Hey guys!
So the setup is:
Physical interfaces:
WAN: re0
LAN0: igb0
LAN1: igb1
Virtual interfaces:
Mgmt: VLAN5 assigned to igb0
WiFi: VLAN100 assigned to igb1
WiFi_IoT: VLAN110 assigned to igb1
igb0 --(trunk)---> Cisco switch --(VLAN5)--> Raspberry Pi with Unifi Network Controller Application
igb1 --> UniFi U6 AP
LAN0 (igb0) interface:
IP: 10.0.0.1/24
DHCP: 10.0.0.10 - 10.0.0.100
LAN1 (igb1) interface:
IP: 10.1.0.1/24
DHCP: 10.1.0.10 - 10.1.0.100
Mgmt (VLAN5) interface:
IP: 10.0.5.1/28
DHCP: 10.0.5.1 - 10.0.5.14
WiFi (VLAN100) interface:
IP 10.1.100.1/24
DHCP: 10.1.100.10 - 10.1.100.100
WiFi_IoT (VLAN110) interface:
IP: 10.1.110.1/24
DHCP: 10.1.110.10 - 10.1.110.100
With this setup - AP gets the IP from WiFi pool but cannot be adopted by Network Controlled App. If I turn off DHCP on WiFi interface - the AP gets IP from LAN1 DHCP range and it simply works.
It is a fresh OPNsense install and every single interface has a rule:
Action: PASS
Interface <the name of the interface this rule is for>
Direction: in
TCP: IPv4
Proto: any
Source <the name of the inface> net
Can someone point me at what I am doing wrong? Why the Access Point with IP of WiFi interface range cannot communicate with RPi that is in VLAN5 (mgmt)?
I think that is because Unifi APs find their controller only via broadcast or via DNS, not routed without any further ado. If you want Unifi APs adopt over routed networks, you have to set the inform url (see https://lazyadmin.nl/home-network/unifi-set-inform/). That way, you can also use network controllers anywhere in the cloud.
Other than that, you can define a DNS entry for "unifi" that points to your controller IP.
However, I do not quite understand why you segment your network in this way when your fiewall rules allow anything across them anyway.
Hey!
Thank you for your reply.
Well yeah - once I reset the AP to factory defaults (and once it gets the IP from DHCP pool) I do log into the AP and enter: set-inform http://the.ip.of.RPi:8080/infom
I've also tried to first adopt the AP when it's on LAN1 DHCP pool so it could appear on UniFi Network App, then I've enabled DHCP on WiFi interface (belongs to LAN1) and after few minutes UniFi Network App loses connectivity to AP.
I don't know where should I focus on right now to find what's the problem of it.
I've even tried to "embrace" WiFi DHCP pool. I mean:
LAN1 DHCP: 10.1.0.1/16
WiFi DHCP: 10.1.100.1/24
It seems like it's OPNsense configuration that I'm missing but... Where? :)
And last but not least. I did enable logging of FW rules. Every ICMP/TCP/UDP traffic (ping, nmap, telnet) that comes from LAN0 (behind Cisco switch) is green on FW Live View.
On one of the websites (don't ask me for the address - I viewed like a thousand of them so far) I've read that this setup:
OPNsense (LAN0) ----> Switch ----> AP
Will work and this setup:
OPNsense (LAN1) ----> AP
Will not as for some reason OPNsense would need some intermediate device to handle VLAN traffic and then trunk it into physical port cause having my setup which is:
1. Physical igb2 assigned as LAN1
2. VLAN100 assigned as WiFi with igb1 as parent iface
will simply not work.
No one explained why.
- Tried with VLAN-only-iface - unassigned (deleted) LAN1 interface to igb1 as HomeNetworkGuy suggested (https://homenetworkguy.com/how-to/create-vlan-only-interface-opnsense/)
- Tried with LAN1 mask (and DHCP pool) embracing WiFi's DHCP pool (LAN1 had 10.1.0.1/16, WiFi had 10.1.100.1/24)
- Tried to do similar to my Mgmt VLAN5 which has mask of 10.0.5.0/28 whilst my LAN0 has 10.0.0.1/22 (pool ends at 10.0.3.254 which not overlaps with VLAN5)
Still stuck with having only DHCP enabled at physical interface and disabled DHCP on WiFi VLAN or deleted WiFi assignment.
Any of the OPNsense gurus knows anything about it?
EDIT:
After experimenting once again with VLAN-only-interface solution from HomeNetworkGuy.com I had to create a dummy physical interface assignment (called OPT2) but I did not enable it. Then I've noticed that the AP connected to the igb1 (named directly WiFi this time) attempts to send DHCP packets:
https://imgur.com/a/5WcZony
Why I know that this is AP. Cause UniFi APs have 192.168.1.20 by default:
https://imgur.com/a/xhzj0nd
The problem is... That since it's a VLAN only interface and it's not enabled - I cannot assign rules on it
https://imgur.com/a/E04DnzA
EDIT2:
Enabled the OPT2 temporary. Added any-any rules to test it out. Still nothing.
And when DHCP got enabled on OPT2 - it did it again. It simply gave an IP to the AP from its own pool and VLAN100 interface that has parent igb0 (like OPT2 has) didn't even move a finger.
So after days of testing here's what I achieved and I consider this as a
mission completed! ;D.
