I am totally new to pfSense and was looking for some advice. I have recently received a Netgate XG-7100-1U and am looking to integrate this into my network. Currently I have the following hardware:
- Netgate XG-7100-1U
- Netgear XS708T (10g managed switch)
- Unifi AP AC HD (x2)
- Unifi Cloud Key Gen 2
- Unifi Switch (US-16-150w)
- FreeNAS running on 4U Supermicro chassis
I was going to connect my devices:
Internet -> pfSense -> Netgear XS708t -> Unifi US-16-150w
I am wanting the FreeNAS server along with 3 computers connected to the Netgear (as all have 10g Intel NICs) and the 2 UniFi APs connected to the UniFi US-16-150w switch (as this has PoE). However, I would like the FreeNAS server to be available to wireless clients that will be connected to the UniFi APs (mobile phones/tablets/laptops/Apple TV). I was planning on having pfSense do all the DHCP duties.
Is it ok to daisy chain both switches together or should I place them on separate ports of the pfSense (eth2 & eth3)?
I don’t think I will need VLANs as I want all devices to communicate with each other.
That setup should work fine. Switches can be daisy chained even if they are different brands. If in the future you want to set up VLANs, all those devices support it, but each device (pfSense, Netgear, UniFi) will have to be configured individually to match settings.
Thanks for the reply. If I had separate VLANs, all devices could still communicate with each other? Also, would I connect say the Netgear to eth2 and Ubiquiti to eth3?
With the VLANs, this would have to be set within pfSense and individually on each switch?
Btw, love the YouTube videos. Been subscribed for a while now
Considering you have a pfSense box and managed switches, why would you not use VLANs? VLANs help segregate traffic and heighten the security of your network.
Set up your VLANs in pfSense first. After that, I recommend connecting only the UniFi switch at first and get it set up for VLANs (the networks you set up in UniFi should be VLAN-only and use the same VLAN numbers that you set up in pfSense).
It’s easy to set up firewall rules in pfSense to control traffic flow (such as one-way traffic).
Here is one of Tom’s videos on pfSense, UniFi, and VLANs.
Set the port of the UniFi switch that will connect to the Netgear switch to “All” VLANs. After that, set up the ports on the Netgear switch accordingly (native VLANs for each port and trunk port for the one that connects to the UniFi switch).
For switch ports for your UniFi APs, set those to “All” VLANs as well. VLANs can be set for SSIDs in the UniFi software.
Don’t apply any “guest” policies for wireless networks in UniFi; let the firewall rules in pfSense control those.
Wow! Some fantastic information, I do appreciate the help.
The reason I was against VLANs is due to the fact I have never created them however I have watched the video you linked before so that will give me a good idea how this is done.
Regarding connecting my switches to the pfSense, is it better practice to daisy chain the switches from eth 2 (pfSense -> Netgear -> Ubiquiti) or should I create VLANs on pfSense and connect the Netgear to eth 2 and Ubiquiti to eth3 (individually connected not daisy chained)? If I did the latter, would devices on eth2 VLAN (Netgear) be able to communicate to devices on eth3 VLAN (Ubiquiti)?
If only Ubiquiti produced a 10g RJ-45 switch only with PoE!
You could use the extra ports on the pfSense box that way, but it would be easiest to just use one:
pfSense ==> Netgear switch port in trunk mode
Connect the FreeNAS box and computers to the Netgear switch (in order to make use of 10GbE); use ports that are only assigned to one VLAN. You can connect the Cloud Key to either switch.
Different Netgear switch port in trunk mode ==> UniFi switch port in trunk (“All” VLANs) mode
You can connect your UniFi APs to trunk ports on either switch; it’ll just look “prettier” in the UniFi interface’s topology view if they’re connected to the UniFi switch.
Also concerning VLANs, make sure any IoT devices (such as home automation) reside on a different VLAN. If you need to “talk” to them, you can set up firewall rules to allow that while blocking any communication originating from them.
I also recommend any media devices that require UPnP to be placed on yet another VLAN (don’t use UPnP on your “main” LAN). You can assign UPnP to be active on any VLANs as needed. You can also set it to block all UPnP traffic by default and only allow access to the devices listed in the ACL.
All of our smartphones connect to an SSID that is on a VLAN (with UPnP enabled) assigned to media devices; we can cast content from the phones to our Rokus and Chromecasts. I have a firewall rule that allows them to print to the Dell printer on our “office” network if needed.
For UniFi, I set up a firewall rule for my phone that allows it to connect only to the port required by the UniFi controller (for the UniFi mobile app), which resides on a different VLAN.
Here’s another one that allows the A/V network to use my Pi-hole server for DNS:
And one that allows our smartphones (in the A/V network) to connect to our IP cameras (in the IoT network):
That makes a lot of sense, thanks for the detailed description and pictures
I will have an attempt at this over the weekend and let you know how I get on.
Regarding the UniFi APs, I have to connect them to the Ubiquiti switch as it is PoE. Also, I was planning on connecting the Cloud Key to the Ubiquiti as well.
So connection wise, it will be:
pfSense -> Netgear port “x” in trunk mode -> Netgear port “y” in trunk mode -> Ubiquiti port in trunk mode
I was so focused on VLANs that I forgot about the PoE requirement.
One more on VLANs… make sure you create at least this rule for each one, provided you actually want them to connect to the Internet:
Thank you for the information! It definitely answers a lot of questions I had.
I am thinking of using sfp+ between pfSense and Netgear switch. Are these the correct modules to use?
Ok, so I ended up acquiring a Unifi Switch XG16 and have used this instead of the Netgear.
I have only set up the UniFi AP network and am having a bit of trouble with the UniFi Network page. All devices have been updated; however, when I connect my APs, they are shown as connected but only for a minute or 2, then they appear as “disconnected”.
I can still connect to the wireless network through devices; however, I am guessing there is a firewall rule I have to add that allows the Cloud Key to communicate with the wireless APs to check on their status?
Edit: I have removed the pfSense box and connected my old router to both switches, and the APs are staying connected. I read that port 8080 needs to be opened but am not entirely sure. The Cloud Key is connected to the same switch as the APs.
Are the APs on the same VLAN as the Cloud Key? No firewall rules are necessary if that is the case.
The UniFi APs receive IP addresses from LAN DHCP (with IoT devices using VLAN 50).
I enabled VLAN 50 on the port profiles of the UniFi switch that the APs are connected to and set the UniFi Cloud Key port profile to All.
I set the rules for VLAN 50 as per Jon’s video here (skip to 7.05 for Firewall rules).
I thought setting the port profile to All on the Cloud Key would allow the CK and APs to communicate with each other. The IP addresses are from LAN DHCP for APs, Cloud Key and switches.
Edit: I just re-watched Jon’s video here and I think I may have been doing the port profiles wrong.
From the video, I should be creating the VLAN in pfSense, applying firewall rules, then in the UniFi switch selecting “All” as port profiles for APs & Cloud Key, with the VLAN being managed by the devices (or setting this in Network & Wireless Network). I will try this later tonight and hopefully this works.
Always set switch ports for APs to “All” so they can support all VLANs. You assign VLANs to SSIDs in the UniFi controller.
Now that I have the AP & Cloud Key ports set to All (with VLAN assigned in Network and Wireless Network) everything is working great!
I did try to set a static IP address for both UniFi switches and APs; however, the devices didn’t update. Is there a way in pfSense I can “restart” the DHCP server and reassign the static IPs?
This weekend I will set up some more VLANs on the pfSense for FreeNAS, computers and Raspberry Pis.
Services > DHCP Server > Network-in-Question
Look for this at the upper right:
Thanks! Once I allocated the static IP addresses for the UniFi gear (switches & APs) and then reset the DHCP service, everything is working as it should.
However, I have spent most of the weekend trying to configure my 2 Raspberry Pis to work on their own VLAN with no success. These RPis are running headless on Raspbian with OpenVPN and qBittorrent. I have had no success creating firewall rules to allow internet access, and even internal LAN access only works occasionally (SSH into RPi). I also cannot map these network drives to my primary Windows machine.
I have created VLAN 40, which is strictly for the RPis. I have created a new network in the UniFi software for VLAN 40 and changed the port settings to use VLAN 40 only. The RPis have been allocated a static IP address via pfSense, and all this works well.
The main problem I am having is getting these RPis to connect to the internet (and PIA via OpenVPN) and to my computer located on the LAN network (10.10.10.19).
I am assuming there are some firewall rules I need to add; however, I cannot work this out at all. I did set 2 firewall rules for internet access and LAN access, but these do not work. I also turned on UPnP, hoping to access the logs for this VLAN and see which ports it was trying to use so I could add these in the firewall rules. The main log report was for UDP 1198 (this is for the PIA network via OpenVPN).
If any one has any suggestions that would be great!
I have been at pfSense, the UniFi switches and VLANs for the past week, and everything I have watched on YouTube or read doesn’t seem to work.
I have tried pinging devices on different VLANs with zero success. I’m guessing I am doing something majorly wrong, but I can’t figure it out.
I have set up 3 VLANs within pfSense: 20, 40 & 50. These are:
VLAN 20: 10.10.20.0/24 (Desktop PCs)
VLAN 40: 10.10.40.0/24 (Raspberry Pis)
VLAN 50: 10.10.50.0/24 (IoT)
On the UniFi switches, I have both connected via SFP+ passing all VLAN traffic. My wireless network (IoT, VLAN 50) is working, so I know the VLANs are passing through the UniFi switches correctly.
Is there something else I can try? My pfSense box is the XG-7100 and I have assigned the ix0 interface (10GbE) as the LAN, if that helps. My configuration is:
pfSense -> UniFi 16xg -> 16-150w
The 16XG has 2 ports tagged for VLAN 20 and the 16-150w has 2 ports tagged for VLAN 40.
What I am trying to do is ping from a computer on VLAN 20 on the 16XG switch to VLAN 40 on the 16-150w switch; however, the request times out.
Just wanted to provide an update with all the networking gear…
Everything has been configured and is working. I have blocked all inter-VLAN traffic via firewall rules, fine-tuned ports via firewall rules, and set up PIA via OpenVPN for the RPi VLAN, including a kill switch so that if the PIA connection goes down it does not default to the WAN connection. The FreeNAS server sits on its own VLAN with no internet access; however, it has outgoing rules for DNS connection as well as Gmail server connection.
It took me a while to get to this point, however it was definitely all worth it. Once pfSense is configured, it is a very powerful and advanced firewall. I am more than impressed with both it and the UniFi range of switches/APs.
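The final update above describes the per-VLAN policy (DNS to the firewall, no inter-VLAN traffic, and either no Internet or any Internet after that), and the ordering of those rules is what trips most people up. The following is an added example written for this thread, not anything posted by the participants or part of pfSense itself: a small first-match rule evaluator, with a hypothetical FreeNAS VLAN 30 at 10.10.30.0/24 and the thread’s RPi VLAN 40, that shows why the RFC1918 block must sit above the “allow Internet” rule (port 587 for Gmail submission and the 203.0.113.x Internet addresses are assumptions).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Private ranges that a "block inter-VLAN traffic" rule targets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp" or "udp"
    dst: str              # "any", "rfc1918" or a CIDR
    dport: Optional[int]  # destination port, None = any port
    note: str


def matches(rule: Rule, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    ip = ipaddress.ip_address(dst_ip)
    if rule.dst == "any":
        return True
    if rule.dst == "rfc1918":
        return any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(rule.dst)


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """pfSense interface rules are first-match; no match falls to the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action, rule.note
    return "block", "default deny"


# Hypothetical FreeNAS VLAN 30 (10.10.30.0/24, pfSense at 10.10.30.1): DNS to the firewall
# and outbound mail submission only (port 587 assumed); everything else hits default deny.
FREENAS_RULES = [
    Rule("pass", "udp", "10.10.30.1/32", 53, "DNS to pfSense"),
    Rule("block", "any", "rfc1918", None, "no inter-VLAN traffic"),
    Rule("pass", "tcp", "any", 587, "Gmail SMTP submission"),
]

# RPi VLAN 40 (10.10.40.0/24): DNS to the firewall, block other VLANs, then allow the Internet.
RPI_RULES = [
    Rule("pass", "udp", "10.10.40.1/32", 53, "DNS to pfSense"),
    Rule("block", "any", "rfc1918", None, "no inter-VLAN traffic"),
    Rule("pass", "any", "any", None, "allow Internet"),
]

# Same rules with the block below the allow: the common mistake, and inter-VLAN traffic leaks.
RPI_RULES_MISORDERED = [RPI_RULES[0], RPI_RULES[2], RPI_RULES[1]]
```

Running `evaluate(RPI_RULES_MISORDERED, "tcp", "10.10.10.19", 445)` returns a pass where the correctly ordered set returns a block, which is exactly the symptom the thread warns about.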
I originally told you to use just one NIC for all your VLANs; I got bored one day and set up mine to use all four NICs.
Great post with lots of info. I love to see the progression from the original question back in April to having a solid network thanks to everyone’s help.