Unifi SSID/VLANs blocked from internet due to static IPs?
-
@johnpoz No I meant I had set up the pool earlier (.51 to .254) and left space for static IPs (.1 to .50). The ones I allocated were from that static reservation (.2 and .3).
When I removed those 2 static routes and rebooted the pfSense, the VLANs regained internet access. Now the switch and key are back in the DHCP pool again (.50+).
I tried to google anyone else having this issue unsuccessfully. My only current theory is the Androids treat the WiFi/VLAN IDs differently?
-
@dj_jc_jase said in Unifi SSID/VLANs blocked from internet due to static IPs?:
When I removed those 2 static routes
Routes - what are you doing with routes?
But again if you have vlans set up and ssids tied to vlans - changing some device's IP inside a network has nothing to do with any of that.
How about you give some details of how your network is set up, and what you're actually doing..
Are you trying to route between your vlans downstream of pfsense?
Why would end devices care what vlan they are on, and they shouldn't have a clue to what ID it is.. Are you trying to set vlan IDs on a device directly?
-
@johnpoz sorry again I meant IP not Route above! It's a pretty easy setup I have pfSense as my FW and pfBlockerNG and this connects directly to my Unifi PoE switch. On the switch are the CloudKey and my APs etc.
The DHCP and VLANs are in pfSense and I think set up ok, as it works currently. The Unifi NW has the Networks and SSIDs set up and tied to those VLANs, again correctly enough as it works atm.
The bit I get sketchy on is the FW rules, Outbound NAT (both in pfSense) and the Port controls in Unifi (although they are currently all set to Trunk, not Access yet).
Is that what you mean? Not keen to post/show the actual setups publicly naturally?
-
@dj_jc_jase why would firewall rules have anything to do with changing an IP from dhcp to static??
I want nothing more than to help you.. but without info I have no idea what you're doing to be honest.. Nothing you have mentioned has anything to do with changing some device's IP to being 192.168.1.x/24 from dhcp to 192.168.1.y/24 that you set static on the device.
Why would that have anything to do with your outbound nat rules in pfsense or if a port is access or trunk on some switch? If you're going to carry multiple vlans over a port, then yeah it has to be trunk - access is for 1 native network only..
Why would you care about sharing your network setup if you're using rfc1918 space?
I always fail to understand this tinfoil hat mentality.. What do you think someone could do with say the layout of your house, if they have no idea where your house even is?
Not asking for your root passwords, a simple napkin drawing of your network is more than enough - pointing out what you're actually changing, etc.
But changing a device's IP from .x to .y has zero to do with anything - unless you step on some other device's IP that is used for something you need like dns or your gateway, etc. Or you mess up something when setting that IP - then yeah that device isn't going to work.. But the network configuration/layout has zero to do with changing some IP from .x to .y on the same network..
What I am trying to understand is what exactly you're changing.. To help figure out why you're having issues when you change it..
-
@johnpoz thanks for trying but the reason I am posting the question is I also don't understand why going static IP would cause the issue I am seeing. Here is a napkin :)
It's the .2 and .3 that went static and caused the WiFi androids to lose internet access...
-
@dj_jc_jase the management IP of a switch would have zero to do with anything.. And your cloudkey doesn't even need to be on..
But what could happen is an adoption thing since your cloudkey manages your switch. Are your PCs on the same ssid/vlan as your android?
When your cloudkey changes its IP or the switch does - guess it's possible that they get re-provisioned??
I have a unifi switch, I could try changing its IP and see if it provisions or has to re-adopt it?
Are you changing them both at the same time? Are you moving them to a different vlan? Are they currently in your lan that is untagged, and you're trying to move them to infra that is tagged vlan?
And that drawing is perfect by the way to help understand! Thank you!!
edit: Here I changed the IP of my flex mini.. It was on .6, I made sure nothing was on .7.. I then changed it and you could see it provisioned it to change the IP, I could then ping it on .7
The ping at the bottom was me pinging a device that is connected to flex mini on a different vlan - I started the ping from my pc that is on different vlan and multiple switches away from my flex mini before I changed the IP.. And then waited until after it had been changed - didn't even lose a single ping while the switch was provisioned with its new IP.
But I bet when you changed the IP of your cloud key things have to be readopted and provisioned. I would change your switch IP first. Then after that working change your CK IP..
Another thing that could be going on, but not sure is when that switch gets updated, I wonder if poe cycles and your APs reboot? I wouldn't think so? But maybe.. Changing the IP of the switch first would allow you to see if your APs go offline, etc. Maybe get a ping going to one of their IPs from pfsense or some other device on your network that is wired..
-
Hi Thanks again, had family stuff interrupt things! Will try again this afternoon, switch first as suggested and see what happens. I did change them both at the same time last time, so yeah could have caused issues?
-
@dj_jc_jase let us know how it turns out - but the IP of CK or the management IP of switch really has nothing to do with the conversations of devices on different networks.
Other than a re-provision or maybe adoption issue.. You're not doing L3 adoption are you, your CK IP and your switches and access points are all the same management network - right, and they use L2 for discovery?
But even when your CK is offline your devices shouldn't change from their last config. So even if the ap and switch could not talk to the CK because of an IP change they should just continue to function with their last config.
Are you running some services on the ck like dhcp, or dns? Or maybe captive portal?
-
OMG it's now working! I did the static IP assignments slowly, switch first, carefully waiting and checking it was working after each. Now both the switch and the CK have the static .2 and .3 and everything is still working on the VLANs and SSIDs, Android WiFi connected devices included.
I'm very confused as literally nothing else has changed. I guess something got discombobulated in the original setup/changes??? Maybe Mercury is retrograde or something...
In any case appreciate your efforts to help, ultimately you did :)
-
@dj_jc_jase glad to hear sorted.. Possible something got messed up during the double change at same time? I don't have anything on poe switch from unifi - so not sure if AP might reboot on switch IP change because of loss of poe? And then possible loss of talking to the controller to get info.. Something was not right.
But from an actual network pov - the management IP of the switch and ck has zero to do with anything.