OPNSense VLAN and Unifi Switch/AP

Started by Want2Lean91, October 20, 2022, 02:52:42 AM

Previous topic - Next topic
Print
Go Down Pages1 2 3
User actions
October 20, 2022, 02:52:42 AM
I've followed the below guides to try and setup a guest network (isolated from my internal network) using OPNSense as my DHCP server (my internal network uses a window DHCP server) and my Unifi switches/APs to broadcast the guest network:

https://potatoforinter.net/345/unifi-guest-network-with-pfsense/

https://homenetworkguy.com/how-to/configure-vlans-opnsense/

The issue I'm facing is that when I join my iPhone to the guest network it never acquires an IP address. If I manually assign an IP address to my phone, disable cellular data, and try to load a website nothing happens.

Any ideas where I'm going wrong?

Let me know if there's any screenshots needed; I'd be happy to provide them.

Thanks!
October 20, 2022, 12:53:15 PM #1
Yeah, no one is gonna be able to help you without knowing what you did. Just because you say "I followed the guide..." doesn't mean you did it right.
Post pics.
October 20, 2022, 03:19:47 PM #2
Agreed with comment above, more info needed. This could be a relay issue on L3 or FW rules on the VLAN or both, unknown where/what without more info.

I have a similar setup with Unifi Switches and APs and it works perfect, just using opnsense for DHCP instead of another device.
October 20, 2022, 05:18:56 PM #3
I've done this many times. Feel free. to reach out to me if you need help.
AMD Ryzen 3 1200
GA-A320M-S2H
8GB DDR4
Intel X550-T2 10GB
32GB Industrial SSD

Shuttle SZ270R8
Intel i5-6500
8gb ram
120gb ssd
Intel x540-t2 10gb nic
October 20, 2022, 07:55:25 PM #4
A mistake I made waaay early on with unify is I didn't set my trunk port that goes to my firewall to "all" so that it'll trunk all your vlans.  Secondly go into the live log on the firewall and filter by interface and see if maybe the traffic is getting filtered, maybe you forgot a dhcp rule?

Sent from my Pixel 6 Pro using Tapatalk

October 22, 2022, 08:25:45 PM #5
Quote from: Demusman on October 20, 2022, 12:53:15 PM
Yeah, no one is gonna be able to help you without knowing what you did. Just because you say "I followed the guide..." doesn't mean you did it right.
Post pics.

Sure thing, and sorry about that! What pics would you like?

Here's the FW rules for that VLAN

October 22, 2022, 08:29:54 PM #6
Quote from: danderson on October 20, 2022, 03:19:47 PM
Agreed with comment above, more info needed. This could be a relay issue on L3 or FW rules on the VLAN or both, unknown where/what without more info.

I have a similar setup with Unifi Switches and APs and it works perfect, just using opnsense for DHCP instead of another device.

Fair response - I posed my FW rules below. If there's any other screenshots you'd like please let me know :-)

Thank you!
October 24, 2022, 03:34:01 AM #7
Quote from: va176thunderbolt on October 20, 2022, 05:18:56 PM
I've done this many times. Feel free. to reach out to me if you need help.

I just might.

Sorry to any and all for slow responses; I'm doing this while juggling a newborn. :-)
October 24, 2022, 03:34:42 AM #8
Quote from: FullyBorked on October 20, 2022, 07:55:25 PM
A mistake I made waaay early on with unify is I didn't set my trunk port that goes to my firewall to "all" so that it'll trunk all your vlans. 

Is there a guide on how to do that?
October 24, 2022, 03:42:00 AM #9
Sorry all - somehow I did not have notifications turned on for replies. I've since fixed that and should be more responsive in the future.

Thanks again.
October 24, 2022, 10:28:30 AM #10
Enable logging for those VLAN fw rules and check the live log (filter on the vlan interface if you like) while connecting your mobile to the guest wifi network. Perhaps it will show you the issue already.

If you don't find anything obvious there, then I would run a tcpdump on the opnsense box to see if the DHCP traffic even reaches it. If not then there must be a config issue on either your switches or AP's.

In that case I would check if the switchport where the AP is connected to allows the guest VLAN to pass through
October 24, 2022, 01:56:10 PM #11
Quote from: Want2Lean91 on October 22, 2022, 08:29:54 PM
Quote from: danderson on October 20, 2022, 03:19:47 PM
Agreed with comment above, more info needed. This could be a relay issue on L3 or FW rules on the VLAN or both, unknown where/what without more info.

I have a similar setup with Unifi Switches and APs and it works perfect, just using opnsense for DHCP instead of another device.

Fair response - I posed my FW rules below. If there's any other screenshots you'd like please let me know :-)

Thank you!

I forget if DNS is an automatically created rule but I don't think it is, so blocking "this firewall" will block DNS.
Add a rule to allow DNS above that rule.

Make sure your switchports are set correctly. The port connected to your router will need to be tagged with the vlan id of the guest network.
Then the port your AP is plugged into needs to be tagged with the same vlan ID also.
October 24, 2022, 04:10:43 PM #12
I did manually add two DNS servers to the DHCPv4 pool for the guest network




How do I check the switchports? I **think** unifi passes all VLAN information to all ports - I briefly checked this but couldn't find anywhere to set it.

I can create the DNS rule, however, wouldn't me not obtaining an IP address from the pool be a larger issue?

Thanks!
October 24, 2022, 04:17:08 PM #13
From what I can see it looks like the port on my switch that OPNSense is plugged in to is passing all VLAN traffic:

October 24, 2022, 04:25:04 PM #14
Yes, DHCP is the issue, I was just pointing out that you still won't have internet with the rules as they were.

What about the port the AP is plugged into?
Print
Go Up Pages1 2 3
User actions