Setup Guest Network with Unifi APs

[meelokun]

I'm having trouble setting up a guest network on my OPNsense firewall, which is also running the UniFi console software. My goal is to use UniFi access points (APs) without needing any additional UniFi hardware. However, I’m struggling with VLANs, which seems to be the main issue.

The WiFi network on my main LAN is working perfectly, so the APs are functioning as expected.

Here’s a quick overview of my setup:

OPNsense firewall connected to an unmanaged switch.
That switch is connected to other unmanaged switches, which then connect to three UniFi APs.
My basic understanding is that I need to configure a VLAN in OPNsense for the guest network. The APs should then pick up this VLAN and broadcast an SSID associated with it. I’ve followed some initial steps:

Created a VLAN (vlan01 with tag 20) and assigned it to an interface (Guest_VLAN).
Enabled DHCP on the Guest_VLAN interface.
Verified that the VLAN is properly tagged on the interface connected to my APs.
However, my clients still aren't receiving IP addresses when they connect to the guest network. I suspect this might be due to my limited understanding of VLANs, or perhaps something’s missing in my configuration. Since I’m using unmanaged switches, I’m not sure if this setup is correct, and I would greatly appreciate any step-by-step guidance to get this working properly.

System Information
OPNsense 24.7.1-amd64
FreeBSD 14.1-RELEASE-p3
OpenSSL 3.0.14

CPU
Intel(R) Pentium(R) Silver N6005 @ 2.00GHz (4 cores, 4 threads)















Updated Diagram (8/10)

[doktornotor]

With no idea how those MoCA adapters and unmanaged switches handle 802.1q... good luck. At minimum, I would get a bunch of these - https://store.ui.com/us/en/collections/unifi-switching-utility-mini/products/usw-flex-mini

They have limited VLAN configuration capabilities, but sufficient for the purpose.

[Baender]

The Problem is, that you can not setup VLANs like that, if you have only unmanaged switches, that are not aware of VLANs. They can not handle them. As doktornotor wrote, you need switches that can handle 802.1q.

If your OPNsense was connected to a managed switch, you would tell the switch that the switch port used is a trunk port. Put simply, you would connect the AP to a different port on the managed switch and also define this as a trunk port. The AP could then process the VLAN set in the OPNsense.

BTW. the FW rules for the guest VLAN make no sense.

[dseven]

That's not necessarily true. A lot of "dumb" (unmanaged) switches will pass VLAN-tagged frames just fine. You obviously can't configure some switch ports to act as "trunks" whilst others serve a specific VLAN (tagging and untagging frames as they pass through), but for a guest network like the OP describes, you don't necessarily need that.

That said, it *may* be that the 8-port switch in the OP's diagram is not passing the tagged frames. I assume that there's an error in the network diagram, and the MoCA adapter is connected to that switch, and not to the firewall directly. OR there could be something else going on.

You should be able to ssh into your UniFi APs and run something like tcpdump -nnei eth0 vlan to see if you see any tagged frames, and do the same on your opnsense box (except igc1 instead of eth0). If you see tagged frames leaving one and not arriving on the other, it's likely that the switch is eating them. You could also try filtering by MAC address (of a WiFi client).

[jonm]

(Deleted, talking nonsense as usual)

[meelokun]

That said, it *may* be that the 8-port switch in the OP's diagram is not passing the tagged frames. I assume that there's an error in the network diagram, and the MoCA adapter is connected to that switch, and not to the firewall directly. OR there could be something else going on.

You'd be correct that my diagram is incorrect the MoCA adapter is connected to the 8 port switch. Good catch.. not sure that changes much

[dseven]

You'd be correct that my diagram is incorrect the MoCA adapter is connected to the 8 port switch. Good catch.. not sure that changes much

Well if the diagram was correct, I'd want to know how you got both the switch and the MoCA adapter connected to igc1 at the same time

... but seriously, I think the important point is that the 8-port switch is the common element in the path between the fireall and all of the APs, and MoCA stuff isn't (assuming the problem is manifesting on the "Upstairs (My Bedroom)" AP as well as the others).

