pfSense + UniFi VLAN propagation issue (10G SFP28 trunk)

Hi all,

I’m looking for a sanity check and guidance on a pfSense + UniFi design that is mostly working but failing at VLAN propagation.

Target architecture

  • pfSense is the only router/firewall/DHCP server.

  • Bell 10G ONT → pfSense 10G NIC.

  • pfSense trunks multiple VLANs over SFP28 (ice0) to a UniFi USW-XG-24.

  • XG-24 uplinks to a USW-Pro-XG-8-PoE, which powers two U7 Pro XG APs.

  • VLANs are /24s using 192.168.<VLAN>.0/24, gateway .1.

  • UniFi Gateway Ultra exists only for UniFi OS / device management (not intended as the client gateway).

Current state

  • All UniFi devices (XG-24, XG-8-PoE, APs, UGW) are adopted and manageable.

  • pfSense VLAN interfaces exist and DHCP servers are configured per VLAN.

  • The SFP28 link between pfSense and the XG-24 is up.

  • However, clients on UniFi ports/APs are not receiving DHCP on VLANs, suggesting VLANs are not propagating correctly from pfSense into UniFi.

Suspicions / questions

  1. On the UniFi XG-24, should the SFP28 port facing pfSense be:

    • a trunk with all VLANs tagged, and

    • a specific native VLAN (e.g., management), or fully tagged with no native?

  2. Do UniFi access ports require explicit VLAN tagging for DHCP to work, or is port profile selection sufficient?

  3. Any known STP/RSTP considerations when pfSense is upstream of UniFi over SFP28?
    I suspect STP blocking may be preventing VLAN traffic even though the link is up.

  4. Is there any reason to assign an interface directly to ice0 in pfSense, or should only VLAN sub-interfaces exist?

I’m aiming for a clean model where pfSense does all L3 and UniFi strictly handles L2 + Wi-Fi. Any confirmation of best practices or common pitfalls here would be greatly appreciated.

Thanks in advance.
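As an added diagnostic illustration (not from this thread or from pfSense/UniFi), the check below classifies DHCP frames by 802.1Q tag the way you would on a capture taken on the pfSense side of the trunk, to tell "DISCOVER arrives untagged" (native VLAN / port profile mismatch) from "DISCOVER tagged but no OFFER" (pfSense not answering on that VLAN). The frames are constructed inline; the interface name ice0 and the VLAN numbers are taken from the post, and a real run would feed raw packet bytes from a pcap into parse_frame.

```python
import struct
from collections import Counter

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_frame(frame: bytes):
    """Return (vlan_id_or_None, dhcp_message_name) for a DHCP frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100:                          # 802.1Q tag: TCI, then inner ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 28 or frame[off + 9] != 17:
        return None                                  # only IPv4 carrying UDP is of interest
    udp = off + (frame[off] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if not {sport, dport} & {67, 68}:
        return None
    opts, i = frame[udp + 8 + 240:], 0               # options follow the 240-byte fixed header
    while i + 2 < len(opts) and opts[i] != 255:
        if opts[i] == 53:                            # option 53: DHCP message type
            return vlan, DHCP_TYPES.get(opts[i + 2], str(opts[i + 2]))
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]  # pad is one byte, others are TLV

def build_dhcp_frame(msg_type: int, vlan):
    """Constructed minimal Ethernet/IPv4/UDP/DHCP frame, optionally 802.1Q tagged (test data)."""
    dhcp = bytes([1, 1, 6, 0]) + bytes(232) + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag + b"\x08\x00" + ip

def diagnose(frames):
    """Count DHCP messages per VLAN and flag the two symptoms relevant to a trunk like ice0."""
    counts = Counter(r for r in map(parse_frame, frames) if r)
    findings = []
    for vlan in sorted({v for v, _ in counts}, key=lambda v: (v is None, v or 0)):
        if vlan is None:
            findings.append("untagged DHCP seen on trunk: native VLAN / port profile mismatch")
        elif counts[(vlan, "DISCOVER")] and not counts[(vlan, "OFFER")]:
            findings.append(f"VLAN {vlan}: DISCOVER seen but no OFFER: pfSense not answering here")
    return dict(counts), findings

if __name__ == "__main__":                           # constructed capture: VLAN 20 healthy, VLAN 30 unanswered, one untagged
    capture = [build_dhcp_frame(1, 20), build_dhcp_frame(2, 20), build_dhcp_frame(1, 30), build_dhcp_frame(1, None)]
    print(*diagnose(capture)[1], sep="\n")
```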

There are a few people here who know more about networking as a whole, plus have more experience with both pfSense and UniFi. But I can try answering a couple of the questions you asked.

  1. Yes, with a specific native VLAN for management is how I’ve always had my UniFi switches and APs configured.
  2. Not sure if I’m understanding it right. Port profiles have always worked for me. One thing to note though is to ensure that the DHCP Mode for each VLAN/network in UniFi is set up as DHCP Relay with the pfSense as the target, not None or DHCP Server (which will set the UCG-Ultra as the DHCP server).
  3. Best let someone else answer this.
  4. I’ve never tried having VLAN sub-interfaces only before (I’ve never had a pfSense, but my old EdgeMax has a similar interface setup method, to a degree at least). If you only have the sub-interfaces currently, it might be worth setting up the direct interface with your management VLAN to see what happens.

This video might help you.