Challenges with vlans between pfsense and Unifi network

I have now seen quite a few different tutorials about setting up Vlans and firewall rules on pfsense, and have tried even more to get it to succeed.
I have the following devices: Netgate 2100, Unifi 8-Ports and 4-port switches, Cloud Key and an AP.

I want the Netgate to be the gateway / router, as I skip my ISP’s router. I have also made this work with a required VLAN (from my ISP) on the WAN port.
I also get the LAN network out on both switches and AP, but I can’t get the part about VLANs to work.
Everything connected to the Unifi networks is just assigned the same IP range as the gateway’s LAN network, even though I have defined the same VLANs in both pfsense and in the Unifi controller

I have tried to follow the instructions in the many different videos, and have the feeling that the Unifi devices are set up correctly, as there are not as many settings as in pfsense, where I suspect the error lies.
Under Interfaces-VLANs I have defined the various desired VLANs and assigned them to ‘mvneta1’ which are the LAN ports. (Although I eventually want each of the 4 LAN ports separated into individual VLANS, I have chosen initially to follow the standard, and let all ports be the same and forward everything).
Each interface is named, enabeled and set to its own sub, just as DHCP servers are set up for each interface.

I have also tried to set up the firewall, but am unsure if it is correct.
Another point I am in doubt about is whether ‘802.1q VLAN mode’ must be enabled - I think I have only seen this in one of Tom’s videos.
Can anyone help me on my way?

Have a look at this video - How To Setup VLANs With pfsense & UniFi 2023 - YouTube

Do you need a management vlan for the unifi hardware - UniFi Management VLAN & Network Security - YouTube

On the switch port connected to pfsense, you have to change the port to the correct vlan / network (not all profile)

Hi Paul
Thank you for your reply.

I have followed those videos and several others.

When I do that for a port dedicated to a specific pc, the Ethernet isn’t even connected.

I also tried to wire a port with an AP (all profile here) and created a wireless network with a vlan defined both on the gateway and switch. Here I can find the SSID, both connection is either not established or it is established with the same sub network as the gateway, not the network I defined as an interface on the gateway.

Should the LAN(all) and the WAN also be defined with a vlan of both gateway and switch?

Or do you think it is my firewall that is setup incorrectly?

Make sure to assign the VLAN to the correct parent interface. The parent interface refers to the physical interface that will transfer the VLAN tagged traffic. Historically the best practice was to leave the parent interface unassigned due to undefined, unpredictable or inconsistent behavior by some hardware, depending on the manufacturer. There was a chance that tagged traffic could be stripped of its tags and end up allocated to the parent interface introducing a security risk. On the Unifi Switch set the up link Port Profile to All. Make sure to setup you VLANS on the Unifi controller under setting>networks.
image

Yes!! I got it working. I realised that ‘802.1q VLAN mode’ should not be enabled…

Now I just have to get my head around the firewall rules.
Thank you for all your anwers :+1:

I have a netgate 2100 and a unifi switch with ap set up with vlans. IP ranges are correctly assigned to the respective network devices, and I have firewall rules set vlan 10 to be blocked from accessing the other networks, but still have access to the internet.
So far so good…
However, even though I have vlan 30 set up for full access,(see rule for Admin/vlan30 above) I cannot ping my PC on vlan 10 from my PC on vlan 30.
What am I doing wrong?

Does your PC’s firewall allow ICMP inbound?

Only if is a default setting.
I have only activated the Windows 11 firewall, and done no manual configurations, as this topic is new to me.
Could you tell me how to check if it is set up to allow ICMP?

You need to skim through the pfSense handbook pfSense Documentation | pfSense Documentation

In your rules inspect the protocol field icmp

Stock windows does not allow ICMP.

  1. Search for Windows Firewall, and click to open it.

  2. Click Advanced Settings on the left.

  3. From the left pane of the resulting window, click Inbound Rules.

  4. In the right pane, find the rules titled File and Printer Sharing (Echo Request - ICMPv4-In).

  5. Right-click each rule and choose Enable Rule.