Hello all,
I managed to get pfSense working in a VMWare hypervisor on my 2010 Mac Pro. I then followed Tom’s video here: https://www.youtube.com/watch?v=b2w1Ywt081o&app=desktop to create a VLAN. I followed all steps meticulously.
Devices connected to the UniFi switch ports with “LAN” switch port profiles work great. But when I assign a “VLAN10” switch port proflile to a port on the UniFi the connected computer doesn’t get an IP address.
So what I did basically is create a VLAN 10 in pfSense, add it to an interface (LAN), set DHCP service and create a pass-all firewall rule.
Then in the UniFi controller I adopted the 8 port switch, created a VLAN-only network with VLAN ID 10, went to Ports → select switch port profile VLAN10.
Then I connected a windows laptop, no IP.
Then I connected a Macbook, no IP.
Both laptops get LAN IP addresses when connected to other ports on the UniFi switch, “LAN” and “All” both work.
I double checked all settings and rewatched parts of the video a couple of times.
Here you can see that the windows laptop L211907 doesn’t get an IP address while it is connected to switch port #7, for which the correct VLAN port profile has been selected.
Problem with starting off with pfsense in a vm is that it’s another layer to troubleshoot, spent 3 months poking at it myself in a vm and never did get it to work.
Looking at your WAN IP it’s a private address range, somewhere in pfsense there are settings relating to BOGON networks (or something like that) that need to be either turned on or off when you are passing through a private range, the default is for it to receive a public IP.
It’s just a punt, though I can’t honestly even say if your setup will work.
Hi neogrid, thanks for your trouble of reading and replying! You know, getting to understand how VLANs in pfSense are configured and pass over to UniFi is the whole reason I set this up. So I can make a decision to buy or not buy a NetGate device. So I’m almost there
Actually this setup in the VM works flawlessly except for this VLAN issue. I get 60/10 ISP throughput (which is what my plan says) and internet browsing and routing is working as desired.
Yes you are right about the bogon setting: it’s in the interfaces section at the bottom under “Reserved Networks”. I unchecked it like Tom instructed in his video, because this is a (kind of) lab setup, it’s all off an internal IP.
If I could only figure out what this VLAN issue is all about…
This my be a daft question, but is the UniFi port connected to pfSense set with the ‘All’ profile? I’ve seen so many people forget to do that I always check that first.
There may be something you need to do on the hypervisor software to allow the VLANs. At my prior job we ran PFSense inside of ESXi, and we always needed to add the VLANs to ESXi before it would allow them through to the VM.
Hi neogrid, I mean that I wanted to do a full pfSense-to-UniFi-VLAN-setup to see how it’s implemented. As Tom set up DHCP for the VLAN in the pfSense, on the UniFi side we need to create a “VLAN only” type, not “corporate”. I had never done this before.
I like the pfSense system and it may be a good USG replacement (USG 3P is not powerful enough and UDM/Pro or UXGpro is not mature yet). But I have about 10-15 granular FW rules in my USG now and it’s important to me that I can do the same in pfSense and let it work seamlessly with my UniFi switches and AP’s. My USG FW has been super stable and precise so I don’t want to make this decision overnight.
yeah I get you … took me up to 9 months to get pfsense to a point where I didn’t make any further refinements … it just takes the time it takes.
Nothing wrong with your approach … but I remember a lot of faffing around at the start. Think you will get it all up and running eventually.
Good luck !
Thanks! If you say “nothing wrong with my approach” does that mean you think the configuration settings I entered (see screen shots I provided) are correct?
Maybe I’ll just order an SG-1100 to start with so I can fiddle with the settings and see if pfSense is all I want it to be. I reckon I can count on automatic VLAN port config on dedicated hardware.
This VM setup took me two full days so far so 179 would have been a bargain if I count hours lost.
I would say @brwainer is probably on to something. Are you using fusion as the hypervisor? If you are I’m not sure it supports VLAN pass-through. Have you tried using a static ip on the VLAN and seeing if you can ping pfSense? Have you tried using another Mac (I see you have more than one from the screenshot) and set that with a specific VLAN tag under the network properties? From what you have shown it looks like it should work to me, although I could have missed something!
I think you hit the nail on the head here. I checked the vmware ESXi documentation for VLAN configuration on port groups and it’s something one has to do in order to progagate VLANs trhough the VM LAN port. So I think that has to be what’s causing this VLAN issue.
Regretfully, I am now using a legacy VMWare Fusion 7 version (current version is 12 now) which has no options for VLAN settings.
So like I replied to neogrid, I will order an SG-1100 to play with and save me time.
Hi Acestes, I was typing a reply to Bruce while yours came in. Thanks for your suggestions also, I may try them just for the hell of it. But a dedicated box is better to save me further problem solving…
Depends on your budget and requirements but those Netgate boxes seem kinda pricey for me. I have a cheap Chinese box mainly for their 6 ethernet ports but you might want to also consider a Protectli box they kinda look good. Getting more ports now might save you some hassle in the future.
Excellent advice here guys, I’m glad to have registered here. As a civil engineer I don’t have a lot of networking experience from my professional life (well, if I don’t count knowledge about USB ports and floppy disks) so I started to learn IT stuff very recently. There is a lot to catch up on, that has become very obvious to me. I don’t know if I can afford to spend the time to dig very deep here, probably even mastering the pfSense settings is a lot of work for me already.
But I managed to master the UniFi controller (which is admittedly much more basic, simple and convenient ) so pfSense should be no problem
Anyways I don’t know about the chinses boxes, but the SG1100 is just 179 which is not all that much and it even looks more powerful than my USG 3P.
Tried a fixed IP address 172.16.10.200 on a Macbook, but it would not ping at all to the pfSense. Also no internet connection. So we can conclude the issue is on the VM virtual Ethernet port.
Given this issue and the fact that I’m working with an old Mac and outdated OS and VMware version, I think it’s not bad I’ve gotten this far. I am routing traffic on LAN and to internet and I can play with all the pfSense settings.
On ESXi you need to set the physical NIC that is passed through to pfSense to VLAN 4095. Otherwise it will remove VLAN information from the data packets. Perhaps something similar is necessary here
Hi Chris, thanks so much for chiming in I appreciate that. I had a good look at all the possible network settings in vmware fusion 7, but there don’t seem to be any related to VLAN functionality. This might be because it’s quite outdated.
So I think this lab exercise stops here for me, it has been good fun but I’m not getting where I want to be.
