Unifi - VLAN Trunk - What am I missing

Networking & Firewalls
1

Hey…hope the group can lend me a hand on this as it has to be something really simple.

On my UNIFI, I have setup 2 vlans (3509 and 3517).
I have then gone to my switch and setup:
port 29 = vlan 3509 (block all)
Port 31 = vlan 3509 (block all)
Port 34 = vlan 3517 (block all).

I have a PC connected to port 32
I have pfsense connected to port 31

Pfsense has the vlan bound to an interface (that is plugged into port 31).

I am now trying to ping the pfsense interface (192.168.123.1) from the computer (192.168.123.10) and am unable to do so.

I have also put in any/any rule on the vlan but that does not seem to help.

I don’t think it is a pfsense issue but rather my vlan setup. Any Ideas?

unifi
unifi655×523 25.3 KB

pfsense
pfsense1134×836 57.8 KB

2

Let’s get some clarity.

  1. Just because you made it a trunk port doesn’t mean that traffic is allowed to those VLANs. All you are doing there is tagging the VLANs you want going over your trunk.
  2. You need to make sure from the default VLAN 1 that you have the proper firewall rules to communicate with other VLAN’s.
4

What do you get if you run a trace route from the computer to the pfSense?

5

Nothing on TraceRoute…but I think I solved it…but don’t understand why it works the way it is.

I had to setup a port profile with Vlan 3509 and 3517 associated to it. I then applied that to my “Trunk Port” and magically data started to flow.

So ports 31 has a “Port Profile” associated to it.
Port 32 just has a vlan tag.

Seems kinda wierd…is that how it is supposed to work? If I remove the port profile on 31 and just tag it, data stops flowing.

6

This is just my running theory (someone feel free to correct me if I’m totally off base). I also hope I word it okay and it makes sense!

Because you had set vlan3509 as the ‘native’ network on both ports 29 & 31, traffic on those ports will have been treated as un-tagged.

The vlan interface on your pfSense however is configured for traffic that’s tagged with vlan 3509 (bge3.3509). Since the traffic from the switch to the interface was untagged, it got dropped.

By applying a port profile with the vlans configured on port 31, vlan traffic becomes tagged, allowing your pfSense to properly communicate on those vlans with it’s respective interfaces.

7

thats correct. more simply said:

the untagged “native” traffic of the switch port goes to the plain machine interface like eth0.

The tagged switch port traffic goes to the VLAN subinterfaces, like eth0.3509.

either you define VLANs in the pfSense and assign them to interfaces, then these will need tagged traffic from the switch port. if you have several VLANs on the same interface you need a switch port profile containing the same VLAN tags. The latter is what you call a trunk.

you could also just connect the pfsense with several plain interfaces to the switch and put the VLANs as native to each of the connected switch ports.