pfSense VLAN and UNIFI AP

Hi all,

I have a pfSense firewall at home and a UNIFI AP-AC-LR.
In pfSense I created a VLAN on my LAN interface, created a DHCP server for the VLAN interface, and created the firewall rule to allow it out to the internet.

In the UNIFI controller, I created a VLAN Only network and set the VLAN ID. I then created a wireless network and, in the advanced options, set ‘user VLAN’ with the VLAN ID.

I can connect to the wireless but I have no internet.

Can this be because my UNIFI controller is hosted in the cloud and not in the house?

Thank you in advance

For the switch port you use for the AP, what is the profile setting? It should be set to “All” VLANs:

[Screenshot: Switch Port Profile]

1 Like

Hi,

I use a Dell PowerConnect 5548 switch, not a Unifi one.

The AP port is untagged.

Is that what you meant?

Fred

Set the switch port for the AP to be a trunk port (pass all VLANs).

I second that; verify the switch ports are configured for the VLANs you intend to use. Make sure the port that pfSense uses is trunked, and if you only intend a single VLAN for your AP, set the VLAN of the port.

For pfSense, if you’re going to use an interface for VLANs, then you cannot use the interface directly anymore. You will get bleed-over between the VLAN(s) and LAN traffic.

In Cisco you would first create the VLAN and then edit the port and either change it to trunk or set the default VLAN ID (PVID in some cases).
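To make the access-versus-trunk advice above concrete, here is an added toy model of how a managed switch classifies frames on ingress and tags them on egress. It is not code from the thread, from pfSense, or from any switch vendor; port names, the guest VLAN number (20) and the frame contents are constructed. It reproduces the original problem: an AP that tags SSID traffic, plugged into an untagged (access) port, gets that traffic dropped, while a trunk port carries it through to the pfSense port.

```python
"""Toy model of 802.1Q handling at a managed switch port (added example).

A frame is modelled only by its VLAN tag: None means untagged. Access ports
carry a single VLAN untagged; trunk ports carry several VLANs tagged plus one
native VLAN untagged. VLAN numbers and port names below are constructed.
"""
from dataclasses import dataclass
from typing import NamedTuple, Optional


@dataclass
class Port:
    name: str
    mode: str                               # "access" or "trunk"
    pvid: int = 1                           # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()        # trunk only: VLANs accepted as tagged


class Result(NamedTuple):
    forwarded: bool
    vlan: Optional[int]                     # VLAN the frame travelled in
    wire_tag: Optional[int]                 # tag seen on the egress wire (None = untagged)


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame arriving on `port` is placed in, or None if it is dropped."""
    if port.mode == "access":
        # An access (untagged) port only carries its PVID. A tagged frame arriving
        # here is dropped on most switches: this is the AP-on-an-untagged-port case.
        return port.pvid if tag is None else None
    if port.mode == "trunk":
        if tag is None:
            return port.pvid                # untagged on a trunk = native VLAN
        return tag if tag in port.allowed else None
    raise ValueError(f"unknown port mode {port.mode!r}")


def egress(port: Port, vlan: int):
    """(forwarded?, tag on the wire) for a frame leaving `port` in `vlan`."""
    if port.mode == "access":
        return (vlan == port.pvid, None)    # only the PVID leaves, always untagged
    if vlan == port.pvid:
        return (True, None)                 # native VLAN leaves a trunk untagged
    return (vlan in port.allowed, vlan)     # other allowed VLANs leave tagged


def forward(ingress_port: Port, egress_port: Port, tag: Optional[int]) -> Result:
    """Carry a frame with `tag` in on one port and out of another."""
    vlan = ingress_vlan(ingress_port, tag)
    if vlan is None:
        return Result(False, None, None)
    ok, wire_tag = egress(egress_port, vlan)
    return Result(ok, vlan if ok else None, wire_tag if ok else None)


GUEST_VLAN = 20                             # constructed guest/IoT VLAN number


def simulate(ap_port_mode: str) -> dict:
    """The thread's setup: AP on one switch port, pfSense on a trunk port."""
    ap_port = Port("gi1 (AP)", ap_port_mode, pvid=1, allowed=frozenset({GUEST_VLAN}))
    fw_port = Port("gi24 (pfSense)", "trunk", pvid=1, allowed=frozenset({GUEST_VLAN}))
    return {
        "guest SSID -> pfSense": forward(ap_port, fw_port, GUEST_VLAN),
        "AP management (untagged) -> pfSense": forward(ap_port, fw_port, None),
    }


if __name__ == "__main__":
    for mode in ("access", "trunk"):
        print(f"AP port mode: {mode}")
        for flow, res in simulate(mode).items():
            print(f"  {flow}: {res}")
```

With the AP port in access mode the guest SSID frames never reach pfSense, which matches the "wireless connects but no internet" symptom; the AP's own untagged management traffic still gets through in VLAN 1, so the AP looks healthy in the controller. Switching the port to trunk mode lets VLAN 20 through tagged, and pfSense's VLAN interface on the LAN parent picks it up.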

Hi guys,

Thank you very much for your help.
I set the pfSense and the AP port to ‘trunk’ mode and it’s all working now :)

Can anyone help me add a VLAN and guest wifi? Thank you very much!!!

What device do I need?

Why are you putting the EdgeRouter before the pfSense?

Put pfSense at the head of your network and set up dual WAN on it. Then create your VLAN in pfSense and connect a couple of Unifi APs. You might need a switch that speaks VLAN… Can you give more details?

Hi,

My VMware server runs multiple pfSense VMs and currently has no more physical LAN interfaces, so I cannot do dual WAN on pfSense; that is why I use an EdgeRouter Lite 3 as a load balancer, and I also use it as DPI to block some websites for my clients.

I tried a guide to create a VLAN on pfSense, and I found that in the Unifi controller, when I tried to add a new network with a VLAN, it showed “USG required”. My current Unifi controller version is 5.10.25.

And why is my Unifi controller accessed via localhost and not via IP?? Any idea how to fix it?

Thanks !

In the network map you provided, you listed an unmanaged switch between pfSense and the AP. Unmanaged switches cannot handle VLAN tags. That is probably why it says “USG required”: there is nothing between the AP and the FW that can handle VLANs. If you add a managed switch you should be good to go.

In regards to your Unifi Controller, technically it is accessed via IP. If you wanted to, you could swap localhost for the <ip address> of the host where you installed the controller software and still be able to access it. But I think you can change it under Settings -> Controller -> Controller Settings and set the Controller hostname/IP.

@Tmi I thought the unmanaged switch just passed everything along to the FW to sort out all the vlans??

@xmemex to my knowledge unmanaged switches don’t know what to do with VLANs, as you cannot define or manage VLANs on an unmanaged switch. I think I may have read on the Internet that some unmanaged switches will pass them on. But from what I know, generally an unmanaged switch will not pass on the VLANs.

I second that… Pick a cheap Unifi/EdgeSwitch and you’re good to go. They’re really inexpensive in my opinion.

1 Like

Unifi is meant to be a magic piece of software that sets everything up for you, but it only works to the full extent if you have every piece of network equipment as Unifi. When trying to use non-Unifi items, the magic is lost and you have to properly understand network concepts in order to set up the network properly.

VLAN tags only work to keep traffic separate if every piece of hardware is VLAN aware, and properly configured to recognize the VLAN tags. On the Network page that you shared a screenshot of, pay close attention between the items that say “USW REQUIRED” versus “USG REQUIRED”. USW means Unifi Switch, USG means Unifi Security Gateway.
For the APs: By assigning a VLAN number to an SSID, traffic leaving the AP from that SSID will be tagged with that VLAN number. There is also an option to set the management IP of the AP into a VLAN - stay away from this until/unless you really understand what is going on.
For the switches: Any network that is created as “Corporate”, “Guest”, or “VLAN Only” will be created on Unifi switches. By default all ports on a Unifi switch are set to the “All” profile, which means they will accept traffic tagged for any of the VLANs that you set up. This is appropriate for connections to APs, the firewall, and other switches. For other ports, you should change the profile to the appropriate VLAN. For non-Unifi switches, you have to do this setup manually. Unmanaged switches come in two varieties: some will keep and pass through the VLAN tags, which means that when the traffic from the APs gets to the firewall it will still be in the VLAN, but the traffic will also be sent to every port, which is a security risk. Other unmanaged switches will strip away the VLAN tags, or drop packets with VLAN tags, either of which will mean that when the traffic reaches the firewall, it won’t be in a VLAN anymore.
For your firewall: If using a USG, “Corporate” and “Guest” networks will be created on the USG’s LAN port. The other types of networks are not related to VLANs. For a non-USG firewall, you have to do this manually.

2 Likes
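The post above describes two kinds of unmanaged switch: one that passes 802.1Q tags through untouched and one that strips them. The following added example (not code from the thread, from Ubiquiti or from pfSense; MAC addresses, VLAN IDs and payloads are constructed sample values) builds a tagged Ethernet frame, parses the 802.1Q header, and shows byte by byte what a tag-stripping switch does to it: the frame arrives at the firewall as plain LAN traffic with no VLAN membership left.

```python
"""Build and parse 802.1Q-tagged Ethernet frames (added example).

The 802.1Q tag is 4 bytes inserted after the source MAC: TPID 0x8100, then a
16-bit TCI holding 3 bits of priority (PCP), 1 bit DEI and a 12-bit VLAN ID.
"""
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed, locally administered sample MACs (not real devices).
AP_MAC = bytes.fromhex("02aa00000001")
FW_MAC = bytes.fromhex("02bb00000001")


class Frame(NamedTuple):
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: int            # PCP bits; only meaningful when tagged
    ethertype: int           # EtherType of the payload (after the tag, if any)
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Ethernet II frame, optionally with an 802.1Q tag after the source MAC."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    hdr = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:            # 4095 is reserved; 0 = priority-only tag
            raise ValueError("VLAN ID must be 0..4094")
        tci = (priority << 13) | vlan_id        # DEI bit left clear
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, priority, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id, priority, offset = tci & 0x0FFF, tci >> 13, 18
    return Frame(dst, src, vlan_id, priority, ethertype, raw[offset:])


def strip_tag(raw: bytes) -> bytes:
    """What the tag-stripping kind of unmanaged switch does: remove the 4 tag bytes
    (TPID + TCI at offsets 12..15) so the inner EtherType follows the source MAC."""
    if parse_frame(raw).vlan_id is None:
        return raw
    return raw[:12] + raw[16:]


def firewall_view(raw: bytes, switch_kind: str) -> Frame:
    """Frame as seen on the firewall's parent interface after each kind of switch."""
    if switch_kind in ("managed_trunk", "unmanaged_passthrough"):
        return parse_frame(raw)            # tag survives; pfSense VLAN interface matches it
    if switch_kind == "unmanaged_stripping":
        return parse_frame(strip_tag(raw)) # tag gone; lands on the untagged LAN
    raise ValueError(f"unknown switch kind {switch_kind!r}")


def demo() -> dict:
    """Guest SSID frame (constructed VLAN 20, priority 3) through each switch kind."""
    frame = build_frame(FW_MAC, AP_MAC, ETHERTYPE_IPV4, b"guest-ip-packet", vlan_id=20, priority=3)
    return {kind: firewall_view(frame, kind).vlan_id
            for kind in ("managed_trunk", "unmanaged_passthrough", "unmanaged_stripping")}


if __name__ == "__main__":
    for kind, vid in demo().items():
        print(f"{kind:22s} firewall sees VLAN: {vid}")
```

The check a practitioner wants here is a capture on the pfSense side: `tcpdump -e -i <parent interface> vlan` prints the link-layer header, so a frame that still carries its tag shows up as `vlan 20, p 3, ethertype IPv4`. Capture on the parent (physical) interface rather than on the VLAN sub-interface, because the sub-interface only ever shows frames after the tag has been removed, and so cannot tell you whether the tag survived the switch.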

I use pfSense at the head, create VLANs with associated DHCP, and for the switch I use a Dell PowerConnect 5548. I set the ports connected to the AP as trunk, otherwise it doesn’t work…
Get a managed switch, play with it and post back any issue you have. We’ll try to help then.

What’s the standard for creating a VLAN? Should I use an interface like my LAN as the physical interface for my VLAN too? Or buy a network card with 3 ports, use ports 1 and 2 for WAN and LAN, then the third port for VLAN? Assuming my firewall is pfSense, and Unifi as my APs with a managed switch but not Unifi…

In pfsense, I always created vlan from the LAN interface.

Please take a look at this video as starting point. It should get you started

1 Like

Unless you expect >800Mb/s traffic between two subnets, creating VLANs on the main LAN interface is fine. The LAN interface itself is automatically the default VLAN; in most hardware this is “VLAN 1”. So you can pass both VLAN traffic (packets that have a tag on them) and non-VLAN traffic on the same port. By the way, never manually create a VLAN 1 unless you really, really know what you are doing. There are times when it is necessary, but they are rare. Otherwise you’ll mess up the assumptions that the hardware engineers made when they designed each device.
Yes, your pfSense is your firewall.
You can use any managed switch, the Unifi ones just make things simpler for you.

1 Like

Thanks for that info… So I think our problem setting up APs using pfSense as the firewall and another managed switch is the VLAN tagging and untagging. But I’ll search and test for that…

Awesome, let us know. I’m about to do my first vlan network with pfsense, mixed unmanaged switches and unifi APs. All this reading and planning has been a great help.