Netgate Discussion Forum

Basic setup help, single VLAN from SG-1100 to Unifi switch

L2/Switching/VLANs
14 Posts 2 Posters 680 Views
NGUSER6947

      I'm trying to set up a WiFi AP via a VLAN so that I can use it with a single PC that I want to isolate from everything else in the house.
      Physical setup:
      Netgate SG-1100->Unifi managed switch->Wifi AP (and other devices/clients)

      On the Unifi Network side, I set up a 2nd Network as VLAN #2. I tagged the port on the switch as a VLAN port. I then set up a 2nd WiFi network assigned to that new Network. It seems to be ok and reports a single client (the PC I want to isolate) connected to it.

      My question is, where do I go from here on the pfSense side? Never did this before so it's all new to me. I read through some of the documentation but having trouble grasping much of it.

the other @NGUSER6947

        @NGUSER6947
        hey there,
        in short terms...

        • go to Interfaces > VLANs: there create a VLAN, parent interface should be LAN - carrying that VLAN, set VLAN TAG (id), SAVE
        • then switch to interfaces: here create a new one by ADDING a new one, fill out the form
        • then create firewall rule(s), since that is a must for subnets. For starters, make one like
          For isolating from other networks in your home:
          DENY, Source VLAN X, Destination your other Subnets/VLANs/LAN (to isolate from other devices), Ports as needed (or ANY)

        To get to Internet:
        PASS, Source VLAN X, Destination ANY, Ports as needed (or ANY)

        You can also make an ALIAS, including all private networks, then use THAT ALIAS in your first rule for isolating...

        Here: https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html

        the other

        pure amateur home user, no business or professional background
        please excuse poor english skills and typpoz :)
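The two rules in the post only isolate the VLAN if pfSense evaluates them in the right order: rules on an interface are matched top to bottom and the first match wins, so the DENY to your private subnets has to sit above the PASS to ANY. The following model, an added example that is not code from this thread or from pfSense, evaluates a few constructed flows against both orders. It assumes VLAN 2 is 192.168.3.0/24 with pfSense at 192.168.3.1 and the existing LAN is 192.168.1.0/24 (constructed values), and it adds one rule the post does not mention: a PASS for DNS to the firewall's own VLAN address placed above the block, since 192.168.3.1 is itself inside the private-networks alias and would otherwise be blocked.

```python
"""Model of pfSense's first-match rule evaluation for the isolated VLAN.
Added example, not code from the thread or from pfSense; the subnets are
assumed: VLAN 2 = 192.168.3.0/24 with pfSense at 192.168.3.1 (the OP's
gateway), existing LAN = 192.168.1.0/24 (constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Alias of all RFC 1918 ranges, as the post suggests for the isolating rule.
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VLAN2_NET = ipaddress.ip_network("192.168.3.0/24")   # OPT2 / VLAN 2 (assumed)
VLAN2_GW = ipaddress.ip_network("192.168.3.1/32")    # pfSense's own VLAN address


@dataclass
class Rule:
    action: str                                 # "pass" or "block"
    src: ipaddress.IPv4Network                  # source network
    dst: Optional[List[ipaddress.IPv4Network]]  # None = any destination
    dst_port: Optional[int] = None              # None = any port
    name: str = ""

    def matches(self, src_ip, dst_ip, dst_port) -> bool:
        if src_ip not in self.src:
            return False
        if self.dst is not None and not any(dst_ip in n for n in self.dst):
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        return True


def evaluate(rules, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """First matching rule wins; with no match pfSense's implicit default is block."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action
    return "block"


# Rules in the order the post recommends (block first, then pass), with one
# addition: DNS to pfSense's own VLAN address is allowed *above* the block
# rule, because 192.168.3.1 falls inside the private-networks alias.
ISOLATING_RULES = [
    Rule("pass", VLAN2_NET, [VLAN2_GW], 53, "DNS to firewall"),
    Rule("block", VLAN2_NET, PRIVATE_NETWORKS, None, "isolate from private nets"),
    Rule("pass", VLAN2_NET, None, None, "internet access"),
]

# The same two core rules with the order reversed: the pass-any rule now
# matches every packet first, so the "isolated" VLAN can still reach the LAN.
WRONG_ORDER = [ISOLATING_RULES[2], ISOLATING_RULES[1]]


def summarize(rules) -> dict:
    """Evaluate a few constructed flows from a VLAN 2 client (192.168.3.50)."""
    client = "192.168.3.50"
    return {
        "to_lan_smb": evaluate(rules, client, "192.168.1.20", 445),
        "to_internet_https": evaluate(rules, client, "203.0.113.10", 443),
        "to_firewall_dns": evaluate(rules, client, "192.168.3.1", 53),
    }


if __name__ == "__main__":
    for label, rules in (("recommended order", ISOLATING_RULES),
                         ("reversed order", WRONG_ORDER)):
        print(label, summarize(rules))
```

With the recommended order the client reaches the internet and the firewall's DNS but not the LAN; with the block and pass swapped every flow is passed, which is exactly the misconfiguration to check for when an "isolated" VLAN turns out not to be.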

NGUSER6947 @the other

          @the-other Thank you. To confirm, the VLAN tag field needs to match the VLAN tag number I set up on the Unifi side? I.e. I set it up as Network #2 in Unifi Network, so set it to 2 also in pfSense, correct?

          5a1a7ebd-71f6-4ca2-8793-87c77b70fc67-image.png

          Then here I'm confused. Just select Save here?
          ca617e14-95da-4d29-a251-043d32733ad4-image.png

          So if I understand correctly, OPT2 is my (virtual) interface similar to LAN and OPT physical interfaces on the device.
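The answer to the tag question is yes: the VLAN ID is a 12-bit number that the switch writes into every tagged frame's 802.1Q header, and the pfSense VLAN interface only receives frames whose tag equals the ID configured under Interfaces > VLANs. The decoder below is an added example (not code from the thread, Unifi or pfSense) that builds constructed tagged and untagged frames and reads the ID back, so a mismatch between the two sides can be seen for what it is.

```python
"""Decode the 802.1Q tag on an Ethernet frame to show that the VLAN ID is a
12-bit number carried in every tagged frame, so the tag configured in
pfSense (Interfaces > VLANs) must equal the one the Unifi switch inserts.
Added example; the frames below are constructed, not captured."""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag


def parse_vlan_tag(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (pcp, vid, inner_ethertype) for a tagged frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None                       # no 802.1Q tag present
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13                       # 3-bit priority code point
    vid = tci & 0x0FFF                    # 12-bit VLAN identifier (1..4094)
    return pcp, vid, ethertype


def build_frame(vid: Optional[int], ethertype: int = 0x0800, pcp: int = 0) -> bytes:
    """Build a minimal payload-less frame; vid=None builds an untagged frame."""
    dst = bytes.fromhex("ffffffffffff")   # constructed broadcast MAC
    src = bytes.fromhex("020000000001")   # constructed locally administered MAC
    if vid is None:
        return dst + src + struct.pack("!H", ethertype)
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype)


def frame_belongs_to(frame: bytes, configured_vid: int) -> bool:
    """True if the frame's tag equals the VLAN ID configured on the pfSense side."""
    tag = parse_vlan_tag(frame)
    return tag is not None and tag[1] == configured_vid


if __name__ == "__main__":
    tagged = build_frame(2)                 # what the Unifi switch sends for VLAN 2
    print(parse_vlan_tag(tagged))           # (0, 2, 2048)
    print(frame_belongs_to(tagged, 2))      # True: both sides use tag 2
    print(frame_belongs_to(tagged, 20))     # False: mismatch, OPT2 never sees the frame
```

Untagged frames (the default network) carry no 802.1Q header at all and fall through to the parent interface, which is why the isolated PC must be on the SSID mapped to VLAN 2 rather than the default one.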

the other @NGUSER6947

            @NGUSER6947
            Hey there,
            Might be me as a result after a long fu$%#g monday...
            But your vlan screenshot looks strange.
            To me it seems as if you have everything, including wan, on one interface (mvneta0).
            How is your device set up?
            Here, i use 1 physical interface for wan, another one for lan...
            On that lan interface i created my 4 vlans.
            So i have interface x1 wan.
            And interface x2 lan
            Vlans are on interface x2.
Just wondering...might be you're doing it right, didn't dig into your device's specs.

            Yes, your vlan (if configured correctly) is a new separate network with need for its own ip range, dhcp, dns, ruleset and so on. Since you seem to have a vlan capable switch and ap with more than just one ssid...you could not only isolate that one pc but also create a vlan to separate all your iot smart home equipment or...it is by default virtually separate from your other existing networks.
You usually use vlan 1 as a trunk (connection between vlan aware router, switch, ap) which carries the vlans you need.

NGUSER6947 @the other

              @the-other Yeah, I see what you are saying, however it's been set up this way for years with the exception of the OPT2 interface at the bottom. Also, note that it does show different VLAN numbers corresponding to the associated physical port (WAN, LAN, OPT) for each interface: a8d3e9e0-f1a6-4fd9-a3a6-b6b4c964c92f-image.png

              I'll proceed with setting up the DENY and PASS rules to allow the VLAN2 to pass only what I want and see how that works.
              Thanks again.

              Edit: is this system log (DHCP) confirming that the client PC is trying to obtain a lease? a6aa3221-a747-4a94-8adf-5763cc87124e-image.png

the other @NGUSER6947

                @NGUSER6947
                hey there, just a short follow up...
                never mind my wondering about your interfaces setup...just saw:
your hardware uses vlans to separate those physical ports...so, all should be well and it is purely my mistake. sorry for any confusion.
                Have you figured it out? Everything's working now?
                :)

NGUSER6947 @the other

                  @the-other I haven't had time yet (between other commitments, house projects, etc.) to create the firewall Deny/Pass rules.

                  As of now I think that's the last thing left. I made sure that I gave the "virtual" interface an address of 192.168.3.1 and that matches the gateway defined for the VLAN on the Unifi side.

                  With the bottom-most screen capture above, does that confirm that the one client PC on the VLAN is requesting a DHCP license (or is it the other way around, meaning pfSense is trying to see if any clients are looking for a license)?

NGUSER6947

                    @the-other Here's where I am today. I created the Pass rule for the VLAN. pfSense's DHCP log I think is indicating that it's trying to issue a lease: 1925e5ca-f3d8-4b52-b33b-f0a27bb80060-image.png
                    or at least some activity is taking place.

                    However, the client never obtains an IP. Ipconfig shows that the wireless adapter is staying with its autoconfiguration IPV4 address.

                    This is the rule I created for OPT2 (the VLAN) to allow traffic out to the internet: a816a777-b43d-42fa-a546-abf877037a96-image.png

                    Starting at the client, it does have a connection to the AP, here (in Unifi) you can see it with the autoconfig IP: bb03be71-0836-42f1-9059-4e5c84c3458b-image.png

                    On pfSense, I have the OPT2 interface set with the same IP as set in Unifi as the DHCP server (192.168.3.1): ce791a06-dbd3-4ca7-9de6-9ad066b6f6f3-image.png

                    fbe29da2-9829-413a-953b-c40e77b858cf-image.png

                    One thing I am not sure about, is (on the interface screen), is the MAC address for the interface: dce934e1-3d99-47f3-92ee-4d9649a34f0a-image.png
                    I'm not sure what to set it to. Suspecting this is part of the issue.

                    Finally, here's what the Dashboard page shows for interfaces in pfSense:
                    5c878588-7276-4f69-93c6-a734baf5c92e-image.png

                    Edit: after rereading some documentation, I switched OPT2 to a static IP and set the address to 192.168.3.1. Now, in the DHCP server tab, OPT2 shows up. However, the client still doesn't get an IP.

the other @NGUSER6947

                      @NGUSER6947
so...you are using the new KEA dhcp server mode...as do so many, misled by that warning about "...ISC dhcp has reached end of life...".
                      My hint would be: go back to ISC dhcp....it is still working just fine whereas KEA is still...developing. I'm sure it will be all well, once it has settled in. But for now, ISC is just (still) fine.

                      and: you try to configure a client with ip 192.168.3.1...shouldn't THAT be pfsense's IP for the "new" interface (for vlan 2 on interface opt2)?
                      So under Interfaces...set a static IP for that one (VLAN2) with 192.168.3.1...no upstream gateway.
                      Then your vlan2 should show under Services > DHCP server. There enable dhcp, set IP range...then your client should get its IP (either dynamically or you set a reserved one with its MAC under Services > dhcp server > vlan2 > static mappings...)

NGUSER6947

                        So yes I corrected the OPT2 by setting a static IP of 192.168.3.1.
                        a3183f60-cc72-4aaf-9e0a-391525fb78ab-image.png

                        I do have VLAN2 showing up under the Services->DHCP page.
                        d10cc0ad-4ace-4a09-8bcb-c440f2c58404-image.png

the other @NGUSER6947

@NGUSER6947 yeah, and still running KEA... ;)
                          Given everything else is set your pc should (in auto mode) get its IP between .10 and .20...
                          Does it?

NGUSER6947 @the other

@the-other No. The wifi adapter remains with its default IP of 169.254.4.82.

                            I've reset the adapter, IPCONFIG /RENEWd, etc. to no avail.

                            I'm not seeing any errors in the pfSense DHCP logs either, though I'm also not seeing anything that indicates that it's trying to serve up a license for that PC.

                            On the Unifi side, I can view the live network topology and it shows that PC, with the isolated Wifi network, and online.

the other @NGUSER6947

                              @NGUSER6947
                              well, how did you set it all up? as a trunked vlan?
                              So you have your lan, this carries vlan 1 as the default vlan in trunked vlan mode and vlans x, y, z...being carried on your lan.
                              so, all your productive vlans (incl your "isolated" one) go over one cable to your ap.
                              there you set your ssids, so that ssid x handles vlan x and so on.
                              that way all your vlans are carried to your ap and are being broadcasted with their own ssid. your ap also needs a management ip (default this is in vlan1).
                              is there another dhcp running (on that ap) by chance?

NGUSER6947 @the other

                                @the-other There isn't any DHCP running on the AP. Yes, I have both a default (non-VLAN) and a separate VLAN network defined on the AP, each with separate SSIDs. Clients that I'm not trying to get onto the VLAN are connecting and operating fine on the default (non-VLAN) network. If I tell that one PC to connect to that SSID it works fine and it gets an IP and is good to go.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.