
Topic: Managed switch: Unifi Controller & pfSense GUI & Switch GUI only interface?


Offline V3lcr0

  • Full Member
  • Posts: 228
  • Karma: +11/-0
I am trying to simplify and secure the administration of my Unifi AP Pro Controller, my switch admin access (Dlink DGS1100-05) and my pfSense GUI. My wish list would be that all of this is via the same Ethernet connection only. I would not want any internet access on this admin interface.

Is this possible? Is this a secure setup?

Wan-> pfSense ->Managed Switch-> Unifi AP ->Client

Switch:
Port 1 - Eth1,2,4 Untagged
66 VLAN - Eth1&2 Tagged
44 VLAN - Eth1&2 Tagged
55 VLAN - Eth1&2 Tagged
Port 5 - Switch admin only

pfSense with 4 Ethernet ports
WAN, switch trunk, a random IoT device (not VLAN capable nor wireless) and an admin interface for pfSense

Unifi AP
Currently 3 VLANs with SSID
No Controller access :(

I have my VLANs working through my switch and Unifi AP but have 2 outstanding questions:

1) How do I create/organize and manage my admin GUIs without plugging in/out my Ethernet or changing wireless networks?
2) I have a wired device that has its own interface and I would like it to be a part of VLAN 66... is this possible with a managed switch now?

I am working towards further securing my network with the Radius server package that comes with pfSense.

Any help or pointers would be surely appreciated... 

Offline NogBadTheBad

  • Sr. Member
  • Posts: 502
  • Karma: +45/-0
It's just a matter of placing the devices in the correct VLAN and applying firewall rules to suit what's required on the pfSense interface.

I have the following subnets / VLANs:

Name    IPv4 gateway    IPv6 gateway            VLAN ID / notes
LAN     172.16.1.1      2a02:xxxx:xxxx:1::1     Untagged, used for LAN MGT devices ONLY
USER    172.16.2.1      2a02:xxxx:xxxx:2::1     2
GUEST   172.16.3.1      2a02:xxxx:xxxx:3::1     3
IOT     172.16.4.1      2a02:xxxx:xxxx:4::1     4
DMZ     172.16.5.1      2a02:xxxx:xxxx:5::1     5
VOICE   172.16.6.1      2a02:xxxx:xxxx:6::1     6

Attached is a diagram of my home network and a screenshot of switch-1 (UP = untagged, T = tagged).

My Hue bridge doesn't support VLANs; just change the VLAN on the switch port and make it untagged if it currently isn't.
« Last Edit: January 19, 2018, 05:48:32 am by NogBadTheBad »
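The post above boils the problem down to "right VLAN, then firewall rules on the pfSense interface". The following is an added example (not code from the thread or from pfSense) that models how those per-interface rule lists behave: pfSense evaluates rules on the interface where a packet enters, first match wins, anything unmatched hits the implicit default deny, and traffic between two hosts in the same VLAN is switched at layer 2 and never reaches the firewall. The interface names, subnets, firewall addresses and rules are constructed assumptions chosen to resemble the layouts discussed in this thread (a native management network holding the firewall, switch and AP, plus tagged USER and IOT VLANs), not anyone's actual configuration. The `(self)` destination stands in for pfSense's "This Firewall" alias.

```python
"""pfSense-style per-interface rule evaluation for a management VLAN.

Added example, not code from the thread or from pfSense. It models rules
being evaluated on the interface where a packet ENTERS, first match wins
(pfSense rules are 'quick'), an implicit default deny, and the fact that
same-VLAN traffic is switched at layer 2 and never reaches the firewall.
Interface names, subnets, hosts and rules are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: the untagged (native) management network holds
# the firewall, the switch and the AP; USER and IOT are tagged VLANs.
MGMT_NET, USER_NET, IOT_NET = "172.16.1.0/24", "172.16.2.0/24", "172.16.4.0/24"
LOCAL_NETS = [MGMT_NET, USER_NET, IOT_NET]
# The firewall has an address on every VLAN and the webGUI listens on all of
# them, which is why pfSense offers a "This Firewall" destination alias.
FW_ADDRS = {"172.16.1.1", "172.16.2.1", "172.16.4.1"}
SELF = "(self)"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR, or SELF for the firewall
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""


RULES = {
    # Admin VLAN: reach the firewall GUI and DNS, ping local nets, nothing else.
    "MGMT": [
        Rule("pass", "tcp", MGMT_NET, SELF, 443, "pfSense webGUI"),
        Rule("pass", "udp", MGMT_NET, SELF, 53, "DNS resolver on pfSense"),
        Rule("pass", "icmp", MGMT_NET, "172.16.0.0/16", None, "ping local networks"),
        Rule("block", "any", MGMT_NET, "0.0.0.0/0", None, "no internet, no other VLANs"),
    ],
    # User VLAN: keep it off the management plane first, then let it out.
    "USER": [
        Rule("block", "tcp", USER_NET, SELF, 443, "no GUI via any firewall address"),
        Rule("block", "tcp", USER_NET, SELF, 22, "no SSH via any firewall address"),
        Rule("block", "any", USER_NET, MGMT_NET, None, "no management network"),
        Rule("pass", "any", USER_NET, "0.0.0.0/0", None, "internet access"),
    ],
    # IoT VLAN: the same, and it may not initiate to user devices either.
    "IOT": [
        Rule("block", "tcp", IOT_NET, SELF, 443, "no GUI via any firewall address"),
        Rule("block", "any", IOT_NET, MGMT_NET, None, "no management network"),
        Rule("block", "any", IOT_NET, USER_NET, None, "no user network"),
        Rule("pass", "any", IOT_NET, "0.0.0.0/0", None, "internet access"),
    ],
}


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _matches(rule: Rule, proto: str, src: str, dst: str, dport) -> bool:
    if rule.proto not in ("any", proto) or not _in(src, rule.src):
        return False
    if rule.dst == SELF:
        if dst not in FW_ADDRS:
            return False
    elif not _in(dst, rule.dst):
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(iface: str, proto: str, src: str, dst: str, dport=None):
    """Return (verdict, reason) for a packet entering the firewall on `iface`."""
    # Same-subnet traffic is switched, so pfSense rules never see it: the
    # admin PC reaching the switch GUI in its own VLAN is governed by L2 only.
    for net in LOCAL_NETS:
        if _in(src, net) and _in(dst, net) and dst not in FW_ADDRS:
            return "switched", "same VLAN, never reaches the firewall"
    for rule in RULES[iface]:
        if _matches(rule, proto, src, dst, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"


def shadowed(rules):
    """Indexes of rules that can never match because an earlier, broader rule
    already catches everything they would (e.g. a 'pass any' above a block)."""
    def dst_covers(a: str, b: str) -> bool:
        if a == b:
            return True
        if b == SELF:
            return a != SELF and all(_in(f, a) for f in FW_ADDRS)
        if a == SELF:
            return False
        return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))

    def covers(a: Rule, b: Rule) -> bool:
        return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
                and dst_covers(a.dst, b.dst)
                and a.proto in ("any", b.proto)
                and a.dport in (None, b.dport))

    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]
```

Two caveats the model makes visible: a user-VLAN host reaching `172.16.2.1:443` (its own gateway) is only blocked because the rule targets the firewall itself rather than the management subnet, and swapping the "pass any" above the blocks makes `shadowed()` report the blocks as dead rules. Not modelled: pfSense floating rules (evaluated before interface rules) and the anti-lockout rule, which on the LAN interface already permits the LAN subnet to the webGUI and SSH ports; in the setup in this thread the management network is that untagged LAN interface, so the anti-lockout rule applies to it.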

Offline V3lcr0

  • Full Member
  • Posts: 228
  • Karma: +11/-0
Thanks NogBadTheBad for sharing, I really appreciate the guide... I aspire to that setup.

I have VLANs 62, 72, 82 and 92 running through my Unifi AP and working.

Where I am struggling is trying to get a unified Admin (my admin interface for Unifi, switch and pfSense GUI) set up... I have to change my networks to access each one... haven't even tried to get into my Unifi AP yet!

Any suggestions? The answer lies with Tagging, Untagging and PVID I am sure...

Truly appreciate any help.

V
(Sorry for the super crappy image)

Offline NogBadTheBad

  • Sr. Member
  • Posts: 502
  • Karma: +45/-0
What port connects between the switch and the router? You need to trunk all the VLANs on this port; I don't think you've set up a port with every VLAN on it.

BTW I'm no Dlink expert.

Check out how I've set my GE1, GE2 and GE3.

The AP and Cloud Key need to be in the same untagged VLAN, and the AP needs to be on a trunk with the additional VLANs tagged.

Post a screenshot from the router from Interfaces -> Interface Assignments
« Last Edit: January 19, 2018, 01:38:41 pm by NogBadTheBad »

Offline V3lcr0

  • Full Member
  • Posts: 228
  • Karma: +11/-0
A couple of notes:

1) I managed to be able to access my pfSense GUI and switch GUI... so no going up and down stairs! However, I have to switch my Ethernet network connections on my PC. Not sure how to access the switch without a manual entry into the IPv4 settings/gateway.
2) I don't have a Unifi Cloud Key... thought I could do this with a smart switch only.

To answer your question, I am not sure either whether the trunk, tag, untag and PVID are set correctly... still trying all options. My trunk is on port #1, the Unifi AP is on port 2 and my "admin-access-to-be" (maybe) is on port 5 of the switch.

Open to suggestions...I can't believe this setup is that unique.


« Last Edit: January 20, 2018, 09:00:42 am by V3lcr0 »

Offline NogBadTheBad

  • Sr. Member
  • Posts: 502
  • Karma: +45/-0
You can install the UniFi software on a PC if you're struggling.

Once you've set up the Dlink switch you shouldn't need to touch it again.

Maybe you should be posting on the Ubiquiti and Dlink forums; your issues aren't related to pfSense.

Offline V3lcr0

  • Full Member
  • Posts: 228
  • Karma: +11/-0
Thanks again NogBad... fair push back on keeping this pfSense related.

Question on your setup: your "VLAN 4093" that you do not tag on your switches, is this an actual VLAN in pfSense? Do you even use your LAN directly (not sure that's the right term) for anything other than "carrying" your VLANs, i.e. you simply have VLANs that you manage that run within your LAN interface? Can I ask why you do that? Is this related to the term "untagged" VLANs that is sometimes used?

Offline NogBadTheBad

  • Sr. Member
  • Posts: 502
  • Karma: +45/-0
VLAN 4093 is the untagged VLAN, AKA the native VLAN, on my switches that I'm using for the management interfaces.

It's the LAN interface on my router that is the parent interface for the other VLANs.

It's not defined on my router, as packets exit the LAN interface without being tagged.
« Last Edit: January 21, 2018, 03:27:57 am by NogBadTheBad »

Offline Modesty

  • Newbie
  • Posts: 21
  • Karma: +0/-0
Hi!


What you have solved, I struggle to solve....

Do you mind taking a look at my post and maybe giving me some feedback?

https://forum.pfsense.org/index.php?topic=140788.msg778408#msg778408


Thanks
Everything can be rebuilt!

Offline V3lcr0

  • Full Member
  • Posts: 228
  • Karma: +11/-0
I am totally open to feedback from the community on whether this is set up correctly, but here is what I did:

I did manage to get my setup to work.... my Dlink switch configuration is as follows:

Ethernet 1 -> Trunk to pfSense/LAN (Later edit: eth 1 & 5 untagged and eth 2 & 3 tagged)

Ethernet 2 -> Unifi AP
VLAN10  (eth 1 & 2 tagged) - Nothing untagged
VLAN20  (eth 1 & 2 tagged) - Nothing untagged
VLAN30  (eth 1 & 2 tagged) - Nothing untagged

Ethernet 3 -
VLAN40/AppleTV(not Vlan capable) (eth1 tagged and eth 3 untagged)

Ethernet 5 -> Management Computer
VLAN 4093 (eth 2 untagged and 5 tagged; later edit: eth 1, 2, 4 & 5 untagged, 3 not a member) - I thought this would connect to a VLAN 4093 on my pfSense box that I created, but it doesn't; it gets an IP from the LAN interface on my pfSense box.

I think this is OK as it allows me to be on the same L2 as my Unifi AP. I was able to have the Unifi AP adopt my computer with this setup.

Does this look right?

(Modesty...I'll comment on your post and do what I can to help!)
« Last Edit: January 31, 2018, 09:51:22 am by V3lcr0 »
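The thread's two switch-side points are the ones the earlier reply made (the uplink must carry every VLAN, and the AP and its controller must share the untagged VLAN) and the layout the post above ends with. The following is an added example, not code from the thread, from pfSense or from the D-Link GUI, that models 802.1Q port membership so those points can be checked instead of eyeballed: a port's PVID is the VLAN an untagged frame arriving on it is assigned to, and for every VLAN a port is an untagged member, a tagged member or not a member. The switch table is constructed to resemble the final layout above (uplink on port 1, AP on port 2, a non-VLAN-aware device on port 3, admin PC on port 5, native management VLAN 4093); it is an assumption, not the author's exact configuration, and the `vlan_aware` flag, port names and the "unused" port are mine.

```python
"""Check an 802.1Q access/trunk layout like the one the post above ends with.

Added example, not code from the thread, from pfSense or from the D-Link
GUI. A port's PVID is the VLAN an untagged frame arriving on it is assigned
to; a port is then an untagged member, a tagged member or not a member of
each VLAN. The table is constructed to resemble the final layout above and
is an assumption, not the author's exact switch configuration.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                          # VLAN for untagged frames on this port
    tagged: set = field(default_factory=set)
    vlan_aware: bool = True            # False for a device that cannot read tags


SWITCH = {
    1: Port("uplink to pfSense", 4093, {10, 20, 30, 40}),
    2: Port("UniFi AP", 4093, {10, 20, 30}),
    3: Port("Apple TV", 40, set(), vlan_aware=False),
    4: Port("unused", 4093),
    5: Port("admin PC", 4093),
}
ALL_VLANS = {4093, 10, 20, 30, 40}


def members(switch, vlan):
    """Ports carrying `vlan`, and whether they send it tagged or untagged."""
    out = {}
    for num, p in switch.items():
        if p.pvid == vlan:
            out[num] = "untagged"
        elif vlan in p.tagged:
            out[num] = "tagged"
    return out


def forward(switch, ingress, tag=None):
    """Where a frame entering `ingress` (carrying 802.1Q `tag`, or untagged)
    may leave, and how. A tagged frame for a VLAN the ingress port is not a
    member of is dropped (ingress filtering assumed on), returned as None."""
    p = switch[ingress]
    if tag is None:
        vlan = p.pvid            # untagged frame -> PVID
    elif tag in p.tagged or tag == p.pvid:
        vlan = tag
    else:
        return None
    return {n: how for n, how in members(switch, vlan).items() if n != ingress}


def lint(switch, uplink, mgmt_vlan, vlans, mgmt_ports):
    """Findings a practitioner would want before trusting the layout."""
    findings = []
    up = switch[uplink]
    for v in sorted(vlans - up.tagged - {up.pvid}):
        findings.append(f"VLAN {v} is not on uplink port {uplink}; pfSense never sees it")
    for n, p in switch.items():
        if not p.vlan_aware and p.tagged:
            findings.append(f"port {n} ({p.name}) cannot read tags but has tagged VLANs")
        if p.pvid == mgmt_vlan and n not in mgmt_ports:
            findings.append(f"port {n} ({p.name}) is untagged in management VLAN {mgmt_vlan}")
    return findings
```

`forward(SWITCH, 3)` shows the answer to question 2 in the opening post: the non-VLAN-aware device sends plain frames, the PVID puts them in VLAN 40, and they leave the uplink tagged 40 for pfSense. `forward(SWITCH, 5)` shows why the admin PC can adopt the AP: both sit untagged in 4093, and that VLAN leaves the uplink untagged, which is why pfSense hands the PC an address from the parent LAN interface rather than from a VLAN 4093 interface. `lint()` flags the one thing in the constructed table a reviewer would object to: an unused port left untagged in the management VLAN, which should be moved to a dead VLAN or disabled.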