Messages - wiggler

#1
Picked up a unifi switch today. Since I already had the guest VLAN setup for the wifi, it was pretty quick to configure. It seems like it has cleared up the guest network leak.

Thanks for everyone's help!
#2
Quote from: Patrick M. Hausen on August 30, 2025, 02:58:54 PM
Tagged and untagged is a property of a link between two devices, not your entire network. You can have e.g.

...

Thus you get the "do not mix tagged and untagged" for OPNsense - all other devices simply do not need to care.
Right, this is essentially how I have it now after reading the suggestions in this thread. My firewall has one port WAN, one for LAN (untagged), and another port as a VLAN tagged trunk, but that only consists of the guest VLAN.

Quote from: meyergru on August 30, 2025, 03:09:48 PM
Actually, that is not a strict requirement...
I'm already using the client isolation feature on the guest WLAN, but I suppose I wanted to get myself into trouble using VLANs. But also, I was thinking about the option to hardwire "guest" clients. I was doing that for a little while with my work laptop through an old router running openwrt, but decided to just connect it to the guest WLAN and simplify my office setup.
#3
The problem with splitting up the networks physically is that the access point has two SSIDs, one for the guest network and one for the main lan network, making VLAN tagging pretty much required. Unless I want to get a second access point, but then I'd be dealing with a whole set of different issues I'm sure.
#4
OK I see. I think that would work, but switch A goes out to a bunch of other rooms (with switches of their own) throughout the house, switch C being one of them. I would like them all on the same main subnet, except the guest traffic.

Are you suggesting to split the network to try to isolate the leak? In that case, would it be best to put switch C, with the access point on the separate port? Then that would have the guest subnet, and a sort of secondary lan subnet?
#5
You want me to bridge switches A and C through 2 ports on the firewall?

I've power-cycled the windows machine and when it first comes up it gets an IPv6 address from the main untagged network right away, but after a minute it will get an address for the guest network. And you are right, the rule did nothing to help.

I think I'm going to need a managed switch to keep the guest network from leaking. Since the traffic for the guest network is only between the unifi access point and firewall, it should be simple.
#6
I gave it a shot. Unfortunately it seems like one of the switches is the culprit leaking the guest network into the lan network, as my windows PC is still getting a guest net IPv6 address. Looks like I'll have to invest in a larger managed switch to replace the three unmanaged switches in my network closet.

On the bright side, I'll have something new to tinker with.

@OPNethu, I already had a rule for the guest network to block any traffic heading to the lan network, but not the other way. Could adding a rule blocking lan from reaching the guest network prevent lan devices from getting guest addresses? I'll give it a try.
#7
So the main issue is that I'm mixing my untagged main network and tagged guest on the same interface on my firewall, which is probably causing my IPv6 router advertisements to leak into the main network.

My firewall has 4 NICs, of which only 2 are in use as WAN and LAN (which includes the tagged guest network). Does that mean instead of parenting my guest network to the same NIC as the main LAN network, I could use one of the unused NICs on the firewall exclusively for the tagged guest network, and then plug it into one of the unmanaged switches and hope for the best?

I suppose it would be worth a shot, since it wouldn't cost me anything, besides one more ethernet cable. Even if I do get a managed switch this would probably be the preferable configuration since it would avoid mixing untagged and tagged networks on one interface at the firewall, correct?
#8
Of course nothing can be simple! I was poking around the unifi software and did notice there was no option to change the VLAN for the management (default) network, so I started to wonder about that.

The only guest network clients will be connected to the unifi access point, and my plan was to connect it to the unifi managed switch. Do you think I would be OK leaving the network configured as is (with an untagged lan network and vlan tagged network) and rely on the managed switch to keep the guest network contained? I assume I would have to set the access point's port for both untagged and guest vlan tagged packets.
#9
My opnsense firewall is connected to a tplink 2.5gb switch we'll call switch A. Connected to switch A is a netgear 1gb PoE switch (switch B) to which the unifi AP is connected.

My windows pc is connected to another tplink 2.5gb switch (switch C), which is also connected to switch A.

The firewall and switches A and B are in a network closet with the modem, along with a bundle of ethernet cables that go throughout the house. There are a number of other unmanaged switches connected to switch A in other rooms, but switches A, B, and C cover the relevant devices.

I'm thinking of replacing the three switches in the network closet (there is a third non-PoE 1gb switch in there as well. I know, it's a mess) with a 16 port managed switch. I was looking at the Ubiquiti USW-Pro-Max-16-PoE, which should cover my needs, and I'm already running the Unifi Network Application in a VM for the access point, but I'm certainly open to suggestions.
#10
Hello all! I'm looking for some guidance on my current home network setup. It consists of an opnsense firewall, a slew of unmanaged switches, and a unifi access point. For the most part everything works great, but I love to tinker with my setup, and that of course leads to self-inflicted issues.

Originally, my main LAN subnet was all untagged traffic, and I added a Guest VLAN for use with the unifi AP. This worked perfectly fine for months, as I originally set up my guest subnet to only use IPv4. A few weeks ago, I started actually digging into IPv6, and I learned that I could request a smaller IPv6 prefix from my ISP and assign different prefixes to each of my networks. I was able to enable IPv6 for my guests. Nice!

Recently, I was using my main windows PC and happened to check my network info and noticed, along with the IPv6 addresses from the main LAN network, it was getting an IPv6 address from my guest network as well. This is not the behavior I expected, so I began looking into the cause.

It's my understanding that the reason my windows PC was getting an IPv6 address for my guest network is that the mixing of an untagged main network and a vlan tagged guest network has allowed the guest router advertisement to leak into the main network. Not ideal!

I'm trying to find the best way to prevent this leak. Do I need to create another VLAN for the main network? If the unifi AP is still tagging the guest network, will that traffic get retagged as the main network? Do I need a managed switch for the AP so I can configure a trunk port?

Thanks in advance!
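A small defender-side check for the symptom described in these posts (a LAN host quietly picking up a SLAAC address from the guest VLAN's prefix), added here as example code that is not from the thread, OPNsense or Unifi; the two /64 prefixes and the pasted address list are constructed placeholders, not the poster's real ones.

```python
import ipaddress

# Constructed example prefixes (assumption): the main LAN and the guest VLAN
# each get their own /64 out of the prefix delegated by the ISP.
NETWORK_PREFIXES = {
    "lan": ipaddress.ip_network("2001:db8:1:10::/64"),
    "guest": ipaddress.ip_network("2001:db8:1:20::/64"),
}

# Constructed snapshot of what a LAN host might report, one address per line
# (e.g. copied from `ipconfig` on Windows or `ip -6 addr` on Linux).
SAMPLE_ADDRS = """
192.168.1.50
fe80::1c2b:3d4e:5f60:7a8b%12
2001:db8:1:10:a1b2:c3d4:e5f6:789
2001:db8:1:10:1234:5678:9abc:def0
2001:db8:1:20:9f8e:7d6c:5b4a:3928
"""


def parse_addresses(text):
    """Return the IPv6 addresses found in a pasted address list.

    IPv4 entries and unparseable lines are skipped; a Windows-style zone id
    suffix such as %12 on link-local addresses is stripped before parsing.
    """
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line.split("%")[0])
        except ValueError:
            continue
        if addr.version == 6:
            addrs.append(addr)
    return addrs


def audit_prefixes(addrs, expected_network, prefixes=NETWORK_PREFIXES):
    """Return (address, network_name) pairs for global addresses that fall in
    a prefix other than the one this host is supposed to be on.

    Link-local addresses are ignored; an address from the guest /64 showing
    up on a LAN host is exactly the router-advertisement leak in the thread.
    """
    leaks = []
    for addr in addrs:
        if addr.is_link_local:
            continue
        for name, net in prefixes.items():
            if addr in net and name != expected_network:
                leaks.append((addr, name))
    return leaks
```

Running `audit_prefixes(parse_addresses(SAMPLE_ADDRS), "lan")` on the constructed input flags the single guest-prefix address; an empty result after the switch or interface change is the confirmation that the RA leak is closed.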