo0.100)
configure interface with unique subnet, etc
Now, interfaces, OPTy (foo0.200)
configure interface with unique subnet, etc
services, dhcp, enable and configure on OPTx and OPTy
firewall, rules, configure rules for the two new interfaces
firewall, nat, outbound. If you're not using automatic outbound nat, add rules for the new subnets
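As an added example (not from either post above, and not a Netgate or Ubiquiti tool), the following Python script automates the one rule both posts repeat: the VLAN tag in pfSense and the VLAN ID of the UniFi network must match, and the UniFi side should be a "VLAN only"/third-party-gateway network when pfSense does the routing. It parses the <vlans> section of a pfSense config.xml and a list of UniFi networks, then reports tags that exist on only one side, UniFi networks whose purpose is not 'vlan-only', and pfSense VLANs spread over more than one parent interface (a tag on a parent that is not the trunk to the UniFi switch never reaches it). The config.xml snippet and the UniFi network list are constructed samples; the UniFi field names (name, purpose, vlan, vlan_enabled) are an assumption about the controller's network export, so check them against your own controller before trusting the output.

```python
"""Cross-check VLAN definitions between a pfSense config.xml and a UniFi
network list: every tag must exist on both sides with matching roles."""
import json
import xml.etree.ElementTree as ET

# Constructed sample of the <vlans> section of a pfSense config.xml.
# Element names (<if>, <tag>, <descr>, <vlanif>) follow pfSense's config
# layout; the parent interfaces, tags and descriptions are invented.
PFSENSE_CONFIG_XML = """<?xml version="1.0"?>
<pfsense>
  <vlans>
    <vlan><if>lagg0</if><tag>100</tag><descr>wireless</descr><vlanif>lagg0.100</vlanif></vlan>
    <vlan><if>lagg0</if><tag>200</tag><descr>guest</descr><vlanif>lagg0.200</vlanif></vlan>
    <vlan><if>igb2</if><tag>30</tag><descr>cameras</descr><vlanif>igb2.30</vlanif></vlan>
  </vlans>
</pfsense>
"""

# Constructed sample of UniFi network objects. The field names are an
# assumption about the controller's network export (networkconf).
UNIFI_NETWORKS_JSON = """[
  {"name": "LAN",      "purpose": "corporate", "vlan_enabled": false},
  {"name": "wireless", "purpose": "vlan-only", "vlan": 100, "vlan_enabled": true},
  {"name": "guest",    "purpose": "vlan-only", "vlan": 20,  "vlan_enabled": true},
  {"name": "cameras",  "purpose": "corporate", "vlan": 30,  "vlan_enabled": true}
]
"""


def parse_pfsense_vlans(xml_text):
    """Return {tag: (parent_if, descr)} for every <vlan> in config.xml."""
    root = ET.fromstring(xml_text)
    vlans = {}
    for v in root.iterfind("./vlans/vlan"):
        tag = int(v.findtext("tag"))
        vlans[tag] = (v.findtext("if"), v.findtext("descr") or "")
    return vlans


def parse_unifi_networks(json_text):
    """Return {vlan_id: (name, purpose)} for every tagged UniFi network."""
    nets = {}
    for n in json.loads(json_text):
        if n.get("vlan_enabled") and "vlan" in n:
            nets[int(n["vlan"])] = (n["name"], n.get("purpose"))
    return nets


def check_vlans(pf, uf):
    """Compare both sides and return a list of human-readable findings."""
    findings = []
    parents = {pif for pif, _ in pf.values()}
    if len(parents) > 1:
        findings.append(f"pfSense VLANs span several parent interfaces {sorted(parents)}; "
                        "only tags on the trunk to the UniFi switch will reach it")
    for tag, (pif, descr) in sorted(pf.items()):
        if not 1 <= tag <= 4094:
            findings.append(f"VLAN {tag} ({descr}): tag outside 1-4094")
        if tag not in uf:
            findings.append(f"VLAN {tag} ({descr}) defined in pfSense on {pif} "
                            "but no UniFi network carries that tag")
            continue
        name, purpose = uf[tag]
        if purpose != "vlan-only":
            findings.append(f"VLAN {tag} ({name}): UniFi purpose is '{purpose}', expected "
                            "'vlan-only' when pfSense is the gateway")
        if name.lower() != descr.lower():
            findings.append(f"VLAN {tag}: names differ (pfSense '{descr}', "
                            f"UniFi '{name}') - cosmetic")
    for tag, (name, _) in sorted(uf.items()):
        if tag not in pf:
            findings.append(f"VLAN {tag} ({name}) exists in UniFi but has no pfSense "
                            "interface, so no gateway or DHCP")
    return findings


def run_check():
    """Run the comparison on the embedded sample data."""
    return check_vlans(parse_pfsense_vlans(PFSENSE_CONFIG_XML),
                       parse_unifi_networks(UNIFI_NETWORKS_JSON))


if __name__ == "__main__":
    for line in run_check():
        print(line)
```

On the sample data the script flags the typo-style mismatch the thread is about (pfSense tag 200 versus UniFi VLAN 20 for "guest"), the "cameras" network created as a corporate network instead of VLAN-only, and the VLAN sitting on a different parent interface than the others. To run it against a real site, replace the two constants with the contents of a config.xml backup and the controller's network export.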