Clients don't receive the correct VLAN IP address with UniFi & pfSense setup

I have searched for info about this and while there is a lot to find, I have yet to come up with a solution that describes my setup. (pfSense → SG300 → UniFi UCK-G2)
The problem is that before I had my UniFi Wi-Fi equipment, I was using a Cisco WLC2504 wireless LAN controller with two 2802 access points (also Cisco) and had set up 4 Wi-Fi networks, each with its own VLAN associated with it.
This worked great, and each Wi-Fi client that connected got the appropriate IP address that had been assigned to the VLAN interface.

Now I have removed the WLC2504 and the two Cisco access points and replaced them (almost one-to-one) with a UniFi CloudKey Gen2 Plus in a rackmount kit and two UniFi U6 access points.
The CloudKey gets an IP address in the Management VLAN range, which I think it should.
Both U6 access points are also getting a physical IP address in the same management VLAN IP range.

In the UCK-G2, I have re-created the 4 VLAN virtual networks with the associated VLAN IDs assigned to each virtual network.
After this, I created 4 Wi-Fi SSIDs, each with its own virtual network associated to it.

When I connect to whichever Wi-Fi SSID, I always receive an IP address in the first VLAN IP range, like 10.10.40.xx (where the number “40” stands for the VLAN identifier).
I never get an IP address from the other VLANs although I think I have set them up correctly.

Below you’ll find a picture of the setup I currently have.

Do you get the correct vlan assignments on your switch when you test it? If you do then it sounds like the config error is in your AP.

I think I have the correct VLAN assignment in my switch. And it has worked before with the Cisco wireless LAN controller and access points. However, I’m having trouble getting it to work with my UniFi access points.

Below is an overview of the VLAN setup of the switch.
(There are some other VLANs but those are working just fine)

SG300-10PP#show vlan

Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

Vlan       Name           Tagged Ports      UnTagged Ports      Created by    
---- ----------------- ------------------ ------------------ ---------------- 
 1           1                                gi6,Po1-8             V         
 10         DMZ            gi6,Po1-2                                S         
 20     Management         gi6,Po1-2            gi1-5               S         
 30       Servers          gi6,Po1-2                                S         
 40      WiFi Home      gi1-3,gi6,Po1-2                             S         
 42      WiFi IoT       gi1-3,gi6,Po1-2                             S         
 44     WiFi Guests     gi1-3,gi6,Po1-2                             S         
 46     WiFi Games      gi1-3,gi6,Po1-2                             S         
 50      VPN Users         gi6,Po1-2                                S         
 90   Virtual Servers      gi6,Po1-2                                S         

UniFi changed how they did VLANs recently, you might want to look this up and then inspect your config again. Though it sounds like the trunk port isn’t passing all the VLANs to the AP.

The only VLAN config change I’m aware of is how they do switch ports, and OP isn’t using a UniFi switch.

@Stef-r please share the pages where you defined the network and the SSID in UniFi, for one of them such as 42. Your switch config looks fine.

Thanks so far for all the help, I really appreciate this!
Below are the screenshots from my CloudKey setup (network & Wi-Fi).

As you can see, I have all my Wi-Fi networks in the 10.10.40.xx network, divided into four /26 networks.
But I don’t think this would be any different than using four /24 networks.

SG300-10PP#show running-config 

config-file-header
SG300-10PP
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode router 

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20,30,40,42,44,46,50,90
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp relay address 10.10.20.1
ip dhcp relay address 10.10.30.1
ip dhcp relay address 10.10.40.1
ip dhcp relay address 10.10.40.65
ip dhcp relay address 10.10.40.129
ip dhcp relay address 10.10.40.193
ip dhcp relay address 10.10.90.1
ip dhcp relay address 10.10.100.1
ip dhcp relay enable
ip dhcp information option
bonjour interface range vlan 1
hostname SG300-10PP
username stefan password encrypted 2e8b782741518a1c5e29430ee6eabb38d99c3616 privilege 15
ip ssh server
snmp-server location ""
snmp-server contact 
ip http timeout-policy 1800
clock timezone " " 2
clock source browser
!
interface vlan 10
 name DMZ
 ip dhcp relay enable
!
interface vlan 20
 name Management
 ip address 10.10.20.4 255.255.255.192
 ip dhcp relay enable
!
interface vlan 30
 name Servers
 ip dhcp relay enable
!
interface vlan 40
 name "VLAN40"
 ip dhcp relay enable
!
interface vlan 42
 name "VLAN42"
 ip dhcp relay enable
!
interface vlan 44
 name "VLAN44"
 ip dhcp relay enable
!
interface vlan 46
 name "VLAN46"
 ip dhcp relay enable
!
interface vlan 50
 name "VPN Users"
!
interface vlan 90
 name "Virtual Servers"
 ip dhcp relay enable
!
interface gigabitethernet1
 description UCK-G2-PLUS
 ip dhcp snooping trust
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
 power inline priority critical
!
interface gigabitethernet2
 description AP-U6-#1
 ip dhcp snooping trust
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
 power inline priority critical
!
interface gigabitethernet3
 description AP-U6-#2
 ip dhcp snooping trust
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
 power inline priority critical
!
interface gigabitethernet4
 switchport trunk native vlan 20
!
interface gigabitethernet5
 switchport trunk native vlan 20
!
interface gigabitethernet6
 description "TrunkLink to Woonkamer"
 switchport trunk allowed vlan add 10,20,30,40,42,44,46,50,90
!
interface gigabitethernet7
 description "TrunkLink SG300-28PP"
 channel-group 2 mode on
!
interface gigabitethernet8
 description "TrunkLink SG300-28PP"
 channel-group 2 mode on
!
interface gigabitethernet9
 description "TrunkLink pfSense"
 channel-group 1 mode on
!
interface gigabitethernet10
 description "TrunkLink pfSense"
 channel-group 1 mode on
!
interface Port-channel1
 description "TrunkLink pfSense"
 ip dhcp snooping trust
 switchport trunk allowed vlan add 10,20,30,40,42,44,46,50,90
!
interface Port-channel2
 description "TrunkLink SG300-28PP"
 switchport trunk allowed vlan add 10,20,30,40,42,44,46,50,90
!
exit
banner login ^C
SG300-10PP 10-Port Gigabit PoE+ Managed Switch
^C
ip dhcp snooping
ip dhcp snooping information option allowed-untrusted
SG300-10PP#exit


Hold on - here’s your problem on the switch config - why are you using DHCP relay if the switch is not a L3 router (it doesn’t have IP addresses within the VLANs like 40-46). Only the device acting as the default gateway for the VLAN should be doing DHCP relay (technically this isn’t a requirement, but otherwise there’s no way for the source subnet in the relayed request to be filled in)

Ok, my SG300 is in Layer3 mode and the IP addresses are assigned by the pfSense firewall.
I thought this was the ‘correct’ setup to do.

So if I’m correct, I should assign IP addresses to the VLANs just like I did to the switch itself? (SG300 has a static IP address of 10.10.20.4)

So what I should do next is assign an IP address to each VLAN interface, something like:
VLAN 40 - Static - 10.10.40.2 - 255.255.255.192
VLAN 42 - Static - 10.10.40.66 - 255.255.255.192
etc…
etc…

Does PFSense have VLAN entries with IP addresses for these VLANs - for example, does it have 10.10.40.1?

What reason do you have to do Layer3 on the switch? If the answer is better performance between VLANs, then why do you have VLANs at all? (Or why not merge the specific VLANs that need high performance to each other?)

If you set the switch up as the gateway (router) for those VLANs, then for inter-VLAN security you are limited to only what the switch ACLs allow, and those are typically processing individual packets, not sessions. You should have a very good reason before doing L3 on a switch, and limit it to just the VLANs that need the high performance between them.

Personally I would remove the dhcp relay config from the switch and mostly use it for L2 only - you can leave it in L3 mode.

Yes, the pfSense firewall also acts as DHCP server and has an IP address assigned for each VLAN.
I initially configured the SG300 as Layer 3 because I’ve read that the old Cisco WLC2504 wireless LAN controller needed to be connected to an L3 switch.

So basically, just to keep it simple, I want my setup to be so that the pfSense acts as the firewall and DHCP server. Based on the firewall rules in the pfSense box, I want to allow or deny traffic between VLANs.

To be honest, I don’t think the L3 functionality is necessary anymore.
So from that perspective, would the best way be to just reconfigure the SG300 switch as an L2 switch?
And then only configure the corresponding VLANs in the switch, together with their VLAN IP addresses and subnets?

Convert the switch to L2 and program in the VLANs. Everything to do with the IPs is done in pfSense. Once the switch is in L2 mode it will only support one IP address anyway.

OK, so today I took the time to convert the switch back to Layer 2.

  1. I have shut down the UniFi devices
  2. Cleared the DHCP leases in the pfSense firewall
  3. Performed a factory reset on the SG300 and left it in L2 mode.
  4. Configured all VLANs in the switch and assigned the corresponding ports to them:
    * Configured ports 9-10 as a LAG port. (same for pfSense)
    * Ports 1-3 have VLAN 20 as “untagged” and VLANs 40, 42, 44 and 46 as “tagged”
But when I connect to the different Wi-Fi networks, I still only get IP addresses assigned from the VLAN 40 network.

Still confused as to where the problem might be: in the pfSense device (Netgate SG6100), the switch (SG300-10PP PoE+, which is now configured as an L2 switch) or my UniFi setup (CloudKey G2 Plus with two U6 access points).

Below is the new config of the Cisco switch:

SG300-10PP#show running-config 

config-file-header
SG300-10PP
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode switch 

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20,30,40,42,44,46,50,90
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname SG300-10PP
username stefan password encrypted 2e8b782741518a1c5e29430ee6eabb38d99c3616 privilege 15
ip ssh server
snmp-server location ""
snmp-server contact 
!
interface vlan 10
 name DMZ
!
interface vlan 20
 name Management
!
interface vlan 30
 name Servers
!
interface vlan 40
 name vlan40
!
interface vlan 42
 name vlan42
!
interface vlan 44
 name vlan44
!
interface vlan 46
 name vlan46
!
interface vlan 50
 name "VPN Users"
!
interface vlan 90
 name "Virtual Servers"
!
interface gigabitethernet1
 description UCK-G2-PLUS
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
!
interface gigabitethernet2
 description AP-U6-#1
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
!
interface gigabitethernet3
 description AP-U6-#2
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
!
interface gigabitethernet6
 switchport trunk allowed vlan add 10,20,30,40,42,44,46,50,90
!
interface gigabitethernet7
 channel-group 2 mode on
!
interface gigabitethernet8
 channel-group 2 mode on
!
interface gigabitethernet9
 channel-group 1 mode on
!
interface gigabitethernet10
 channel-group 1 mode on
!
interface Port-channel1
 description "TrunkLink pfSense"
 switchport trunk allowed vlan add 10,20,30,40,42,44,46,50,90
!
interface Port-channel2
 description "TrunkLink Cisco"
 switchport trunk allowed vlan add 10,20,30,40,42,44,46,50,90
!
exit
banner login ^C
SG300-10PP 10-Port Gigabit PoE+ Managed Switch
^C
SG300-10PP#exit


While you have devices connected to the (42,44,46) SSIDs, do “show mac address vlan 40” and repeat for the other VLANs. Compare where the client MACs show up with what you expect from the Unifi client list.

Edit: duh! You need “switchport mode trunk” on all the ports with trunk configs - 1-3, 6, and the port-channel (you don’t need to do VLAN config on 9-10, they inherit the config from the port-channel).
Edit2: I’m sorry I missed this in your prior (L3) config as well.
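The two findings raised in this thread (DHCP relay enabled on VLAN interfaces that have no IP address, and ports carrying `switchport trunk ... vlan` lines without a `switchport mode trunk` line) are both things you can check mechanically before touching the switch. The Python below is an added example written for this page, not code from the thread or from any Cisco or UniFi tool: it parses a `show running-config` dump into per-interface blocks and reports both conditions. The sample config is constructed for the example, abridged from the L2 config posted above with one hypothetical port (`gigabitethernet4`) added that does have the mode line, so the linter shows both a finding and a clean port. One caveat the thread itself does not resolve: on some switches, possibly including the Sx300 series, trunk is the default port mode and is not printed in the running-config, so treat the first finding as a prompt to confirm the operational mode on the switch (for example with `show interfaces switchport`) rather than as proof that the port is not trunking.

```python
"""Lint a Cisco Sx300-style 'show running-config' dump for two problems:
trunk VLAN lists on ports without 'switchport mode trunk', and DHCP relay
enabled on VLAN interfaces that carry no IP address (so the relay has no
address of its own to place in the relayed request)."""
import re

# Constructed sample: abridged from the L2 config posted in the thread, plus a
# hypothetical port gigabitethernet4 that includes the 'switchport mode trunk'
# line so the linter has a clean case to compare against.
SAMPLE_CONFIG = """\
set system mode switch
!
interface vlan 20
 name Management
!
interface vlan 40
 name vlan40
 ip dhcp relay enable
!
interface gigabitethernet1
 description UCK-G2-PLUS
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
!
interface gigabitethernet4
 description hypothetical-fixed-port
 switchport mode trunk
 switchport trunk allowed vlan add 40,42,44,46
 switchport trunk native vlan 20
!
interface gigabitethernet9
 channel-group 1 mode on
!
interface Port-channel1
 description "TrunkLink pfSense"
 switchport trunk allowed vlan add 10,20,30,40,42,44,46,50,90
!
"""

TRUNK_VLAN_RE = re.compile(r"^switchport trunk (allowed|native) vlan\b")


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [indented config lines]} in file order.

    An 'interface X' line opens a block; indented lines belong to it; a '!'
    or any other unindented line closes it."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def find_trunk_without_mode(interfaces: dict[str, list[str]]) -> list[str]:
    """Ports with trunk VLAN config but no explicit 'switchport mode trunk'.

    On platforms where trunk is the default mode this is only a hint; confirm
    the operational mode on the switch before changing anything."""
    bad = []
    for name, lines in interfaces.items():
        has_trunk_cfg = any(TRUNK_VLAN_RE.match(ln) for ln in lines)
        if has_trunk_cfg and "switchport mode trunk" not in lines:
            bad.append(name)
    return bad


def find_relay_without_ip(interfaces: dict[str, list[str]]) -> list[str]:
    """VLAN interfaces with DHCP relay enabled but no 'ip address' line."""
    bad = []
    for name, lines in interfaces.items():
        if not name.lower().startswith("vlan"):
            continue
        relay = "ip dhcp relay enable" in lines
        has_ip = any(ln.startswith("ip address ") for ln in lines)
        if relay and not has_ip:
            bad.append(name)
    return bad


def lint(config: str) -> dict[str, list[str]]:
    """Run both checks and return the offending interface names per check."""
    interfaces = parse_interfaces(config)
    return {
        "trunk_without_mode": find_trunk_without_mode(interfaces),
        "relay_without_ip": find_relay_without_ip(interfaces),
    }


if __name__ == "__main__":
    for check, names in lint(SAMPLE_CONFIG).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Run it against a saved copy of your own `show running-config` output by reading the file into `lint()` instead of `SAMPLE_CONFIG`. The VLAN-interface check only matters in router mode; in switch mode the SVIs cannot carry addresses or relay config anyway, which is why the L2 config posted above no longer has those lines.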

Well, the strangest thing just happened…
I was so sure I had set up everything correctly but still it didn’t work.
So I decided to reboot everything: my firewall, Cisco switch and UniFi devices.
And guess what? After a reboot everything just worked!

If I connect to my wireless networks, I receive an IP address from the corresponding networks, as expected.
So I don’t know where something got stuck, but after several reboots everything just keeps working properly. (It wasn’t because of an unsaved configuration in the Cisco switch, because I saved every config before rebooting the devices)