pfSense/Unifi and VLANs

I use pfSense with a few Ubiquiti switches/APs for a small home network. I divided the network into several VLANs for the usual Servers, IOT, Security Cameras, etc.

My Ubiquiti devices are connected to the LAN interface, and I also derive the several VLANs from this interface.

For the Unifi APs (U6-lite), I set the “Management VLAN” to default, and I have a port profile that passes three VLANs to the AP which then appear as three SSIDs.

I seem to be getting leakage from other VLANs onto the LAN network. I think this because I see Snort alerts on LAN that show source and destination addresses that are not from that LAN. Also, if I run a packet capture on LAN and view it in Wireshark, I see this traffic.

The network is generally working – i.e. I can connect fine, etc…

I have seen some discussion online about Ubiquiti APs needing a bit of special treatment (they like to live on the default network). What am I doing wrong? Is there some peculiarity I’m unaware of? I am pretty familiar with networking back in the days of bridges and routers and thinwire, etc. But, VLANs are newish. In the past, I’ve viewed them as synonymous with “subnet”, but I’m not sure that’s quite true.

Any suggestions?

Marty Wise
Gloucester, Virginia, USA

Have a look at these videos

Basic Setup and Configuring pfsense Firewall Rules For Home - YouTube

How To Setup VLANS With pfsense & UniFI. Also how to build for firewall rules for VLANS in pfsense - YouTube

Make life easy, have the Unifi hardware on the same network as your main network - does not need its own management VLANs. Check 42 mins into this video VLOG Thursday 291:Sponsor Updates, UniFi Updates, Backup Solutions, Errata, and Q&A - YouTube

Excellent points. I got into watching the video a bit and a few minutes later (48:05) a listener suggests having default as your management vlan and tag all the user traffic which is what I was shooting for. But, I buy his initial argument about the links being secure in the unifi design and will happily switch if that would resolve the issue I’m seeing. With security not really an issue, the main advantage of splitting the management systems out is to simplify firewall rules… maybe an issue if you have lots of network devices, but I have 5.
A big part of my question is really am I interpreting the data correctly? i.e. the snort alerts and packet capture data… is data actually leaking as I suspect?
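One check that helps answer the "am I reading the capture right?" question is to separate 802.1Q-tagged frames from untagged ones before deciding anything is leaking. On pfSense, VLAN interfaces are children of the parent (here LAN), and a packet capture or Snort instance bound to the parent interface will see the tagged frames of every VLAN that rides on it; those show up in `tcpdump` output as `vlan N` and are expected, not a sign of leakage. An untagged frame on LAN carrying an address from another VLAN's private range is the case worth investigating. The script below is an added example and not part of this thread; it assumes a LAN subnet of 192.168.1.0/24 and runs over a few constructed lines in the style of `tcpdump -e -n` output.

```python
import ipaddress
import re

# Constructed sample lines in the style of `tcpdump -e -n` output, as shown
# by a pfSense packet capture with link-layer detail enabled. These are made
# up for the example, not taken from the poster's network.
SAMPLE_CAPTURE = """\
12:00:01.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 102: vlan 20, p 0, ethertype IPv4 (0x0800), 192.168.20.50 > 8.8.8.8: ICMP echo request, id 2, seq 1, length 64
12:00:01.000003 aa:bb:cc:dd:ee:ff > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 192.168.30.7 > 192.168.1.1: ICMP echo request, id 3, seq 1, length 64
12:00:01.000004 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 192.168.1.10.51515 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
"""

# Assumed LAN subnet for this example; adjust to the real parent-interface network.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# "src > dst" pair as tcpdump prints it, with an optional trailing port number.
IP_PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?")
# 802.1Q tag marker that tcpdump emits for tagged frames seen on a parent interface.
VLAN_TAG = re.compile(r"\bvlan (\d+)\b")


def classify_line(line, lan=LAN_SUBNET):
    """Classify one capture line.

    Returns:
      "tagged_vlan"      - frame carries an 802.1Q tag; expected on the parent
                           interface when VLANs are children of it
      "untagged_foreign" - untagged frame with a private address outside the
                           LAN subnet; worth investigating as real bleed
      "lan"              - untagged frame involving only LAN or public addresses
      None               - line has no recognisable IP pair
    """
    m = IP_PAIR.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(2))
    if VLAN_TAG.search(line):
        return "tagged_vlan"
    for addr in (src, dst):
        if addr.is_private and addr not in lan:
            return "untagged_foreign"
    return "lan"


def summarize(capture_text, lan=LAN_SUBNET):
    """Count each class and collect the untagged off-subnet lines for review."""
    counts = {"lan": 0, "tagged_vlan": 0, "untagged_foreign": 0}
    suspicious = []
    for line in capture_text.splitlines():
        kind = classify_line(line, lan)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "untagged_foreign":
            suspicious.append(line)
    return {"counts": counts, "suspicious": suspicious}


if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE)
    print(result["counts"])
    for line in result["suspicious"]:
        print("INVESTIGATE:", line)
```

Feed it a text export of the pfSense capture (or `tcpdump -e -n -r file.pcap` output) for the parent interface. If nearly everything off-subnet lands in the `tagged_vlan` bucket, the capture is simply showing the child VLANs passing through their parent, and capturing on the VLAN child interface (or filtering with `not vlan`) will make that clear; only lines in the `untagged_foreign` bucket point at traffic that reached LAN without a tag and deserve a look at switch port profiles and firewall rules.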

Traffic will only go between the vlans if you have incorrectly configured your PFSense rules

Example of one of my network rules

RFC1918 is an alias, containing RFC network IPs

Do not know Snort, so can not answer questions about Snort.