pfSense + Unifi - No internet, ping, nothing on the VLAN

Networking & Firewalls
1

Hi all-
Trying to setup a guest VLAN within my pfsense & unifi stack. It seems I have double checked everything against numerous forum posts & videos and yet still nothing. Any help is much appreciated.

Network Layout

pfSense —>
Unifi 8 port —>

  1. Unifi AP
  2. wired clients

(Unifi controller hosted via docker. no dumb switches or other APs)

pfSense config:

  1. Here is my VLAN config:

    image
    image2342×656 50.3 KB

    4x VLANs - (None setup yet other than Guest)

  2. Here are my interfaces:

    image
    image2306×924 169 KB

  3. Here is the interface config for VLAN30:

    image
    image2326×2270 490 KB

  4. Here are my basic testing firewall rules: I’m aware these won’t isolate the guest vlan, but I’d like to first get it functional before I complicate things.

    image
    image2396×774 81 KB

  5. Here is the DCHP server config. At first I left the DNS empty to use the pfSense DNS resolver, but to reduce complexity for testing I tried using public dns.

    image
    image1920×4640 413 KB

Unifi setup

  1. Here is my networks page on the Unifi controller where I have added a network w/ VLAN tag 30.

    image
    image1996×746 59.8 KB

  2. Here are the settings that are specific to VLAN 30 within the networks page:

    image
    image1956×866 54.8 KB

  3. This is the guest wifi setup: (I have been testing the VLAN using wired and wifi, neither work)

    image
    image1910×1074 126 KB

  4. Here is my unifi switch config. I have tagged port 6 as VLAN30. I have an ubuntu laptop I am using to test this vlan and it is connected to port 6 here, (wifi shut off on laptop)

    image
    image780×1240 44.8 KB

Testing

These tests are all performed from an Ubuntu laptop that is wired into VLAN30 with WiFi off. (Yes I plugged the laptop into a separate port back on the primary LAN to write this post)

Here is my config:

charles@thinkpad:~$ ifconfig
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.130.10  netmask 255.255.255.0  broadcast 192.168.130.255
        inet6 fe80::ed7a:1e7e:bb86:3ed3  prefixlen 64  scopeid 0x20<link>
        ether 50:7b:9d:d7:0d:d6  txqueuelen 1000  (Ethernet)
        RX packets 116234657  bytes 128142988564 (128.1 GB)
        RX errors 0  dropped 260884  overruns 0  frame 0
        TX packets 124693873  bytes 154646716529 (154.6 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xf1400000-f1420000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3583303  bytes 860917530 (860.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3583303  bytes 860917530 (860.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Ping to the VLAN gateway:

charles@thinkpad:~$ ping 192.168.130.1
PING 192.168.130.1 (192.168.130.1) 56(84) bytes of data.

^C
--- 192.168.130.1 ping statistics ---
25 packets transmitted, 0 received, 100% packet loss, time 24582ms

Ping to the firewall LAN IP

charles@thinkpad:~$ ping 192.168.110.1
PING 192.168.110.1 (192.168.110.1) 56(84) bytes of data.
^C
--- 192.168.110.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6145ms

Ping to public internet:

charles@thinkpad:~$ ping google.com
ping: google.com: Temporary failure in name resolution
charles@thinkpad:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4100ms

pfSense Firewall Logs

All the traffic is being blocked by the Default Deny Rule - however I thought my firewall rules were configured to allow traffic?? (Please note the source ip for my testing laptop is 192.168.130.10. The device 192.168.130.100 is my phone which is also not working on the VLAN)

image
image1920×11886 2.42 MB

Any possible ideas as to what I have configured wrong?? Thanks

2

Think you might be missing an outbound NAT rule.

3

Personally I like to have an alias with my subnets in, I use this in rules to either allow cross vlan access or deny to block access for say the Guest vlan. I can still snoop on guests with such a scenario :wink:

4

I don’t think this is it. You can still ping the gateway even if outbound NAT is disabled (I just checked :crazy_face:).

