pfSense and Unifi

New to networking. Crash course to get pfSense + Unifi equipment up and running after storm took out old Orbi R5R50 router – vs. getting around to it.

EQUIPMENT
Netgate 6100, pfSense, UniFi = Cloud Key Gen 2, Pro Max 24, U6 access point, U7 access point, 10G Aggregation Switch (not presently worried about Aggregation switch).

ORIGINAL NETWORK PLAN – Just get something working for home office ASAP.

  • LAN (igc0) (2.5Gbps) to Port 17 on Pro Max. No VLANs (except native).
    LAN includes pfSense, Pro Max, Cloud Key (Port 1), Synology (Port 18), PC1 (Port 19), PC2 (Port 20). Static IPs assigned to network equipment and NAS. Everything is working. Port 17 displays as uplink in UniFi controller.

  • DMZ (LAN2) (igc1) (2.5 Gbps) to Port 22 on Pro Max. No VLANs (except native). U6 access point on Port 23 and U7 access point on Port 24 meant to serve DMZ wifi for phones, laptops, and IOT devices.

PROBLEM:

  1. Port 22 not recognized as uplink to DMZ (LAN2) (igc1) on 6100.
  2. U6 and U7 access points assigned LAN (igc0) IP addresses.
  3. UniFi network controller seems to want to deal with VLANs only.

QUESTIONS:

  1. Can you get pfSense/6100 and UniFi to work using multiple interfaces INSTEAD of VLANS? …or…
  2. Are VLANS from pfSense/6100 required to work with UniFi?
  3. Do the VLANS have to be across the same interface from pfSense/6100 (i.e., just igc0)?
  4. Can the VLANS be from multiple interfaces from pfSense/6100? (i.e., vlan 1 from igc0 and vlan 200 from igc1)?
  5. The UniFi Network input for VLANS does not allow for assignment of VLAN 1 (despite older YouTube videos) …is default assumed to be native VLAN 1?

Many thanks.

  1. It’s typically best practice to run VLANs, but that doesn’t mean you couldn’t run multiple ports on different networks. I think it would be more complicated that way personally.
  2. Not sure what you mean by “required to work”. Networking equipment that supports layer 2 supports VLANs. Both pfSense and UniFi switches support layer 2.
  3. When you configure your VLANs you assign the parent interface. Typically this is the LAN physical interface.
  4. Yes, but not in typical network setups. They are all on a single interface, and then you connect your firewall to your switch and configure your switch port to be a trunk port (accept all VLAN tags).
  5. Yes, VLAN 1 is always the native VLAN.

To start, thank you…

  1. Got it, VLANs = best practice = this is what I will do
  2. OBE
  3. Got it.
  4. OBE
  5. Got it. I was thrown off by default UniFi IP (but not in play because of pfSense).

Right now I am using VLAN 1 and VLAN 200 tags.
VLAN 1 = My pfSense, Cloud Key, NAS, and my work PCs
VLAN 200 = Everything else: UniFi Access Points + IOT are in VLAN 200 (DMZ).

VLAN 1 has internet. Can ping within VLAN 1. Can’t ping VLAN 200.
VLAN 200 PC has internet. Can’t ping other VLAN 200 devices. Can’t ping VLAN 1.

Pings being blocked by pfSense firewall. But the firewall rules are default for VLAN 1, and VLAN 200 only has a copy of the default for VLAN 1, set to Interface = DMZ, Source = DMZ subnets, Destination = Any. I removed prior block rules above the any rule to see if they were the problem (and I reset states etc.).

Additionally, Cloud Key can no longer communicate with Access Points in VLAN 200 in UniFi Controller.

Translation = All dorked up.

Would it be better practice to put:
All on interface LAN or igc0 on pfSense/6100
CloudKey and Switch in a VLAN 10
Work PCs and NAS in VLAN 20
and IOT (aka DMZ) in VLAN 30

Tom has a video setting up pfSense with UniFi


This video may help


Cool thank you. I re-watched this one at the same time. Hard to see on phone, but now I have some internet back up I see the 2nd part of the video is exactly what I wanted to do originally.

This… I started independently trying to do. But obviously this presents it correctly and concisely. Fingers crossed, I am still running into a few issues…but won’t reference until I at least try to work thru a few myself…

I figured it out. I think/hope.

My problem was my network design.

I have igc0 (LAN) going to Port 17.
I have igc1 (LAN2) going to Port 22 for my IOT DMZ
I set Port 22 as VLAN 66 in UniFi (not pfSense) per video.

The problem was this:

I had my U6 and U7 in Ports 23 and 24 and both ports were set to VLAN 66 and to block all tagged traffic. I was trying to keep all IOT traffic isolated.

So as soon as I enabled the pfSense firewall rule to prevent LAN2 devices from talking to LAN devices my CloudKey on LAN lost telemetry from the U6 and U7.

Solution:
Ports 23 and 24 for U6 and U7 set to Default (LAN) and Allow All Tagged traffic (or Custom set to VLAN 66). This puts U6 and U7 on LAN to allow comms with CloudKey. As VLAN 66 is passed thru Ports 23 and 24, I assume this will allow me to then create isolated VLAN 66 (LAN2/DMZ) only SSIDs for IOT on the U6 and U7 that can’t talk to LAN devices. My second assumption is that telemetry from the U6 and U7 to the CloudKey will include info on connected devices even though they will be LAN2.
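As an added illustration (not code from this thread, from pfSense or from UniFi) of why the LAN default rule copied onto the DMZ tab earlier in the thread let IoT reach the LAN, and of what the "prevent LAN2 devices from talking to LAN devices" rule in the solution above needs to look like: a small Python model of pfSense's top-down, first-match rule evaluation, run against a weak and a hardened DMZ rule set. The interface name igc1.66, the address ranges and the sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet arrives on
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR) or "any"
    dport: Optional[int] = None  # None = any destination port

def _matches(rule: Rule, iface: str, src: str, dst: str, dport: int) -> bool:
    if rule.iface != iface or ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(rules: list, iface: str, src: str, dst: str, dport: int) -> str:
    """pfSense semantics: top-down, first match wins, no match = implicit block."""
    for rule in rules:
        if _matches(rule, iface, src, dst, dport):
            return rule.action
    return "block"

# Constructed addressing (an assumption, not from the thread): LAN 192.168.1.0/24
# on igc0; IoT/DMZ VLAN 66 is 192.168.66.0/24 on igc1.66, pfSense at 192.168.66.1.
DMZ, DMZ_NET = "igc1.66", "192.168.66.0/24"
# Weak: the LAN default rule copied onto the DMZ tab lets IoT reach every LAN host.
WEAK = [Rule("pass", DMZ, DMZ_NET, "any")]

# Hardened: allow DNS to pfSense before the 192.168.0.0/16 block that would catch
# the gateway, block all private ranges, then pass everything else (internet).
HARDENED = [
    Rule("pass", DMZ, DMZ_NET, "192.168.66.1/32", 53),
    Rule("block", DMZ, DMZ_NET, "10.0.0.0/8"),
    Rule("block", DMZ, DMZ_NET, "172.16.0.0/12"),
    Rule("block", DMZ, DMZ_NET, "192.168.0.0/16"),
    Rule("pass", DMZ, DMZ_NET, "any"),
]

def compare(iface: str, src: str, dst: str, dport: int) -> tuple:
    """Decision under the weak and then the hardened rule set."""
    return evaluate(WEAK, iface, src, dst, dport), evaluate(HARDENED, iface, src, dst, dport)

if __name__ == "__main__":  # constructed flows from an IoT client at 192.168.66.50
    print("IoT -> NAS SMB     ", compare(DMZ, "192.168.66.50", "192.168.1.18", 445))
    print("IoT -> internet    ", compare(DMZ, "192.168.66.50", "203.0.113.10", 443))
    print("IoT -> pfSense DNS ", compare(DMZ, "192.168.66.50", "192.168.66.1", 53))
```

The order matters: a block of 192.168.0.0/16 placed above the DNS exception would also cut IoT clients off from the pfSense resolver on the DMZ gateway address.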