Pfsense and Ubiquiti

I have 4 UAP-AC-PRO to deploy over 10000 square feet. I want to use pfSense to do all routing and firewall rules. I don’t have a USG and plan on doing a mesh network with the APs.

  1. I have already installed the latest pfSense on an HP 5800 with an Intel 4-port network card, and installed pfBlocker.
  2. Apart from the WAN, I’m assigning one port for the office LAN and one for students.
  3. Students can’t get to the office LAN, but the office has access to everything.

Need to lock down the student LAN from gaming, porn, gambling, social apps etc. All of it has to be replicated to the APs. So my network would be: ISP -> pfSense -> unmanaged switch -> APs.

Any guidance would be appreciated

The big problem you are going to run into is you are going to need a managed switch to do this properly. If it were me I would

  1. Create a student VLAN and create VLANs for your other networks as you see fit. You need to have proper logical separation so you can apply the right access to the right people/servers.

  2. Then create a student SSID that is tagged with the VLAN you created in pfSense. I would be careful about putting critical networks on wifi (not best practice).

  3. You will have to have a UniFi controller, so use an old PC or create a virtual machine (I recommend a VM in case you need to add resources later). Minimum specs for that are something like 2 cores and 2 gigs of RAM; that should do fine for what you are doing.

The reason you will need a managed switch is that when you configure multiple SSIDs you will have to set up a trunk port to your APs so you can specify the VLAN tags for the proper SSID.

I totally agree with @xMAXIMUSx that you need a managed switch to manage the VLANs, but in case you can’t get one at the moment, you can connect one UniFi AP physically, create the VLANs from there and have it meshed wirelessly to the other APs via the UniFi Controller.

Please view this tutorial from my mentor @LTS_Tom. It should guide you and may fit what you are trying to achieve in the absence of a managed switch. https://www.youtube.com/watch?v=DL4vMLgBrYI

Got a TP-Link TL-SG1016PE, created a VLAN for students and office on pfSense OPT1 and OPT2. Installed and configured pfBlockerNG-devel and selected the categories I needed blocked. Created the allow all, block DNS, block LAN, and allow DNS to pfSense rules for student and office. With my managed switch and four APs, do I apply these to the four ports the APs will be plugged into, then plug in all other devices, e.g. the network printer? Would pfBlocker suffice, or do other firewall rules need to be set up for the two VLANs?

Sorry I am having trouble following what you are asking. Are you saying you want to block students from the printer?

Not blocking students from printer access; blocking access to sites and apps while in school, as well as access to the office VLAN.

Testing it now, still have access to Netflix, Discord, Skype etc. on the student VLAN. What did I miss?

I have created my VLANs and added them to the UniFi controller, yet I’m not able to get an IP address from either VLAN. The VLANs have been configured on the switch.

Do you have a trunk port set up for the AP, and does the AP have the right VLAN assigned for each SSID?

Did you set up DHCP on the proper interfaces?

Screenshots of your setup would help a lot in troubleshooting.

From my pfSense LAN port -> port 1 on the switch. VLANs configured on ports 2-8. AP plugged into any tagged port.

The diagram above should help with this setup. Also, I haven’t used TP-Link much so this will be fun lol.

The trunk ports for all APs have to be the same. Right now in your screenshots you have EM1 set up as your trunk port, which should be connecting to the switch. Then your switch should have trunk ports going to each AP. Your UniFi controller looks right.

Given that I need to push out VLAN 3 and 50 from the UniFi APs, can both be set on the same port? When I configure the VLAN I lose connectivity to the AP from the controller.

You are using VLAN 1 for office and management, VLAN 3 for students, and VLAN 50 for guests. This means your trunk ports should be configured with VLAN 1 untagged with a PVID of 1, and VLAN 3 and 50 tagged.

If you are losing connectivity between the AP and controller you most likely have a management VLAN mismatch.

Wish I could sit with you to review. All other ports are set with VLAN 1, and ports 2-8 are tagged with VLAN 3 and VLAN 50. So lost as to why.

I think your controller and pfSense are set up properly; I just don’t know how to configure a TP-Link switch with native VLAN 1 and trunk ports. I’ve only done this with Cisco switches.

Lawrence does have a YouTube video with a TP-Link switch and gets it to work, which I followed, but I got lost in the process somehow.


Looking at your photos I would say the switch is configured incorrectly. Do you have your pfSense connected to port 1 on the switch? That is what I think you said, and if you do, it will never work. You need to make sure port 1 on the switch has a PVID of 1 and is untagged set to 1; it MUST also have tagged ports of 3 and 50. Ports on switches can generally only have 1 untagged port, but they can have multiple tagged ports. The multiple tagged ports are what effectively make them a trunk port. The ports going to the APs should also be configured with the same settings. The only time you would want to set a port to be untagged with a PVID of, say, 3 or 50 is if you had a device connected to that port that didn’t understand VLANs and needed to be on a specific VLAN. For example, if you had a wired PC that had to be on the student VLAN (3), then you would set that port to untagged 3 with a PVID of 3.

This is exactly what @sdfungi told you to do earlier. Maybe post some more images of what you have now configured, and let us know exactly what you have connected to which ports.

See above: VLAN setting and PVID setting.

The PVIDs on your ports are wrong. If the untagged VLAN is 1, the PVID should be 1.

Also, if you are going to have SSIDs for all 3 VLANs then the ports need to be configured:

vlan1 untagged
pvid 1
vlan 3 tagged
vlan 50 tagged

Right now you have no overlapping ports for VLAN 3 and 50, which means a single AP could not service both VLANs.
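As an added example (not from this thread or from any of the vendors mentioned), the port-table checks the last two replies perform by eye, written as a small script: it models a TP-Link style VLAN table (per-port tagged/untagged membership plus PVID) and flags a PVID that does not match the port's untagged VLAN, and trunk ports to the APs that do not carry every SSID VLAN tagged. VLAN numbers follow the thread (1 office/management, 3 students, 50 guests); the port numbers and sample table are constructed.

```python
# Added example: checker for the switch port layout discussed above.
# VLAN 1 untagged/PVID 1 and VLAN 3 + 50 tagged on every trunk, as advised.
from dataclasses import dataclass, field

MGMT_VLAN = 1          # untagged on every trunk, PVID 1
SSID_VLANS = {3, 50}   # must be tagged on every port that feeds an AP


@dataclass
class Port:
    number: int
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)


def check_port(port, is_trunk):
    """Return the problems found on one port (empty list means it is fine)."""
    found = []
    if len(port.untagged) > 1:
        found.append(f"port {port.number}: more than one untagged VLAN")
    if port.untagged & port.tagged:
        found.append(f"port {port.number}: a VLAN is both tagged and untagged")
    if port.untagged and port.pvid not in port.untagged:
        found.append(f"port {port.number}: PVID {port.pvid} does not match "
                     f"untagged VLAN {sorted(port.untagged)}")
    if is_trunk:
        if port.untagged != {MGMT_VLAN}:
            found.append(f"port {port.number}: trunk must be untagged {MGMT_VLAN}")
        missing = SSID_VLANS - port.tagged
        if missing:
            found.append(f"port {port.number}: SSID VLANs {sorted(missing)} "
                         "not tagged, an AP here cannot serve them")
    return found


def check_switch(ports, trunk_ports):
    """Check a whole table; trunk_ports = the pfSense uplink plus the AP ports."""
    return [p for port in ports for p in check_port(port, port.number in trunk_ports)]


# Constructed table reproducing the thread's symptoms: port 1 (uplink to
# pfSense) lacks the tagged VLANs, port 2 has the wrong PVID, port 3 is right.
BROKEN = [Port(1, 1, {1}, set()), Port(2, 3, {1}, {3, 50}), Port(3, 1, {1}, {3, 50})]
FIXED = [Port(n, 1, {1}, {3, 50}) for n in (1, 2, 3)]

if __name__ == "__main__":
    print("\n".join(check_switch(BROKEN, {1, 2, 3})) or "no problems")
```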