OPNsense and Ubiquiti VLAN connectivity issues

[ottokar]

Dear all,

I recently installed an OPNsense Firewall and I'm pretty happy with it.
However, I'm facing an issue with the VLAN configuration and my Ubiquiti Access Points and Switches.
While searching through the Internet I was able to find many potential solutions, but none of them seems to fix my issue.
The problem is that clients connected to a VLAN are not receiving an IP address from my DHCP and are therefore unable to connect to the network.
Even if I configure the clients with a static IP address the network connection is not possible.

Connections from the LAN network (through Switch or Access Point) are working fine. It seems to me that the VLAN tagging isn't working..

FW Setup:

Firewall has the following Interfaces configured:

• WAN - DHCP
• LAN - 192.168.1.1/24

The different VLANs are configured on the LAN interface of the FW.

• VLAN10 - 192.168.10.1/24
• VLAN20 - 192.168.20.1/24
• VLAN30 - 192.168.30.1/24
• VLAN40 - 192.168.40.1/24

My DHCP is configured to serve all the VLANs above with the corresponding IP addresses.
No blocked traffic visible on the FW and I also created an "allow any" rule for testing purposes without any improvement.

Cloud Key, Switch, Access Points are all in the LAN network with a static IP.

Ubiquiti Setup:

• the VLANs are configured as "VLAN only" Network
• on the Switch port for the FW <-> Switch connection the Switch Profile "All" is selected
• on the Switch port for the FW <-> Access Point connection the Switch Profile "All" is selected
• on the Switch ports where a device is connected directly, the corresponding Switch Profile for the VLAN is selected
• the WiFi networks are tagged wit hthe corresponding VLAN ID
• DHCP Snooping and DHCP Guarding is disabled on Ubiquiti

Has anyone a similar setup or did face such issues in the past? Any hints / suggestions regarding this issue?
OPNsense and all Ubiquiti devices are updated to the latest version.


Thanks a lot for your assistance!

Best regards

[marjohn56]

Not with Ubiquiti,  but I do use TPLink EA-235 and DLink managed switches. I have three VLANs, two of which are also set up in the TPLink WAPs to give me separate SSIDs. All works perfectly.


If you connect a PC to what I call the 'trunk' port that feeds your WAPs, you should be able to set the VLAN ID in the PCs adaptor settings, thus you can test that your switches are correctly configured; start by testing on the LAN output of Opnsense.


So to cut a long story short, it should be setup something like this


WAN<>Opnsense-<>.... port carrying all vlans ( trunk ) <> Switch<>...... to other switches <> (trunk in)Switch( trunk out) -> WAP

[ottokar]

Thanks a lot for your reply! Somehow it seems to be that the interface wasn't working as expected and I therefore moved all the VLANs to a new interface that was not in use before - now everything is working perfectly fine.