"
As of today, I'm not completely sure, to be honest but I've read in several places that KEA DHCP is the official replacement for ISC DHCP and is actively being developed. Because of that, I figured it might be safer to move in that direction in case Dnsmasq doesn't receive certain features. My main concern is committing to Dnsmasq now and then having to migrate later once I've built up a lot more configuration. It's really just me worrying about missing out.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
General Discussion / Re: OPNsense VLANs Configuration with Unifi Flex Switch and U6 Pro AP
November 15, 2025, 03:57:46 PM #2
General Discussion / Re: OPNsense VLANs Configuration with Unifi Flex Switch and U6 Pro AP
November 15, 2025, 02:04:03 PM
Boom — I got it working!
Thanks again for taking the time to help. I really appreciate it. My OPNsense configuration only needed a few tweaks. If this helps anyone else, here are the steps I used to get Guest VLAN working in OPNsense 25.7. Then repeated for other VLANs
1.Create the VLAN
Navigate to:
Interfaces → Devices → VLAN → + Add
Result: Creates igb0_vlan100 (visible under Devices)
2: Assign the VLAN as an Interface
Navigate to:
Interfaces → Assignments
Result: A new interface appears (Guest or OPT1 — rename if needed)
3: Configure the Guest Interface
Navigate to:
Interfaces
Click on Guest (or newly created OPT interface)
Result: Interface activates with IP 172.16.100.1
4: Enable & Configure Kea DHCPv4
4.1 Global Settings
Navigate to:
Services → Kea DHCP → Kea DHCPv4 → Settings
4.2 Add Guest Subnet
Navigate to:
Services → Kea DHCP → Kea DHCPv4 → Subnets → + Add
Result: Guest VLAN devices now receive IP, gateway, and DNS correctly.
5: Configure Firewall Rules for Guest VLAN
Navigate to:
Firewall → Rules → Guest
Rule 1 — Allow DNS to Unbound (Port 53)
Action: Pass
Interface: Guest
Direction: In
Protocol: TCP/UDP
Source: Guest net
Destination: This Firewall
Destination Port: 53
Description: Guest → DNS (Unbound)
Rule 2 — Allow Internet but Block LAN
Action: Pass
Interface: Guest
Direction: In
Protocol: any
Source: Guest net
Destination: ! LAN net (invert match)
Description: Guest → Internet (block LAN)
Click Save → Apply Changes for each rule.
6: Unifi Switch Configuration (External / Managed Switch)
6.1 Create Virtual Network
Open Unifi Network Server App version 9.5.21
Navigate to:
Settings > Networks
Click create new virtual network
6.2 Create Wireless Network (SSID)
Navigate to:
Settings > WiFi
Ensure switch tagging matches OPNsense.
7: Testing
a) Connect a device to a SSID Guset_WiFi
The device should receive:
b) Verify functionality:
Thanks again for taking the time to help. I really appreciate it. My OPNsense configuration only needed a few tweaks. If this helps anyone else, here are the steps I used to get Guest VLAN working in OPNsense 25.7. Then repeated for other VLANs
1.Create the VLAN
Navigate to:
Interfaces → Devices → VLAN → + Add
- Device: (leave blank — auto-generated)
- Parent Interface: igb0
- VLAN Tag: 100
- VLAN Priority: Best Effort (0, Default)
- Description: Guest
Result: Creates igb0_vlan100 (visible under Devices)
2: Assign the VLAN as an Interface
Navigate to:
Interfaces → Assignments
- Under Assign a new interface, locate: VLAN 100 on igb0 – Guest
- Set description to: Guest-VLAN100
- Select it → click + Add
Result: A new interface appears (Guest or OPT1 — rename if needed)
3: Configure the Guest Interface
Navigate to:
Interfaces
Click on Guest (or newly created OPT interface)
- Enable: Checked
- Description: Guest-VLAN100
- IPv4 Configuration Type: Static IPv4
- IPv6 Configuration Type: None
- IPv4 Address: 172.16.100.1 /24
- MTU: (default)
Result: Interface activates with IP 172.16.100.1
4: Enable & Configure Kea DHCPv4
4.1 Global Settings
Navigate to:
Services → Kea DHCP → Kea DHCPv4 → Settings
- Enabled: Checked
- Interfaces: LAN, Guest
- Click Save → Apply Changes
4.2 Add Guest Subnet
Navigate to:
Services → Kea DHCP → Kea DHCPv4 → Subnets → + Add
- Subnet: 172.16.100.0/24
- Description: Guest
- Pool: 172.16.100.30 – 172.16.100.230
- Match Client ID: Checked
- Auto Collect Option Data: Unchecked
- Router (Gateway): 172.16.100.1
- DNS Servers: 172.16.99.1 (Unbound on OPNsense)
- Domain Name: (optional: guest.local)
Result: Guest VLAN devices now receive IP, gateway, and DNS correctly.
