Can't get pfSense to communicate with Ubiquiti switch

Arimil

I have a pfsense firewall that I've been trying to setup, the old network had a Ubiquiti switch setup and afaik all of the addresses on that switch are 10.0.0.0/8.

Then I configured a gateway:

And then setup a static route for all 10 series addresses to go to that interface:

Finally I configured firewall rules to allow LAN to send traffic:

However attempting to ping a known IP always results in timeouts, and a trace shows that it’s dying at the firewall.

Does anyone know what could be going wrong, is there something I’m missing or do I just have no clue what I’m doing?

Thanks

johnpoz

@Arimil said in Can't get pfSense to communicate with Ubiquiti switch:

Ubiquiti switch setup and afaik all of the addresses on that switch are 10.0.0.0/8.

What unifi switch do you have, when did they add L3 to their switches? Before they were all just L2..

mcury

@johnpoz said in Can't get pfSense to communicate with Ubiquiti switch:

@Arimil said in Can't get pfSense to communicate with Ubiquiti switch:

Ubiquiti switch setup and afaik all of the addresses on that switch are 10.0.0.0/8.

What unifi switch do you have, when did they add L3 to their switches? Before they were all just L2..

If I'm not mistaken, it seems that they implemented Global ACL features and fixed some routing problems after reboot since firmware 7.0.40 (https://community.ui.com/releases/UniFi-Switch-7-0-40/0a417343-8c4a-4835-9229-4b8b98b1193a)

johnpoz

@mcury what is the switch model? The enterprise models can have routing.. But many of their other ones do not.

If you want router or L3 switch that routes downstream, it should be connected via a transit network. And your going to need routes on both ends, pfsense side and on the "switch" where either the default route points to pfsense IP on the transit interface that the switch has an IP on, or to the networks that are on pfsense, etc..

Here is a good diagram on how to setup a downstream router connected to pfsense and route networks that are on the downstream router

mcury

@johnpoz said in Can't get pfSense to communicate with Ubiquiti switch:

what is the switch model? The enterprise models can have routing.. But many of their other ones do not.

I think only the Enterprise and the Pro lines are L3 capable. There is guy in youtube that is testing, it seems to work OK.
I didn't get one because they run really hot and they have a cooler, which for me is a show stopper.
Can't work with a noisy cooler near to me here..

johnpoz

@mcury never impressed with the unifi switches.. But I did pick up one of their little flex minis to play with.. And sure its tiny, and you can power via poe which are nice. But its actual "switch" features are lack luster at best.

Ah didn't notice you were not the OP, for all we know he is trying to route on some little 8 port lite switch, etc.

mcury

@johnpoz said in Can't get pfSense to communicate with Ubiquiti switch:

@mcury never impressed with the unifi switches.. But I did pick up one of their little flex minis to play with.. And sure its tiny, and you can power via poe which are nice. But its actual "switch" features are lack luster at best.

I have one of those too, currently in use, it works fine actually, nothing to complain about it.
A friend gave it to me, it was a "gift", he said it was broken but it wasn't, he failed to adopt it.. Told him but he said, "ah, just keep it, its yours".. hehe, a free switch is always a good switch :)

johnpoz

@mcury yeah it works.. And price isn't bad, and sure can not complain about free ;)

Not overly impressed with how its managed, not really a fan of how unifi does management overall for their switches, etc. And its underwhelming from feature set, etc..

Mine is currently just sitting on a shelf, there was a thread around here somewhere when I fired it up - it spews a lot of noise.. I think I was seeing issues with lldp or something if I recall.. I believe I figured out how to turn it off. Or it wasn't showing up correctly in the controller for where it was placed or something.

Only place I would most likely use it is behind my TV where I have a pi as well on a different vlan.. But the little tplink currently there works fine.. If it fails I would prob use the mini as replacement. I currently don't have any other use for it.

But I know when they first came out with their switch line - the lack of L3 was causing a lot of complaints.. Nice that they added it to their enterprise and pro lines.. But those are not cost advantageous either..

We need to understand what switch the OP is using to move forward if it can actually do L3 at all.

mcury

@johnpoz said in Can't get pfSense to communicate with Ubiquiti switch:

But those are not cost advantageous either..

Indeed..

We need to understand what switch the OP is using to move forward if it can actually do L3 at all.

Lets wait for his reply then, but I think he shouldn't have added that gateway in the first place, only the static route would be enough.

