DHCP Not working on Unifi Switch for MGMT VLAN

Started by Prkl8r, August 19, 2025, 04:46:34 AM

I had this all working for a couple weeks but moved the Unifi Network Controller and when I reset the switch to adopt it, lost everything and haven't been able to get this working in a week. Pulling what little hair I have left out!

I am trying to setup a 8 port Lite POE switch. I have a trunk port setup with 4 VLANS. A MGMT(VLAN1), TRUSTED(20), IOT(30), and GUEST(50). DHCP setup on each VLAN and tied to igc0 (port 0). I would expect that plugging port 0 into the switch would come up and give it IPs from the MGMT network (192.168.1.0/24). It will pop up on and off but when it does either is listed as being in the TRUSTED or IOT networks which doesn't make any sense. What makes even less sense is that I'd then expect that the switch would pick up an IP from the Trusted network but it doesn't do that either. I'm new to OPNsense so maybe I have some setting wrong but I did have this working before. Initially I had the MGMT network as VLAN 10, (x.x.10.0/24) but when I was trying to set this up again couldn't get the switch adopted to save my life so went with their default network to move forward.

Any help would be greatly appreciated, happy to grab any logs, screenshots. Thanks!





Quote from: Prkl8r on August 19, 2025, 04:46:34 AM
I have a trunk port setup with 4 VLANS. A MGMT(VLAN1), TRUSTED(20), IOT(30), and GUEST(50).
How have you setup the VLANs in OPNsense and UniFi (screenshots)? Is VLAN 1 also tagged or untagged (called "Native VLAN" in UniFi)?
Deciso DEC740

August 19, 2025, 10:44:38 AM #2 Last Edit: August 19, 2025, 11:59:52 PM by meyergru
I have essentially the same setup running, but you must know this:

Unifi's notion of "VLAN 1" is "untagged", which is usually on the "default" network. If you try to define a network with VLAN 1, you will get an error saying "VLAN ID must be at least 2", so you cannot create a tagged VLAN 1 on Unifi.

Also, on FreeBSD/OpnSense, best practice says that you should never use mixed tagged and untagged traffic on the same port (i.e., you can have a tagged parent interface, just normally do not use it). This is because of some network drivers having problems with certain functions in that area.

If you follow through, you would set your management network to something other than VLAN 1 and you can actually do that for Unifi under the device settings "IP settings" -> "Network Override". Be careful not to unlink your devices by making sure they can reach their controller first on that VLAN. I verified that to work, but I noted, it is tricky.

That being said, after thinking a bit about it and knowing that I want to adopt new devices from time to time, I decided to go against advice with the "mixed rule" and have my MGMT VLAN untagged (i.e. 1 in Unifi notion). That way, it is easier to (re)adopt devices than by having a reserved untagged MGMT port and connecting Unifi devices first to that port, before actually putting them on the real MGMT VLAN and connecting them to their final trunk ports. That is mainly because Unifi devices look for a controller only on "VLAN 1" in their initial state.

Maybe I am just lucky enough that my network interfaces do not exhibit the tagged/untagged problem, as they are all Intel adapters.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

August 19, 2025, 02:43:06 PM #3 Last Edit: August 19, 2025, 02:49:25 PM by Prkl8r
The MGMT network is set as Native (1), the rest are the 20, 30, and 50. https://imgur.com/a/H3YghWU

In OPNsense I have them setup with MGMT VLAN of 1, then 20, 30, 50 etc.
MGMT VLAN with DHCP setup as 192.168.1.1. and the others on their respective subnets.

https://imgur.com/a/v5JAav1

Initially, I had all of the MGMT traffic on VLAN 10 for Switch|APs|Servers but was having a nightmare getting it adopted this second go-around (I must have accidentally got it working at first or something :-)

So VLAN1 isn't really a tag of 1 but untagged? I had a LAN Interface initially that I used to setup the Unifi switch on a 192.168.5.0/24 subnet. Once everything seemed to work, I disabled that which I thought was creating my trunk. So it sounds like that's how I got it working. When I had the network controller running on my laptop, that was a bit easier to be switching IPs around as needed but now running on a PI it's more of a pain (as it's a bit of a juggling act to connect to it with the network down). I guess I'd prefer to have the MGMT network as 10, all of my NAS VMs and Servers are setup for that but it seemed like Unifi wasn't going to play nice with that approach.

Really appreciate the help!! Have been super happy with OPNsense so far, like the quality of the Unifi gear but just feels like the OG Nintendo where sometimes you just need to blow in the cartridge to get things working (even if that didn't really do anything). :-)

Side question, is all prosumer networking gear as finicky about the "controller" as Unifi? It feels like a total chicken-egg where I need to get this controller running to be able to do anything but without a network connection, I can't seem to get it setup. It stopped working on my laptop and even a couple hours with Unifi support they pretty much said to try their new early release option. It's been a frustrating journey to say the least. I would be more than happy setting this up in the CLI but could not find a guide that seemed to match the CLI shell that was on my switch, I could make changes but they didn't seem to take. Anyway, I at least am able to get to settings in the Network Controller for now (until it makes me reset everything for some random reason).


Quote from: Prkl8r on August 19, 2025, 02:43:06 PM
So VLAN1 isn't really a tag of 1 but untagged?
Yes, VLAN 1 means untagged on the ports with 'Default/Native LAN' set (about VLAN1: https://netseccloud.com/what-is-vlan-1-and-how-does-it-work). @meyergru explains it well.
Having the default VLAN 1 as untagged does make life a lot easier with UniFi. I'd move your VLAN 1 from igc0.1 to igc0.

And in the UniFi Controller, for the Network you would have to set the 'router' to 'Third-party Gateway'

Quote
is all prosumer networking gear as finicky about the "controller" as Unifi?
I haven't used any other software that uses a controller like UniFi. UniFi is unique in what I have used so far.

Quote
https://imgur.com/a/v5JAav1
Could you include the pictures directly in the post?
Deciso DEC740

I changed my MGMT VLAN in Unifi to 90 and that avoids the whole native/VLAN1 issue.

August 19, 2025, 06:05:05 PM #6 Last Edit: August 19, 2025, 06:10:14 PM by meyergru
Yes, as I wrote: at the expense of potential problems when adopting new Unifi devices.

Quote from: patient0 on August 19, 2025, 04:34:23 PM
Having the default VLAN 1 as untagged does make life a lot easier with UniFi. I'd move your VLAN 1 from igc0.1 to igc0.

To be clear: That is not an option - if you want your MGMT VLAN untagged, you have to set it as igc0 instead of igc0.1 - OpnSense actually can have a VLAN 1 and that is not how Unifi wants it (namely: untagged).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Ok. I created a new interface igc0 for MGMT. Migrated my firewall rules over and deleted my Management VLAN. The other VLANS still tied to igc0, so sounds like this isn't best practice but typically works? Otherwise I'd need to run another cable as the VLAN trunk for non-MGMT traffic? Anything else to consider for right now?

Will test with the Internet connection moved back from its temporary nighthawk workaround this weekend.  Aside from learning VLAN quirks between Unifi and OPNsense the other takeaway is don't tinker with the network during the work week.

Thanks so much and will update after I test. Again, thanks so so much!!

August 19, 2025, 10:36:30 PM #8 Last Edit: August 19, 2025, 10:46:36 PM by OPNenthu
If the switch isn't finding its controller you can try the set-inform command in SSH: https://lazyadmin.nl/home-network/unifi-set-inform/

This worked for me recently as I had locked myself out while migrating.

As for VLAN1, I was until now using a tags-only trunk in OPNsense with VLAN1 tagged on it and this was working.  Unless I'm mistaken the switch can automatically map VLAN1 tags to its default native network on VLAN ID 1, and this also keeps OPNsense happy as it doesn't see "untagged" frames on the trunk, technically.  It's not good in practice I guess because the switch blindly sends all untagged traffic to this VLAN.

Having said that I also want to stop using VLAN1 and move to a dedicated MGMT VLAN.  I *think* the best way to do this requires at least 3 total router ports.  (Maybe some setups can get away with 2 if they have WAN trunked also, in a router-on-a-stick situation.)


In this setup you need a separate, small unmanaged switch like a Netgear GS105 for bootstrapping new or factory reset network devices prior to moving them to the MGMT VLAN.  The bootstrap/provisioning network maps to "LAN" in OPNsense, on the default network, on a dedicated physical port (e.g. igc0).  After provisioning you can move the device to the MGMT VLAN and then disable (or not use) the LAN interface.  It's only needed for device bring-up.

The trick will be that you have to make the UniFi controller always available on the 192.168.1.0/24 network, maybe even multi-homed with the MGMT VLAN.  I don't like the idea of keeping sensitive things on this default "bootstrapping" network so I'm not sure how to solve this from a security standpoint. Somehow it should always be available there in case of a total disaster where the main switch needs to be reset and adopted from scratch.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 250GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 1000GB | 4x 1GbE (I210)

Been there - done that. I thought I had this prepared very carefully with all the necessary steps in order to switch all devices, Unifi controller and ports one after another to make it work - and still failed first.

The set-inform will not help you a bit, because the maximum it can do is to tell a device an IP and a port, but no VLAN. The latter is set per device from the Unifi controller.

This turned out to be the problem: I use Unifi switches, too, and you will have to fiddle with port configurations and the switch MGMT VLAN at the same time, which is not easy. Somehow, I got it working after a few hours of restoring configurations from scratch with my network not running and my wife complaining. Two days later, I rolled everything back for the reasons mentioned.

But I wish you the best of luck! ;-)
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Why is a native network needed for Unifi gear? I have VLAN 90 set as my management VLAN. My Unifi switch and APs are all in VLAN 90. The UniFi Network Application is sitting in a server VLAN. When I provision a new Unifi AP, I set the new AP's port on the switch to tagged VLAN 90. This gets the new AP on the network with an IP in VLAN 90. I then adopt the AP, set the management VLAN to 90 in the device's settings and then change the switch port to a "trunk" (all VLANs without a native).

@julsssark - If something happens to your switch and it gets factory reset with no ability to restore configs, how will you get it adopted again?  It doesn't know about VLAN90 in its initial state.

@meyergru - I'm already experiencing the pain of accidental lockouts :)  I was hoping I was just doing something wrong, but it sounds like a separate MGMT network is an idea prone to error and disaster in UniFi (at least without one of their gateways).
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 250GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 1000GB | 4x 1GbE (I210)
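The tagged/untagged distinction that runs through this thread (meyergru's point that UniFi's "VLAN 1" means untagged and that igc0, not igc0.1, is the matching OPNsense interface; OPNenthu's observation that a VLAN 1 tag can still be mapped to the native network; and the exchange with julsssark about why a factory-reset device cannot talk on a tags-only port) can be made concrete with a small model of how a switch port classifies frames. This is an added illustration, not code from OPNsense, UniFi or any poster; the port profiles, MAC addresses and frame bytes are constructed for the example, and the rule that a tag whose VID equals the port's native VID is accepted as native traffic is an assumption modelled on the behaviour described above.

```python
"""Model of 802.1Q port classification on a managed switch.

Added illustration for this thread; not code from OPNsense, UniFi or any poster.
Port settings and frame bytes are constructed. The rule that a tag equal to the
port's native VID is accepted as native traffic is an assumption."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

ETH_P_8021Q = 0x8100   # 802.1Q tag TPID
ETH_P_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vid: Optional[int], payload: bytes) -> bytes:
    """Ethernet II frame. vid=None gives an untagged frame (what OPNsense sends on a
    parent interface such as igc0); an int inserts an 802.1Q tag (igc0.N)."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP 0, DEI 0
    return frame + struct.pack("!H", ETH_P_IPV4) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """VID carried in the frame's 802.1Q tag, or None if the frame is untagged."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag if present."""
    return frame if parse_vid(frame) is None else frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag with the given VID (replacing any existing tag)."""
    untagged = strip_tag(frame)
    return untagged[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + untagged[12:]


@dataclass
class SwitchPort:
    """UniFi-style port profile: at most one native (untagged) VLAN plus tagged VLANs.
    native_vid=1 is what UniFi calls 'VLAN 1'; native_vid=None is a tags-only trunk."""
    native_vid: Optional[int]
    tagged_vids: Set[int] = field(default_factory=set)

    def classify_ingress(self, frame: bytes) -> Optional[int]:
        """VLAN a received frame is placed in, or None if the port drops it."""
        vid = parse_vid(frame)
        if vid is None:
            return self.native_vid        # untagged -> native VLAN (None = dropped)
        if vid in self.tagged_vids:
            return vid                    # tagged with a VLAN allowed on this port
        if vid == self.native_vid:
            return self.native_vid        # assumption: tag == native accepted as native
        return None                       # VLAN not configured on this port

    def egress(self, vid: int, frame: bytes) -> Optional[bytes]:
        """Frame as transmitted: native VLAN leaves untagged, others leave tagged."""
        if vid == self.native_vid:
            return strip_tag(frame)
        if vid in self.tagged_vids:
            return add_tag(frame, vid)
        return None


def demo() -> dict:
    """Trunk from the original post (native 1, tagged 20/30/50) and a tags-only port."""
    trunk = SwitchPort(native_vid=1, tagged_vids={20, 30, 50})
    tags_only = SwitchPort(native_vid=None, tagged_vids={90})
    dst, src, payload = b"\xff" * 6, bytes.fromhex("0a0000000001"), b"\x00" * 46

    def frame(vid: Optional[int]) -> bytes:
        return build_frame(dst, src, vid, payload)

    return {
        "igc0 untagged on trunk": trunk.classify_ingress(frame(None)),
        "igc0.1 tagged VID 1 on trunk": trunk.classify_ingress(frame(1)),
        "igc0.20 on trunk": trunk.classify_ingress(frame(20)),
        "igc0.90 on trunk": trunk.classify_ingress(frame(90)),
        "factory-reset device on tags-only port": tags_only.classify_ingress(frame(None)),
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case:42} -> {vlan}")
```

Running it shows the three situations discussed: an untagged frame from igc0 lands in VLAN 1, a VID-1-tagged frame from igc0.1 only lands there under the mapping assumption, a VID the port does not carry is dropped, and an untagged frame from a device in its factory state is dropped entirely on a tags-only port, which is the bootstrapping problem OPNenthu and meyergru describe.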

August 19, 2025, 11:57:21 PM #12 Last Edit: August 20, 2025, 12:04:24 AM by meyergru
@julsssark: OPNenthu nails it: Try imagining bootstrapping your network in case your switch fails... the replacement switch cannot even talk to your Unifi controller to be adopted, the latter you cannot access, either, since you need the switch for that. So, unless you have a large installation or at least a replacement switch that is already configured correctly, you ("Münchhausen") will have a really hard time doing so.

I was unwilling to write down a disaster recovery plan (nor did I have the faith to believe in it) and also print it (because I would not be able to access it without a running network) - that is why I rolled back to VLAN 1 (aka untagged).

@OPNenthu: Told you so :-D   Just DON'T!  A Unifi gateway might help, but only if you can access it without an additional switch and can configure a free port. Some of their smaller offerings only have one LAN port, though.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

@meyergru and @OPNenthu - thank you for educating me. I always learn new things from this forum. I didn't consider the dependency on the native port in the case of a switch failure. Fortunately, I keep an old 8 port Unifi switch around as a cold spare for my main switch. In the event of my switch failing, I can at least get my 4 APs back online. I should be able to provision a new switch by setting one of the ports to a full trunk. Like @meyergru, I never experienced a problem when I had my OPNsense router (Protectli with Intel NICs) plugged into a full trunk port.

@meyergru in the case of OPNsense/FreeBSD and Unifi infrastructure, can't you set VLAN 1 as tagged just for the trunk port or LACP bundle connected to OPNsense?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)