We have around 19 locations and we use pfSense at all of them. We recently finished a network project putting UniFi switching/APs in place and it's been working really well. I am however having a little bit of a problem with setting up wifi and guest networks with pfSense and UniFi. At our main office location it is set up just fine and working how it's intended; at some of our other locations or satellite sites, when setting up the guest network, I set it up similar to how our main location is set up, except our main location is using a 7100 and the satellite sites are using 3100s. I think I might be doing something wrong when it comes to interface assignments and switches, but I can't figure it out. Following Tom's video on YouTube to set up VLANs/UniFi, I have a wiki page as a step by step for setting it up.
- VLAN Setup
- IEEE 802.1Q (Dot1q) is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. The standard defines VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames.
- If you define a VLAN in pfSense but don't define it in Ubiquiti switches it won't throw it "away", it just doesn't know what to do with it.
- The default settings for UniFi are "all". The switch ports are set to "all" by default; between two or more UniFi switches you want them set to "all".
- Same goes for the access points: as you define an SSID they have the option to view the VLAN IDs.
- Defining VLANs in pfSense: choose the proper parent interface ("IGB2" for example) and give the VLAN a description. Interfaces > Assignments > attach the VLANs to the proper interface.
- You don't actually have to set the default IP address; UniFi doesn't care if we aren't using UniFi routing.
- VLAN Only > VLAN ID (the VLAN ID can be the 3rd octet of the IP and has to be the same as the one in pfSense).
- VLANs in pfSense and UniFi have to match.
- Wifi: create a wifi network and then select a VLAN you want it to be on.
- Go to the switch, select the port you want to set the VLAN on, click the drop-down for port profiles and set the port to whichever VLAN you want it on.
- Using VLANs to create switch networks.
- Defining VLANs in UniFi only. Doing this allows the switches to run a native network with no other VLAN traffic going through it. You don't necessarily need it all tied to a singular interface as there can be bandwidth issues.
- The VLAN is tied to the router's physical interface and not the software VLAN within pfSense.
- To create VLANs in pfSense:
- Interfaces > Assignments > VLANs > +Add > use the 3rd octet to identify the VLAN tag.
- Once the VLAN is created, add it to interface assignments (VLAN name LAGG0). Since the Netgate ports are link-aggregated together, use the LAGG ports for the VLAN. Enable the interface, describe the VLAN > static IP > set the IP scheme.
- Interfaces > Switch > VLANs > Edit. Add the VLAN tag and description and then tag all the members (however many ports are physically on the switch). This is important as it allows all switch ports to be trunk ports, since they are all linked together logically within the router.
- Once done, head to Services > DHCP Server > Guest Network.
- Check Enable DHCP Server on Guest Network interface > enter a random range of .50 / .250. DNS > can be Google/Cloudflare, whatever you decide. Click Save at the bottom and then Apply Changes at the top when it refreshes.
- Firewall > Network > Add Rule > Action: Pass > Interface is the assignment you enabled earlier > IPv4 family > TCP/UDP protocol > Source: select the network (VLAN) you created (GUESTNETWOR net) > Destination: Single host or alias pfB_NAmerica_v4. Click Save at the bottom.
- This should complete the pfSense firewall VLAN side.
- UniFi
- Settings > Networks > Create New Network > name the VLAN and select VLAN Only > the VLAN ID will be the same tag as set in pfSense; if not, Ubiquiti will not know what to do with the packets.
- Wireless Networks (if applicable) > Create New Wireless Network > name the SSID > Enable > select Security (recommended) > set password > select network (GuestNetwork VLAN20) > and click Save. This will provision the access points and the SSID should be broadcast shortly after.
- If you are not doing a wireless style network you will have to create switch port profiles for each VLAN you are using. This tells the switch ports which VLANs are allowed to go through; by default the switch port profiles are set to "all", which is a trunk port.
Thank you to anyone who knows where I'm messing up.
Thank you!
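The post's recurring point is that the VLAN tag in pfSense, the interface assignment that uses it, and the VLAN-only network in UniFi all have to line up, and that a tag present on one side but not the other is silently dropped rather than flagged. The script below is an added example (not from the post, pfSense or Ubiquiti) that cross-checks those three things offline. It parses a constructed pfSense `config.xml` excerpt (the real file has `<vlans>` and `<interfaces>` sections of this shape; the tags, addresses and descriptions here are made up) against a constructed UniFi network list (the controller's network objects carry a numeric `vlan`; the JSON here is a hand-written approximation, not a controller export). It reports VLANs that exist on only one side, VLAN interfaces that were created but never enabled under Interfaces > Assignments, and, following the post's convention, addresses whose third octet does not match the tag.

```python
"""Cross-check VLAN definitions between pfSense and UniFi.

Added example. Both inputs are constructed samples, not real site data.
"""
import json
import xml.etree.ElementTree as ET

# Constructed pfSense config.xml excerpt. VLAN 20 is fully set up;
# VLAN 30 is defined and assigned to opt2 but opt2 was never enabled.
PFSENSE_CONFIG = """<pfsense>
  <vlans>
    <vlan><if>lagg0</if><tag>20</tag><descr>GuestNetwork</descr><vlanif>lagg0.20</vlanif></vlan>
    <vlan><if>lagg0</if><tag>30</tag><descr>Staff</descr><vlanif>lagg0.30</vlanif></vlan>
  </vlans>
  <interfaces>
    <lan><enable></enable><if>lagg0</if><descr>LAN</descr><ipaddr>10.0.1.1</ipaddr></lan>
    <opt1><enable></enable><if>lagg0.20</if><descr>GUESTNETWORK</descr><ipaddr>10.0.20.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>lagg0.30</if><descr>STAFF</descr><ipaddr>10.0.30.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
</pfsense>"""

# Constructed UniFi network list. The "Staff" network was typed as 31
# instead of 30, the kind of mismatch the post warns about.
UNIFI_NETWORKS = json.dumps([
    {"name": "GuestNetwork VLAN20", "purpose": "vlan-only", "vlan": 20},
    {"name": "Staff", "purpose": "vlan-only", "vlan": 31},
])


def parse_pfsense(xml_text):
    """Return ({tag: vlan info}, {vlan interface name: assignment info})."""
    root = ET.fromstring(xml_text)
    vlans = {}
    for v in root.iterfind("./vlans/vlan"):
        tag = int(v.findtext("tag"))
        parent = v.findtext("if")
        vlans[tag] = {
            "parent": parent,
            "descr": v.findtext("descr", ""),
            # pfSense names VLAN interfaces "<parent>.<tag>" when vlanif is absent.
            "vlanif": v.findtext("vlanif") or f"{parent}.{tag}",
        }
    assignments = {}
    ifaces = root.find("interfaces")
    if ifaces is not None:
        for iface in ifaces:  # child element name is the assignment (lan, opt1, ...)
            assignments[iface.findtext("if")] = {
                "name": iface.tag,
                # An empty <enable/> element means enabled; test for presence,
                # not truthiness (an element with no children is falsy).
                "enabled": iface.find("enable") is not None,
                "ipaddr": iface.findtext("ipaddr"),
            }
    return vlans, assignments


def parse_unifi(json_text):
    """Return {vlan id: network name} for networks that carry a VLAN tag."""
    return {int(n["vlan"]): n["name"] for n in json.loads(json_text)
            if n.get("vlan") is not None}


def check_consistency(pf_xml, unifi_json):
    """Return a sorted list of {'vlan', 'issue', 'detail'} findings."""
    vlans, assignments = parse_pfsense(pf_xml)
    unifi = parse_unifi(unifi_json)
    issues = []
    for tag, v in vlans.items():
        a = assignments.get(v["vlanif"])
        if a is None:
            issues.append({"vlan": tag, "issue": "not_assigned",
                           "detail": f"{v['vlanif']} has no entry under Interfaces > Assignments"})
        elif not a["enabled"]:
            issues.append({"vlan": tag, "issue": "interface_disabled",
                           "detail": f"{a['name']} ({v['vlanif']}) is assigned but not enabled"})
        if tag not in unifi:
            issues.append({"vlan": tag, "issue": "missing_in_unifi",
                           "detail": f"VLAN {tag} ({v['descr']}) exists in pfSense but no UniFi "
                                     f"network carries it; switches/APs will not forward it"})
        if a and a["ipaddr"]:
            octets = a["ipaddr"].split(".")
            if len(octets) == 4 and octets[2] != str(tag):
                issues.append({"vlan": tag, "issue": "octet_convention",
                               "detail": f"{a['ipaddr']} third octet is not {tag}"})
    for tag, name in unifi.items():
        if tag not in vlans:
            issues.append({"vlan": tag, "issue": "missing_in_pfsense",
                           "detail": f"UniFi network '{name}' uses VLAN {tag} but pfSense "
                                     f"defines no such VLAN; clients get no gateway or DHCP"})
    return sorted(issues, key=lambda i: (i["vlan"], i["issue"]))


if __name__ == "__main__":
    for issue in check_consistency(PFSENSE_CONFIG, UNIFI_NETWORKS):
        print(f"VLAN {issue['vlan']:>4}  {issue['issue']:<20} {issue['detail']}")
```

On the constructed inputs the check reports three findings: VLAN 30 is assigned to `opt2` but never enabled, VLAN 30 has no UniFi network, and UniFi's VLAN 31 has no pfSense side. Running the same logic against a real `config.xml` backup and a network list exported from the controller is a quick way to rule out tag mismatches before looking at switch port profiles.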