1 Like
5

Judging by the fact that your phone’s IP address is 192.168.130.100, I gather that DHCP and thus the underlaying Layer 2 configuration is working.

You said the switch port that your laptop is plugged into is tagged with VLAN 30. Based on image 4 I think you mean untagged on VLAN 30 (native VLAN), which you would need if VLANs are not set up on the client device. Can you confirm this? Also it seems your laptop uses a static IP, maybe confirm whether DHCP works with the laptop.

I don’t suspect there are any floating rules since the logs say “Default deny rule”.

What I’ve never done before is having one interface on the native VLAN of a NIC (your LAN network) and other networks on VLANS on that same NIC. I don’t think this is the problem, logically this should work, I’ve just never done or even seen it like that.

6

Actually I think you’ve spotted the issue, I’ve also got my LAN on one NIC and my vlans on another. It looks like you have another spare port I’d put the vlans on igb2 and inspect the results. If you resolve this and have spare ports on your pfsense box you can put these in a LAGG, if one connection was to fail you’d still have the others as a failover.

1 Like
7

Think you might be missing an outbound NAT rule.

image
image1168×789 77.9 KB

Thanks for the idea- I don’t know much about outbound NAT, but it looks like these were auto setup when I created the VLANs? Not sure here- should have included this screenshot in my original post.

Personally I like to have an alias with my subnets in, I use this in rules to either allow cross vlan access or deny to block access for say the Guest vlan. I can still snoop on guests with such a scenario

Agreed that I do intend to do this- I started setting up actual guest vlan rules and then wasn’t getting internet so figured I’d first focus there before expanding further.

8

Agreed- I set the laptop as a static just to try to further reduce variables- but devices with DHCP leases or static assignments behave the same. I’d agree DHCP is working ok.

This could be onto something. I’d trust what the screenshot shows for sure- I do not know the proper terminology. Some basic research has led me to understand that “tagging” is typically used when the switch port is used for another switch or maybe a server where you’re sending multiple VLANs over a single switch port. My original post used the wrong terminology- I’d agree it is untagged & assigned to VLAN 30. Thanks for pointing this out.

Hmm this kind of makes sense. I do have 4x ports on the firewall- only using 2. My plan is to move away from using the primary LAN- however I did not want to mess with the existing LAN until the VLANs were already set up. I think I could put the primary lan on igb2 using a separate switch while I setup the VLANs on igb1 with the unifi switch. Thank you this could be the ticket.

Main LAN on a VLan
9

I do recall when I was first setting up pfSense I had loads of issues with the vlans and my Netgear switch. Eventually, I found if I configured the vlans on the pfSense box, then configure the vlans on the switch, then connect the two it worked, not sure if it’s correlation or causation mind you.

If you configure one NIC on your pfsense box to be the LAN, you can plug directly into it. If you then setup your vlans and switch, I doubt you will ever need the LAN. You can always plug directly into the pfsense box if your switch fails for some reason.

10

image
image1166×705 59.1 KB

It looks like this is the suggested config? OR should I have igb2 assigned as a LAN2 (unused). I.e. is it ok that I have VLANs assigned to igb2 without anything else assigned there?

11

Yes that looks like it ought to work. If that solves your problem you are good to go. From memory, I believe that there is an unassigned port, which is the parent interface which I think ought not to be assigned, though I don’t fully understand it.

If it’s not that it might be the switch, or next your rules.

If you want to “use” the remaining ports on your pfSense box, I might put 20,30,50 in a LAGG and 40 on its own port. Or perhaps the same but with 40 on a second LAGG. Just gives some redundancy, don’t think you’d come close to saturating your network.

12

Ok saying all that I now notice that parent interface for my vlans is the lagg. Well my setup works.

1 Like
13

Still having some issues. I’ve now configured the 4 physical interfaces on my pfSense box as follows:

igb0 - WAN
igb1 - LAN
igb2 - All vlan interfaces
igb3 - LANTEST (not a vlan, rather another LAN)

I am using the LANTEST simply to plug my laptop directly into pfsense to allow me internet & internal access while setting up the VLANs etc.
However now LANTEST does not work! I must be doing something totally wrong here.

