pfSense/Unifi Network Setup with 2 unswitched uplinks

Netgate 8200
- WAN: DHCP
- LAN: xxx.xxx.83.0/24
  - FW rules: Allow IPv4 * FROM LAN Subnets to Any
- LAN2: 84.0/24
  - FW rules: Allow IPv4 * FROM LAN2 Subnets to Any

Unifi Pro Max 16 PoE (local controller, 9.0.108)
- Network
  - Default (1)
  - Main (84)
- Ports
  - 13: LAN Uplink (showing ^ icon; Default + Allow All [trunked?])
  - 14: LAN2 Uplink (NOT showing ^ icon; Main + Block All)

TrueNAS Core 13.3
- Repurposed desktop computer
  - Onboard 1Gb NIC
    - Static: xxx.xxx.83.20
    - Port 3 (Default + Allow All)
  - Aftermarket Intel x550-DA2 NIC
    - Static: xxxx.xxx.84.20
    - Port 17 SFP+ (Main + Block All)

From watching LTS videos …

  1. There is no reason to use VLANs on the LAN interface since I have four 2.5Gb unswitched NICs on my Netgate. Therefore, no VLANs created on the pfSense side; just both LAN and LAN2 active with DHCP servers.

  2. Switch port 14 is intended to be an uplink port, BUT it appears to be acting as a downlink port and showing a MAC address of the Netgate LAN2 interface.

  3. To NOT route storage, TrueNAS is intended to be on the Main network (84, LAN2 interface) with all other clients (computers, printers, phones, etc.).
     - SMB share access DOES work

  4. Default network (83, LAN interface) intended only for TrueNAS GUI access and network gear (Unifi switch + 2 APs)

Problem (No problem??): Why doesn’t Unifi show Port 14 as an Uplink port and show the MAC of the pfSense?

Do I have the switch port trunked/not trunked correctly?

Much obliged for any insights into my setup, or whether others have a better idea for such a setup.


I think this is not a problem. In some versions of the controller the uplink and topology map were shown incorrectly to me. It may be that the controller only allows for 1 uplink per switch device. I have a router-on-a-stick setup, so there is just 1 connection from the router to the Unifi switch and there it shows the uplink icon. There is no problem as long as devices in VLAN 84 (Main) can route effectively to the internet, even though the uplink icon is missing.

Do you mean port 14 (VLAN 84 native, no VLAN on netgate port LAN2)? Then, yes, this looks OK.

If you mean port 13 (VLAN 1 native, allow all tagged, no VLAN on netgate port LAN): LAN will use VLAN 1 on the switch. Since you have not defined VLAN 84 for LAN, you cannot access that VLAN on netgate port LAN. So the “Allow all tagged” on port 13 is useless, possibly even dangerous, as the netgate COULD access VLAN 84 on port LAN if someone defines that VLAN for port LAN on the netgate.

I have not understood why you have configured LAN and LAN2 the same way on pfSense and then NOT configured port 13 the same way as port 14.

If I understand you correctly you want to have no VLANs on the netgate ports configured, so all traffic there is native / untagged. So you would do the same on ports 13 and 14:

netgate LAN ---- port 13: native = VLAN 1 native, tagged = block all
netgate LAN2 ---- port 14: native = VLAN 84 native, tagged = block all

In general you would just configure the ports on both ends of a CAT cable to have the same VLAN for native/untagged traffic and the same set of VLANs for tagged traffic.

Yes. I meant Port 14.

Thanks for looking at it for me.

I have added more response, something about port 13 you seem to have misunderstood and configured incorrectly (but it still works that way).

The problem I point out means that VLAN hopping is possible for the netgate port LAN. This is always possible if you allow more tagged VLANs on a switch port than are actually needed by the connected device.
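The rule from the two replies above (both ends of a cable agree on native and tagged VLANs, and the switch port allows no tagged VLANs the device does not need) as a small audit script. This is an added example, not from the thread or from either vendor; the `Link` fields, the `SWITCH_VLANS` set and the `"Allow All"`/`"Block All"` strings are my own modelling of the UniFi port-profile settings quoted in the post.

```python
from dataclasses import dataclass

# Constructed from the thread: VLANs defined on the UniFi switch (Default = 1, Main = 84).
SWITCH_VLANS = {1, 84}

@dataclass(frozen=True)
class Link:
    """One cable: a pfSense interface on one end, a UniFi switch port on the other."""
    name: str
    dev_native: int          # untagged VLAN the pfSense interface effectively sits in
    dev_tagged: frozenset    # 802.1Q VLAN sub-interfaces defined on that pfSense port
    port_native: int         # UniFi port profile: VLAN ID of the native network
    port_tagged: object      # UniFi tagged setting: "Allow All", "Block All" or a set of IDs

def unifi_tagged_set(setting, native):
    """Expand a UniFi tagged-VLAN setting into the tagged VLAN IDs the port accepts.
    The native network is untagged, so it is never part of the tagged set."""
    if setting == "Allow All":
        return set(SWITCH_VLANS) - {native}
    if setting == "Block All":
        return set()
    return set(setting) - {native}

def check_link(link):
    """Return findings as 'kind: detail' strings; an empty list means both ends agree."""
    findings = []
    if link.dev_native != link.port_native:
        findings.append(f"native-mismatch: device {link.dev_native} vs port {link.port_native}")
    port_tagged = unifi_tagged_set(link.port_tagged, link.port_native)
    missing = set(link.dev_tagged) - port_tagged
    if missing:  # device sends tags the switch drops: that VLAN is silently broken
        findings.append(f"tagged-missing: switch blocks {sorted(missing)}")
    extra = port_tagged - set(link.dev_tagged)
    if extra:  # switch accepts tags the device never needs: the VLAN-hopping exposure above
        findings.append(f"tagged-excess: port allows unused {sorted(extra)}")
    return findings

# The thread's two links as posted, plus port 13 with the suggested "Block All" profile.
PORT13_AS_POSTED = Link("LAN -> port 13", 1, frozenset(), 1, "Allow All")
PORT14_AS_POSTED = Link("LAN2 -> port 14", 84, frozenset(), 84, "Block All")
PORT13_SUGGESTED = Link("LAN -> port 13", 1, frozenset(), 1, "Block All")

if __name__ == "__main__":
    for link in (PORT13_AS_POSTED, PORT14_AS_POSTED, PORT13_SUGGESTED):
        print(link.name, link.port_tagged, "->", check_link(link) or "OK")
```

Port 13 as posted is the only link that yields a finding (an unused tagged VLAN 84); port 14 and the suggested port 13 profile come back clean.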

Help me out here.

On an uplink port, should I restrict it to only the subnet in question (in this case Port 13: Default, VLAN 1, xxx.xxx.83.0)?

I just read your “additional”.

I get it.

Most excellent response.