pfSense jumping all over my VLANs

Hi everyone,
I have had my pfSense SG-3100 and UniFi switches for some time, but what I can’t seem to figure out is how to keep my pfSense (10.0.5.1) from jumping to other VLAN segments.
Configuration: pic attached - the 9 VLANs are from the main mvneta1 LAN.


It will usually give itself an IP address and sometimes, like above, it does not.
Placing it on the LAN (UniFi side) only cripples everything else.
[Screenshot: Screen Shot 2020-06-06 at 12.22.31 PM]
Here it just switched to another. When it jumps to the WiFi VLANs, my AP goes crazy and everything starts to give themselves the 169.54… address.

I did go in the WiFi settings and in the Multicast and Broadcast Filtering I added the pfSense MAC Address.

In the WiFi Networks I did also notice: element-3450d127e3aa0072, which I have researched how to disable and remove, but it keeps coming back.
Thanks for the help.

[Screenshot: Screen Shot 2020-06-06 at 12.39.05 PM] showing that it actually gave itself an address in another VLAN.

Also, and I don’t know if it’s related to this or not, but I keep getting pfSense flags: [Screenshot: Screen Shot 2020-06-06 at 12.31.44 PM]

I have gone into the Advanced Firewall & NAT settings and changed the Firewall Maximum States to 300000 like many have suggested, but I still keep getting them.

Last add: Currently pfSense is set up as the DHCP and DNS. Would it be better to set that up from the UniFi side? I have the UniFi Cloud Key Gen2 as my controller, and I actually want to move all my switches from the LAN side to one of the VLANs; I am researching (watching Tom’s vids) how to do that.
I do notice that when pfSense goes down, which it does, and I have to clear some things at boot, I cannot connect to it from my computer and have to console in. Which is not bad, I have an older rPi that sits w/ it.

Keep pfSense as the DHCP & DNS, and if I am understanding your issue, my guess for the “Jumping” is that you do not have the VLANs properly defined in the UniFi switches/AP.

Thanks Tom. Here is what my network looks like. I always wondered if I had to state the LAN there.

What switches do you have?


I’m really wondering if I should have that LAN identified w/ in the Controller.

If the VLAN tags in pfSense match the ones in UniFi and there are no unmanaged switches in between, then I am uncertain as to where the issue is.

Yeah, me too. The LAN does have to be identified w/ in the controller though, right?
I was going to delete it and see what happens :kissing_smiling_eyes:

Think I will move the management controller to a VLAN, and have all those switches/AP on the same VLAN.
Do I make the switch on pfSense first or the controller? Guess I will have to watch some vids to figure it out.

Wondering if the rules are properly set

Your “Block All other DNS” rule in both networks shouldn’t have a destination - but the Source should be “LAN net” or “IOT_FAMILY net”.
Your “!Minus_LAN” rule isn’t effective because right below it are the default allow LAN to any rules. If you want the 4th rule to be effective, you should get rid of the 5th and 6th.

Other than that I don’t see anything wrong with your firewall rules.
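As an added illustration (not code from this thread or from pfSense itself), the rule-ordering point above simulated with pfSense's top-down, first-match evaluation: a pass rule with an inverted (“!”) destination only passes traffic to the non-matching destinations, it never blocks anything, so a broader allow-any rule below it lets the remaining traffic through. The subnets, the contents of a Minus_LAN alias (assumed to hold the other internal networks), the pfSense address on the IOT interface and the rule names are assumptions, and the rule set is modelled on the IOT_FAMILY interface.

```python
import ipaddress

# Constructed networks; only the 10.0.5.x LAN (pfSense at 10.0.5.1) comes from the thread.
LAN_NET = ipaddress.ip_network("10.0.5.0/24")
IOT_NET = ipaddress.ip_network("10.0.20.0/24")                # assumed IOT_FAMILY net
IOT_GW = ipaddress.ip_network("10.0.20.1/32")                 # assumed pfSense address on IOT_FAMILY
MINUS_LAN = [LAN_NET, ipaddress.ip_network("10.0.30.0/24")]  # assumed alias: the other internal nets

def rule(action, name, src=None, dst=None, invert_dst=False, dport=None):
    """One pfSense-style rule; None means 'any'. invert_dst models the '!' (not) on the destination."""
    return dict(action=action, name=name, src=src, dst=dst, invert_dst=invert_dst, dport=dport)

def _in(nets, ip):
    return any(ip in n for n in nets)

def matches(r, src_ip, dst_ip, dport):
    if r["src"] and not _in(r["src"], src_ip):
        return False
    # With invert_dst the rule matches only when the destination is NOT in the alias.
    if r["dst"] and _in(r["dst"], dst_ip) == r["invert_dst"]:
        return False
    if r["dport"] is not None and r["dport"] != dport:
        return False
    return True

def evaluate(rules, src, dst, dport=None):
    """Interface rules are evaluated top-down, first match wins; no match is the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, s, d, dport):
            return r["action"], r["name"]
    return "block", "default deny"

AS_POSTED = [
    rule("pass", "DNS to pfSense", src=[IOT_NET], dst=[IOT_GW], dport=53),
    rule("block", "Block All other DNS", src=[IOT_NET], dport=53),  # source only, no destination
    rule("pass", "!Minus_LAN", src=[IOT_NET], dst=MINUS_LAN, invert_dst=True),
    rule("pass", "default allow IOT_FAMILY to any", src=[IOT_NET]),  # the 'rule 5' that undoes rule 4
]
FIXED = AS_POSTED[:3]  # rules 5 (and 6) removed, as advised above

def iot_reaches_lan(rules):
    """Action taken for an IOT host opening HTTPS to a LAN host."""
    return evaluate(rules, "10.0.20.50", "10.0.5.10", 443)[0]

if __name__ == "__main__":
    for label, rs in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, "IOT -> LAN:", iot_reaches_lan(rs))  # as posted: pass, fixed: block
```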

One thing I want to call out that I don’t think has been addressed by anyone yet - it appears you are concerned that the “client” shown in the UniFi controller for your pfSense sometimes doesn’t show an IP, and/or that the IP changes. Clients in UniFi are tracked by their MAC address, so if the pfSense is using the same MAC on every VLAN (which is normal since they are all on the same parent interface) then UniFi would understandably not be sure which IP to show you in the interface. But that by itself should not be related to the way that switching happens - the APs and switches can handle seeing the same MAC in multiple VLANs, because that is extremely common.

So what happened today: Woke up for work @345 to find out that Xfinity was down and would not be restored until 6:22. Started my work meetings @430 via iPhone LTE. Saw your post and thought, let’s give it a try, what could go wrong.
We finally got internet back around 9ish. However, I can’t get in. I see the WAN address via pfSense, but nothing can get in/out. I then start contacting Xfinity, particularly because the WAN address was very different from what I normally see (no VPN). In my mind, I am thinking about the settings I messed w/, but I really thought it was their end because of that weird-looking WAN. After hours of troubleshooting w/ them w/ a laptop on their router and being able to navigate the web, I figured I’d call it quits w/ them and knew it was an internal issue…
I proceeded to revert what I had done, but still nothing. I even went ahead and rolled back all the changes I had done, via the Configuration Backup Cache settings, nope. Even had a backup config file I saved in Unraid, but it seems I needed something else I did not save.
Well, tore it down and bringing it back up. At least all my settings are still okay on the UniFi side. At least I can now rearrange things like I’ve been wanting to. May tear down UniFi too and start from scratch.