Assigning VLAN tags for Staff/Guest network w/ Unifi WAPs, and passing via singular pfSense ETH7 port in Trunked mode.
-
Hi all!
I've been tasked with setting up a network much like that stipulated in this video. I'm using a pfSense router (7100) connected to a UniFi USWPro 24port switch, which in turn has two Unifi WAPs connected to it broadcasting two SSIDs - 'Guest' & 'Staff'. I have also watched this video to try and troubleshoot, to no avail.
Here's a network diagram to explain my setup:
The 'Staff' SSID is associated with a VLAN-only network on the UniFi WAPs, assigning VLAN ID 70 to connected devices & passing it through to the pfSense to be assigned an IP via DHCP.
The 'Guest' SSID is associated with a VLAN-only network on the UniFi WAPs, assigning VLAN ID 75 to connected devices & passing it through to the pfSense to be assigned an IP via DHCP.
Both of these WAPs are connected via ethernet cables to ports on a UniFi USW switch (with port profile "all" set on the switch for each WAP's connection, so should allow through all VLAN tags untouched).
Then, the USW switch's cable uplink runs to the ETH7 port on the front of the pfSense to be processed. This is where (if it hasn't already) it gets a bit confusing.
If you navigate within the pfSense+ UI to Interfaces > Switches > Ports, you can see which ports on the front of the device are 'active', and passing traffic. For context, I have 802.1q enabled, so all ports are automatically assigned a Port VID as in the following picture (which has the default 4092 applied), which (I believe) corresponds to the VLAN traffic that passes through it (?).
There is also the Interfaces > Switches > VLANs tab which, as far as I can tell, is where you can configure VLAN access/trunk interfaces (documentation here)
However, it seems that you can only assign one Port VID per port in this panel (in my example, the default value of "4092"), which is an issue when the cable running to that port (ETH7) has traffic tagged with one of two different VLANs - 70 (Staff) and 75 (Guest)...
THE QUESTION: How can I set up the ETH7 port so it acts as a Trunk port & just passes traffic tagged with VLAN 70 OR VLAN 75 by the UniFi WAPs through to the pfSense untouched, without reassigning VLAN tags on all the incoming traffic to presumably whatever the Port's VID is?
I want this so that when the traffic hits the internal pfSense interface logic, it can be separated to the corresponding VLAN (Staff or Guest) & assigned the corresponding IPs.
So, to rehash, I think what I'm asking is: whether it's possible to set one port on the pfSense (ETH7) to Trunk Mode when it contains traffic tagged with different VLANs, in order for those tags to be preserved on their way to the internal pfSense interface logic.
And doing this without switching to "Port VLAN Mode". (documentation here)
I have read the pfSense documentation but feel I may have confused myself in the process - if anyone could provide some insight, alternate suggestions/setups to achieve a similar result, or tips, it would be very much valued.
I am happy to provide more information as needed, and thank you for your time and patience ^^.
(this totally didn't take hours to write :'))
-
@caramel_juni I don't have this device but it's quite straight forward. It operates as a switch which the software segregates via different Port VIDs. A trunk port simply carries all the VLAN traffic so it has to be VLAN-aware first - set the Port VID as your management VLAN and tag the rest.
You can also enable port VLAN mode (by unchecking that box on the VLAN tab) and set up the ports in a traditional sense. Take a look at this example here.
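The reply above describes how an 802.1Q-aware switch port behaves: untagged frames are classified into the Port VID (the management/native VLAN), and tagged frames pass through with their tag intact only for VLANs the port is a member of. The following is an added illustration written for this thread, not code from pfSense, Netgate or Ubiquiti; it models that processing in plain Python with constructed frames. The port names, MAC addresses and sample payloads are assumptions, and the model follows generic 802.1Q semantics rather than the exact behaviour of the 7100's switch chip. It shows why a port with only a PVID of 4092 drops frames tagged 70 or 75, while the same port with 70 and 75 added as tagged members carries them untouched.

```python
"""Model of 802.1Q port processing: PVID for untagged frames, tagged VLAN membership for trunks."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
DEFAULT_PVID = 4092  # default Port VID shown in the pfSense 7100 switch UI (from the thread)


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETH_P_IPV4):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid or None, ethertype, payload); raise on truncated input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner, frame[18:]


def strip_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


class SwitchPort:
    def __init__(self, name, pvid, tagged=()):
        self.name = name
        self.pvid = pvid           # VLAN given to untagged ingress; sent untagged on egress
        self.tagged = set(tagged)  # VLANs carried with their tag intact (empty = access port)

    def ingress(self, frame):
        """Classify an arriving frame: returns (vid, frame) or None when dropped."""
        vid, _, _ = parse_frame(frame)
        if vid is None:
            return self.pvid, frame                 # untagged: native/PVID VLAN
        if vid == 0:
            return self.pvid, strip_tag(frame)      # priority-tagged: treated as untagged
        if vid == self.pvid or vid in self.tagged:
            return vid, frame                       # member VLAN: tag preserved
        return None                                 # not a member: drop

    def egress(self, vid, frame):
        """Emit frame on VLAN vid: untagged for the PVID, tagged for trunk members, else None."""
        cur, _, _ = parse_frame(frame)
        bare = strip_tag(frame) if cur is not None else frame
        if vid == self.pvid:
            return bare
        if vid in self.tagged:
            return frame if cur == vid else add_tag(bare, vid)
        return None


# Constructed sample traffic: locally administered MACs, made-up payloads
WAP_MAC = bytes.fromhex("020000000001")
PFSENSE_MAC = bytes.fromhex("020000000002")

SAMPLE_FRAMES = {
    "staff_tagged_70": build_frame(PFSENSE_MAC, WAP_MAC, b"dhcp-discover", vlan=70),
    "guest_tagged_75": build_frame(PFSENSE_MAC, WAP_MAC, b"dhcp-discover", vlan=75),
    "mgmt_untagged": build_frame(PFSENSE_MAC, WAP_MAC, b"inform"),
    "unknown_tagged_80": build_frame(PFSENSE_MAC, WAP_MAC, b"stray", vlan=80),
}


def classify(port):
    """Map each sample frame name to the VLAN the port assigns it (None = dropped)."""
    out = {}
    for name, frame in SAMPLE_FRAMES.items():
        result = port.ingress(frame)
        out[name] = None if result is None else result[0]
    return out


# ETH7 as a trunk: PVID 4092 for untagged (management) traffic, 70 and 75 as tagged members
ETH7_TRUNK = SwitchPort("ETH7", pvid=DEFAULT_PVID, tagged={70, 75})
# ETH7 with a PVID only and no tagged members: the configuration the original post describes
ETH7_PVID_ONLY = SwitchPort("ETH7", pvid=DEFAULT_PVID)

if __name__ == "__main__":
    for port in (ETH7_TRUNK, ETH7_PVID_ONLY):
        print(port.name, sorted(port.tagged) or "no tagged members", classify(port))
```

Running it prints the VLAN each sample frame lands in on both versions of ETH7. The trunk configuration keeps the 70 and 75 tags exactly as the WAPs sent them, classifies the untagged switch-management traffic into 4092, and drops a frame tagged with a VLAN the port was never made a member of, which is the behaviour to expect from any 802.1Q switch, including the one in the 7100 once the VLANs are added to the port.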
-
@Popolou Thank you! I'll give that a try tomorrow and see what I can get going; it has just been confusing, as I have been trying to understand the router's pre-existing config (that someone else set up before me) without redoing it all completely.
So how to tell which one is the management VLAN has been a bit touch and go, but hopefully I'll get there - I assume the management VLAN is the VLAN associated with the network that the pfSense itself is on (aka being "managed" from)? E.g. the one displayed on the pfSense GUI homepage, and from which I access the GUI (172.16.66.1 in my case).
And thank you so much for that example, it seems to be what I was looking for - to assign ETH7 & uplinks to "accept traffic that has already been tagged with a VLAN ID of X", without tagging them again. Hopefully I can create two of these rules so the pfSense can accept pre-tagged VLAN traffic of X or Y, to accommodate incoming packets from my guest/staff SSIDs.
-
Hello all!
For anyone who finds this thread in the future, I figured it out and wrote up a guide on how to do it with a UniFi USW switch here.
A similar process applies when using UniFi WAPs, and I've done as such, and may write a future guide on that if desired/needed. But the aforementioned article should give you enough to apply it to a UniFi WAP :3
Have a lovely day! <3