pfSense / UniFi: "VLAN only" works, but "Corporate" works as well

Hey guys, just wondering about this little experiment I did.

I’m in a transition phase where I am replacing my USG with a pfSense box. Gradually. I am still alternating between the USG and pfSense to learn how to set things up. Also, I am trying to set things up in a way that lets me hot swap between the USG and pfSense.

Normally, in a fully functioning all-UniFi network (USG / US / AP), when replacing a USG with a pfSense router, one needs to set up VLANs on the UniFi controller as “VLAN only” instead of “Corporate”. And this works well. The rationale is that UniFi “Corporate” networks automatically configure a DHCP server, which of course is no longer required now that DHCP is handled by the pfSense box.

So, the correct way to do it, as also shown in Tom’s videos, is:

  • pfSense / Interfaces / VLANs -> add VLAN, then enable that interface, then Enable DHCP server, then set FW rules
  • UniFi / Networks -> add network type “VLAN only”
  • done

This works great!

I found, however, that using “Corporate” type VLAN networks works just as well with pfSense as the router.

E.g. on pfSense I have a “VLAN10_Secure_Network” set up, VLAN Tag = 10, DHCP server enabled. On the UniFi side under Networks I have a “NW_10_Secure” network, purpose “Corporate”, VLAN 10, Gateway/IP/Subnet 192.168.10.1/24 -> DHCP server enabled by default.

This works perfectly fine. This enables me to just hot swap the USG for the pfSense and back (just “plug over” the WAN and LAN ethernet cables from the one to the other and back) and the network simply continues to run. And run well.

Eventually, when I make the definitive switch to pfSense and abandon the USG altogether, I will re-configure the UniFi VLANs as “VLAN only”.

However, in this transition phase, are there any drawbacks / caveats by keeping the UniFi networks as “Corporate” for a while?

Thanks!
Pete


A Corporate network attempts to set up DHCP and all the rest of the Layer 3 config, but if the USG isn’t online then all those settings do nothing. The only thing I would be aware of, regardless of type, is DHCP Guarding.


Thank you @brwainer, good point, and yes, I realised that the USG cannot process DHCP requests when it’s down; thanks for confirming that.

In UniFi, all networks have DHCP guarding disabled. Would you say enabling it, specifying the pfSense box IP, would add an extra layer of security?

Or could this be handled (better?) from the pfSense itself?

Pete

DHCP Guarding operates on the switches, which is why it shows up even in VLAN-only. The switches block any DHCP offers from an unauthorized source.

I understand. So that is a good thing, right? Or would enabling this feature in a “corporate” network identify the pfSense DHCP as “unauthorised” and block it?

If what you put in as the allowed servers would also include or apply to pfSense, then it would be allowed.
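The exchange above describes what switch-side DHCP guarding does (drop DHCP offers from any server not on the allowed list) and the caveat that pfSense itself must be on that list. The following is an added example, not code from the original thread or from UniFi, that models this logic over constructed DHCP packets: it builds minimal DISCOVER/OFFER/REQUEST/ACK messages, parses the BOOTP header plus option 53 (message type) and option 54 (server identifier), and applies the guard. The addresses (192.168.10.1 for pfSense, 192.168.10.50 for a rogue server) and the frame list are assumptions made for the demonstration.

```python
"""Model of switch-side DHCP guarding (DHCP snooping) over constructed packets.

Added example, not the forum's or UniFi's code. Server-originated DHCP messages
(OFFER, ACK, NAK) are forwarded only if both the IP source and the server
identifier (option 54) are in the allowed set; everything else from a client
(DISCOVER, REQUEST) is forwarded untouched, as a switch would do.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"       # magic cookie that starts the options field
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255

MSG_DISCOVER, MSG_OFFER, MSG_REQUEST, MSG_ACK, MSG_NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {MSG_OFFER, MSG_ACK, MSG_NAK}   # only servers send these

# Assumed addresses for the demonstration (constructed, not from the thread).
PFSENSE = "192.168.10.1"
ROGUE = "192.168.10.50"


@dataclass
class DhcpMessage:
    msg_type: int
    xid: int
    yiaddr: str                 # address being offered/assigned
    server_id: Optional[str]    # option 54, if present


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_dhcp(msg_type: int, xid: int, yiaddr: str = "0.0.0.0",
               server_id: Optional[str] = None) -> bytes:
    """Build a minimal BOOTP/DHCP payload (236-byte header + cookie + options)."""
    op = 2 if msg_type in SERVER_MESSAGES else 1      # BOOTREPLY vs BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _ip_to_bytes(yiaddr), b"\0" * 4, b"\0" * 4)
    header += b"\0" * 16 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + _ip_to_bytes(server_id)
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse xid, yiaddr and the two options the guard needs."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = _bytes_to_ip(payload[16:20])
    msg_type, server_id = None, None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MESSAGE_TYPE:
            msg_type = value[0]
        elif code == OPT_SERVER_ID:
            server_id = _bytes_to_ip(value)
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP packet without message type option")
    return DhcpMessage(msg_type, xid, yiaddr, server_id)


def dhcp_guard(frames: List[Tuple[str, bytes]],
               allowed_servers: Set[str]) -> List[Tuple[str, str]]:
    """Return a (verdict, reason) pair per (source IP, DHCP payload) frame."""
    verdicts = []
    for src_ip, payload in frames:
        msg = parse_dhcp(payload)
        if msg.msg_type not in SERVER_MESSAGES:
            verdicts.append(("forward", f"client message type {msg.msg_type}"))
            continue
        claimed = msg.server_id or src_ip   # rogue servers may forge option 54
        if src_ip in allowed_servers and claimed in allowed_servers:
            verdicts.append(("forward", f"server message from trusted {src_ip}"))
        else:
            verdicts.append(("drop", f"unauthorised DHCP server {src_ip} (option 54: {claimed})"))
    return verdicts


# Constructed sample exchange: one legitimate DORA plus one rogue OFFER.
SAMPLE_FRAMES = [
    ("0.0.0.0", build_dhcp(MSG_DISCOVER, 0x1001)),
    (PFSENSE, build_dhcp(MSG_OFFER, 0x1001, "192.168.10.100", PFSENSE)),
    (ROGUE, build_dhcp(MSG_OFFER, 0x1001, "192.168.10.200", ROGUE)),
    ("0.0.0.0", build_dhcp(MSG_REQUEST, 0x1001)),
    (PFSENSE, build_dhcp(MSG_ACK, 0x1001, "192.168.10.100", PFSENSE)),
]


def run_guard(allowed_servers: Set[str]) -> List[str]:
    """Verdicts only, for the sample exchange under a given allowed-server list."""
    return [verdict for verdict, _ in dhcp_guard(SAMPLE_FRAMES, allowed_servers)]


if __name__ == "__main__":
    print(run_guard({PFSENSE}))            # pfSense trusted: only the rogue OFFER is dropped
    print(run_guard({"192.168.10.254"}))   # pfSense not listed: its OFFER and ACK are dropped too
```

The second run is the caveat from the thread: with DHCP guarding enabled and the pfSense address missing from the allowed list, the switch drops pfSense's own OFFER and ACK and clients never get a lease, so the allowed-server list must include the address pfSense (or the USG, while it is still in service) answers from.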