5: Configure Firewall Rules for Guest VLAN
Navigate to:
Firewall → Rules → Guest
Rule 1 — Allow DNS to Unbound (Port 53)
Action: Pass
Interface: Guest
Direction: In
Protocol: TCP/UDP
Source: Guest net
Destination: This Firewall
Destination Port: 53
Description: Guest → DNS (Unbound)
Rule 2 — Allow Internet but Block LAN
Action: Pass
Interface: Guest
Direction: In
Protocol: any
Source: Guest net
Destination: ! LAN net (invert match)
Description: Guest → Internet (block LAN)
Click Save → Apply Changes for each rule.
6: Unifi Switch Configuration (External / Managed Switch)
6.1 Create Virtual Network
Open Unifi Network Server App version 9.5.21
Navigate to:
Settings > Networks
Click create new virtual network
- Name: Guest
- Router: third Party Gateway
- VLAN ID: 100
- IGMP snooping: Unchecked
- DHCP Guarding: unchecked
6.2 Create Wireless Network (SSID)
Navigate to:
Settings > WiFi
- Click create new
- Name: Guest_WiFi
- Password: <enter strong password>
- Network: Guest
- Broadcating Aps: All
- Advanced: Auto
Ensure switch tagging matches OPNsense.
7: Testing
a) Connect a device to a SSID Guset_WiFi
The device should receive:
- IP: 172.16.100.x
- Gateway: 172.16.100.1
- DNS: 172.16.99.1
b) Verify functionality:
- ping 172.16.100.1 → success
- nslookup google.com → resolves via Unbound
- Internet access works
- ping 172.16.99.10 (LAN device) → blocked (correct behavior)
#3
General Discussion / Re: OPNsense VLANs Configuration with Unifi Flex Switch and U6 Pro AP
November 15, 2025, 09:45:00 AM
Thanks for taking the time to respond. I really appreciate it. Your reply gave me a lot to work with. FYI - I migrated from Dnsmaqs to KEA DHCP about a week ago using these steps:
1. Configure Kea DHCPv4
Navigate to:
Services → Kea DHCP → Kea DHCPv4
Settings tab:
Enabled: unchecked
Interfaces: LAN
Click Save
(Do not apply yet)
Subnets tab:
Click Add/Plus icon
Return to the Settings tab:
Enabled: checked
Click Save and then Apply
2. Disable Dnsmasq DHCP
Go to:
Services → Dnsmasq DNS & DHCP → General
Enabled: unchecked
Click Save, then Apply
3. Release / Renew IP Address
Ubuntu Terminal:
sudo dhclient -r
sudo dhclient
Windows PowerShell:
ipconfig /release
ipconfig /renew
4. Validate Kea DHCP in OPNsense
Go to:
Lobby → Dashboard
In the Services panel, locate Kea DHCP — it should show a play/triangle icon on the right to indicate it's running.
1. Configure Kea DHCPv4
Navigate to:
Services → Kea DHCP → Kea DHCPv4
Settings tab:
Enabled: unchecked
Interfaces: LAN
Click Save
(Do not apply yet)
Subnets tab:
Click Add/Plus icon
- Subnet: 172.16.99.0/24
- Description: LAN
- Pool: 172.16.99.30 – 172.16.99.230
- Match Client ID: checked
- Auto Collect Option Data: unchecked
- Router (Gateway): 172.16.99.1
- DNS Servers: 172.16.99.1
Return to the Settings tab:
Enabled: checked
Click Save and then Apply
2. Disable Dnsmasq DHCP
Go to:
Services → Dnsmasq DNS & DHCP → General
Enabled: unchecked
Click Save, then Apply
3. Release / Renew IP Address
Ubuntu Terminal:
sudo dhclient -r
sudo dhclient
Windows PowerShell:
ipconfig /release
ipconfig /renew
4. Validate Kea DHCP in OPNsense
Go to:
Lobby → Dashboard
In the Services panel, locate Kea DHCP — it should show a play/triangle icon on the right to indicate it's running.
