Topic: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP

chrisp87
Hi,
 
We have a virtual machine running pfSense acting as a DHCP server, DNS server, firewall, etc. The modem is connected to port em0 (WAN) and the UniFi switch (US-8-150W) is connected to port em1 (LAN). Various computers and the UniFi AP (UAP-AC-PRO) are connected to the UniFi switch. The IP address of interface LAN is 10.0.0.1.
 
I've attempted to configure a VLAN in pfSense and the UniFi controller to enable a guest wireless network. I created VLAN 2 and interface OPT1 (assigned to VLAN 2) in pfSense. The IP address of interface OPT1 is 192.168.1.1 and I enabled the DHCP server on this interface. In the UniFi controller, I created a wireless network named Guest and selected "Use VLAN with VLAN ID 2".

I've looked through forums and followed tutorials, and this appears to be the correct way of setting up a Guest wireless network. However, I am unable to connect to the wireless network Guest. What is missing from this configuration?
 
Thanks.

AR15USR
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #1 on: May 14, 2017, 08:55:43 am »
Did you create a Pass rule on OPT1?

chrisp87
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #2 on: May 14, 2017, 09:46:22 am »
Thanks for the reply.

I haven't created any firewall rules for OPT1 yet. To narrow down the problem, I wanted to figure out why I'm unable to connect to the Guest wireless network before configuring the firewall.

Chrismallia
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #3 on: May 15, 2017, 01:18:24 am »
You have to create a firewall rule to pass DHCP and the internet connection, so start with creating an Any rule; without this rule you will never connect.

BlueKobold
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #4 on: May 15, 2017, 04:42:24 am »
VLAN 1 is mostly and often used by nearly all vendors as the default VLAN, and this could be used by the admin as the admin VLAN too, because all devices are inside of this so-called default VLAN; changing or using it in another direction or for other things could cause later problems that can't really be solved or plainly identified.
I would then create three more VLANs:
- for the various PCs connected to that small switch
VLAN10-computers-192.168.1.0/24 (255.255.255.0) LAN and internet connection
- for the private wireless devices secured with a FreeRADIUS server using certificates
VLAN20-private_wifi-192.168.2.0/24 LAN and internet connection
- for the external wireless devices (guests)
VLAN30-guest_wifi-192.168.3.0/24 enabled client isolation and internet connection only

Quote:
I've attempted to configure a VLAN in pfSense and the UniFi controller to enable a guest wireless network.
That could also match well and work for your case, for sure. But please consider that pfSense also offers a large number of security options that are easy to install, activate and use for the entire use case you are trying to set up:
- OpenLDAP server for the wired computers
- FreeRADIUS server for the private wireless (internal) devices
- Captive Portal with voucher system for the guest wireless (external) devices

Greetings from Germany
Frank

chrisp87
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #5 on: May 19, 2017, 12:06:37 pm »
Thanks for the replies.

There are two rules for the LAN interface by default, and I created these same rules for the OPT1 interface. However, I am unable to connect to the Guest wireless network.

NogBadTheBad
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #6 on: May 19, 2017, 01:04:07 pm »
As you're not seeing any packets that hit the allow rule, I think it's an issue with the trunk port that the AP is connected to.

Try a packet capture and have a look in Wireshark

Do you get an IP address when connected via ethernet to a switch port that's set to VLAN 2?

Also rename the OPT1 interface to Guest and block access to the local subnets when it's working :)

« Last Edit: May 19, 2017, 01:12:02 pm by NogBadTheBad »

chrisp87
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #7 on: May 19, 2017, 01:10:14 pm »
No, I'm not getting an IP address when I try to connect to the Guest wireless network. Computers are unable to connect to the wireless network (see the attached screenshot). This makes me think the issue lies in the VLAN configuration on the Ubiquiti equipment (either the switch, access point, or both).

Does anyone here have experience with VLANs and multiple SSIDs with pfSense and Ubiquiti equipment?

NogBadTheBad
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #8 on: May 19, 2017, 01:19:36 pm »
Set up a port untagged (access) in VLAN 2 and connect a PC via ethernet; if that doesn't work, check out the port the router connects to.

Nope but here's how my Linksys switch is set up :-

VLAN ID   VLAN
2         USER
3         GUEST
4         IOT
5         DMZ
6         VOICE
4093      Default

UniFi controller in GE3, AP in GE2 & router in GE1

GE1   Trunk    4093   Admit All   Enabled   2T, 3T, 4T, 5T, 6T, 4093UP
GE2   Trunk    4093   Admit All   Enabled   2T, 3T, 4T, 4093UP
GE3   Access   4093   Admit All   Enabled   4093UP

T = Tagged
U = Untagged

https://www.youtube.com/watch?v=zoK8N7uB6ho
« Last Edit: May 19, 2017, 01:34:28 pm by NogBadTheBad »

NogBadTheBad
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #9 on: May 19, 2017, 01:43:54 pm »
You can also do a tcpdump from the AP on interface eth0.X, where X is the VLAN ID:

mac-pro:~ andyk$ ssh admin@ap-1
admin@ap-1's password:


BusyBox v1.19.4 (2017-04-13 16:15:06 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

BZ.v3.7.55# ifconfig -a
ath0      Link encap:Ethernet  HWaddr 80:2A:A8:97:9D:8C 
          inet6 addr: fe80::822a:a8ff:fe97:9d8c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:213887 errors:6 dropped:6 overruns:0 frame:0
          TX packets:1348980 errors:0 dropped:3280934 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:41600604 (39.6 MiB)  TX bytes:1234013163 (1.1 GiB)

ath1      Link encap:Ethernet  HWaddr 82:2A:A8:97:9D:8C 
          inet6 addr: fe80::802a:a8ff:fe97:9d8c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:34585 errors:3 dropped:3 overruns:0 frame:0
          TX packets:51198 errors:0 dropped:57986 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38302015 (36.5 MiB)  TX bytes:70419182 (67.1 MiB)

ath2      Link encap:Ethernet  HWaddr 92:2A:A8:97:9D:8C 
          inet6 addr: fe80::902a:a8ff:fe97:9d8c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:135587 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4722276 errors:0 dropped:103 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:25571266 (24.3 MiB)  TX bytes:3736547134 (3.4 GiB)

ath3      Link encap:Ethernet  HWaddr 80:2A:A8:98:9D:8C 
          BROADCAST PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ath3.2    Link encap:Ethernet  HWaddr 80:2A:A8:98:9D:8C 
          BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ath3.3    Link encap:Ethernet  HWaddr 80:2A:A8:98:9D:8C 
          BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ath3.4    Link encap:Ethernet  HWaddr 80:2A:A8:98:9D:8C 
          BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ath4      Link encap:Ethernet  HWaddr 82:2A:A8:98:9D:8C 
          inet6 addr: fe80::802a:a8ff:fe98:9d8c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3884367 errors:3059 dropped:3059 overruns:0 frame:0
          TX packets:8445514 errors:20775 dropped:1311 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1141510972 (1.0 GiB)  TX bytes:2623914446 (2.4 GiB)

ath5      Link encap:Ethernet  HWaddr 92:2A:A8:98:9D:8C 
          inet6 addr: fe80::902a:a8ff:fe98:9d8c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:150 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109 errors:5 dropped:58062 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26326 (25.7 KiB)  TX bytes:55143 (53.8 KiB)

ath6      Link encap:Ethernet  HWaddr A2:2A:A8:98:9D:8C 
          inet6 addr: fe80::a02a:a8ff:fe98:9d8c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:1369623 errors:17 dropped:17 overruns:0 frame:0
          TX packets:2075569 errors:9959 dropped:815 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:192941660 (184.0 MiB)  TX bytes:3002466372 (2.7 GiB)

br0       Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          inet addr:172.16.1.11  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::822a:a8ff:fe96:9d8c/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:992831 errors:0 dropped:544 overruns:0 frame:0
          TX packets:505813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:93349951 (89.0 MiB)  TX bytes:280369726 (267.3 MiB)

br0.2     Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:4249931 errors:0 dropped:1108 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2957666172 (2.7 GiB)  TX bytes:0 (0.0 B)

br0.3     Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:58082 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10662123 (10.1 MiB)  TX bytes:0 (0.0 B)

br0.4     Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:4439648 errors:0 dropped:8 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3255456016 (3.0 GiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          inet6 addr: fe80::822a:a8ff:fe96:9d8c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:20503846 errors:0 dropped:24098 overruns:0 frame:0
          TX packets:6143133 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4182787280 (3.8 GiB)  TX bytes:1734278600 (1.6 GiB)
          Interrupt:4

eth0.2    Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:12819546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4097401 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14406471951 (13.4 GiB)  TX bytes:1178268853 (1.0 GiB)

eth0.3    Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:118131 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:78603267 (74.9 MiB)  TX bytes:37566793 (35.8 MiB)

eth0.4    Link encap:Ethernet  HWaddr 80:2A:A8:96:9D:8C 
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:6549050 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1505181 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6415384228 (5.9 GiB)  TX bytes:215523504 (205.5 MiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:268 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10568 (10.3 KiB)  TX bytes:10568 (10.3 KiB)

wifi0     Link encap:UNSPEC  HWaddr 80-2A-A8-97-9D-8C-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26921498 errors:1294525 dropped:0 overruns:0 frame:1294525
          TX packets:54708715 errors:203086 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:4095
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:47 Memory:b8100000-b8120000

wifi1     Link encap:UNSPEC  HWaddr 80-2A-A8-98-9D-8C-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:4095
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:40 Memory:b2000000-b2200000

BZ.v3.7.55# tcpdump -i eth0.3
tcpdump: WARNING: eth0.3: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.3, link-type EN10MB (Ethernet), capture size 65535 bytes
19:39:43.408947 IP6 fe80::208:a2ff:fe0a:9dcb > ff02::1: ICMP6, router advertisement, length 144
19:39:48.960463 IP6 fe80::208:a2ff:fe0a:9dcb > ff02::1: ICMP6, router advertisement, length 144
19:40:00.968894 IP6 fe80::208:a2ff:fe0a:9dcb > ff02::1: ICMP6, router advertisement, length 144

chrisp87
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #10 on: May 19, 2017, 04:15:46 pm »
Thank you for the details.

I added a "Network/VLAN" to port 1 (UniFi access point) and port 10 (pfSense router) in the UniFi controller. I only took screenshots of the port 1 configuration since port 10 has the same configuration. The Guest Network/VLAN now appears to be tagged on these ports. However, there is no trunk mode option in the configuration, and I am still unable to connect to the Guest wireless network. I understand that the VLAN configuration may be slightly different for Ubiquiti equipment, but does this configuration appear correct?

Derelict
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #11 on: May 19, 2017, 04:28:29 pm »
This is not ubnt support, right?

chrisp87
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #12 on: May 19, 2017, 04:34:03 pm »
I understand that this is not Ubiquiti support. I initially posted the question on https://community.ubnt.com, but it has been a week and nobody has replied to my post. VLANs, and networking in general, are similar regardless of the equipment manufacturer, and since I'm running pfSense as my router, I figured I would ask here. I've already learned a lot more and received more support on this forum than on the Ubiquiti community.

NogBadTheBad
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #13 on: May 19, 2017, 04:37:24 pm »
Think it looks right but I'm viewing this from my phone.

NogBadTheBad
Re: Guest Wireless Network with pfSense, UniFi Switch, and UniFi AP
« Reply #14 on: May 19, 2017, 04:59:52 pm »
Try on the ap :-

tcpdump -n -i eth0 -e | grep vlan

You'll see lines scrolling past with vlan numbers if the switch is tagging packets.
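An added example, not from anyone in this thread: a small Python parser for the `tcpdump -n -i eth0 -e` output suggested in Reply #14 (and the per-VLAN eth0.X captures in Reply #9) that counts 802.1Q-tagged frames per VLAN, spots the DHCP request/reply pair, and maps the result to the next thing to check (switch port tagging, router port, or the OPT1 pass rule). The sample capture is constructed; only the AP's eth0 MAC and the router's link-local address are taken from the posts above.

```python
import re
from collections import defaultdict

# Header layout of a tagged frame in `tcpdump -n -e` output:
#   ... ethertype 802.1Q (0x8100), length N: vlan <id>, p <prio>, ethertype <proto> (0x....), <payload>
TAGGED = re.compile(
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vid>\d+), p \d+, "
    r"ethertype (?P<proto>\S+)(?: \(0x[0-9a-f]+\))?, (?P<payload>.*)$"
)
# DHCP client->server (udp 68 -> 67) and server->client (67 -> 68) as tcpdump prints them
DHCP_REQUEST = re.compile(r"\.68 > \S+\.67: BOOTP/DHCP, Request")
DHCP_REPLY = re.compile(r"\.67 > \S+\.68: BOOTP/DHCP, Reply")

def parse_line(line):
    """Return (vlan_id, kind) for an 802.1Q-tagged line, None if untagged."""
    m = TAGGED.search(line)
    if not m:
        return None
    payload = m.group("payload")
    kind = ("dhcp_request" if DHCP_REQUEST.search(payload)
            else "dhcp_reply" if DHCP_REPLY.search(payload) else "other")
    return int(m.group("vid")), kind

def summarize(capture_text):
    """Count tagged frames per VLAN ID and per kind; untagged lines are skipped."""
    counts = defaultdict(lambda: {"dhcp_request": 0, "dhcp_reply": 0, "other": 0})
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            vid, kind = parsed
            counts[vid][kind] += 1
    return dict(counts)

def diagnose(counts, guest_vid):
    """Turn the per-VLAN counts into the next thing to check for the guest VLAN."""
    seen = counts.get(guest_vid)
    if not seen:
        return "no frames tagged VLAN %d: the switch port facing the AP is not tagging it" % guest_vid
    if seen["dhcp_reply"]:
        return "DHCP completes on VLAN %d: tagging works end to end" % guest_vid
    if seen["dhcp_request"]:
        return "DHCP requests leave on VLAN %d but nothing comes back: check the router-facing port and the OPT1 pass rule" % guest_vid
    return "VLAN %d is tagged but no DHCP seen: associate a client and capture again" % guest_vid

# Constructed sample of what `tcpdump -n -i eth0 -e` could show on the AP uplink;
# the AP MAC is the eth0 address from the ifconfig output above, everything else is made up.
SAMPLE = """\
19:41:02.118823 80:2a:a8:96:9d:8c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 80:2a:a8:96:9d:8c, length 300
19:41:02.120511 00:08:a2:0a:9d:cb > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4 (0x0800), 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
19:41:03.000001 00:08:a2:0a:9d:cb > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 194: vlan 3, p 0, ethertype IPv6 (0x86dd), fe80::208:a2ff:fe0a:9dcb > ff02::1: ICMP6, router advertisement, length 144
19:41:04.500000 80:2a:a8:96:9d:8c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.1.1 tell 172.16.1.11, length 46
"""
```

Run it against a real capture with `diagnose(summarize(open("capture.txt").read()), 2)`; an empty result for VLAN 2 while other VLAN IDs show up is the classic sign that the AP-facing switch port is not carrying the guest VLAN tagged.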