Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VLAN Tagging. getting the hang of it with ubiquiti unifi's (SHOULD BE EASY)

    Routing and Multi WAN
    4
    7
    14.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      elementalwindx
      last edited by

      Hey guys. I have multiple Cisco SG300 switches setup on this network and we just got a few unifi wireless access points. They will have two wireless ssid's coming off them. A guest one, and a corporate one. The guest one has the ability to use vlans.

      I've told the ap's to use vlan 6, and I've assigned under port to vlan in the cisco interfaces for those ports of the AP's to be untagged on vlan 6 of course with the PVID of vlan 6 as a trunking port.

      On the router which is pfsense I've created a vlan and tied it to the LAN interface with vlan6. That port on the cisco is a trunked and tagged vlan 6 port.

      I've of course created a static ip, and turned on DHCP for that vlan in pfsense.

      I cannot seem to get this setup to work for the guests.

      Any idea what I am doing wrong?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • A
        abeauchamp
        last edited by

        I believe you will need to set the port that the Unifi connects to on the Cisco SG300 as tagged for VLAN 6, but untagged for the VLAN that you are managing the AP under.

        For example in one of the environments I manage with Unifi APs they have 3 VLANs relating to the wireless, VLAN 110 (corporate), VLAN 120 (guest wireless), and VLAN 200 (MGMT). On the Unifi the 2 wireless networks are set to VLAN 110 and VLAN 120 respectively, and the Unifi AP has a static ip address assigned to it in VLAN 200 (10.10.200.15).

        Now on the switch port that the Unifi is plugged into, VLAN 110 and VLAN 120 are tagged, and VLAN 200 is untagged.  The trunk port from the switch to the pfSense box would then have VLAN 110, VLAN 120, and VLAN 200, set to tagged.  On the pfSense config, the interface that the switch trunk is plugged into would then have 3 subinterfaces that are tagged 110, 120, and 200 respectively.

        This guide should be helpful explaining what you need to do.  http://wiki.ubnt.com/UniFi_and_switch_VLAN_configuration

        Let me know if you run into anything and I can try to assist you.

        1 Reply Last reply Reply Quote 0
        • R
          richharmer
          last edited by

          This is the exact problem I'm having right now.  There was no solution, so I'm posting in hopes that someone has found the key.

          Basically, I have 9 Ubuiqiti AP Pros and they work great.  I have multiple SSIDs on them and two of them have VLANs setup in 'advanced'.  I have one 52 port SG300-52MP POE switch in Layer 3 mode, The ports that the AP Pros are in are in VLAN groups supporting IDs 1, 100 (tagged), 200 (tagged).  The Pfsense is doing DHCP for everything and it is on a port that supports 1, 100 and 200.  I even went as far to connect two additional ethernet lines into the PFsense Opt1 and Op2 ports for tagged traffic even though I could go virtual all on one ethernet interface.  Currently the firewall is setup to allow anything from the subnet to anywhere.. I'll lock it down once it is working properly and DHCP scopes are setup for these VLANs.

          The SSID for the two tagged/vlaned traffic is showing up, I am able to connect.  If I set a password, it accepts that, and then I can't get an IP

          Help?

          1 Reply Last reply Reply Quote 0
          • R
            richharmer
            last edited by

            I thought I might add some pictures to this..

            PfSense setup:


            Unifi setup:

            1 Reply Last reply Reply Quote 0
            • H
              heper
              last edited by

              you've created the vlan100 in pfsense, but forgot to actually assign a vlan_interface (interfaces–>assign / click dropdown of 'guestwireless')

              1 Reply Last reply Reply Quote 0
              • R
                richharmer
                last edited by

                Thank you for your reply! Hopefully it is the last roadblock.

                Rich

                1 Reply Last reply Reply Quote 0
                • R
                  richharmer
                  last edited by

                  I wanted to end this with the solution(s) to my problems.

                  As said in this string, I didn't have the right interface assignment done.  But it should have worked after that… but it didn't.
                  I screwed around with possible settings on the SG300 because I don't know the network world as well as others, but it turns out, that wasn't the issue.
                  I had one firewall mistake.  I needed "ALL" instead of just TCP.
                  Eventually I manually assigned an IP on the GuestWireless SSID and it was able to talk to the internet, but I still couldn't get an IP.
                  I used the Capture network traffic on the PFsense to verify the DHCP request was going through, but no answer was coming back.
                  I rebuilt everything including the vlan and interfaces, but that wasn't the issue.
                  It turns out that I had to hit STOP on DHCP and then Start on DHCP and everything started working.

                  The moral of the story (I think) is if you mess with interfaces, you need to stop and start DHCP service.

                  Rich

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post