[meelokun]

You'd be correct that my diagram is incorrect the MoCA adapter is connected to the 8 port switch. Good catch.. not sure that changes much

Well if the diagram was correct, I'd want to know how you got both the switch and the MoCA adapter connected to igc1 at the same time

... but seriously, I think the important point is that the 8-port switch is the common element in the path between the fireall and all of the APs, and MoCA stuff isn't (assuming the problem is manifesting on the "Upstairs (My Bedroom)" AP as well as the others).

Good idea - i could tell my Unifi Console to pass the Guest Network SSID onto the AP in my bedroom only, and then another AP and then compare to see if the VLAN Tags are terminating after the main switch.

I'll try your suggestion to SSH into the UniFi APs and use tcpdump -nnei eth0 vlan to check for tagged frames. I’ll do the same on the OPNsense box (igc1) and see if there’s any difference between the frames being sent and received.

If I find that the frames are being dropped by the switch, I might look into replacing it with a managed one

Regarding to MoCA Adapters... According to goCoax's FAQs

Can your MoCA devices bridge 802.1q VLAN tagged packets?
Yes, some MoCA devices can bridge 802.1q VLAN tagged packets. However, it is important to check the specifications of the specific MoCA device you are using to ensure that it supports VLAN tagging. Some MoCA devices may not support VLAN tagging, or may require specific configuration settings to enable this feature.

[meelokun]

You should be able to ssh into your UniFi APs and run something like tcpdump -nnei eth0 vlan to see if you see any tagged frames, and do the same on your opnsense box (except igc1 instead of eth0). If you see tagged frames leaving one and not arriving on the other, it's likely that the switch is eating them. You could also try filtering by MAC address (of a WiFi client).

heres the result on my firewall

Code: [Select]

root@OPNsense:~ # tcpdump -nnei igc1 vlan
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on igc1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
0 packets captured
26878 packets received by filter
0 packets dropped by kernel
results from unifi AP in my bedroom connected to the switch

Code: [Select]

U6E-Room-BZ.6.6.73# tcpdump -nnei eth0 vlan
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
6 packets dropped by interface
The results suggest the UniFi AP isn't capturing any VLAN-tagged packets on its eth0 interface

I'll try connecting the UniFi AP in my bedroom directly to the OPNsense firewall, bypassing the switch, to see if VLAN-tagged packets start appearing. If they do, the switch might be the issue.

Update: Confirmed, the main switch is the issue - i directly connected my bedrooms AP to the Firewall, and the Guest Network worked immediately - Got an IP and everything... Fantastic

For anyone thats curious my current switch is a TRENDnet TEG-S380 (Version v1.xR). Gonna try a TP-Link TL-SG108-M2 - as there are reports of people not having issues with that switch and passing VLAN tagged traffic... Will report back once I receive it

[meelokun]

Alright ended up with a NICGIGA Managed 8 Switch (S25-0801-M), and figured out how my ports should be tagged



Guests are able to connect and get an IP Address.

NEW PROBLEM
I'm running UniFi Network Application 8.2.93 on my OPNsense firewall and trying to use UniFi's built-in captive portal instead of OPNsense's. Clients on the guest network (VLAN 20) are getting IP addresses and correct gateway/DNS info (10.0.20.1), but they can't access the internet or see the captive portal.

VLAN 20 is properly configured on the firewall, switch, and AP. The DHCP server is working fine. I've verified that UniFi’s captive portal uses ports 8880 and 8843. I'm not sure if my firewall is allowing traffic to the necessary ports. DNS is properly configured and reachable. I temporarily disabled block rules, but the issue persists.

What might I be missing?

[doktornotor]

Destination needs to be the unifi controller, not "This firewall".

[meelokun]

Destination needs to be the unifi controller, not "This firewall".

The Unifi console software is running on the firewall (via plugin - from mimugmail repo) - there is no seperate piece of hardware.

[doktornotor]

Well, yikes...

[julsssark]

Can your NAS or NUC access the WAN? I assume your NAS and NUC are on VLAN1.

[meelokun]

Can your NAS or NUC access the WAN? I assume your NAS and NUC are on VLAN1.

Yes - All other Main LAN devices (VLAN1) Wifi/Wired are functioning as expected without issue.

LAN - 10.0.1.0/24 Subnet
VLAN20 - 10.0.20.0/24 Subnet

LAN Firewall Rules