VLANs with pfsense, Unifi AP and Procurve switch, wifi clients cannot get IP from router

by lpallard, from LinuxQuestions.org (#4S2CN)
Hoping this is the right place on LQ to post this kind of question... I tried posting the very same topic on pfSense's forums, got lots of views but very few replies. Probably the folks over there are concerned with more complicated issues or pfSense-centric topics, not sure...

Basically, I am trying to use VLANs with a Unifi AP and a pfSense router, and except for the Unifi, everything works as intended. Lots of reading and research, but I managed to get most of it running smoothly. Quick summary of the entire setup:

pfSense is configured with three VLANs (100, 200 & 300) which use em0 as their underlying physical interface. This interface is then connected to port 1 of a 24-port HP ProCurve managed switch on which ports 1 & 2 are set up as the TRUNK port (I am not sure why ProCurve insists on having a minimum of 2 ports per trunk...)

Then ports 3-18 are configured as VLAN100, ports 19-22 as VLAN200 and finally ports 23-24 as VLAN300. See attached config file from the switch. If I connect a device to any port of VLAN100, it gets an IP in the VLAN100 subnet from pfSense, all works. Same for the other VLANs. The Unifi AP is connected to port 14 (VLAN100) and therefore gets an IP from pfSense in the VLAN100 subnet, and the Unifi controller software sees it without issues.

On the Unifi, I have configured two SSIDs (SEG for trusted devices, and DMZ for guests) (see attached screenshot). I want devices connecting to the SEG SSID to be connected to VLAN200 and get an IP from pfSense as such, and untrusted devices to connect to DMZ and also get an IP under VLAN300 from pfSense.

I then created two networks in Unifi, one as SEG with same subnet as in pfsense, and another as DMZ similarly configured. I added their respective VLANs (see attached screenshot).

The issue is that wifi clients see the SSIDs but can't get an IP from pfSense. I believe this is because the Unifi AP tags the packets right at the AP so they reach the switch already tagged, and the AP being connected to a VLAN port, the traffic gets tagged once more (if that's possible...)

Following this logic, I tried connecting the AP to the switch ports 3 or 4 which are NOT attached to any VLANs (just VLAN1 for management purposes). No success.

Then I tried connecting the AP to port 2 which belongs to the TRUNK port, same result as above.

What do I do?

Really looking for positive replies, I am using wifi at home to telecommute for work...

Thanks!
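The "tagged once more" hypothesis in the post is something you can check rather than guess at: a capture on pfSense's em0 will show exactly what VLAN headers a wifi client's DHCP frame carries when it arrives. The parser below is an added example, not code from the post or from pfSense, Unifi or HP; it walks stacked 802.1Q tags in a raw Ethernet frame and reports whether a frame is untagged, singly tagged (what you want to see for the SEG SSID: a single VID 200) or double-tagged (what you would see if the switch re-tagged an already tagged frame). The MAC addresses and payload bytes are constructed placeholders.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q VLAN tag
TPID_8021AD = 0x88A8  # 802.1ad (QinQ) service tag, sometimes used for an outer tag
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_vlan_tags(frame: bytes):
    """Parse an Ethernet frame and peel off every stacked VLAN tag.

    Returns (dst_mac, src_mac, vids, inner_ethertype, payload), where vids
    lists the VLAN IDs outermost first. An untagged frame yields vids == [].
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset = 12
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame while reading EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break  # reached the real payload EtherType
        if offset + 2 > len(frame):
            raise ValueError("truncated frame while reading VLAN TCI")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vids, ethertype, frame[offset:]


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Build a test frame carrying the given tags (outermost first)."""
    header = dst + src
    for vid in vids:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def classify(frame: bytes) -> str:
    """Describe the tagging in terms that map onto the trunk/access-port question."""
    _, _, vids, _, _ = parse_vlan_tags(frame)
    if not vids:
        return "untagged"
    if len(vids) == 1:
        return f"tagged vlan {vids[0]}"
    inner = "/".join(str(v) for v in vids[1:])
    return f"double-tagged outer {vids[0]} inner {inner}"


# Constructed sample frames; MACs and payload are placeholders, not from the post.
CLIENT_MAC = bytes.fromhex("02aa000000c1")
BROADCAST = b"\xff" * 6
PAYLOAD = b"\x45" + b"\x00" * 19  # stand-in for an IPv4/DHCP payload

# What a SEG-SSID client's frame should look like on em0: one tag, VID 200.
SEG_FRAME = build_frame(BROADCAST, CLIENT_MAC, [200], ETHERTYPE_IPV4, PAYLOAD)
# What it would look like if an access port on VLAN100 re-tagged it.
DOUBLE_TAGGED = build_frame(BROADCAST, CLIENT_MAC, [100, 200], ETHERTYPE_IPV4, PAYLOAD)
# A plain frame, e.g. from the AP's own management traffic on an untagged port.
UNTAGGED = build_frame(BROADCAST, CLIENT_MAC, [], ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    for name, f in (("SEG SSID", SEG_FRAME), ("re-tagged", DOUBLE_TAGGED), ("plain", UNTAGGED)):
        print(f"{name:10s} -> {classify(f)}")
```

To feed it real frames, capture on the pfSense box with something like `tcpdump -e -i em0 -w cap.pcap port 67 or port 68` and hand each frame's link-layer bytes to `parse_vlan_tags`. If SEG clients' DHCP discovers show up as "untagged" or not at all, the tag is being stripped or dropped before em0; if they show up double-tagged, the AP's switch port is adding a second tag and needs to carry VLAN 200 and 300 as tagged members instead.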
Attached thumbnails: two screenshots (Unifi SSID and network configuration).
Attached files: switchvlan-1.txt (6.2 KB)