DHCP Not working on Unifi Switch for MGMT VLAN

Started by Prkl8r, August 19, 2025, 04:46:34 AM

August 20, 2025, 06:32:10 PM #15 Last Edit: August 20, 2025, 06:40:58 PM by meyergru
AFAIK, you cannot set a tagged VLAN 1 at all with Unifi. I did not investigate if VLAN 1 would be passed on a trunk port, but guessing from what I see, this ain't possible, either:

[attachment: screenshot]

Note the "VLAN 1" default - I doubt that you can set both untagged and tagged VLAN 1 - although some of the more recent problems with Unifi switch firmware might indicate otherwise. At least you have to set a default (V)LAN that is untagged - and also, you cannot delete the default (1) VLAN (I just renamed it from "Default" to "Untagged" to make clear what it does).

Reportedly, there are many Unifi switch models that now expose a (security) flaw: During the first seconds after turning them on, they pass traffic on all VLANs at once, that is, it seems like they strip incoming VLAN tags on all ports and pass these on as untagged on all others.

This could indicate that they aim to be able to adopt new devices on any VLAN... but this should never be done on an otherwise configured switch.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

OK, whatever 🤷‍♂️

Thanks! At work I connected a dedicated interface to VLAN 1. And at home I run Mikrotik 😉
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

August 21, 2025, 01:44:12 AM #17 Last Edit: August 21, 2025, 06:59:13 AM by OPNenthu
It sounds like you both prefer VLAN 1 for management in UniFi, so I think I'll stick with the same since it just works and gives the possibility to recover easily.

@meyergru Are you able to expand the list marked "Native VLAN / Network"?  On mine there is a possibility to select "None" there (it's at the bottom).

Once that is done, I am able to select "Default (1)" to be tagged under "Tagged VLAN Management" using the "Custom" radio button.


@Patrick I am torn on whether or not to keep a native/untagged network in OPNsense at all, as a fallback.  Presently I have LAN dedicated for this purpose on igc0, so I can just put any unmanaged switch there and get access to the 192.168.1.0/24 (example) network regardless of my UniFi network being online or not.  If I instead remove this native network and carry VLAN 1 tagged on the trunk as before, what will happen in case I connect an unmanaged switch to that?  Will VLAN 1 act as native on the "dumb" switch and still give me access to 192.168.1.0/24 and the other tags will be dropped?

EDIT: asking also a different way: is the reason why you tag VLAN 1 in order to save an interface/port or is it because untagged presents a security risk?

The reason is that mixing tagged and untagged on a single interface can lead to unpredictable results in FreeBSD like e.g. DHCP leaking. Then there's the issue of accounting. And netflow.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 19, 2025, 04:56:00 AM #19 Last Edit: December 19, 2025, 04:59:33 AM by Thorium
Sorry to revive this thread, but I just set up OPNsense and have a Unifi switch incoming.

I will make the untagged/VLAN 1 my management VLAN.

But I'm not wrapping my head around the best way to implement the links between OPNsense and Unifi switch, given the warnings out there around mixing untagged/tagged on same interface. And I'm not a networking guy so apologies.

My OPNsense is a Proxmox VM running on a device with 6 physical network interfaces:
(4) Intel I226 2.5gbe, (2) 10gb Intel X710.

I initially set up the VM with two virtual NICs:
Eth0 (physical NIC 1 - 2.5gbe) = vtnet0 = WAN
Eth4 (physical NIC 5 - 10gbe) = vtnet1 = LAN
Since I have plenty of NICs, what's the best plan for this homelab setup?

1) Ignore the mixing tagged/untagged warnings, use the "LAN" interface for the untagged mgmt VLAN and all my device VLANs as children of LAN?

Or

2) somehow use a separate NIC in OPNsense configured to only do the untagged network, and another for only the tagged VLANs?

If #2, I need some pointers on exactly how to do this since the initial OPNsense configuration is working like #1.

Thanks for your expertise.

Well, despite the warnings I use it mixed as well. But I also do not use any IDS that works with netmap.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

December 19, 2025, 07:50:55 AM #21 Last Edit: December 19, 2025, 09:30:20 AM by OPNenthu
In case you did decide to not mix and go with option 2) then the links are not complicated.  On the OPNsense side you would set up the LAN as a native network (the default) and move all the VLANs to the other parent interface (your 3rd NIC, e.g. vtnet2).

vtnet0: WAN
vtnet1: LAN   --> portX (UniFi), untagged: Native, tagged: None
vtnet2: VLANs --> portY (UniFi), untagged: None, tagged: All
On the UniFi side you dedicate one port as Native (untagged) on the "Default" network, which corresponds to your OPNsense LAN.  Disable all Tagged VLANs on it.  Then for the VLAN trunk port, it's the opposite.  Disable any Native network (set to "None") and either "Allow All" Tagged VLANs, or choose specific ones if you are splitting your VLANs across multiple ports (in that case be careful not to overlap them and of course also use separate parent interfaces in OPNsense).

If you have a limited number of switch ports it's fine to put LAN on a slower link.  It won't be doing much, unless you plan to also use it for client traffic.  In my case it's only used for network management and for server web UIs.

You have to also think about how you want to access the LAN for configuration changes.  You can expose it over a WiFi SSID (very bad).  You can give some trusted clients access to management ports on LAN via firewall policy (less bad).  You can keep 1-2 available switch ports on the native access port profile for plugging in your laptop and/or provisioning new devices (better, if you have physical security) and you can optionally secure those ports with 802.1X (best, but this is still broken in UniFi as reported by @meyergru).
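The rules in this post (no parent interface in OPNsense that mixes untagged LAN with tagged children, an access port on the switch that carries no tags, a trunk port with no native network, the switch side matching the router side, and no VLAN carried on two trunks) can be checked against a plan before any cable is moved. The following is an added example written for this thread, not code from OPNsense, UniFi or any poster; interface names such as vtnet1/vtnet2, port names portX/portY and the VLAN ids 10/20/30 are constructed for illustration. It encodes option 2 from the post above as a clean plan, option 1 as the mixed plan, and a third plan that splits VLANs across two trunk ports but overlaps one of them, which is the mistake the post warns about.

```python
"""Sanity checker for an OPNsense <-> UniFi port plan (added example).

The rules below are the ones stated in the forum post; all device names,
port names and VLAN ids in the sample plans are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class OpnParent:
    """One OPNsense parent interface (e.g. vtnet1) and what is assigned to it."""
    name: str
    native: bool                                   # True if the untagged LAN lives here
    vlans: Set[int] = field(default_factory=set)   # tagged VLAN children on this parent


@dataclass
class UnifiPort:
    """One UniFi switch port profile plus the OPNsense parent it is cabled to."""
    name: str
    parent: str
    native_vlan: Optional[int]     # None == "Native VLAN / Network: None"
    tagged: Optional[Set[int]]     # None == "Allow All", otherwise an explicit set of ids


def check_plan(parents: List[OpnParent], ports: List[UnifiPort],
               all_vlans: Set[int]) -> List[str]:
    """Return a list of rule violations; an empty list means the plan is clean."""
    problems: List[str] = []
    by_name: Dict[str, OpnParent] = {p.name: p for p in parents}

    # Rule 1: an OPNsense parent carries either the untagged LAN or tagged VLANs, not both.
    for p in parents:
        if p.native and p.vlans:
            problems.append(f"{p.name}: untagged LAN mixed with tagged VLANs {sorted(p.vlans)}")

    carried: Dict[int, str] = {}   # VLAN id -> first switch port seen carrying it
    for port in ports:
        parent = by_name.get(port.parent)
        if parent is None:
            problems.append(f"{port.name}: cabled to unknown interface {port.parent}")
            continue
        tagged = all_vlans if port.tagged is None else port.tagged

        # Rule 2: a switch port is an access port (native only) or a trunk (tagged only).
        if port.native_vlan is not None and tagged:
            problems.append(f"{port.name}: native VLAN {port.native_vlan} plus tagged {sorted(tagged)}")

        # Rule 3: the switch side must match what the router side expects on that cable.
        if (port.native_vlan is not None) != parent.native:
            problems.append(f"{port.name}: untagged setting does not match {parent.name}")
        if tagged != parent.vlans:
            problems.append(f"{port.name}: tagged {sorted(tagged)} but {parent.name} "
                            f"carries {sorted(parent.vlans)}")

        # Rule 4: a VLAN must not be carried on two trunk ports (and two parents).
        for v in sorted(tagged):
            if v in carried:
                problems.append(f"VLAN {v} carried on both {carried[v]} and {port.name}")
            else:
                carried[v] = port.name
    return problems


ALL_VLANS = {10, 20, 30}   # constructed example ids, not from the thread


def option2_plan() -> List[str]:
    """Split design from the post: LAN untagged on vtnet1, all VLANs tagged on vtnet2."""
    parents = [OpnParent("vtnet1", native=True),
               OpnParent("vtnet2", native=False, vlans=set(ALL_VLANS))]
    ports = [UnifiPort("portX", "vtnet1", native_vlan=1, tagged=set()),
             UnifiPort("portY", "vtnet2", native_vlan=None, tagged=None)]
    return check_plan(parents, ports, ALL_VLANS)


def option1_plan() -> List[str]:
    """Mixed design: untagged LAN and VLAN children on the same vtnet1 / one port."""
    parents = [OpnParent("vtnet1", native=True, vlans=set(ALL_VLANS))]
    ports = [UnifiPort("port1", "vtnet1", native_vlan=1, tagged=None)]
    return check_plan(parents, ports, ALL_VLANS)


def overlapping_plan() -> List[str]:
    """VLANs split across two trunks, but VLAN 20 is (wrongly) allowed on both."""
    parents = [OpnParent("vtnet1", native=True),
               OpnParent("vtnet2", native=False, vlans={10, 20}),
               OpnParent("vtnet3", native=False, vlans={20, 30})]
    ports = [UnifiPort("portX", "vtnet1", native_vlan=1, tagged=set()),
             UnifiPort("portY", "vtnet2", native_vlan=None, tagged={10, 20}),
             UnifiPort("portZ", "vtnet3", native_vlan=None, tagged={20, 30})]
    return check_plan(parents, ports, ALL_VLANS)


if __name__ == "__main__":
    for label, fn in (("option 2", option2_plan), ("option 1", option1_plan),
                      ("overlap", overlapping_plan)):
        print(f"{label}: {fn() or 'clean'}")
```

The checker deliberately treats "Allow All" on a trunk as the full VLAN set, so a second "Allow All" trunk fails rule 4 immediately; if you split VLANs across ports, list them explicitly on both sides so the rule 3 comparison stays meaningful.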

Thanks resident experts!
I think this thread serves as the definitive "OPNsense router with Unifi switches" need to know.

Quote from: OPNenthu on December 19, 2025, 07:50:55 AM:
you can optionally secure those ports with 802.1X (best, but this is still broken in UniFi as reported by @meyergru).

Matter-of-fact, I got a beta version these days that ought to fix the 802.1x problem. It still does not, but reintroduced the "all VLANs are visible during bootstrap" problem. But at least it seems Ubiquiti is on it.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: Thorium on December 19, 2025, 07:43:53 PM:
resident experts

There are actual experts in the thread but I'm a hobbyist still struggling to overcome the Dunning-Kruger curve ;-)  I'm still dangerous!


Quote from: meyergru on December 19, 2025, 08:45:03 PM:
But at least it seems Ubiquiti is on it.
Thanks for staying on top of them.  After almost a year I would have given up.

Another option is to make your management VLAN something other than 1. Then you can use all VLANs and have no untagged traffic. All of my WAPs and switches are in the mgmt VLAN. I have a DNS entry for unifi that points to my controller and I have firewall rules in place to allow the devices to talk to the controller (that's in a server VLAN). As discussed earlier in this thread, you would need to have a second switch to avoid a scenario where you can't adopt a replacement switch.

Today at 12:41:05 AM #26 Last Edit: Today at 01:46:54 AM by OPNenthu
Quote from: julsssark on December 19, 2025, 11:55:55 PM:
Another option is to make your management VLAN something other than 1.

Well, the Native VLAN / network is "something other than 1." :)

There is no VLAN 1 on my network.  It's not defined in OPNsense, so for all intents and purposes it doesn't exist, whatever the UniFi UI thinks about it.

(Note: I'm not using any routing functions on my switch but instead forcing inter-VLAN traffic up to OPNsense, so the enforcement happens there)

I think the only potential issue is that if something gets tagged as 1, then my switch will untag it and put it on the native router port.  But if there are no clients on VLAN 1, how might that happen?

In any case if anyone knows how to disassociate the default VLAN (1) from the Native VLAN on UniFi switches, I'd like to know.  I haven't found an option for it.  Is it necessary?

Edit: I think the more correct question is, can we change the default VLAN in UniFi to another number besides 1?  Does it even matter, if it's not used anywhere outside of the UniFi devices?