OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: Want2Lean91 on October 20, 2022, 02:52:42 am
-
I've followed the below guides to try and setup a guest network (isolated from my internal network) using OPNSense as my DHCP server (my internal network uses a window DHCP server) and my Unifi switches/APs to broadcast the guest network:
https://potatoforinter.net/345/unifi-guest-network-with-pfsense/
https://homenetworkguy.com/how-to/configure-vlans-opnsense/
The issue I'm facing is that when I join my iPhone to the guest network it never acquires an IP address. If I manually assign an IP address to my phone, disable cellular data, and try to load a website nothing happens.
Any ideas where I'm going wrong?
Let me know if there's any screenshots needed; I'd be happy to provide them.
Thanks!
-
Yeah, no one is gonna be able to help you without knowing what you did. Just because you say "I followed the guide..." doesn't mean you did it right.
Post pics.
-
Agreed with comment above, more info needed. This could be a relay issue on L3 or FW rules on the VLAN or both, unknown where/what without more info.
I have a similar setup with Unifi Switches and APs and it works perfect, just using opnsense for DHCP instead of another device.
-
I've done this many times. Feel free. to reach out to me if you need help.
-
A mistake I made waaay early on with unify is I didn't set my trunk port that goes to my firewall to "all" so that it'll trunk all your vlans. Secondly go into the live log on the firewall and filter by interface and see if maybe the traffic is getting filtered, maybe you forgot a dhcp rule?
Sent from my Pixel 6 Pro using Tapatalk
-
Yeah, no one is gonna be able to help you without knowing what you did. Just because you say "I followed the guide..." doesn't mean you did it right.
Post pics.
Sure thing, and sorry about that! What pics would you like?
Here's the FW rules for that VLAN
(https://i.imgur.com/eTKdpwW.png)
-
Agreed with comment above, more info needed. This could be a relay issue on L3 or FW rules on the VLAN or both, unknown where/what without more info.
I have a similar setup with Unifi Switches and APs and it works perfect, just using opnsense for DHCP instead of another device.
Fair response - I posed my FW rules below. If there's any other screenshots you'd like please let me know :-)
Thank you!
-
I've done this many times. Feel free. to reach out to me if you need help.
I just might.
Sorry to any and all for slow responses; I'm doing this while juggling a newborn. :-)
-
A mistake I made waaay early on with unify is I didn't set my trunk port that goes to my firewall to "all" so that it'll trunk all your vlans.
Is there a guide on how to do that?
-
Sorry all - somehow I did not have notifications turned on for replies. I've since fixed that and should be more responsive in the future.
Thanks again.
-
Enable logging for those VLAN fw rules and check the live log (filter on the vlan interface if you like) while connecting your mobile to the guest wifi network. Perhaps it will show you the issue already.
If you don't find anything obvious there, then I would run a tcpdump on the opnsense box to see if the DHCP traffic even reaches it. If not then there must be a config issue on either your switches or AP's.
In that case I would check if the switchport where the AP is connected to allows the guest VLAN to pass through
-
Agreed with comment above, more info needed. This could be a relay issue on L3 or FW rules on the VLAN or both, unknown where/what without more info.
I have a similar setup with Unifi Switches and APs and it works perfect, just using opnsense for DHCP instead of another device.
Fair response - I posed my FW rules below. If there's any other screenshots you'd like please let me know :-)
Thank you!
I forget if DNS is an automatically created rule but I don't think it is, so blocking "this firewall" will block DNS.
Add a rule to allow DNS above that rule.
Make sure your switchports are set correctly. The port connected to your router will need to be tagged with the vlan id of the guest network.
Then the port your AP is plugged into needs to be tagged with the same vlan ID also.
-
I did manually add two DNS servers to the DHCPv4 pool for the guest network
(https://i.imgur.com/XfcyJmD.jpg)
How do I check the switchports? I **think** unifi passes all VLAN information to all ports - I briefly checked this but couldn't find anywhere to set it.
I can create the DNS rule, however, wouldn't me not obtaining an IP address from the pool be a larger issue?
Thanks!
-
From what I can see it looks like the port on my switch that OPNSense is plugged in to is passing all VLAN traffic:
(https://i.imgur.com/IQRJ8OY.jpg)
-
Yes, DHCP is the issue, I was just pointing out that you still won't have internet with the rules as they were.
What about the port the AP is plugged into?
-
(https://i.imgur.com/f5Nht1t.jpg)
(https://i.imgur.com/cjWQr7f.jpg)
-
And the guest network is setup as vlan only with correct vlan id?
-
I believe so:
(https://i.imgur.com/DgCONWZ.jpg)
(https://i.imgur.com/7DnIGt9.jpg)
-
And the guest network is setup as vlan only with correct vlan id?
