PfSense + CloudKey Gen2 + USW Pro Max 48 PoE + U7 Pro & VLANs - A little Help

Hello everyone,

I’m new to Ubiquiti and decided to give it a try.

I already have a pfSense setup with rules in place, but no VLANs. Since I’m upgrading to a better switch, I figured this would be a good time to implement them.

Current setup:

  • WAN from ISP router → pfSense

  • pfSense LAN: 192.168.88.254/24 (no VLANs)

What I want to implement:

  • Two VLANs:

      • VLAN 40 → Guests

      • VLAN 50 → IoT / Management

  • pfSense connected to switch on Port 1

  • Cloud Key on Port 2

  • APs on Ports 40–48

  • Two SSIDs: internal + guest

I have this working at a basic level, but I want to refine it—especially VLAN 50.

My goal is for the switch, Cloud Key, APs, and future devices like CCTV to all reside in VLAN 50.

However, when I set the switch’s native VLAN to 50, all other devices on the network lose access to the switch UI.

How can I set this up?

Leave VLAN 1 just for the APs, Switch, CloudKey and PfSense on 192.168.88.0 and then create a new VLAN called “Internal” or something like that and assign all the other ports (Port 3 - 40) to said VLAN? AKA use VLAN 1 as the MGMT VLAN of sorts?

Yes, that is the easier way to do things for your setup. The control plane on UniFi that allows the Cloud Key to talk to the APs and switches is encrypted and can live on VLAN 1, but you don’t necessarily want all the things you do internally on VLAN 1, so move your systems to their own VLAN. Make sure you have the rules in pfSense that will allow your systems to traverse those VLANs.

Yes, the “rules” in pfSense are defined “correctly” I think - “Guest” just has access to the internet, blocked from LAN, etc etc etc

So what you are saying - just to “close it” - use “LAN” (VLAN1) as MGMT and create VLAN 10 and call it “LAN” or “Core” or something right?

Yes, that is the easier way to do things. Keep UniFi switches on VLAN 1, but keep clients OFF of it.
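To check that the rule sets behave the way the thread describes (management gear on VLAN 1, clients on their own VLAN, guests with internet only and no path to the LAN or the switch UI), here is a small first-match evaluator modelled on pfSense semantics. This is an added example, not the poster's or pfSense's own code; only 192.168.88.0/24 comes from the thread, and the VLAN 10/40/50 subnets, the .254 gateway convention and the IoT rule set are assumptions.

```python
import ipaddress

# Constructed model of the pfSense rule sets discussed above. VLAN 1 (MGMT)
# holds pfSense, the switch, Cloud Key and APs; VLAN 10 (LAN) holds clients;
# VLAN 40 is guests; VLAN 50 is IoT/CCTV. Only 192.168.88.0/24 is from the
# thread; the other subnets and the .254 gateway convention are assumptions.
NETS = {
    "MGMT": ipaddress.ip_network("192.168.88.0/24"),   # VLAN 1
    "LAN": ipaddress.ip_network("192.168.10.0/24"),    # VLAN 10 (assumed)
    "GUEST": ipaddress.ip_network("192.168.40.0/24"),  # VLAN 40 (assumed)
    "IOT": ipaddress.ip_network("192.168.50.0/24"),    # VLAN 50 (assumed)
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-interface rules, first match wins, implicit deny at the end (pfSense
# semantics). "gateway" = the pfSense address on the ingress VLAN (DHCP/DNS),
# "rfc1918" = all private space, "any" = everything, else a NETS key.
RULES = {
    "MGMT": [("pass", "any")],
    "LAN": [("pass", "any")],              # clients may traverse VLANs
    "GUEST": [("pass", "gateway"), ("block", "rfc1918"), ("pass", "any")],
    "IOT": [("pass", "gateway"), ("block", "rfc1918"), ("pass", "any")],
}


def ingress_of(src):
    """Return the interface name whose subnet contains src, or None."""
    return next((n for n, net in NETS.items() if src in net), None)


def matches(dst, spec, iface):
    """Does destination dst match the rule's destination spec on iface?"""
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(dst in net for net in RFC1918)
    if spec == "gateway":
        return dst == NETS[iface].network_address + 254
    return dst in NETS[spec]


def evaluate(src_ip, dst_ip):
    """Decide 'pass' or 'block' for a flow entering pfSense from src_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = ingress_of(src)
    if iface is None:
        return "block"  # no interface owns this source: default deny
    for action, spec in RULES[iface]:
        if matches(dst, spec, iface):
            return action
    return "block"  # pfSense implicit default deny
```

Running `evaluate("192.168.40.10", "192.168.88.254")` shows the guest VLAN cannot reach pfSense or the switch UI on VLAN 1, while a LAN client at 192.168.10.5 still can.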


Thanks! It does make sense! Have a good one Tom!

This video is from a few years back but it still holds true