#4
General Discussion / Re: OPNsense VLANs Configuration with Unifi Flex Switch and U6 Pro AP
November 15, 2025, 03:11:54 AM| Port | Anomaly | Name | Connection | Connection IP | Speed | Native VLAN |
| 1 | 0 | Port 1 | - | - | 2.5Gbe | Default |
| 2 | 0 | Port 2 | - | - | 2.5Gbe | Default |
| 3 | 0 | Port 3 | U6 pro | 172.16.99.115 | Gbe | Default |
| 4 | 0 | Port 4 | - | - | Gbe | Default |
#5
General Discussion / OPNsense VLANs Configuration with Unifi Flex Switch and U6 Pro AP
November 15, 2025, 01:01:57 AM
Hi, I'm totally new to OPNsense and just getting started. I got through the basic setup on OPNsense 25.7.7, but I'm stuck trying to get VLANs working. My setup looks like this:
Hardware:
Protectli Vault (OPNSense)
Unifi Flex Mini 2.5g
Unifi U6 pro Access Point
Physical interfaces:
WAN: Igb4
LAN: igb0
Virtual interfaces:
LAN: Assigned to igb0
Mgmt: VLAN20 assigned to igb0
IOT: VLAN50 assigned to igcb0
Guests: VLAN100 assigned to igb0
igb0 --(trunk)---> Flex Mini switch ---> UniFi U6 AP
All VLANs need access to the internet.
LAN0 (igb0) interface:
IP: 172.16.99.1/24
DHCP: 172.16.99.31 - 172.16.99.230
Mgmt (VLAN20) interface:
IP: 172.16.20.1/24
DHCP: 172.16.20.31 - 172.16.20.230
IOT (VLAN50) interface:
IP 172.16.50.1/24
DHCP: 172.16.50.30 - 172.16.50.230
Guest (VLAN100) interface:
IP 172.16.100.1/24
DHCP: 172.16.100.30 - 172.16.100.230
Currently, the switch, access point, and any device connected to the AP all receive IP addresses from the LAN DHCP range (I think). However, as soon as I assign a VLAN to a switch port or an SSID on the UniFi device, the client devices won't connect. I'm running the UniFi Network server application on Ubuntu and accessing it through a browser. Everything works correctly on a flat network, but VLANs do not. I first tried configuring a Guest network and created a test firewall rule:
Action: PASS
Interface Guest
Direction: in
TCP: IPv4
Protocol: any
Source: any
Destination: any
Switch Ports:
Port 1 - LAN
Port 2 - LAN
Port 3 - U6 Pro
Port 4 -
Port 5 - Set up PC
I saw somewhere that it's best practice to have a separate management trunk in addition to the LAN connection, but I haven't configured that yet
Can someone point me at what I am doing wrong? Can work out if its the OPNsense config or unifi.
Thanks in advance
Hardware:
Protectli Vault (OPNSense)
Unifi Flex Mini 2.5g
Unifi U6 pro Access Point
Physical interfaces:
WAN: Igb4
LAN: igb0
Virtual interfaces:
LAN: Assigned to igb0
Mgmt: VLAN20 assigned to igb0
IOT: VLAN50 assigned to igcb0
Guests: VLAN100 assigned to igb0
igb0 --(trunk)---> Flex Mini switch ---> UniFi U6 AP
All VLANs need access to the internet.
LAN0 (igb0) interface:
IP: 172.16.99.1/24
DHCP: 172.16.99.31 - 172.16.99.230
Mgmt (VLAN20) interface:
IP: 172.16.20.1/24
DHCP: 172.16.20.31 - 172.16.20.230
IOT (VLAN50) interface:
IP 172.16.50.1/24
DHCP: 172.16.50.30 - 172.16.50.230
Guest (VLAN100) interface:
IP 172.16.100.1/24
DHCP: 172.16.100.30 - 172.16.100.230
Currently, the switch, access point, and any device connected to the AP all receive IP addresses from the LAN DHCP range (I think). However, as soon as I assign a VLAN to a switch port or an SSID on the UniFi device, the client devices won't connect. I'm running the UniFi Network server application on Ubuntu and accessing it through a browser. Everything works correctly on a flat network, but VLANs do not. I first tried configuring a Guest network and created a test firewall rule:
Action: PASS
Interface Guest
Direction: in
TCP: IPv4
Protocol: any
Source: any
Destination: any
Switch Ports:
Port 1 - LAN
Port 2 - LAN
Port 3 - U6 Pro
Port 4 -
Port 5 - Set up PC
I saw somewhere that it's best practice to have a separate management trunk in addition to the LAN connection, but I haven't configured that yet
Can someone point me at what I am doing wrong? Can work out if its the OPNsense config or unifi.
Thanks in advance
Pages1
