Unifi Controller VLAN separation from AP

I am using pfSense and the Ubiquiti AP/controller combination. I have my controller running in a Docker container on the LAN section of my network along with my APs.
Last time I moved that Linux server to a VLAN, away from the APs but with access, the entire controller went down and lost track of the APs. I had to reset everything.
Do I need to move the APs along with the controller?
Unifi specifically warns you when you are moving the controller to a VLAN. Am I missing a part of the protocol? Last time I had a static IP address set instead of a static DHCP lease.

Any help is appreciated.

This is why I’m looking into Engenius: a local web GUI to modify an AP would be much better than starting over. I’m guessing you’ll need to put the management VLAN on each AP and provision it out, then move your controller. I lost access to devices while tinkering around with all the network separation, and it sucks that there isn’t a local page to update. I’m sure it can be manually done via console, since commands are fun to learn.

Make your life simple and keep the controller and the access points on the native VLAN. Create VLANs for the other devices that need to be isolated with rules.

I am confused by the term native VLAN in pfSense, and how is it different from the LAN?
I think I should draw up another diagram now that I have all of the VLANs setup to visualize things again.

I have a video breaking that down a bit more here.

Native VLAN – the term is confusing – is untagged VLAN 1 in Unifi speak. Unifi trunk ports can pass one untagged network, and all the other VLANs need to be tagged. Most people refer to LAN as VLAN 1. It’s possible for your access point to broadcast LAN and various VLANs. It’s also possible that the actual IP address of the AP and controller are on a management VLAN. Whatever you choose, I’d keep the controller and APs (as Tom suggested) on the same VLAN.


OK I think I will give it a whirl outside of business hours. Thanks a lot Kevdog!

Watch Tom’s video since it’s pretty clear – that’s how I learned.

You need to set up all your VLANs inside of pfSense and need to do something similar inside the Unifi controller, defining all the VLANs and their tag #.

In terms of the actual wiring, I’m betting you have your AP and Docker host connected to two separate ports on the Unifi switch. I’m actually running a Unifi Gen2 Plus controller rather than a Docker host.
For the port connected to my access point, I configured the port as a trunk port (which is Unifi’s default if you do nothing – pass untagged VLAN 1 and pass all other tagged defined networks). When configuring the AP, I chose my management VLAN as shown below (management for me is VLAN 40):

For my Gen2 controller – I defined the switch port that controller is plugged into as an access port and just assigned
[Screenshot: Screen Shot 2021-10-26 at 10.53.02 AM]

It’s possible to connect your Docker host to the switch over a trunk port; however, I don’t know then if the host would be able to pass along the tag information to Docker. I’m definitely no networking expert, but I think in order to do this you’d have to create some virtual bridges and assign a VLAN network to each bridge and then connect your Docker network to the specific designated management virtual bridge. I’m sure someone on these forums has done this and could tell you how to do this exactly.

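The trunk-port variant sketched in the post above, written out as an added example (not from this thread, and not Ubiquiti's or Docker's own code): the host gets a tagged sub-interface for the management VLAN, and instead of a hand-built bridge the container is attached through Docker's macvlan driver, which is Docker's built-in way of placing a container directly on a VLAN segment. Everything here is assumed or constructed: uplink `eth0`, management VLAN 40 as in the post, a made-up subnet `192.168.40.0/24` with gateway `192.168.40.1`, and the network name `mgmt`. With the default `DRY_RUN=1` it only prints the commands; `DRY_RUN=0` runs them as root. The `parse_vlan_id`/`check_vlan` pair is the pre-flight check worth running before re-addressing the controller: confirm the sub-interface actually carries the expected tag, so you don't cut the APs off the way the original poster did.

```shell
#!/bin/sh
# Added example (hypothetical setup, not from the thread): put a Docker-hosted
# controller on a management VLAN over a trunk port. All names/addresses below
# are assumptions; adjust to your network.
set -eu

UPLINK="${UPLINK:-eth0}"                    # assumed trunk-facing NIC
MGMT_VID="${MGMT_VID:-40}"                  # management VLAN from the post above
MGMT_CIDR="${MGMT_CIDR:-192.168.40.0/24}"   # constructed placeholder subnet
MGMT_GW="${MGMT_GW:-192.168.40.1}"          # constructed placeholder gateway
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: tagged sub-interface for the management VLAN on the trunk uplink.
# The switch port must pass VLAN 40 tagged (the default "all" trunk profile does).
vlan_cmds() {
  run ip link add link "$UPLINK" name "$UPLINK.$MGMT_VID" type vlan id "$MGMT_VID"
  run ip link set "$UPLINK.$MGMT_VID" up
}

# Step 2: Docker macvlan network bound to that sub-interface. This replaces the
# manual bridge from the post; containers on it get addresses in the mgmt subnet.
docker_cmds() {
  run docker network create -d macvlan \
    --subnet "$MGMT_CIDR" --gateway "$MGMT_GW" \
    -o parent="$UPLINK.$MGMT_VID" mgmt
  # Attach the controller afterwards, e.g.:
  #   docker run --network mgmt --ip 192.168.40.10 ... <controller image>
}

# Pre-flight check helper: extract the VLAN id from `ip -d link show <iface>`
# text on stdin. Prints nothing if the interface is not an 802.1Q sub-interface.
parse_vlan_id() {
  sed -n 's/.*vlan protocol 802\.1Q id \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Returns 0 only when the live sub-interface carries the expected tag.
check_vlan() {
  iface="$UPLINK.$MGMT_VID"
  got="$(ip -d link show "$iface" 2>/dev/null | parse_vlan_id || true)"
  [ "$got" = "$MGMT_VID" ]
}

# Constructed sample of `ip -d link show eth0.40` output (not captured from a
# real host), used to demonstrate what parse_vlan_id reads.
sample_ip_output() {
  printf '%s\n' \
    '3: eth0.40@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000' \
    '    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535' \
    '    vlan protocol 802.1Q id 40 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1'
}

# Stand-alone run: show the commands that would be applied.
vlan_cmds
docker_cmds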

Perhaps a better approach is to just define a management VLAN, say 10, keeping all your switches / APs / controller on that subnet. Though I would run the controller in a VM rather than Docker; at least for me it’s easier to rescue the situation if it messes up.

I’m running TP-Link’s Omada controller, which looks similar: as soon as a management VLAN is set, the AP needs to be able to speak to the controller. Being on the same VLAN makes that easier.

Don’t forget, if you set up a guest SSID you need to add a rule to allow the captive portal (if you use one) to be accessed on the management VLAN.

I am reaching out to support on my device because it seems like this kind of configuration of the virtual switch doesn’t survive a reboot.