Moving pfsense->OPNSense with Unifi VLANs

[BigSnicker]

This may be a stupid question, but for the life of me I can't figure out how to solve this in the OPNSense world.

So I had a pfsense router that used 802.11 tagged VLANs to route traffic across different SSIDs.

I've migrated this to OPNSense and have it *almost* entirely working, except that I can't seem to get the VLAN tagged traffic routed.

I have rules defined that should all all traffic to be routed everywhere, and it's working fine for untagged traffic coming from the Unifi AP.

So, for example,

Working

WAN <-> OPNSense <-> Uniifi AP (but untagged traffic)

Not working

WAN <-> OPNSense <-> Unifii AP SSID indicated with tagged VLAN

Strangely, all of the devices on VLANs are able to get correct IP addresses allocated from the VLAN subnet address range from the OPNSense DHCP server, but they even can't ping their own subnet gateway, much less get routed to the internet.

I think pfsense got around this by having a section where you had to tag traffic as "0,2t", but I don't know how to do this in OPNSense.

Any suggestions appreciated.

[marjohn56]

Using VLANs here with no problems at all. I'm using EA225 TP link WAPs but the principle is the same, the WAP tags each SSID with the VLAN ID and onto the trunk.


I suspect it might be an issue with the firewall rules as dhcp is working. Here are my orimary VLAN rules, this VLAN is  allowed to talk to the other VLANs, however they cannot talk to it but they can connect to the internet. I've expanded the auto rules so you can see them too.

[BigSnicker]

Yes, it seems like the failure should be at the Firewall rules level, but I think I've ruled that out.

As I'm doing my first ever OPNSense set-up and am just trying to get connectivity established, my Firewall rules are wide open for everyone except WAN.

Using your network example, it would be:

QPVLAN IPv4 * *
QPVLAN IPv6 * *

Basically, it's 'any to any' for all protocols.

So is there anything about VLAN tagging that prevents it from reaching layer 3 rules??

[marjohn56]

Not that I'm aware, as I said my system is working fine.


Rather odd that you cannot ping the gateway of the VLAN if you are sat on it.


Ignoring the wifi, if you connect a PC to the VLAN can that connect and if so what's coming up in ipconfig?

[BigSnicker]

Well, it was suddenly fixed after I did a lot of fiddling... if I figure out what did it, I'll report back, but I basically did the following:

1. Disabled hardware handing of VPNs
2. Opened up firewall rules to change everything from NETWORKNAME net *, to , * *
3. Replaced automatic NAT with hybrid NAT and adding manual NAT rules for all subnets to WAN

I'll eventually undo most of those and see if it breaks again.

[marjohn56]

OK, well welcome to Opnsense. Lots of us here have come from the the darkside.

[ruggerio]

i have also a opnsense, with 2 switches and 2 ap's from ubiquity. I installed my own controller. Everything works fine, even with the vlan's.

I left nat as-is (not hybrid), but copied the default rules from lan-interface to the vlans. Most important rule at the end of each vlan (depends on how paranoid you are) for me was the outgoing rule on each interface, from vlan-network to any (Blocked rules apply before).

Important is, that networks in opnsense are configured in the unifi-controller the same way.

[BigSnicker]

I think I discovered the problem.

I had "enable Static ARP" on, which I interpreted as "Sure, I'd like to also use Static ARP in the future".

But it seems that that means only static ARP, and so none of my traffic was going anywhere.

Everything going MUCH more smoothly now, and in fact I found the overall configuration process was more intuitive than pfsense. 

[marjohn56]

It is a friendlier option full stop. Jumped ship must be three years ago now and never regretted it. Opnsense has come a long way in those three years.