(https://i.imgur.com/uOH9XdB.png)
(https://i.imgur.com/qjLlNAI.jpg)
99% certain I've got the right network port chosen for the VLAN.
OPNSense is running in an Hyper-V instance with a dedicated dual NIC (one NIC for WAN and one NIC for LAN).
-
(https://i.imgur.com/Y3NsiYI.jpg)
-
Nope.
See where it says "Vlan Only" in your last pic?
You would only set the IP in ubiquiti if you're using their whole ecosystem. You aren't since opnsense is your router.
You need to set the guest network as vlan only.
-
This makes sense and I though it was weird (in one of the guides) that they said to use "Guest".
I can connect to the wireless network but I'm not getting an IP address. My ultimate goal would (eventually) be to have my Windows DHCP server act as the DHCP server for this network - would setting this up be any easier or just add an unneeded layer of complexity at this point. I'm happy to continue on with trying to get OPNSense setup as my DHCP server.
(https://i.imgur.com/5muy2Dm.jpg)
(https://i.imgur.com/fEc51YN.jpg)
-
Are you sure you enabled the dhcp server?
Honestly, I would set a port on the switch to that vlan and plug in a pc to test it, then move to the wireless.
-
What screenshot(s) would you like re: the DHCP server. I'm pretty sure I enabled it.
-
99% certain I've got the right network port chosen for the VLAN.
OPNSense is running in an Hyper-V instance with a dedicated dual NIC (one NIC for WAN and one NIC for LAN).
And there I see the problem. Are you sure that Hyper-V is supporting to set the VLAN inside of a virtual machine? I always hat issues with VLANs inside of a virtualized environment. I created them in the hypervisor to get them working. And if I remember correctly there was a thread where someone run into the maximum number of networks for OPNsense inside a Hyper-V VM because it only worked if the VLANs were created in Hyper-V.
Try to create a VLAN in Hyper-V and assign it as a interface in the OPNsense VM.
KH
-
And there I see the problem. Are you sure that Hyper-V is supporting to set the VLAN inside of a virtual machine? I always had issues with VLANs inside of a virtualized environment. I created them in the hypervisor to get them working. And if I remember correctly there was a thread where someone run into the maximum number of networks for OPNsense inside a Hyper-V VM because it only worked if the VLANs were created in Hyper-V.
Try to create a VLAN in Hyper-V and assign it as a interface in the OPNsense VM.
KH
No, I'm not sure. I know enough Hyper-V to manage things but start to get lost when it comes to VLANS/Tagging/etc. I'm not completely clueless, but I'm also no guru.
I created a 3rd NIC and added it to the Hyper-V guest running OPNSense.
(https://i.imgur.com/0Z4BdMz.jpg)
Here's my virtual switch manager (note, I can't create another switch with the teamed NICs as they're already in a virtual switch)
(https://i.imgur.com/xWrLm8k.jpg)
I realize that I'm (probably) rapidly approaching what this fourm can do to help - I'm grateful for any info/advice/etc. that anyone has to give.
Thanks!
-
Would this mean, then, that I need another physical NIC connected to it's own virtual switch and everything tagged with the VLAN?
-
Would this mean, then, that I need another physical NIC connected to it's own virtual switch and everything tagged with the VLAN?
No, you just need to set the VLAN on top of the LAN in Hyper-V. As my experience with Hyper-V is from a long time ago, I can only describe the concept, but not the steps. I believe you need to add a Hyper-V Switch on top of the LAN NIC. And then assign a Virtual NIC to the OPNsense as LAN. And also assign then the Virtual NIC with the VLAN to the same Hyper-V Switch.
Hope that helps.
KH
-
KH,
It does, but it seems like everything has to be tagged with that VLAN. If that's the case (and I understand if it is) then I need another physical NIC in the system to allocate to OPNSense.
I have 4 NICs; 1 is from the WAN to OPNSense, 1 is from OPNSense to the LAN, and 2 are in a NIC team for the other VMs on my Hyper-V instance.
I can't create a new Hyper-V switch with a VLAN tag and pull any of the above NICs as they're already in another Hyper-V switch.
At least that's what it seems.
-
All,
I never did get this working, though I suspect I would have had to add another physical NIC to the system so that all traffic on that NIC could be tagged with the VLAN ID.
Instead, I went with the Unifi Security Gateway which, sadly, means that my time with OPNSense has come to an end. Love the software and hope to use it again sometime soon - I just wish things like these were easier (overall - this isn't OPNSense's fault).
-
It works for me. There is no settings for that in GUI, experiment with powershell command (in my case):
Set-VMNetworkAdapterVlan -VMName vmname -Trunk -AllowedVlanIdList "30,40" -NativeVlanId 0
Put correct numbers for allowed and native VLANs.
-
Would this be without adding an additional physical NIC to the system?