VLANs with pfSense (with pfatt) and Unifi UAP AC Pros

I have viewed a couple of YouTube videos on this and followed them to set up my system, but something isn’t right and despite searching high and low, finding many people that have had similar issues, none of them seem to be resolving my issue. In my setup, starting at the top, I have AT&T Fiber as my ISP. I have used pfatt to help bypass the Residential Gateway provided by AT&T. In this setup, I have the Optical Network Terminal plugged into my pfSense igb0 (NIC), my LAN is on igb1, and the Residential Gateway is on igb2. Using pfatt, it creates a new interface called ngeth0 which is set as the WAN. It took a bit before I was able to get that portion working, but once it was working well, I moved on to my VLANs. I created a “Guest” VLAN on VLAN 20, an IoT VLAN on VLAN 30 and a “Cameras” VLAN (for IP surveillance cameras) on VLAN 40. I assigned each on my LAN port (igb1.20, igb1.30, and igb1.40). I know it may be a bit awkward, but that is just me… my LAN operates on 172.18.0.1/20, I set Guest as 172.19.0.1/20, IoT on 172.19.16.1/20, and Cameras as 172.18.16.1/20. I have reviewed and changed my rules for firewalling the VLANs, going back (for testing) to just allowing any traffic, from any source, to any destination, but I just can’t get Internet.

So that is my pfSense setup. On my Aruba switch, I have my pfSense connected to “ge 1/0/0”, one UAP AC Pro connected to “ge 1/0/4”, and another UAP AC Pro on “ge 0/0/22”. I have made all three of these ports trunked. I run Unifi Controller as a VM on an XCP-ng server (Dell R710). I don’t think I need to make that trunked or not.

Meanwhile, on the Unifi Controller, I have my primary LAN on one SSID, I’ve created another for my guest network, one for IoT and finally one for cameras (I only have one camera that I plan on having on WiFi at the moment, my doorbell camera, most will be PoE IP cameras directly connected to the Aruba switch for network and power).

Using my iPhone, I am able to make a connection to each of the wireless networks. Each time, I am given an IP address corresponding with the IP subnet of the VLAN, but none of the VLANs have Internet access.

I’ve followed all the instructions I could find on pfSense and Unifi. The only thing I can think of that is different is my use of pfatt… I’m not sure if that is throwing a monkey wrench into the system or not. My thought is that there is something simple I’ve not done, but the more and more I look at it and the more I search for people having similar issues, I realize everything is set the way everyone is suggesting… as far as I can tell. My frustration is building to the point logic is failing me. All of this coincides with buying a newly constructed house and getting all the jobs done on the house my wife wants in addition to getting all my “technology” up and running.

What model Aruba switch do you have? Can you share the config? The reason I ask is, on most Aruba switches you don’t “make a port a trunk” like you would on a Cisco-style switch - on Aruba you have to tag each VLAN on each port. But “Aruba” does include some specific models which came from other acquisitions, and I’m not sure about them.

I have three Aruba S3500-24P switches, stacked with 10G-SR fiber modules. The three switches are physically in different regions of the house; my pfSense and servers are all in my detached garage, with one switch serving the front half of the house and one serving the rear. I did this because it is easy to access anywhere on the front half or anywhere in the back half, but impossible to access the front from the back without ripping out drywall. I ran fiber over the weekend between the city’s pre-drywall inspection and the builder starting drywall.

I set up a switching profile, initially trunking 1, 20, 30, & 40. I later changed the profile to all VLANs, but there was no change. I then applied this profile to the physical ports of pfSense and each access point.

As I mentioned, my switches are Aruba S3500-24P. In the graphic below, you can see that I’ve created a switching profile called “VLANS”, which makes a port be set as a trunk and allowed VLANs are 1 (primary network), 20 (Guest), 30 (IoT), and 40 (Cameras). This profile has been applied to GE-0/0/22 (UAP-AC Pro in the front area of the home), GE-1/0/0 (pfSense router), GE-1/0/4 (UAP-AC Pro in the Office), and GE-1/0/16,18,20,24 (LAG ports on XCP-ng server).

Here you can see the interfaces on my pfSense:

Here are my rules for the Guest network:

Here are my Wireless Networks on my UniFi Controller:

As I mentioned, when I connect to the SSID, I receive an appropriate IP, which for my guest network is 172.19.0.0/20 with DHCP range starting at 172.19.0.10.

I keep going 'round & 'round and getting nowhere on trying to figure out what is wrong.
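As an added example (not from the thread), here is a quick check of the addressing plan described in the posts above, plus a small model of pfSense-style first-match interface rules, contrasting the “any to any” troubleshooting rule with a Guest ruleset that still reaches the Internet but cannot reach the LAN or the other VLANs. The rule tuples and helper names are this example’s own, not pfSense’s.

```python
# Added example, not code from the thread: sanity-check the VLAN subnets
# from the posts and model first-match firewall rules for the Guest VLAN.
from ipaddress import ip_address, ip_network
from itertools import combinations

# Subnets exactly as described in the posts (gateway is .1 in each).
VLANS = {
    "LAN":     ip_network("172.18.0.0/20"),
    "Guest":   ip_network("172.19.0.0/20"),
    "IoT":     ip_network("172.19.16.0/20"),
    "Cameras": ip_network("172.18.16.0/20"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def overlapping_vlans(vlans=VLANS):
    """Return pairs of VLAN names whose subnets overlap. Overlapping /20s are a
    classic cause of 'I get a DHCP lease but no Internet' on a multi-VLAN box."""
    return [(a, b) for a, b in combinations(vlans, 2) if vlans[a].overlaps(vlans[b])]


# A rule is (action, src_net, dst_net_or_None); None matches any destination.
# Like pfSense interface rules, evaluation is top-down and the first match wins.
def first_match(rules, src, dst):
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and (dst_net is None or dst in dst_net):
            return action
    return "block"  # implicit default deny at the end of every ruleset


def guest_rules(vlans=VLANS):
    """Segmented Guest ruleset: allow the VLAN gateway (DHCP/DNS), block every
    other private range (LAN, IoT, Cameras), then allow everything else."""
    g = vlans["Guest"]
    gateway = ip_network(f"{g.network_address + 1}/32")  # 172.19.0.1
    return ([("pass", g, gateway)]
            + [("block", g, n) for n in RFC1918]
            + [("pass", g, None)])


# The 'allow any source to any destination' rule used for troubleshooting:
# it reaches the Internet, but it also lets a guest client reach the LAN.
ANY_TO_ANY = [("pass", VLANS["Guest"], None)]
```

If a client on the Guest SSID gets a lease from 172.19.0.10 upwards but `first_match(guest_rules(), ...)` passes traffic to 8.8.8.8, the blockage is not in this layer of the ruleset; look at NAT on the pfatt ngeth0 WAN next.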

Got a quick question: are you able to port forward at all with pfatt? I just seem not to be able to get that working. And are you using a static IP? If you are, how did you set that up? Thanks

Just a few issues I’m having