The firewall rules are setup like this for LANTEST:

image
image1164×334 30.9 KB

And yet the firewall logs still show that traffic is being blocked:

image
image1176×801 153 KB

It seems like both my VLAN issues and my now new TESTLAN issues are all pointing back to this Default Deny Rule IPv4 which leads me to believe I have not created firewall rules correctly, however the firewall rules for the VLANs and the TESTLAN are dead simple- allow all traffic for now.

I’ve read a ton of vlan threads & watch a lot of YT videos but if anyone knows of a particularity detailed thread that really spells it out for pfsense + Unifi, then i will definitely give it a read. I may need to pivot away from this project temporarily as it has become quite a time suck.

14

Personally I set the NAT to manual and add the rules, mine look like this:

NAT
NAT1140×250 32 KB

For my LAN, which I don’t use much, the rules look like this:

LAN
LAN1147×398 58.7 KB

If you remove the switch from the equation, I do believe if you plug into the pfSense box directly it will give you internet access over the LAN.

If that still doesn’t work for you, could be your DNS. Inspect the results from Diagnostics > DNS Lookup

15

Famous last words…

I gave the NAT thing a shot as the only NAT rule I had configured manually was for a WG VPN tunnel. I don’t really use WG- I had just set it up to experiment. That didn’t help unfortunatley.

However I did solve my issues with LANTEST- pfBlocker!

Within the Firewall / pfBlockerNG / IP page:

image
image1177×458 45.2 KB

The section here that says “Outbound Firewall Rules” only showed LAN as selected. I’m not totally sure what this does exactly but it looks as if it has something to do with which interfaces the pfBlocker rules should apply to. I figured I’d see what happens if I add LANTEST to this and reload pfBlocker.

LANTEST now works as expected!
My thought is if I do the same for the VLANs we should see similar success there.

Thanks all for the input- hopefully this thread can be of some help to anyone else who runs across the same issue in the future.
I will update back if this also solves the VLAN issues.

16

Hmmm … looks strange, pfBlocker adds a rule to the interface when selected for it. I doubt that it will affect anything with respect to traffic getting out of the WAN. Maybe the states table needed to cleared at some point, if you rebooted it will have the same effect.

Took me several months when I first started with pfSense, until I settled on the final configuration.

I’d advise doing everything manually on pfSense so you can get a better idea how it works. Pretty sure you will still have a few complete rebuilds to go before you finish :wink:

17

Oh I’m sure I will. I’ve been running pfSense since 2018, however for a while I simply used it for nothing else than basic routing. Was sick of rebooting the ISP junk.

18

Update:

It looks like the issue with pfBlocker has resolved most of my issues.

This video from Tom is really helpful with setting up the VLANs specificlaly between pfSense & Unifi. The part I found most helpful was setting up the switch ports on the Unifi switch.
Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense

At this point, I am now working through figuring out how to get the Unifi Controller onto the VLAN1 management vlan since I am hosting my Unifi controller on my linux server and I do not want the Linux server to be on VLAN1. I think I need to better understand the switch port profile in Unifi. In addition, I’ll need to read further on how Unraid and TrueNAS handle VLANs.

19

I have the feeling that vendors treat management vlans inconsistently.

At least with Netgear switches the first 3 vlans are defaults (which I don’t use), so I’ve just started mine at 10, 20 etc.

I’ve just used a vlan and stuck all my switches and AP’s on it, calling it the management vlan. Probably it’s easier to lock down a vlan tighter, most users won’t need access to switches etc. Not sure it’s much more than that.

20

I had similar issues when setting up my VLANs with unifi and pfsense. I think the problem maybe in how your switch is configured. When I setup my VLANs I have to tag them on the port that pfsense is connected to so that my switch will route packets there. Try tagging VLAN30 on the ports for your APs and your pfsense box. Also if you want to designate a port as being guest only then you have to mark it Untagged for VLAN30 as your laptop will send it’s traffic untagged by default(Unless you specify a VLAN in the NIC config).

I hope this helps.

CC