Just to remind you all - this is what my current setup is:
(https://i.imgur.com/FwPX9Um.png)
OPNsense device:1x re0 (built in NIC that acts as my WAN iface)
4x igb{0..3} (Intel I350-T4 NIC)
Interface ID: WANAssignment: re0
IP: DHCP
Connected to: My ISP router in modem mode
Interface ID: LAN0Assignment: igb0
IP: 10.0.0.1/24
DHCP pool: 10.0.0.1 - 10.0.0.254
Connected to: Cisco switch
Interface ID: LAN1Assignment: igb1
IP: 10.1.0.1/24
DHCP pool: 10.1.0.1 - 10.1.0.254
Connected to: UniFi AP U6-LR
igb2: not assigned
igb3: not assigned
Interface ID: MgmtAssignment: VLAN01
IP: 10.0.5.1/28
DHCP pool: 10.0.5.1/28
Interface ID: WiFiAssignment: VLAN010
IP: 10.1.100.1/24
Interface ID: WiFi_IoTAssignment: VLAN011
IP: 10.1.110.1/24
VLANS:VLAN ID: MgmtParent: igb0
tag: 5
Device name: vlan01
VLAN ID: WiFiParent: igb1
tag: 100
Device name: vlan010
VLAN ID: WiFi_IoTParent: igb1
tag: 110
Device name: vlan011
For those that prefer to see screens:
(https://i.imgur.com/o2jrzKh.jpg)
UniFi config:SSID: WiFiNetwork: VLAN100_Network
SSID: WiFi_IoTNetwork: VLAN110_Network
Network: VLAN100_NetworkRouter: Third-party Gateway
VLAN ID: 100
Network: VLAN110_NetworkRouter: Third-party Gateway
VLAN ID: 110
Desired scenario:Have AP to get IP from WiFi pool (static lease 10.1.100.2/24) whilst serving two SSIDs that are tagged with separate VLAN IDs so I can separate clients based on their VLAN IDs.
Key takeaways:Understand that:
- AP is indeed connecting to LAN1 physical interface and it expects the IP from LAN1 DHCP pool as it doesn't communicate using any VLANs. It's a trunk after all. AP will need to have a static IP that is in LAN1's subnet or LAN1 will have to have DHCP enabled in order to assign one.
- Once client is connected to AP's SSID the SSID looks into UniFi Network configuration and if Network has a VLAN tagging every traffic that comes from this client connected to this particular SSID will be wrapped in a VLAN tag.
- If client traffic is wrapped in a VLAN tag then it gets IP from DHCP pool of tat VLAN interface configured on OPNsense and therefore it can be isolated/routed/NATed/whatever on OPNsense level.
And here's the result of it:
https://imgur.com/a/HgfbC7U
Quote from: seki on May 01, 2023, 04:21:53 PM
Key takeaways:
Understand that:
- AP is indeed connecting to LAN1 physical interface and it expects the IP from LAN1 DHCP pool as it doesn't communicate using any VLANs. It's a trunk after all. AP will need to have a static IP that is in LAN1's subnet or LAN1 will have to have DHCP enabled in order to assign one.
- Once client is connected to AP's SSID the SSID looks into UniFi Network configuration and if Network has a VLAN tagging every traffic that comes from this client connected to this particular SSID will be wrapped in a VLAN tag.
- If client traffic is wrapped in a VLAN tag then it gets IP from DHCP pool of tat VLAN interface configured on OPNsense and therefore it can be isolated/routed/NATed/whatever on OPNsense level.
Point 1 is not quite correct: Unifi APs are perfectly capable of having their management on a VLAN, there is a setting for that in the Unifi controller - I use it, so I know that to be working. It is difficult however, to set this. You first have to adopt the AP, then change the management VLAN and afterwards move the controller to that VLAN.
Thus, for most people, it is best to leave the management LAN untagged. This makes it easier to add additional APs or switches later on. However, it is more secure to have the untagged LAN unused in case someone just unplugs an AP (which has to be on a trunked port in order to support multiple separate WLANs) and is then on the management LAN. With a tagged management VLAN, he has to jump another hurdle.
Thank you for clarification, Meyergru
However like you said - it requires a trick to get it done anyway. And even if it works - it is kind of non standard solution. Not saying it's bad. It just needs some expertise in the area and time to test it out.
I'm happy though that you left a comment explaining this. Thank you once again! :)
Where i`ve got stuck in that specific solution is, what`s the purpose of the TRUNK going to Cisco ?
As I unterstand, the VLANs 110 and 100 are going to the Unify only or does the Cisco also know something about them ?
Or does the Cisco only connect the management LAN ?
Sorry, but that`s were i`ve ended for now. For any help I will be very happy.
Thank you also for the very helpful post and solution :-)
Usually, you would connect switches to your APs and routers as trunk in order to have all VLANs available on these devices. Imagine you wanted to use one of the VLANs on some ethernet ports, too.
In order to do this, you would normally have a 1:1 mapping of WiFi SSIDs to VLANs, such that the physical connection becomes irrelevant.
The network diagram above is a little special in that it shows two LAN interfaces, which could be replace by only one if the AP was connected to the switch. And in that case, you would have what I described.
Such as it is, the two LAN ports are obviously configured as one bridge device. I would avoid this for simplicity reasons.