WiFi novel issue. Connects but no data

I have built a bunch of systems. This has not been seen before.

Netgate 6100
UniFi Pro Max 24 PoE
UniFi Pro 16 PoE
Cable modem to WAN
LAN out to switches
Some VLANs
Some UniFi Lite 6 APs.
Three WiFi networks. One on Default network and two on VLAN Networks.

No restricting firewall rules for now.

All was fine until I accidentally tagged the uplink to the modem with a VLAN. Took a while to find and corrected it. After that, I could again connect to the WiFi networks but couldn’t stream any data. Tried factory resetting everything and returning the router to a known good config. (Including making a simple setup by connecting the LAN to the 16 PoE switch and a single AP.) Same result.

Speed test shows “You are connected to the internet” but the test either works once and not again or not at all, on WiFi on the default network and on WiFi networks on VLANs.

PCs connected to the network connect with no issues at all, including when connecting to a VLAN by tagging the PC’s port.

I unchecked “Allow DNS server list to be overridden by DHCP/PPP” and everything worked on WiFi again, but I’m thinking that’s unrelated.

I’m probably going to book a service call bc I don’t like problems that fix themselves. (Esp bc this is in FL and I’m usually in Canada.) If any LTS people think they have some thoughts, I’m happy to book a call.

Obviously all other intel appreciated.

PS ChatGPT said to specifically tag the AP ports with the VLANs. I’ve never had to do that before. Just leave the NATIVE VLAN / Network on Default and Allow ALL on VLAN Management. Always worked fine but ChatGPT says it’s a new thing. Anyone else heard that?

I would start by drawing out everything, at least just to have a block diagram. Which device is connected to what and on what port?

If your wired devices are able to use the VLANs, and you only experience issues on WiFi devices, I would check the ports one by one.

  • Is the port tagged with all necessary VLANs?
  • Is the port set to the correct native VLAN?
  • Are you using any settings on your UniFi controller or the specific port? (Allow all, or restrict to one VLAN)

One example: You have an AP connected to the switch port. The native VLAN is VLAN 1 (where the UniFi devices communicate with each other), VLAN 2 is IoT, VLAN 3 is guest.
The port has to be tagged with VLAN 2 and VLAN 3.

BTW, what is your UniFi controller? Is it a self-hosted one?

Thanks for this.

To make things simple, I factory reset the 16-port switch and an AP and connected the LAN out to that switch. No tagging on any ports, but I’ve always had WiFi setups with VLANs work fine with the native port ID set to default and VLAN tagging set to all. This is on many installations. In any case, the same thing happened with a WiFi network on the default network and one on a VLAN network. I did try tagging the port with the WiFi VLANs, but same thing. Tried a bunch of things that I’ve lost track of. It worked after I unchecked the DNS setting via the ISP in the general settings. But that may have been coincidental.

Controller is on HostiFi.

Hey happydog,

That’s a puzzler, especially since your wired VLAN traffic is fine and you’ve used similar setups before. The fact that DNS override fixed it (even temporarily) makes me wonder if WiFi clients were getting a DNS that wasn’t responding properly, maybe something cached after the VLAN tagging mishap. It could also be worth checking if mDNS or client isolation settings are doing something unexpected in the UniFi controller. Seems like the kind of thing where everything “should” work, but one small misstep lingers after a config change.

Redoing the DNS setup seemed to help. Here’s what ChatGPT has to say about pfSense DNS:
Here’s a clear and reliable DNS setup recommendation for pfSense, optimized for security, reliability, and central control:

Recommended DNS Setup in pfSense (General + Enforced Use)

  1. Enable and Configure Unbound (DNS Resolver)
    • Go to Services > DNS Resolver
    • Enable the DNS Resolver
    • Check:
      • Enable DNS Resolver
      • Listen Port: 53
      • Network Interfaces: LAN (or All if unsure)
      • Outgoing Network Interfaces: WAN(s)
      • DNS Query Forwarding: Unchecked (unless you want to forward to external DNS only)

  2. Set Up System DNS Servers (Optional, for fallback)
    • Go to System > General Setup
    • Under DNS Servers, add reliable external servers like:
    • 1.1.1.1 (Cloudflare)
    • 8.8.8.8 (Google)
    • Leave “Allow DNS server list to be overridden by DHCP/PPP on WAN” unchecked to prevent your ISP from overwriting these.

  3. Prevent DNS Leaks (Force LAN Clients to Use pfSense for DNS)

Go to Firewall > Rules > LAN and do the following:

a. Pass Rule (to pfSense only)
• Action: Pass
• Interface: LAN
• Protocol: TCP/UDP
• Source: LAN net
• Destination: This Firewall (LAN address)
• Port: 53
• Description: Allow DNS to pfSense

b. Block Rule (to any other DNS servers)
• Action: Block
• Protocol: TCP/UDP
• Source: LAN net
• Destination: any
• Port: 53
• Description: Block DNS bypass

Move the pass rule above the block rule. This ensures clients can only use pfSense for DNS and cannot bypass it using external DNS (e.g. Google or Cloudflare directly).

Optional Add-ons
• DNS over TLS or DNSSEC in Unbound for additional privacy (optional but advanced)
• Host Overrides if you want local DNS names for specific IPs (e.g. NAS or printer)

And this for multi WAN and VLAN setups.

Enhanced DNS Setup for pfSense with VLANs & Multi-WAN

  1. DNS Resolver (Unbound) Global Settings
  • Go to Services > DNS Resolver
  • General Settings:
    • Enable DNS Resolver
    • Listen Port: 53
    • Network Interfaces: Select all interfaces/VLANs that need DNS
    • Outgoing Network Interfaces: Select all active WANs (both if failover or load balancing)
    • Enable Forwarding Mode: Leave unchecked to use DNS resolution directly (more private and faster in many cases)
  2. System > General Setup
  • Add:
    • 1.1.1.1 and 1.0.0.1 (Cloudflare)
    • 8.8.8.8 and 8.8.4.4 (Google)
  • Uncheck:
    • Allow DNS server list to be overridden by DHCP/PPP on WAN
    • Do not use the DNS Forwarder or Resolver as a DNS server for the firewall

These DNS entries are mainly used for fallback resolution by pfSense itself.

  3. Firewall Rules (DNS Enforcement Per VLAN)

For each VLAN (e.g., VLAN 10, VLAN 20), repeat this on Firewall > Rules > [VLAN interface]:

a. Pass Rule to pfSense

  • Action: Pass
  • Protocol: TCP/UDP
  • Source: VLANx net
  • Destination: This Firewall (interface address)
  • Port: 53
  • Description: Allow DNS to pfSense

b. Block Rule to External DNS

  • Action: Block
  • Protocol: TCP/UDP
  • Source: VLANx net
  • Destination: any
  • Port: 53
  • Description: Block external DNS

Make sure the pass rule is above the block rule.

  4. Multi-WAN DNS Failover

If you’re using Gateway Groups, go to:

System > Routing > Gateway Groups

  • Create a group like:

    • DNSGroup: WAN1 (Tier 1), WAN2 (Tier 2)
  • Then in System > General Setup, set this Gateway Group under “Gateway” for DNS entries.

  5. Optional Enhancements
  • DNS over TLS:

    • Go to Services > DNS Resolver > Advanced Settings

    • Enable DNS over TLS and set upstream servers like:

  • Per-VLAN DNS Restrictions:

    • Use pfBlockerNG to assign different DNS filtering levels per VLAN
  • Host Overrides:

    • In DNS Resolver settings, define custom DNS names (e.g., nas.local) mapped to local IPs
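Both rule sets above hinge on the pass rule sitting above the block rule. As an added example (not from the thread and not pfSense code), here is a small Python model of pfSense's first-match rule evaluation, using constructed addresses, that shows why the reversed order leaves clients with no DNS at all and how to spot a rule that can never be reached.

```python
# Added example (not from the thread): model of pfSense first-match evaluation
# for the "Allow DNS to pfSense" / "Block DNS bypass" pair. Addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN_NET = ip_network("192.168.1.0/24")      # "LAN net"
FIREWALL = ip_address("192.168.1.1")        # "This Firewall (LAN address)"
CLIENT = ip_address("192.168.1.50")         # a WiFi client on the LAN
PUBLIC_DNS = ip_address("8.8.8.8")          # external DNS a client may hardcode
TCP_UDP = frozenset({"tcp", "udp"})

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: frozenset            # protocols the rule covers
    src: IPv4Network
    dst: Optional[IPv4Network]  # None means "any"
    port: int
    description: str

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return (proto in self.proto and src in self.src
                and (self.dst is None or dst in self.dst) and port == self.port)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        dst_ok = self.dst is None or (other.dst is not None and other.dst.subnet_of(self.dst))
        return (other.proto <= self.proto and other.src.subnet_of(self.src)
                and dst_ok and other.port == self.port)

def evaluate(rules: List[Rule], proto: str, src: IPv4Address, dst: IPv4Address, port: int) -> str:
    """Interface rules are read top to bottom and the first match wins; anything
    left over hits the stock 'Default allow LAN to any' rule."""
    for rule in rules:
        if rule.matches(proto, src, dst, port):
            return rule.action
    return "pass"

def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Descriptions of rules fully covered by an earlier rule, so never reached."""
    return [later.description for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]

PASS_TO_PFSENSE = Rule("pass", TCP_UDP, LAN_NET, ip_network("192.168.1.1/32"), 53,
                       "Allow DNS to pfSense")
BLOCK_BYPASS = Rule("block", TCP_UDP, LAN_NET, None, 53, "Block DNS bypass")
CORRECT_ORDER = [PASS_TO_PFSENSE, BLOCK_BYPASS]   # pass above block, as advised
WRONG_ORDER = [BLOCK_BYPASS, PASS_TO_PFSENSE]     # block first: clients lose DNS entirely
```

With the block rule first, `shadowed_rules` reports the pass rule as unreachable, which is exactly the symptom of a client that associates fine but cannot resolve anything.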