Arimil

@johnpoz said in Can't get pfSense to communicate with Ubiquiti switch:

@Arimil said in Can't get pfSense to communicate with Ubiquiti switch:

Ubiquiti switch setup and afaik all of the addresses on that switch are 10.0.0.0/8.

What unifi switch do you have, when did they add L3 to their switches? Before they were all just L2..

USW Pro 24

Arimil

@johnpoz said in Can't get pfSense to communicate with Ubiquiti switch:

@mcury what is the switch model? The enterprise models can have routing.. But many of their other ones do not.

l2switch.jpg

If you want router or L3 switch that routes downstream, it should be connected via a transit network. And your going to need routes on both ends, pfsense side and on the "switch" where either the default route points to pfsense IP on the transit interface that the switch has an IP on, or to the networks that are on pfsense, etc..

Here is a good diagram on how to setup a downstream router connected to pfsense and route networks that are on the downstream router

pfsense-layer-3-switch.png

It looks like I mostly had it setup correctly, I just need to configure the default gateways correctly, I wont be able to attempt this again until Friday likely since these systems are being used atm, I replaced the old hardware for now.

johnpoz

@Arimil yeah if the old L3 was routing, its gateway was prob set to whatever the old network was. Which prob now different?

johnpoz

@mcury said in Can't get pfSense to communicate with Ubiquiti switch:

but I think he shouldn't have added that gateway in the first place

you need a gateway to point the route too ;) So yeah pfsense needs to have a gateway, that it sends traffic to get to other networks that are downstream or upstream depending on where pfsense sits in the network ;)

mcury

@johnpoz said in Can't get pfSense to communicate with Ubiquiti switch:

you need a gateway to point the route too ;) So yeah pfsense needs to have a gateway, that it sends traffic to get to other networks that are downstream or upstream depending on where pfsense sits in the network ;)

hmmm ohh yes, you need to create that gateway to use it in the static route, my mistake :)

Arimil

I got a chance to mess with this over the weekend, it seems I was mistaken about the switch doing the routing, the switch just has a bunch of VLAN configured that it's resolving using the upstream gateway, so it seems I have to configure all those VLAN to match what the switch is expecting for the VLAN ids.

coxhaus

@mcury
Look at Cisco. They have been doing layer 3 for many years and it works well. All of Cisco small business 300 and 500 switches do layer 3. I have been running layer3 at home for 15 years.

You want to point all the local gateways at the layer 3 switch and point the default route to Pfsense.

If you are doing trunking then you are NOT doing layer 3 switching.

mcury

@coxhaus said in Can't get pfSense to communicate with Ubiquiti switch:

@mcury
Look at Cisco. They have been doing layer 3 for many years and it works well. All of Cisco small business 300 and 500 switches do layer 3. I have been running layer3 at home for 15 years.

You want to point all the local gateways at the layer 3 switch and point the default route to Pfsense.

I used to work a lot with Cisco switches, but at that time, most of them didn't support L3.
The VLAN interface was for management only.

According to the specs, USW Pro 24 is L3 capable but I'm not sure If I would use it.
See, the L3 support is pretty recent, maybe three months ago (not sure exactly when) they released a firmware that fixed ACL and other things.
Until that moment, nobody was using the L3 features of these switches because a simple reboot would erase all your ACL configuration.

mcury

@coxhaus said in Can't get pfSense to communicate with Ubiquiti switch:

If you are doing trunking then you are NOT doing layer 3 switching.

That is router on a stick.

@coxhaus said in Can't get pfSense to communicate with Ubiquiti switch:

You want to point all the local gateways at the layer 3 switch and point the default route to Pfsense.

We were not aware that the end user was speaking about L3 at that time.

coxhaus

@mcury
You must be as old as me. Back when I worked, we only used Cisco enterprise. I retired around 20 years ago.
I have been running Cisco small business equipment since then. The nice thing about Cisco small business networking equipment is you get firmware updates for life of the product. It is not like Cisco enterprise where you have to pay for IOS upgrades. So, it works well for home and small businesses. I run a CBS350 switch and 3 Cisco 150ax WiFi 6 Aps.

mcury

@coxhaus said in Can't get pfSense to communicate with Ubiquiti switch:

You must be as old as me.

Yes, I feel old ehhe

@coxhaus said in Can't get pfSense to communicate with Ubiquiti switch:

I have been running Cisco small business equipment since then.

They are way to expensive around here, maybe one day I get one to play with, for fun :)