Unifi switches passing through public IP via VLAN

Networking & Firewalls
#1

Hi,

We have a client who has a broadband circuit which is presented to us in Fibre SFP module. The client already has a SG3100 so i didn’t want to upgrade.

I created a random VLAN on the Unifi switch and tagged the SFP port and 1 of the ethernet ports to create a bridge in which i can connect my pfsense WAN port. Public IP details are now plugged in on WAN side on pfsense.

This seems to work perfectly fine using cisco switches but fails to work with Unifi and i cant understand why. I have another client with exact same setup but with cisco switches.

Any ideas, thanks in advance.

afn2
afn21222×493 15.1 KB
afn1
afn1969×810 28.4 KB

afn3
afn3367×683 14 KB

#2

Hello,

Please bear with me as I try and understand. You have public ip on a sfp module. That module comes directly to your switch,correct? Not passing through the sg3100… or any other routing device? in Unifi if you set up a port, to use your example vlan 555, that port will only pass packets tagged with vlan 555. If what you plug in is not tagged already with vlan 555 it will not pass information. I think this may be where mirroring option in the port policy overrides is what you want. As you wish to mirror what is coming in and out on the sfp port to another port. You might want to set port isolation as well…though I am be wrong. Have not tried your set up.

#3

Thank you will try this, i did set both ports to NATIVE network (in cisco terms, untagged). so i shouldn’t need to tag anything on my firewall. will try the port mirroring. thank you.

#4

You should not need LLDP med and I noticed the port is not showing connected.

#5

Thanks Tom, i did try without LLDP. The client is at some distance, so i left it running on the cisco until i re-visit. Just wanted to know some options before I drive down there again.

Thanks all!

1 Like
#6

Make sure the SFP is plugged in properly? Otherwise, two ports both in the same native (untagged) vlan should be totally fine if you’re just using the thing to bridge some traffic. And if the downstream devices’ network settings are correct.

#7

Is there a specific reason for not connecting the WAN connection directly to pfSense?

#9

Looks like he said there is no SFP port on the SG-3100.