Setup Guest Network with Unifi APs

Started by meelokun, August 10, 2024, 06:39:29 AM

I am not familiar with your switch so I don't know how it handles tagged and untagged networks on the same port. Can you please try taking ports 1 and 4 off of VLAN 1 (remove them from untagged or put them as tagged on vlan1)?

Quote from: julsssark on August 12, 2024, 09:24:03 PM
I am not familiar with your switch so I don't know how it handles tagged and untagged networks on the same port. Can you please try taking ports 1 and 4 off of VLAN 1 (remove them from untagged or put them as tagged on vlan1)?

When I marked ports 1 and 4 as tagged for VLAN1 and VLAN20, all devices connected to the AP on port 4 lost internet. I reverted it back to VLAN1 with all ports untagged.

Suggested Approach
Port 1 (Connected to Firewall):
VLAN 1: Should remain untagged because this is typically the default/native VLAN, and most devices expect the default VLAN to be untagged.
VLAN 20: Should be tagged so that the firewall can send out tagged traffic for the guest network.

Port 4 (Connected to AP):
VLAN 1: Should remain untagged if the AP or devices on VLAN 1 expect untagged traffic.
VLAN 20: Should be tagged so that the AP can properly segregate the traffic and route VLAN 20 traffic to the appropriate SSID or port.

When I tagged VLAN 1 on port 4, all the traffic that used to be untagged (and thus understood as part of VLAN 1) became tagged. So any devices on VLAN 1, expecting untagged traffic, could no longer correctly process the traffic. Hence they lost internet.
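The following is an added example, not code from the thread or from Unifi/OPNsense: a minimal model of how an 802.1Q switch port applies PVID, tagged membership and untagged membership, used to show why tagging VLAN 1 on the AP port broke the untagged LAN clients while the "VLAN 1 untagged, VLAN 20 tagged" layout works. Port roles, VLAN IDs and the switch behaviour (untagged ingress classified by PVID, egress stripped only for untagged members) are assumptions for illustration.

```python
# Added example: toy 802.1Q port model (assumed behaviour, not a real switch).
from dataclasses import dataclass

@dataclass
class Port:
    pvid: int       # VLAN assigned to untagged frames arriving on this port
    members: dict   # vid -> "tagged" | "untagged": how frames LEAVE this port

def ingress(port: Port, vid):
    """Classify a frame arriving on `port`; vid=None means it was untagged."""
    if vid is None:
        return port.pvid                          # untagged -> PVID
    return vid if vid in port.members else None   # tagged frames must be members

def egress(port: Port, vid):
    """Return the VID the frame leaves with (None = untagged), or 'drop'."""
    mode = port.members.get(vid)
    if mode is None:
        return "drop"                             # port is not a member
    return None if mode == "untagged" else vid    # strip tag only if untagged member

def forward(src: Port, dst: Port, vid):
    """Frame enters on src (vid or None), is switched, and leaves on dst."""
    v = ingress(src, vid)
    return "drop" if v is None else egress(dst, v)

# Constructed layout matching the thread's working setup:
# port 1 (firewall) and port 4 (AP): VLAN 1 untagged with PVID 1, VLAN 20 tagged.
firewall = Port(pvid=1, members={1: "untagged", 20: "tagged"})
ap = Port(pvid=1, members={1: "untagged", 20: "tagged"})

# The attempt that lost internet: VLAN 1 also marked tagged on the AP port.
ap_broken = Port(pvid=1, members={1: "tagged", 20: "tagged"})

def lan_frame_to_ap(ap_port):
    """Firewall sends an untagged LAN (VLAN 1) frame toward the AP port."""
    return forward(firewall, ap_port, None)

def guest_frame_to_firewall(ap_port):
    """AP sends a guest frame tagged VLAN 20 toward the firewall port."""
    return forward(ap_port, firewall, 20)

if __name__ == "__main__":
    print("working:", lan_frame_to_ap(ap), guest_frame_to_firewall(ap))
    print("broken: ", lan_frame_to_ap(ap_broken))  # LAN frame now leaves tagged VID 1
```

With the working layout the LAN frame leaves port 4 untagged and the guest frame reaches the firewall tagged 20; with VLAN 1 tagged on port 4 the same LAN frame leaves carrying VID 1, which devices expecting untagged VLAN 1 traffic do not process.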

August 13, 2024, 04:01:50 AM #17 Last Edit: August 13, 2024, 06:24:09 PM by julsssark
I still suspect it is something to do with your VLAN configuration and using VLAN1/LAN interface subnet. I have a similar configuration with Unifi APs and switches but I don't use VLAN1. My wired and wireless clients all connect to VLAN10, 20, 30 etc., and nothing connects to the LAN interface's subnet except for brand new trunk devices that need to be configured. My LAN interface subnet does not have a corresponding wireless network and I have a management VLAN that I use for administration of the Unifi devices.

Have you tried looking at Firewall->Log Files->Live View and watching for traffic from a guest network device trying to access the Internet? You can set the source filter to the IP of the network device. If you don't see traffic there, it's not a firewall/rules problem.

August 14, 2024, 02:53:51 PM #18 Last Edit: August 14, 2024, 03:13:23 PM by julsssark
How did you confirm your DNS service is "reachable" on VLAN 20? Did you set a PVID on your switch for port 1 and 4 (I'm not sure how your switch handles native traffic)?

Quote from: julsssark on August 13, 2024, 04:01:50 AM
I still suspect it is something to do with your VLAN configuration and using VLAN1/LAN interface subnet. I have a similar configuration with Unifi APs and switches but I don't use VLAN1. My wired and wireless clients all connect to VLAN10, 20, 30 etc., and nothing connects to the LAN interface's subnet except for brand new trunk devices that need to be configured. My LAN interface subnet does not have a corresponding wireless network and I have a management VLAN that I use for administration of the Unifi devices.
Interesting approach. I'll make note of your configuration approach as I work through all of this.

Quote
Have you tried looking at Firewall->Log Files->Live View and watching for traffic from a guest network device trying to access the Internet? You can set the source filter to the IP of the network device. If you don't see traffic there, it's not a firewall/rules problem.
I have not. I'll investigate soon, but I'm leaving for a trip and won't be back for some time.

Quote from: julsssark on August 14, 2024, 02:53:51 PM
How did you confirm your DNS service is "reachable" on VLAN 20? Did you set a PVID on your switch for port 1 and 4 (I'm not sure how your switch handles native traffic)?
For simplicity's sake, I disabled the captive portal option in the Unifi Console, and clients are able to connect to the Guest Wifi, get an IP and connect to the internet, which makes me suspect DNS is reachable heh.

I'm told that my PVID settings are correct. Given that my Access Point (AP) on port 4 should be broadcasting SSIDs for both the primary LAN (likely untagged, VLAN 1) and the guest network (VLAN 20), PVID of 1 for Port 4 is correct if I want the untagged traffic from the AP to be associated with VLAN 1.

And since Accepted Frame Type is set to All, the switch is accepting both untagged (for the primary LAN) and tagged traffic (for VLAN 20).

August 14, 2024, 08:00:54 PM #20 Last Edit: August 17, 2024, 03:18:59 AM by julsssark
Thanks for the additional information. I didn't realize that everything was working correctly when you disable the captive portal in Unifi. Nice work getting it this far. It makes sense that you would not have access to the WAN from the guest network when you can't reach the captive portal. I've never used the captive portal but it would seem like a pre-authorization allowance is needed in the Unifi settings to access the OPNsense router/Unifi plugin itself. Otherwise the WAPs won't allow their clients to get an IP address/DNS/display the portal login. Assuming that works, you may want to remove the post-authorization restrictions and enforce them in the firewall (e.g., you may want to allow access to local printers or airplay/chromecast to local TVs, etc.). For example, if you want to restrict the guest VLAN to just WAN access, you can create a firewall alias that contains local subnets and then add an inverted firewall rule (i.e., allow if destination address is not your local subnet alias).

VLANs are super cool and open up a lot of possibilities. My core network VLAN uses AdGuard for DNS to block ads and WPA3 for security, my Guest VLAN uses Cloudflare DNS (shows ads) and uses WPA2 (compatible with older devices), and my IP cameras are on a VLAN with no Internet access.

This is a great guide to configuring OPNsense with VLANs (ignore the VPN steps if you don't need that): https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#access
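An added example (not from the thread, not OPNsense code) of the "local subnets alias plus inverted allow rule" idea above, as a first-match rule evaluator over constructed addresses. It goes one step beyond the post by putting an explicit allow for DHCP/DNS to the firewall's own guest-VLAN address ahead of the inverted rule, since that address sits inside the alias and would otherwise be caught by the default deny; the subnets, gateway address and ports are assumptions.

```python
# Added example: model of an OPNsense-style rule set on the guest interface.
import ipaddress

# Constructed alias of local subnets (the post's "local subnets" alias).
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("192.168.1.0/24", "192.168.20.0/24", "192.168.30.0/24")]
# Assumed OPNsense address on the guest VLAN (serves DHCP and DNS to guests).
GUEST_GATEWAY = ipaddress.ip_address("192.168.20.1")

def in_alias(addr, nets):
    """True if addr falls inside any network of the alias."""
    return any(addr in n for n in nets)

# Rules evaluated top to bottom, first match wins (pf "quick" semantics).
# Each rule is (action, predicate(dst_ip, dst_port)).
RULES = [
    # Allow DNS and DHCP to the firewall's guest-VLAN address; without this
    # the inverted rule below never matches it and the default deny applies.
    ("pass", lambda ip, port: ip == GUEST_GATEWAY and port in (53, 67)),
    # Inverted rule: pass if destination is NOT in the local-subnets alias.
    ("pass", lambda ip, port: not in_alias(ip, LOCAL_SUBNETS)),
    # Implicit default deny at the end of the rule set.
    ("block", lambda ip, port: True),
]

def decide(dst: str, port: int) -> str:
    """Return 'pass' or 'block' for a guest-VLAN packet to dst:port."""
    ip = ipaddress.ip_address(dst)
    for action, match in RULES:
        if match(ip, port):
            return action
    return "block"

if __name__ == "__main__":
    for dst, port in (("1.1.1.1", 443), ("192.168.1.10", 9100),
                      ("192.168.20.1", 53), ("192.168.20.1", 443)):
        print(f"{dst}:{port} -> {decide(dst, port)}")
```

Anything to the gateway other than DNS/DHCP (for example the web UI or a captive portal port) is still blocked by this rule set and would need its own allow rule ahead of the inverted one.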