Solved! Has anyone recently (2024) set up a VLAN using pfSense and Unifi Network application and switches? (DHCP back-end has to be ISC)
-
I tried about a year ago to get a VLAN up and going for isolating a device. Spent quite a bit of time on it and a lot of interaction with folks here but never did get it to work (problem was the device would never get an IP, even though DHCP was enable for the VLAN).
Anyhow, since Unifi updates their setup screens on a seemingly constant basis, I'd like to try this again using the setup that someone else did recently using the same configuration so that I'm not trying to translate between older support threads here that look nothing (on the Unifi end) that they (the screens) do now.
I have a Netgate SG-1100 and 2 downstream Unifi 8-port smart switches.
I set up the VLAN this morning using this guide: guide
As far as I can see I have everything set up. Interface is enabled, DHCP is enabled, VLAN ID matches what I have on the Unifi end. However, I'm not getting an IP issued when I attempt to connect to that device (separate WiFi network defined in Unifi Network, port is tagged, etc.).
This is exactly where I got stuck the last time I attempted this.
-
@NGUSER6947 Pretty sure there is something misconfigured in your Unifi settings.
First of all, the port connecting to pfsense needs to be set to TAGGED. Either select Allow all or use Custom to define which ID's should be included. The same is true for the port(s) connecting your AP's (and connecting the two switches), they also need to be TAGGED.
Under the Wifi settings you create a wifi network for each new VLAN network you want (and have created under Networks).
Any device that you want to have on a specific VLAN that is directly connected to one of the switches need to have it's port set to Untagged.
-
@Gblenn Thank you for responding. I think I have things set as you specify:
Port 3 on the switch is the port with the AP.
-
@NGUSER6947 That looks ok, and can I assume that port 1 is pfsense and that is also set to TAGGED for VLAN 10, and the same for port 4 (TRUNK to other switch)? If you don't use VLAN 10 on that switch you can leave it but port 1 has to have VLAN 10 TAGGED for it to be able to pass along VLAN traffic to/from pfsense correctly.
Also I'd turn off the Captive Portal during testing, just to see that things work correctly. And just to be sure, is that something you want and need?
-
@Gblenn If I tag Port 1 on the switch for the VLAN like this:
all communication stops. I reset the switch twice, same result. Dead, nothing gets to the pfSense router.
Wait - this is where Ubiquiti's UI messes with my head - should I have ALL ports green (tagged with 10-Automation (bottom row) and 1=Default should be all blue (top row)?
Fortunately I have Port 2 unused and I was able to get things back up again by plugging the cable from pfSense into switch Port 2 and restarting the switch.
I did turn off the Captive Portal as you suggested. No I don't need that. Also the 2nd switch doesn't need to be part of the VLAN so I don't plan to tag any of those ports.
Ok I updated this and have Port 1 set this way. Is this correct?
Configured this way, with pfSense plugged back into Port 1, everything works fine... except if I try to connect a device to the Automation wifi it still doesn't get an IP.
-
I have a Unifi AC Lite AP which I have configured to use with a VLAN & 2nd SSID. I also have a Cisco switch. I enabled the VLAN on the pfSense main LAN interface and on the AP, to connect the VLAN to the 2nd SSID. I also enabled the VLAN on the 2 switch ports it passes through.
-
@JKnott said in Has anyone recently (2024) set up a VLAN using pfSense and Unifi Network application and switches?:
I have a Unifi AC Lite AP which I have configured to use with a VLAN & 2nd SSID. I also have a Cisco switch. I enabled the VLAN on the pfSense main LAN interface and on the AP, to connect the VLAN to the 2nd SSID. I also enabled the VLAN on the 2 switch ports it passes through.
@JKnott I have mine set this way:
Are you saying yours is set like this?
-
@NGUSER6947 said in Has anyone recently (2024) set up a VLAN using pfSense and Unifi Network application and switches?:
Wait - this is where Ubiquiti's UI messes with my head - should I have ALL ports green (tagged with 10-Automation (bottom row) and 1=Default should be all blue (top row)?
Well, since Native means Untagged, it should normally be 1=Default all across the ports. Except when you only want VLAN traffic to exit through that port. Like when you connect a Camera or some device that needs to be in a specific VLAN.
And Green means Tagged so it needs to be 10=Automation on port 1 (if that is where pfsense is connecting) and any ports where you have your AP's connected. So your picture is correct what you are showing.
If it still doesn't work, I'd suggest you set one of the free ports to 10 Native and connect your PC to that port. Does it get an IP? If not, you need to check your VLAN settings or DHCP for the VLAN in pfsense.
In your picture it looks correct with VLAN 10 on mvneta0, if I understand how it should be on those units. Perhaps you can show the rest of the settings for that interface and the DHCP server allocated to it?
-
@Gblenn So, the way I have Port 1 configured is like this:
and yeah just looking at this page it appears Port 1 isn't tagged. But! drilling into it shows this for Port 1 and Port 3:
Unless the Unifi UI is once again messing with my brain (quite possible), the way I understand this is that Port 1 and Port 3 are set for Default but also is tagged for the Automation VLAN.
If I just tag Port 1 by setting the Native VLAN/Network to Automation, this is when all network comm halts. I assume that's because nothing else on the switch can get to the router (but who knows, that's just my assumption). Nonetheless, that's what I have observed via testing.
I did the test you suggested. With a PC plugged into Port 2, set up like this:
it does not get an IP, just spins a bit then gives up.
-
Here are the screenshots from pfSense.
-
@NGUSER6947 Well I can't see anything out of the ordinary there. It looks like it's correctly set up in pfsense. Perhaps one more thing... there is a menu item under Interfaces called Switch / VLANs, correct? What does that look like?
Aaand, I assume you are connecting the switch to the port with the label LAN on the Netgate device? -
In addition to everything that has Been said here. I noticed that you are Using the KEA back end. As a last resort, you may want to try switching the back to ISC and see if that makes any difference. I know the first time you tried to do this you were probably using ISC. Even though that didn’t work out. KEA is still in the detail shop and not ready for the showroom floor.
-
@Gblenn This is the setup page you asked about:
And yes, the switch is plugged into the LAN port on pfSense.
-
@Uglybrian To change it to ISC where is that, also do I need to restart the router or just save and apply changes?
-
@Gblenn I did some research and apparently with the SG-1100 you have to set up tagging inside Interfaces/Switch/VLANs.
This is how I have it configured now, which exactly matches several of the tutorials I found:
Still, no happiness. Neither a wifi device or the PC I have plugged into Port 2 (which is tagged) will obtain an IP.
-
If you want to give it a try. Go to System> Advanced> Networking. Click on ISC DHCP then save at the bottom. There is no need to restart the router.
-
@Uglybrian Well sure enough, that did it! Man, this has been driving me nuts.
Phone connected right away.
Thanks to you and @Gblenn for your help and assistance.
-
@NGUSER6947 Great that it works now, but really strange that KEA would be the culprit. I think you had some issues with KEA all along, which you didn't notice until you were testing with something requiring a new IP. I would try changing back to KEA to see if it still works, which I'm guessing it will...
-
@Gblenn yeah I may try that at some point. Since ISC is marked "Deprecated" I would think that KEA would be pretty well sorted out by now.
-
@NGUSER6947 Yes but things seem to pop up, at least in discussions. I had it crash a few months back and it didn't want to restart due to a lock file lingering, so changed back. But I also have it running on another instance on CE where it's been working fine...
