UAP (VLAN) -> Cisco(VLAN) -> pfSense -> Proxmox -> Unifi Controller

(first time poster - huge fan of the YouTube channel)

Hi, this is my first foray into VLANs and I'm having trouble setting up the Unifi AP in this setup (think home-ish setup, living-room-like):


The right side of the router (10.10.10.x) is trusted with no restrictions, while the left side of the router (192.168.107.x) is generally untrusted and can only get to the internet. To allow the AP to serve devices out of both categories, I created two VLANs: one for 'AP management/internal/trusted LAN' and one for 'IoT/guest'.
The Unifi Controller (10.10.10.63) is in a Proxmox container 'on the other side' of the router, which is VLAN-unaware (the 10.10.10.x switch is unmanaged).

I created VLANs 10 and 20 on the pfSense router:
Interface: "VLAN10", static IPv4, 192.168.10.1/24, DHCP enabled, BOOTP/DHCP Options: 43, String, 01:04:0a:0a:0a:3f
Interface: "VLAN20", static IPv4, 192.168.20.1/24, DHCP enabled, BOOTP/DHCP Options: 43, String, 01:04:0a:0a:0a:3f
To simplify debugging, there’s only one rule in the FW settings for each VLAN right now: IPv4: any, any, any, …
The 10.10.10.x subnet also has a rule to access anything: IPv4: any, any, any, …

From the 10.10.10.x side of the network, I can reach the web UI of the Cisco switch via all three IP addresses: 192.168.107.20 (no VLAN/well default VLAN, I guess), 192.168.10.2 (VLAN10), 192.168.20.2 (VLAN20).
I created VLANs 10 and 20 on the Cisco switch.
The uplink port (#8) (to the router) and the port to the UAP (#7) are configured to be "Trunk", all other ports are "Access".
For VLAN ID 1: all ports are untagged.
For VLAN ID 10: ports #1-#6 are Excluded, #7, #8 are Tagged.
For VLAN ID 20: ports #1-#6 are Excluded, #7, #8 are Tagged.

I adopted the UAP while it was on the 10.10.10.x subnet and created both VLANs in the Unifi Controller SW. Now that I've moved the UAP behind the managed switch, it won't stop blinking and the Unifi controller SW can't see it anymore.
How do I get the UAP and the Unifi controller to communicate with each other?

Thank you!

Update 1: Additional info:

  1. I have static reservations for the AP's MAC address in all four DHCP configs (Internal, IoT, VLAN10, VLAN20).
  2. The access point is configured for DHCP.
  3. I cannot ping the access point once it’s on the Cisco switch.
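The option 43 string in the VLAN10/VLAN20 DHCP settings above (01:04:0a:0a:0a:3f) is the Ubiquiti vendor sub-option 1 TLV carrying the controller's IPv4 address. As an added example (not the poster's code), here is a small encoder/decoder for that TLV so the string can be checked against the intended controller address before troubleshooting adoption over a VLAN:

```python
"""Encode and decode the DHCP option 43 value used for UniFi controller discovery.

Format (as used by UniFi APs): sub-option code 0x01, length 0x04, then the
four bytes of the controller IPv4 address. Several TLVs may be concatenated.
"""
import ipaddress

UBNT_SUBOPTION_CONTROLLER = 0x01  # sub-option 1: controller IPv4 address


def encode_option43(controller_ip: str) -> str:
    """Return the colon-separated hex string for a single controller address."""
    ip = ipaddress.IPv4Address(controller_ip)  # raises on malformed input
    payload = bytes([UBNT_SUBOPTION_CONTROLLER, 4]) + ip.packed
    return ":".join(f"{b:02x}" for b in payload)


def decode_option43(option: str) -> dict:
    """Parse a colon-separated hex option 43 string into {sub-option: value}.

    Sub-option 1 with a 4-byte value is rendered as a dotted IPv4 string;
    any other sub-option is returned as raw hex. Truncated TLVs raise ValueError.
    """
    raw = bytes.fromhex(option.replace(":", ""))
    result = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        if code == UBNT_SUBOPTION_CONTROLLER and length == 4:
            result[code] = str(ipaddress.IPv4Address(value))
        else:
            result[code] = value.hex()
        i += 2 + length
    return result


if __name__ == "__main__":
    # Constructed check against the value from the post: the controller is 10.10.10.63.
    print(encode_option43("10.10.10.63"))
    print(decode_option43("01:04:0a:0a:0a:3f"))
```

Decoding the string from the post should yield the controller address 10.10.10.63; a wrong address here means the AP will never learn where to send its inform, regardless of firewall rules.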

What is your native VLAN (untagged) on your Cisco switch?

Still "1", never touched it:
[screenshot: VLANs_cisco]
So I *assume* that this will basically be the 192.168.107.x subnet.

I use Nano APs at work connected to 2960X switches. My native VLAN is 100, and here is an example so the Controller will see the device.

interface GigabitEthernet1/0/8
description —AP-117—
switchport trunk native vlan 100
switchport mode trunk
end

Ok, so going by your diagram and reading about this setup I am a little confused. What VLAN is your 10.10.10.x and 192.168.107.x on? Also I noticed if you joined your AP on the 10.10.10.x network then you need to set the 10.10.10.x as your native VLAN in your trunk port to the AP. Right now I'm confused on the 10.10.10.x and 192.168.107.x network. Are all the networks built in pfSense?

I did not define any VLANs other than "VLAN10/20". I assume that 192.168.107.x is basically what the Cisco switch takes as default VLAN ID 1, or do I have to also explicitly define VLAN #1 (as the 192.168.107.x one) on pfSense?
[screenshot: VLANs_pfsense]

Since the switch on the right side of the picture is unmanaged (and not VLAN aware), I can’t really create a VLAN on that side. Shouldn’t the FW rules allow the controller in 10.10.10.x to access 192.168.10.x and vice versa?

Yes:
[screenshot: VLANs_pfsense_2]

All of your networks need to be built in pfSense with a VLAN tag. I built a quick diagram to help with the visual.

The issue you are running into is that you are not able to trunk the 10.10.10.0 network to your AP because that network is its own interface without a VLAN tag. If they all have a VLAN tag then you can trunk your 10.10.10.0 network and have your AP talk to your controller (with the appropriate rules in pfSense, of course). Then by using your Cisco more like a core switch you are able to break out your VLANs appropriately. Unfortunately you will have to select a single interface on your pfSense box to trunk all your VLANs to your Cisco switch.