I’m having trouble with VLANs on pfSense / Unifi. I’ve followed steps from these videos but can’t quite get it to work.
How To Setup VLANS With pfsense & UniFI. Also how to build for firewall rules for VLANS in pfsese
How to Have One UniFi AP-AC-LR & Two WiFi Networks with pfsense, VLANS, & No Managed Switch.
At a high level:
When I connect a device to my new Unifi AP, it does not get an IP if I have a VLAN configured on the AP. If I remove the VLAN, I get an IP. I’ve attached a rudimentary diagram to help explain the situation.
For reference, I have zero network drops. I have one Cat5e that I ran from an upstairs bedroom through the center of the house to the crawl space that gives me the ability to connect the “home lab” area with a bedroom on the second floor. Running additional cables would be extremely difficult.
Do you mean under Networks in the controller software? I have LAN created there as a Corporate network and pointing to my primary LAN 192.168.2.0/24 with DHCP mode set to none as I want pfSense to continue to be my DHCP server
Well I mean to say, I have a TPlink AP, it seems to prefer to have a management vlan set in the controller software. I would guess that Unifi have the same, this might help.
What make and model are your unmanaged switches? Not all unmanaged switches will pass on VLAN tags, they strip them which then breaks everything.
Also, I presume you have enabled a DHCP server on pfSense for each VLAN? Also check the logs to see if it is seeing a DHCP request.
Finally, you could configure a static IP on a device connected to the VLAN and see if you can get to anything from there. That way you take DHCP out of the equation if it had been misconfigured.
Switch on first floor - Netgear GS108T
Hub (I thought it was a switch) on second floor - EN108
Switch in crawl space - Netgear 108
Correct - DHCP server was enabled for each VLAN and a subnet defined for each. Firewall rules for LAN and VLANs are any any to eliminate that as a possible culprit.
I manually set an IP on a laptop with an IP from the DHCP range defined for the VLAN it was connected to on the AP. The controller software recognized the laptop had an IP and reflected as much in the controller settings for that laptop but the laptop itself couldn’t browser LAN or WAN. Additionally, when I looked in DHCP Leases on pfSense, that laptop still was not present.
Spend a few bucks on a managed switch that will pass vlans. I picked up an 8port Netgear on amazon for $17us.
I am betting your unmanaged switch won’t pass vlans. Of the three unmanaged switches only my Cisco passes vlans. I don’t use it for that but I tested the three I had for curiosity. You can use your pi to test this.
I would say your switch’s are giving you issues. The GS108 doesn’t list that it supports VLANs in the datasheet, so probably strips them. The EN108 is, as you say, a hub. So replace that with a proper switch, even if it’s just to get better network speeds as it only runs at 10mb.
The GS108T is a managed switch, so you should be able to connect to it and set VLANs on it. Look it up on the Netgear website to get he manual and find out how.
Thanks all for the suggestions! I’ll eliminate the Hub / old switch and see if I can get it to work with just the GS108T. I’ll have to do some research on how to get VLANs set on it.
So the good news is… I FINALLY got an IP from the DHCP server! I connected the Unifi AP to the GS108T and then set up the work VLAN on the GS108T under Switching > VLAN > Basic VLAN Configuration. Then under Switching > VLAN > Advanced VLAN Membership, I tagged the port with the work VLAN ID. Now the less good news. This did not work. Out of curiosity, I tagged all the ports with the work VLAN and magically I got an IP. I’m not 100% sure why this is.
In reading, I found “if you want that a port only belongs to one VLAN, set the port to UNTAGGED. If you want a port in more then one VLAN, you need to set it to TAGGED.”
In fact, I will ultimately need ports to pass multiple VLANs so I assume they will need to be tagged. What I’m not clear on is why they all had to have work VLAN tagged at this point in time when the AP is only connected to one port on the switch.
Well that’s good news, it also means you probably have pfSense configured correctly for the VLANs and DHCP. I can’t explain why it worked when you tagged everything, other than to say you need to tag the port going to pfSense and the port going to the AP. I’m not sure if you only tagged the AP port and not the pfSense port when you did your test.
You’re right in that tagged ports allow traffic on that VLAN to pass through that port, and untagged ports are for end devices to ‘appear’ on that VLAN. Essential what the untagged means is that traffic from devices that don’t understand VLANs (generally end devices, PCs, printers etc) will have that VLAN tag added to it once it enters the network (it’s also removed when it exits the network). Hopefully that makes sense
Sure that’s how the netgear switches work, if you want all vlan traffic to pass through a port (e.g. for an access point) it needs to have T in vlan membership or U for a single vlan.
Netgear switches are a bit odd as they also have a PVID per port, which is usually set to the same VLAN as the untagged VLAN. This shouldn’t be an issue for @jbuckley as long as the default VLAN doesn’t need to be changed.
yes that’s right it will default to 1 out of the box, you have to remember to change it. Though I don’t use the 1-9 for my vlans. However I noticed that on the GS516TP it will change when the vlan on the port is changed.
That was my mistake… I only tagged the port going to the AP and not the one going back to pfSense… Completely overlooked that.
With regards to the GS108T, each port can allow multiple VLANs, correct? I just follow the same steps where I create the VLAN ID, select it in advance, and make that port tagged for the new VLAN as well as the other?
@jbuckley, seems we’re in the same boat. I started with an unmanaged Netgear GS208 switch and is currently battling with the Netgear GSS108E and GS724T managed switches.
In my scenario (XCP, pfsense & VLANs), PFsense is virtrualised and everything works. Depending on the WIFI or port connected to, the correct DHCP parameters is provided. Traffic to and from the internet works. Even IPv6 is working, as along as I do not amend the “Allow ANY to ANY” rule on any of the VLAN related PFsense interfaces …
Cannot thank yall enough! I think I’m on the right track now - just need to work on the firewall rules and decide between the $30 netgear managed switch or the $109 Unifi switch (that will be way more fun in the controller) to replace the dumb switches I have now.
Addressing the firewall rules is my next task so not much guidance I can give yet. I know Tom has some videos on the subject though so I’ll be re-watching those in preparation for the task.