pfSense Firewall with Unifi Dream Machine and VLANS

First post here. I am a longtime network application programmer and have managed small, simple physical networks. I currently have a UniFi Dream Machine Pro with 6 APs and a camera plus a whole household of devices. My UDMP is the router of the network. I watched this video https://www.youtube.com/watch?v=Omm2pQUJO0o and decided I should add a pfSense firewall to my network. I am getting stuck getting the pfSense box (Netgate 4200) to be anything other than my internet gateway. My pfSense VLANs do not do anything (UniFi VLANs are fine). My goal is to configure a VLAN in pfSense, plug the port into my UDMP, plug my laptop into another port on the UDMP and get an IP for the VLAN. I just factory reset my Netgate so I could start fresh. Here are my interfaces so far (Figure 1).

I create a VLAN, IoTVLAN, tag 77, parent interface Port 3 (igc1). I add it under interface assignments. LAN Port 2 is 172.16.56.1/24, Port 3 (igc1) is 172.16.36.1/24, and the IoT is 10.77.0.1/16. Port 3 and IoT are both enabled and configured with Static IPv4 (Figure 2):

DHCP Server active on IoT: 10.77.5.100 - 10.77.8.100. Port 3 DHCP is 172.16.36.20 - 172.16.36.200.

Firewall rules set for Port 3 and the IoT VLAN to allow any/all.

When I plug my laptop into Port 3 of the Netgate, I get an IP for the Port 3 network (172.16.36.20) and can get to the internet. All good here. Can't figure out how to test the VLAN directly on the Netgate.

In the UDMP I create a network, matching the VLAN tag 77 (Figure 3).

I connect Port 3 of the Netgate to Port 3 of the UDMP, and designate that UDMP port for the IoT VLAN.

When I plug the laptop into Port 5 on the UDMP I get an IP address for Netgate Port 3 (172.16.36.20), not the VLAN. If I disable DHCP on Port 3 I get nothing.

VLANs in UniFi are in the 4th picture.

I know this is a long post, but I wanted to make sure all the info was out there. I had it looking nice, but LTS would only allow one image; that's why the one big picture.

The original video made it seem like not a big deal but I am beginning to think it is. :frowning:

It's a lot to take in, lol (no offence intended)... But it sounds like VLAN tagging is getting in your way.

On the client you're connecting to test, do you have the NIC configured to use VLAN 77? If the VLAN tag isn't configured, it's just going to connect to whatever the native/untagged VLAN is. From what I read, it sounds like you are trunking VLANs across both the pfSense and UDMP ports.

With the UDMP: when you're connecting to Port 5, is Port 5 configured to VLAN 77 natively? Or are you trunking multiple VLANs through it as well? If the latter, see above.

I just configured my client machine to use VLAN 77 and it got a VLAN 77 IP on the Netgate Port 3. The client is currently using a Port 3 IP and a VLAN 77 IP on the same port.

When I plug the same client into Port 5 of the UDMP I get a Port 3 IP, but the VLAN interface does not get an IP. I was under the impression that in the UDMP, if I set the port to use the network of the VLAN, then VLAN 77 traffic would be native.

I set Ports 3 and 5 on the UDMP to use VLAN 77 as native and block tagged. But the client on UDMP/Port 5 still gets the DHCP IP for the untagged Port 3 on the Netgate:

DHCP gives the client 172.16.36.20.

I believe I figured this one out; at least it works now. My problem was that I set UDMP/Port 3 to use VLAN 77 natively, but the Netgate/Port 3 was sending untagged Port 3 traffic AND tagged VLAN 77 traffic over that port. So I changed my UDMP/Port 3 to use native on the same subnet as the Netgate/Port 3, but include all tagged. Then UDMP/Port 5 can use VLAN 77 natively. That allowed UDMP/Port 5 to receive traffic from the Netgate: untagged traffic stayed on the untagged network, and tagged traffic came in and flowed into UDMP/Port 5 natively as VLAN 77. So any untagged client on that port will receive a VLAN 77 IP.

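The failure in the "VLAN 77 native, block tagged" attempt and the fix in the last post both follow from how a switch port classifies untagged versus 802.1Q-tagged frames. The following is an added example, not code from the thread or from Netgate/Ubiquiti: a small Python model of the two UDMP ports and the pfSense igc1 port, using the subnets, DHCP pools and port numbers quoted above. The internal VLAN id 1 for pfSense's untagged Port 3 network is an assumption (UniFi's "Default" network), and the model ignores MAC learning, DHCP relay and everything beyond a single DISCOVER/OFFER pair.

```python
"""
Added example: 802.1Q native/tagged handling for UDMP Port 3 (uplink to pfSense
igc1) and UDMP Port 5 (laptop). Subnets, pools and port numbers are from the
thread; VLAN id 1 for the untagged pfSense network is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

UNTAGGED_NATIVE_ID = 1  # assumption: switch-internal id for pfSense's untagged Port 3 network


@dataclass
class Frame:
    src: str             # label only
    vlan: Optional[int]  # 802.1Q tag on the wire; None = untagged
    payload: str


@dataclass
class SwitchPort:
    name: str
    native_vlan: int                                # VLAN given to untagged ingress frames
    tagged_vlans: set = field(default_factory=set)  # tags accepted in / emitted out on this port

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN; None means the port drops it."""
        if frame.vlan is None:
            return self.native_vlan  # untagged -> native VLAN
        return frame.vlan if frame.vlan in self.tagged_vlans else None

    def egress(self, vlan: int, payload: str) -> Optional[Frame]:
        """Put a VLAN's frame on the wire: native goes untagged, allowed tags stay tagged."""
        if vlan == self.native_vlan:
            return Frame(self.name, None, payload)
        if vlan in self.tagged_vlans:
            return Frame(self.name, vlan, payload)
        return None  # port does not carry this VLAN


# pfSense igc1 as described: untagged 172.16.36.0/24 plus VLAN 77 (10.77.0.0/16) tagged.
PFSENSE_IGC1 = SwitchPort("pfSense-igc1", native_vlan=UNTAGGED_NATIVE_ID, tagged_vlans={77})
PFSENSE_DHCP = {UNTAGGED_NATIVE_ID: "172.16.36.20", 77: "10.77.5.100"}  # first lease of each pool


def switch(frame: Frame, in_port: SwitchPort, out_port: SwitchPort) -> Optional[Frame]:
    """Forward one frame through the UDMP from in_port to out_port."""
    vlan = in_port.ingress(frame)
    return None if vlan is None else out_port.egress(vlan, frame.payload)


def lease_for_untagged_laptop(udmp_port3: SwitchPort, udmp_port5: SwitchPort) -> Optional[str]:
    """Which pfSense DHCP pool answers a laptop with no VLAN config on UDMP Port 5.

    Request path: laptop -> Port 5 -> Port 3 -> pfSense igc1. The pfSense interface
    that receives the DISCOVER is the one whose DHCP server answers; the OFFER must
    then come back untagged for a plain laptop NIC to see it.
    """
    discover = Frame("laptop", None, "DHCPDISCOVER")
    to_pfsense = switch(discover, udmp_port5, udmp_port3)
    if to_pfsense is None:
        return None
    pf_vlan = PFSENSE_IGC1.ingress(to_pfsense)
    if pf_vlan is None:
        return None
    offer = PFSENSE_IGC1.egress(pf_vlan, "DHCPOFFER " + PFSENSE_DHCP[pf_vlan])
    back = switch(offer, udmp_port3, udmp_port5)
    if back is None or back.vlan is not None:  # laptop NIC ignores tagged frames
        return None
    return PFSENSE_DHCP[pf_vlan]


# "I set Ports 3 and 5 on the UDMP to use VLAN 77 as native and block tagged"
BROKEN_PORT3 = SwitchPort("UDMP-port3", native_vlan=77)
PORT5 = SwitchPort("UDMP-port5", native_vlan=77)

# Fix from the last post: Port 3 native = pfSense's untagged network, VLAN 77 allowed tagged
FIXED_PORT3 = SwitchPort("UDMP-port3", native_vlan=UNTAGGED_NATIVE_ID, tagged_vlans={77})

if __name__ == "__main__":
    print("broken:", lease_for_untagged_laptop(BROKEN_PORT3, PORT5))  # 172.16.36.20
    print("fixed: ", lease_for_untagged_laptop(FIXED_PORT3, PORT5))   # 10.77.5.100
```

In the broken case the laptop's untagged DISCOVER becomes VLAN 77 on Port 5, leaves Port 3 untagged (77 is native there), lands on pfSense's untagged Port 3 network, and the 172.16.36.x server answers; pfSense's tagged VLAN 77 frames are dropped at Port 3 ingress. With the fix the same DISCOVER leaves Port 3 tagged 77, reaches the IoTVLAN interface, and the OFFER returns tagged and is stripped to untagged on Port 5.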