VLAN with PfSense (2.5) -> dumb switch (Netgear) -> Unifi AP (6.5.54)

Hello everyone. I’m having some difficulty setting up a VLAN for my home network, which is my test bed for work’s network. I have a PfSense with 2 NICs (one LAN and one WAN). It connects to a normal dumb switch (PoE) then to the Ubnt AP AC Pro. I’ve followed Tom’s video “DL4vMLgBrYI” but the system on there is outdated. So much has changed in the new UBNT controller software. I am able to follow along and make changes as needed for the PfSense, but when I get to adding the WiFi network on the ubnt controller, there is no option to tag the VLAN there. I did learn that you must do this under “Network” now, so I followed along on another video “r4C2yu2wLI4” that shows tagging the VLAN there. However that video shows being able to set the Network as “VLAN Only”. That option is only available if you have a USW, which I do not. I’m not sure if I’m missing something or if it’s just not possible without a smart switch any longer. Any help is appreciated. Thanks, Scott.

What you are doing sounds like a good way to lose your day!

If you want vlans buy a switch, you can get them cheap.

If you want to use your dumb switch, stick everything on the LAN. Maybe your AP allows guest mode, which might work. Trying to fudge your network to do something that it’s not setup to do may or may not work.

Many non-managed / not VLAN aware switches do not pass VLAN tagged traffic.

Now that makes sense Tom. I’ve always thought a dumb switch passed all traffic, but if it’s blocking the tagging that would explain it. I’ll have to rework the home net to work around that. I can add a second LAN port to the PfSense to plug the AP into so it can bypass the switch.
Thanks guys. :grin:

If you set up “guest isolation” on your guest network in Unifi and assign that network to your guest SSID, it’s almost like having a VLAN for that network. All the traffic will really be on your LAN (which your dumb switch will support), but when the Unifi AP gets a packet from a device trying to go to another internal device, it just drops the packet at the AP. It never sees the firewall.

My experience is that every “dumb” switch I have used (made in the last 20 years) is configured at the factory in “vlan transparent” mode, meaning that it cares nothing about what is in the ethernet frame following the dst mac and src mac. So they can’t remove vlan tags; they just get passed along unchanged like every other ethtype.

What brand/model is the PoE dumb switch?

I don’t know if the UAP-AC-Pro came with a power injector or not. If it did, you could connect your “configured” UAP-AC-Pro directly to the “PoE” port of the injector, and the LAN port directly to the pfSense LAN port with the vlan subinterface configured. If the tagged vlan works through the injector but not through the PoE switch, then the switch is not vlan-transparent and is filtering out tagged frames, but that is more the exception than the rule. Also, the ER-X switch, when not configured as vlan-aware, is vlan-transparent; it will pass tagged ethernet frames as-is. When it is vlan-aware, then it will only pass the tagged frames that are defined on each switch-port. E.g. if you configure every port as an access port for vlan 1, it will pass only untagged frames (I did not test for vlan 0 priority-tag-only frames, so I don’t know if those would be passed or not).

I had an ASUS N16 with Tomato that I used before switching over to an ER-X, and it had a built-in 4 port Gb switch, but it was not vlan transparent. So only the untagged frames would pass through. But it supported vlan tagging, and every port by default was set to pvid 1 untagged.

All that said, I don’t recommend using dumb switches if you are using vlans, because in essence every cable will then be configured as a trunk port, and that isn’t secure. Never do it in a business (at least if you keep your networking equipment physically secured from access; otherwise it makes no difference, all your base are belong to us anyway).

At home, where you know who has access, it is common for most people not to have a dedicated management vlan, and guests only connect via a wireless connection. And that will work with a dumb vlan-transparent switch, but you won’t be able to connect a wired device to the “guest” vlan.

For $30 you can get a TL-SG108E 8 port Gb “smart” switch that is vlan-aware (but not business class).
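The frame layout the posts above rely on (dst MAC, src MAC, then either the ethertype or an 802.1Q tag in front of it) is easy to check in code. The following is an added example, not from this thread and not code from pfSense, UniFi or any switch vendor. It parses raw Ethernet frames, classifies each as untagged, priority-tagged (VID 0) or VLAN-tagged, and models the two forwarding behaviours described: a vlan-transparent dumb switch that passes everything unchanged, and an untagged-only port (the non-transparent ASUS switch, or a vlan-aware access port with PVID 1). The MAC addresses and sample frames are constructed; how an untagged-only port treats VID-0 priority-tagged frames is the open question in the post above and is modelled here as a drop, which is an assumption.

```python
"""Parse raw Ethernet frames and classify 802.1Q VLAN tagging.

Added example (not from the thread). After the 12 bytes of dst MAC + src MAC
a frame carries either:
  - ethertype (2 bytes) + payload                       -> untagged frame
  - TPID 0x8100 (2) + TCI (2) + ethertype (2) + payload -> 802.1Q tagged frame
TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits). VID 0 means "priority tag only".
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN fields (None if untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    info = {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12]),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but TCI/ethertype truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify(info: dict) -> str:
    if not info["tagged"]:
        return "untagged"
    if info["vid"] == 0:
        return "priority-tagged"
    return f"tagged vlan {info['vid']}"


def vlan_transparent_forwards(info: dict) -> bool:
    """A vlan-transparent dumb switch ignores everything after the two MACs."""
    return True


def untagged_only_forwards(info: dict) -> bool:
    """The non-transparent switch / vlan-aware access port with PVID 1 from the
    thread: only untagged frames pass. Dropping VID-0 priority-tagged frames is
    an assumption; the post says that case was not tested."""
    return not info["tagged"]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0) -> bytes:
    """Construct a frame for testing (sample data, not captured traffic)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames (placeholder MACs): what an AP would emit for an
# untagged LAN SSID, a VLAN 20 guest SSID, and a priority-tag-only frame.
AP_MAC, PFSENSE_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLES = {
    "lan": build_frame(PFSENSE_MAC, AP_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    "guest": build_frame(PFSENSE_MAC, AP_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19,
                         vid=20, pcp=5),
    "prio": build_frame(PFSENSE_MAC, AP_MAC, ETHERTYPE_ARP, b"\x00" * 28, vid=0, pcp=7),
}


def survey(samples=SAMPLES) -> dict:
    """For each sample: (classification, transparent switch forwards?, untagged-only port forwards?)."""
    out = {}
    for name, raw in samples.items():
        info = parse_frame(raw)
        out[name] = (classify(info), vlan_transparent_forwards(info), untagged_only_forwards(info))
    return out


if __name__ == "__main__":
    for name, (kind, transparent, untagged_only) in survey().items():
        print(f"{name:6s} {kind:16s} transparent={transparent} untagged_only={untagged_only}")
```

Run it as-is to see the three sample frames classified; to check a real switch, feed `parse_frame` the bytes of frames captured on each side of it (for example from a pcap written by tcpdump) and compare which classifications survive the trip. A tagged frame seen on the AP side but missing on the pfSense side is the filtering behaviour the post describes.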

I recommend taking a step back and looking at the design. A router, PFSense in your case, can be programmed to pass traffic between vlans. As others stated, your non-managed switch will probably pass all traffic, so why create a VLAN?

My UniFi system has a USG, managed switches and two Nano APs. The USG does the routing between VLANs.

Truthfully, I don’t know what VLAN only does :-). In particular, when you specify that, I think it doesn’t allow you to specify a DHCP range for the VLAN. As such, plugging a computer into the VLAN didn’t work. I took a step back and asked what I was trying to do and determined to make a Guest vlan, i.e. it could talk to the router, itself and the internet but not other vlans like the corp default Vlan=1.

My next migration is to replace USG with PFSense which is causing a bunch of questions about what I change in the UniFi controller so it doesn’t do something illogical. Eventually – nothing should run on the default subnet (VLAN=1 I think). I will have an IoT VLAN, Main computer VLAN and my Dante audio VLAN.

At EOD I recommend you design what the VLAN structure is and have a managed switch that plugs into your PFSense router. Then comes the fun.