OPNsense Forum

English Forums => 24.7, 24.10 Series => Topic started by: meelokun on August 10, 2024, 06:39:29 AM

Title: Setup Guest Network with Unifi APs
Post by: meelokun on August 10, 2024, 06:39:29 AM
I'm having trouble setting up a guest network on my OPNsense firewall, which is also running the UniFi console software. My goal is to use UniFi access points (APs) without needing any additional UniFi hardware. However, I'm struggling with VLANs, which seems to be the main issue.

The WiFi network on my main LAN is working perfectly, so the APs are functioning as expected.

Here's a quick overview of my setup:

OPNsense firewall connected to an unmanaged switch.
That switch is connected to other unmanaged switches, which then connect to three UniFi APs.
My basic understanding is that I need to configure a VLAN in OPNsense for the guest network. The APs should then pick up this VLAN and broadcast an SSID associated with it. I've followed some initial steps:

Created a VLAN (vlan01 with tag 20) and assigned it to an interface (Guest_VLAN).
Enabled DHCP on the Guest_VLAN interface.
Verified that the VLAN is properly tagged on the interface connected to my APs.
However, my clients still aren't receiving IP addresses when they connect to the guest network. I suspect this might be due to my limited understanding of VLANs, or perhaps something's missing in my configuration. Since I'm using unmanaged switches, I'm not sure if this setup is correct, and I would greatly appreciate any step-by-step guidance to get this working properly.

System Information
OPNsense 24.7.1-amd64
FreeBSD 14.1-RELEASE-p3
OpenSSL 3.0.14

CPU
Intel(R) Pentium(R) Silver N6005 @ 2.00GHz (4 cores, 4 threads)

(https://i.imgur.com/Og30nLJ.png)

(https://i.imgur.com/UWVc9mm.png)

(https://i.imgur.com/TotYw5z.png)

(https://i.imgur.com/RKx1Oum.png)

(https://i.imgur.com/zJvnFp2.png)

(https://i.imgur.com/MXcQ9x1.png)

(https://i.imgur.com/OWd7PoF.png)

Updated Diagram (8/10)
(https://i.imgur.com/RGuB1Cd.png)
Title: Re: Setup Guest Network with Unifi APs
Post by: doktornotor on August 10, 2024, 08:05:19 AM
With no idea how those MoCA adapters and unmanaged switches handle 802.1q... good luck. At minimum, I would get a bunch of these - https://store.ui.com/us/en/collections/unifi-switching-utility-mini/products/usw-flex-mini

They have limited VLAN configuration capabilities, but sufficient for the purpose.
Title: Re: Setup Guest Network with Unifi APs
Post by: Baender on August 10, 2024, 08:26:03 AM
The problem is that you cannot set up VLANs like that if you only have unmanaged switches that are not aware of VLANs. They cannot handle them. As doktornotor wrote, you need switches that can handle 802.1q.

If your OPNsense was connected to a managed switch, you would tell the switch that the switch port used is a trunk port. Put simply, you would connect the AP to a different port on the managed switch and also define this as a trunk port. The AP could then process the VLAN set in the OPNsense.

BTW, the FW rules for the guest VLAN make no sense.
Title: Re: Setup Guest Network with Unifi APs
Post by: dseven on August 10, 2024, 10:18:16 AM
That's not necessarily true. A lot of "dumb" (unmanaged) switches will pass VLAN-tagged frames just fine. You obviously can't configure some switch ports to act as "trunks" whilst others serve a specific VLAN (tagging and untagging frames as they pass through), but for a guest network like the OP describes, you don't necessarily need that.

That said, it *may* be that the 8-port switch in the OP's diagram is not passing the tagged frames. I assume that there's an error in the network diagram, and the MoCA adapter is connected to that switch, and not to the firewall directly. OR there could be something else going on.

You should be able to ssh into your UniFi APs and run something like tcpdump -nnei eth0 vlan to see if you see any tagged frames, and do the same on your opnsense box (except igc1 instead of eth0). If you see tagged frames leaving one and not arriving on the other, it's likely that the switch is eating them. You could also try filtering by MAC address (of a WiFi client).
Title: Re: Setup Guest Network with Unifi APs
Post by: jonm on August 10, 2024, 10:31:30 AM
(Deleted, talking nonsense as usual)
Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 10, 2024, 01:53:39 PM
Quote from: dseven on August 10, 2024, 10:18:16 AM
That said, it *may* be that the 8-port switch in the OP's diagram is not passing the tagged frames. I assume that there's an error in the network diagram, and the MoCA adapter is connected to that switch, and not to the firewall directly. OR there could be something else going on.

You'd be correct that my diagram is incorrect; the MoCA adapter is connected to the 8-port switch. Good catch... not sure that changes much.
Title: Re: Setup Guest Network with Unifi APs
Post by: dseven on August 10, 2024, 02:07:41 PM
Quote from: meelokun on August 10, 2024, 01:53:39 PM
You'd be correct that my diagram is incorrect; the MoCA adapter is connected to the 8-port switch. Good catch... not sure that changes much.

Well if the diagram was correct, I'd want to know how you got both the switch and the MoCA adapter connected to igc1 at the same time ;D

... but seriously, I think the important point is that the 8-port switch is the common element in the path between the firewall and all of the APs, and the MoCA stuff isn't (assuming the problem is manifesting on the "Upstairs (My Bedroom)" AP as well as the others).
Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 10, 2024, 02:22:43 PM
Quote from: dseven on August 10, 2024, 02:07:41 PM
Quote from: meelokun on August 10, 2024, 01:53:39 PM
You'd be correct that my diagram is incorrect; the MoCA adapter is connected to the 8-port switch. Good catch... not sure that changes much.

Well if the diagram was correct, I'd want to know how you got both the switch and the MoCA adapter connected to igc1 at the same time ;D

... but seriously, I think the important point is that the 8-port switch is the common element in the path between the firewall and all of the APs, and the MoCA stuff isn't (assuming the problem is manifesting on the "Upstairs (My Bedroom)" AP as well as the others).

Good idea - I could tell my UniFi Console to pass the Guest Network SSID onto the AP in my bedroom only, and then another AP, and then compare to see if the VLAN tags are terminating after the main switch.

I'll try your suggestion to SSH into the UniFi APs and use tcpdump -nnei eth0 vlan to check for tagged frames. I'll do the same on the OPNsense box (igc1) and see if there's any difference between the frames being sent and received.

If I find that the frames are being dropped by the switch, I might look into replacing it with a managed one.

Regarding MoCA adapters... According to goCoax's FAQs:
Quote
Can your MoCA devices bridge 802.1q VLAN tagged packets?
Yes, some MoCA devices can bridge 802.1q VLAN tagged packets. However, it is important to check the specifications of the specific MoCA device you are using to ensure that it supports VLAN tagging. Some MoCA devices may not support VLAN tagging, or may require specific configuration settings to enable this feature.

Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 10, 2024, 02:53:12 PM
Quote from: dseven on August 10, 2024, 10:18:16 AM
You should be able to ssh into your UniFi APs and run something like tcpdump -nnei eth0 vlan to see if you see any tagged frames, and do the same on your opnsense box (except igc1 instead of eth0). If you see tagged frames leaving one and not arriving on the other, it's likely that the switch is eating them. You could also try filtering by MAC address (of a WiFi client).

Here's the result on my firewall:

root@OPNsense:~ # tcpdump -nnei igc1 vlan
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on igc1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
0 packets captured
26878 packets received by filter
0 packets dropped by kernel


Results from the UniFi AP in my bedroom connected to the switch:

U6E-Room-BZ.6.6.73# tcpdump -nnei eth0 vlan
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
6 packets dropped by interface


The results suggest the UniFi AP isn't capturing any VLAN-tagged packets on its eth0 interface.

I'll try connecting the UniFi AP in my bedroom directly to the OPNsense firewall, bypassing the switch, to see if VLAN-tagged packets start appearing. If they do, the switch might be the issue.

Update: Confirmed, the main switch is the issue - I directly connected my bedroom's AP to the firewall, and the guest network worked immediately - got an IP and everything... Fantastic!

For anyone that's curious, my current switch is a TRENDnet TEG-S380 (Version v1.xR). Gonna try a TP-Link TL-SG108-M2, as there are reports of people not having issues with that switch and passing VLAN-tagged traffic... Will report back once I receive it.
Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 12, 2024, 07:42:59 PM
Alright, ended up with a NICGIGA Managed 8 Switch (S25-0801-M), and figured out how my ports should be tagged.

(https://i.imgur.com/1Yo3DsO.png)

Guests are able to connect and get an IP Address.

NEW PROBLEM
I'm running UniFi Network Application 8.2.93 on my OPNsense firewall and trying to use UniFi's built-in captive portal instead of OPNsense's. Clients on the guest network (VLAN 20) are getting IP addresses and correct gateway/DNS info (10.0.20.1), but they can't access the internet or see the captive portal.

VLAN 20 is properly configured on the firewall, switch, and AP. The DHCP server is working fine. I've verified that UniFi's captive portal uses ports 8880 and 8843. I'm not sure if my firewall is allowing traffic to the necessary ports. DNS is properly configured and reachable. I temporarily disabled block rules, but the issue persists.

What might I be missing?

(https://i.imgur.com/K39E9RO.png)

(https://i.imgur.com/ivlusju.png)
Title: Re: Setup Guest Network with Unifi APs
Post by: doktornotor on August 12, 2024, 08:29:36 PM
Destination needs to be the unifi controller, not "This firewall".
Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 12, 2024, 08:45:37 PM
Quote from: doktornotor on August 12, 2024, 08:29:36 PM
Destination needs to be the unifi controller, not "This firewall".

The UniFi console software is running on the firewall (via plugin, from the mimugmail repo) - there is no separate piece of hardware.
Title: Re: Setup Guest Network with Unifi APs
Post by: doktornotor on August 12, 2024, 08:50:16 PM
Well, yikes...
Title: Re: Setup Guest Network with Unifi APs
Post by: julsssark on August 12, 2024, 09:13:26 PM
Can your NAS or NUC access the WAN? I assume your NAS and NUC are on VLAN1.
Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 12, 2024, 09:15:55 PM
Quote from: julsssark on August 12, 2024, 09:13:26 PM
Can your NAS or NUC access the WAN? I assume your NAS and NUC are on VLAN1.

Yes - All other Main LAN devices (VLAN1) Wifi/Wired are functioning as expected without issue.

LAN - 10.0.1.0/24 Subnet
VLAN20 - 10.0.20.0/24 Subnet

LAN Firewall Rules
(https://i.imgur.com/6eSBD90.png)
Title: Re: Setup Guest Network with Unifi APs
Post by: julsssark on August 12, 2024, 09:24:03 PM
I am not familiar with your switch so I don't know how it handles tagged and untagged networks on the same port. Can you please try taking ports 1 and 4 off of VLAN 1 (remove them from untagged or put them as tagged on vlan1)?
Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 12, 2024, 11:09:50 PM
Quote from: julsssark on August 12, 2024, 09:24:03 PM
I am not familiar with your switch so I don't know how it handles tagged and untagged networks on the same port. Can you please try taking ports 1 and 4 off of VLAN 1 (remove them from untagged or put them as tagged on vlan1)?

When I marked ports 1 and 4 as tagged for VLAN1 and VLAN20, all devices connected to the AP on port 4 lost internet - I reverted it back to VLAN1 with all ports untagged.

Suggested Approach
Port 1 (Connected to Firewall):
VLAN 1: Should remain untagged because this is typically the default/native VLAN, and most devices expect the default VLAN to be untagged.
VLAN 20: Should be tagged so that the firewall can send out tagged traffic for the guest network.

Port 4 (Connected to AP):
VLAN 1: Should remain untagged if the AP or devices on VLAN 1 expect untagged traffic.
VLAN 20: Should be tagged so that the AP can properly segregate the traffic and route VLAN 20 traffic to the appropriate SSID or port.

When I tagged VLAN 1 on port 4, all the traffic that used to be untagged (and thus understood as part of VLAN 1) became tagged. So any devices on VLAN 1, expecting untagged traffic, could no longer correctly process the traffic. Hence they lost internet.
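To make the tagged/untagged/PVID reasoning in the post above concrete (and to show what dseven's `tcpdump ... vlan` filter keys on), here is an added model, written for this thread and not code from OPNsense, UniFi or the switch vendor. It builds constructed 802.1Q frames, parses the tag, and applies per-port membership rules to the firewall-on-port-1 / AP-on-port-4 layout; MAC addresses and payloads are made up.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vlan_id_or_None, ethertype, payload); 'tcpdump vlan' keys on the tag."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, etype, frame[18:]

class Port:
    """VLAN membership of one switch port: PVID plus untagged/tagged member sets."""
    def __init__(self, pvid, untagged=(), tagged=()):
        self.pvid, self.untagged, self.tagged = pvid, set(untagged), set(tagged)

def ingress(port, frame):
    """Classify an arriving frame: untagged frames take the PVID; non-members drop."""
    vid = parse_frame(frame)[2]
    vid = port.pvid if vid is None else vid
    return vid if vid in port.untagged | port.tagged else None

def egress(port, vid, frame):
    """Re-emit for this port: untagged members strip the tag, tagged members keep it."""
    dst, src, _, etype, payload = parse_frame(frame)
    if vid in port.untagged:
        return build_frame(dst, src, etype, payload)
    if vid in port.tagged:
        return build_frame(dst, src, etype, payload, vlan=vid)
    return None

def forward(port_in, port_out, frame):
    """Switch one frame between two ports; None means the switch dropped it."""
    vid = ingress(port_in, frame)
    return None if vid is None else egress(port_out, vid, frame)

def accepted_by_untagged_host(frame):
    """A host with no VLAN support only processes frames that carry no tag."""
    return frame is not None and parse_frame(frame)[2] is None

# Constructed sample topology: firewall on port 1, AP on port 4 (as in the thread).
FW_PORT = Port(pvid=1, untagged=[1], tagged=[20])
AP_PORT_OK = Port(pvid=1, untagged=[1], tagged=[20])   # VLAN 1 untagged, 20 tagged
AP_PORT_BAD = Port(pvid=1, tagged=[1, 20])             # VLAN 1 tagged as well
FW_TO_CLIENT = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", 0x0800, b"reply")
GUEST_FRAME = build_frame("aa:bb:cc:00:00:ff", "aa:bb:cc:00:00:20", 0x0800, b"dhcp", vlan=20)
```

With AP_PORT_OK a reply to a LAN client leaves port 4 untagged and is accepted; with AP_PORT_BAD the same reply leaves tagged with VLAN 1 and an untagged client discards it, while guest traffic keeps tag 20 toward the firewall in both cases.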
Title: Re: Setup Guest Network with Unifi APs
Post by: julsssark on August 13, 2024, 04:01:50 AM
I still suspect it is something to do with your VLAN configuration and using VLAN1/LAN interface subnet. I have a similar configuration with Unifi APs and switches but I don't use VLAN1. My wired and wireless clients all connect to VLAN10, 20, 30 etc., and nothing connects to the LAN interface's subnet except for brand new trunk devices that need to be configured. My LAN interface subnet does not have a corresponding wireless network and I have a management VLAN that I use for administration of the Unifi devices.

Have you tried looking at Firewall->Log Files->Live View and watching for traffic from a guest network device trying to access the Internet? You can set the source filter to the IP of the network device. If you don't see traffic there, it's not a firewall/rules problem.
Title: Re: Setup Guest Network with Unifi APs
Post by: julsssark on August 14, 2024, 02:53:51 PM
How did you confirm your DNS service is "reachable" on VLAN 20? Did you set a PVID on your switch for port 1 and 4 (I'm not sure how your switch handles native traffic)?
Title: Re: Setup Guest Network with Unifi APs
Post by: meelokun on August 14, 2024, 06:12:52 PM
Quote from: julsssark on August 13, 2024, 04:01:50 AM
I still suspect it is something to do with your VLAN configuration and using VLAN1/LAN interface subnet. I have a similar configuration with Unifi APs and switches but I don't use VLAN1. My wired and wireless clients all connect to VLAN10, 20, 30 etc., and nothing connects to the LAN interface's subnet except for brand new trunk devices that need to be configured. My LAN interface subnet does not have a corresponding wireless network and I have a management VLAN that I use for administration of the Unifi devices.
Interesting approach... I'll make note of your configuration approach as I work through all of this.

Quote
Have you tried looking at Firewall->Log Files->Live View and watching for traffic from a guest network device trying to access the Internet? You can set the source filter to the IP of the network device. If you don't see traffic there, it's not a firewall/rules problem.
I have not - I'll investigate soon, but I'm leaving for a trip and won't be back for some time.

Quote from: julsssark on August 14, 2024, 02:53:51 PM
How did you confirm your DNS service is "reachable" on VLAN 20? Did you set a PVID on your switch for port 1 and 4 (I'm not sure how your switch handles native traffic)?
For simplicity's sake, I disabled the captive portal option in the UniFi Console, and clients are able to connect to the guest WiFi, get an IP and connect to the internet, which makes me suspect DNS is reachable heh.

I'm told that my PVID settings are correct. Given that my Access Point (AP) on port 4 should be broadcasting SSIDs for both the primary LAN (likely untagged, VLAN 1) and the guest network (VLAN 20), PVID of 1 for Port 4 is correct if I want the untagged traffic from the AP to be associated with VLAN 1.

And since Accepted Frame Type is set to All, the switch is accepting both untagged (for the primary LAN) and tagged traffic (for VLAN 20).

(https://i.imgur.com/R1wTEWw.png)
Title: Re: Setup Guest Network with Unifi APs
Post by: julsssark on August 14, 2024, 08:00:54 PM
Thanks for the additional information. I didn't realize that everything was working correctly when you disable the captive portal in Unifi. Nice work getting it this far. It makes sense that you would not have access to the WAN from the guest network when you can't reach the captive portal. I've never used the captive portal but it would seem like a pre-authorization allowance is needed in the Unifi settings to access the OPNsense router/Unifi plugin itself. Otherwise the WAPs won't allow their clients to get an IP address/DNS/display the portal login. Assuming that works, you may want to remove the post-authorization restrictions and enforce them in the firewall (e.g., you may want to allow access to local printers or airplay/chromecast to local TVs, etc.). For example, if you want to restrict the guest VLAN to just WAN access, you can create a firewall alias that contains local subnets and then add an inverted firewall rule (i.e., allow if destination address is not your local subnet alias).

VLANs are super cool and open up a lot of possibilities. My core network VLAN uses AdGuard for DNS to block ads and WPA3 for security, my Guest VLAN uses Cloudflare DNS (shows ads) and uses WPA2 (compatible with older devices), and my IP cameras are on a VLAN with no Internet access.

This is a great guide to configuring OPNsense with VLANs (ignore the VPN steps if you don't need that): https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#access
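A worked model of the alias-plus-inverted-rule approach from the post above, together with the pre-authorization allowances it mentions. This is an added example, not OPNsense code: it uses the subnets, gateway address and UniFi portal ports (8880/8843) the thread states, but the rule order and the choice to open only DNS and the portal ports toward the firewall are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Alias "LocalNets": the subnets the thread names (LAN and guest VLAN 20).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.20.0/24")]
GUEST_GW = [ipaddress.ip_network("10.0.20.1/32")]  # guest gateway/DNS/portal host

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    proto: Optional[str] = None          # None matches any protocol
    dst_ports: frozenset = frozenset()   # empty set means any port
    dst_nets: tuple = ()                 # empty tuple means any destination
    dst_invert: bool = False             # the "not" toggle on the destination field

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule, flow):
    """Return True when every populated field of the rule matches the flow."""
    if rule.proto and rule.proto != flow.proto:
        return False
    if rule.dst_ports and flow.dport not in rule.dst_ports:
        return False
    if rule.dst_nets:
        dst = ipaddress.ip_address(flow.dst)
        in_nets = any(dst in net for net in rule.dst_nets)
        if in_nets == rule.dst_invert:   # inverted rule wants dst OUTSIDE the alias
            return False
    return True

# Rule order is an assumption; first match wins, like "quick" rules in OPNsense.
GUEST_RULES = (
    Rule("pass", "udp", frozenset({53}), tuple(GUEST_GW)),          # DNS on 10.0.20.1
    Rule("pass", "tcp", frozenset({8880, 8843}), tuple(GUEST_GW)),  # UniFi portal ports
    Rule("pass", None, frozenset(), tuple(LOCAL_NETS), dst_invert=True),  # not LocalNets
    Rule("block"),                                                  # default deny
)

def decide(rules, flow):
    """First matching rule decides; no match falls through to block."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "block"
```

Guest clients reach the internet and the portal/DNS on 10.0.20.1, while anything else local (the LAN, other guests, other services on the firewall) is blocked.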