UniFi Switch Uplink Blocked

Started by Cipher, September 06, 2025, 06:54:55 PM

Hello everyone,
I'm hoping to get some advice on a strange issue I've been running into since updating OPNsense to version 25.7.
After the update, the uplink port on my UniFi switch that connects to my OPNsense box is showing as "STP Blocked" in the UniFi controller. My network topology hasn't changed, and everything was working fine before the upgrade. The link between the two is a direct cable, and there's no physical loop in the network.
This is causing a major problem, obviously, as my internet connection is now down. I've tried a few basic things like rebooting both the OPNsense machine and the UniFi switch, but the problem persists. The UniFi controller logs show "Port disabled by STP to prevent a network loop."
Has anyone else experienced this after the 25.7 update? I'm looking for guidance on where to start troubleshooting this.
Things I'm considering:
 * Are there new STP settings in OPNsense 25.7 I need to be aware of?
 * Is OPNsense now broadcasting something that UniFi is interpreting as a loop?
 * Are there any settings in UniFi I should check, like STP priority, to force it to prefer the OPNsense uplink?
Any advice on where to look in the logs on either OPNsense or UniFi, or specific commands to run, would be greatly appreciated.
Thanks in advance for any help!
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.

September 07, 2025, 01:57:45 PM #1 Last Edit: September 11, 2025, 05:23:08 PM by meyergru
Do you use mixed tagged and untagged traffic on the same port or any VLANs at all? FreeBSD is not too good at doing that.
Also, the latest beta releases of Unifi switch software have problems with mixing up traffic as do some newer Unifi switch lines - especially when they boot up.

There can also be loops introduced by Unifi APs meshing together.

Did you verify that going back to an older OpnSense release fixes the problem? In that case, there may be driver "fixes" for your network hardware which are the culprit. You did not, by any chance, use any type of network offloading?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I have over a dozen Unifi devices with OPNSense 25.7.2 running 5 VLANs here at home.

I'm using OPNSense's default LAN for management and running VLANs on top, so I've mixed tagged and untagged as well.

I don't have any of the following activated on any of my 7 switches:
Port Isolation
Storm Control
Loop Protection
Spanning Tree Protocol
Egress Rate Limit
LLDP-MED
Voice VLAN

Not seeing any issues here.

Quote from: meyergru on September 07, 2025, 01:57:45 PM
Do you use mixed tagged and untagged traffic on the same port or any VLANs at all? FreeBSD is not too good at doing that.
Also, the latest beta releases of Unifi switch software have problems with mixing up traffic as do some newer Unifi switch lines - especially when they boot up.

There can also be loops introduced by Unifi APs meshing together.

Did you verify that going back to an older OpnSense release fixes the problem? In that case, there may be driver "fixes" for your network hardware which are the culprit? You did not by any chance, use any type of network offloading?

We are using VLANs, and the Unifi APs untag the traffic. This issue is happening consistently across three different sites (my home, my kids, and my parents), all running the same setup. The only real difference is the OPNsense version — the problems only appear after upgrading.

Environment details:
 * Switch/AP: UniFi Switch US-24 PoE-250W (firmware 7.2.120)
 * OPNsense: 25.7.1_1-amd64
 * Base OS: FreeBSD 14.3-RELEASE-p1
 * SSL: OpenSSL 3.0.17

On older OPNsense releases, we did not see this problem, so it seems tied to the newer release. No loops are showing from Unifi AP meshing, and configs are otherwise identical across the sites.

Hardware Offloading Settings:
 * Disable hardware checksum offload: selected
 * Disable hardware TCP segmentation offload: selected
 * Disable hardware large receive offload: selected
 * VLAN hardware filtering: Leave default
 * Suppress ARP messages: Disabled
 * Allow IPv6: Disabled

So far, no change in behavior after disabling hardware offloading.

September 09, 2025, 02:38:47 PM #4 Last Edit: September 09, 2025, 07:27:24 PM by meyergru
25.7.1_1 is not the current release. AFAIR, there is a new kernel coming with the current version, so maybe you should try upgrading (or downgrading, if that helps).

IDK of any specific problems, but STP detection means that there is a network loop somewhere. This can be had with defective setups where WiFi repeaters are used, meshing is in place or the like, see: https://help.ui.com/hc/en-us/articles/24292724428311-Understand-and-Mitigate-Network-Loops-STP

I would still suggest downgrading your Unifi USW software to something below 7.2.120. That version is brand new, probably you did not even notice upgrading to it, because that is sometimes configured to be done automatically.

I can only say that VLAN-wise, there have been multiple reports of problems with the latest betas, some of which have gone into release, see this for example:

https://community.ui.com/releases/UniFi-Switch-7-2-116/fa36e831-cc01-4ba7-8542-c0c297ed3108#comment/18aaa698-d79a-4455-b7c3-1ebc01fdcc3d
https://community.ui.com/releases/UniFi-Switch-7-2-116/fa36e831-cc01-4ba7-8542-c0c297ed3108#comment/547b3d89-4013-476a-9333-faf38d726768
https://community.ui.com/releases/UniFi-Switch-7-2-116/fa36e831-cc01-4ba7-8542-c0c297ed3108#comment/e8225d60-66ed-4612-bb2c-94fe94e0f606

There are lots of similar complaints in the 7.2.116 thread. For me, that version was actually worse than the one before.

Also, there are lots of complaints on their forums about 7.2.120:

https://community.ui.com/releases/UniFi-Switch-7-2-120/13b41926-9f20-465f-ab3e-9b98079f0a46

My impression is that Ubiquiti cannot keep up with the many new product initiatives they pushed in the recent past...

September 09, 2025, 05:24:40 PM #5 Last Edit: September 09, 2025, 05:43:04 PM by julsssark
FYI - I am running the USW 48 POE with 7.2.120, OPNsense 25.7.3 and multiple VLANs. I have not had any problems with STP. I do not have any untagged traffic on my trunk. Are you using RSTP or STP? I am using RSTP, and all Unifi options on my ports are off (e.g., storm control, loop protection, etc.) except for STP.

September 09, 2025, 07:18:25 PM #6 Last Edit: September 09, 2025, 07:31:45 PM by meyergru
The VLAN problems seem to occur on specific models, so you may have been lucky. I had a USW Enterprise 24 PoE, which is an older design with a different chipset. Their newer models, like the USW Pro HD 24 PoE, are indeed affected. I believe that the problem lies with the chipset maker's firmware. You can see this when you ssh into the switch and fiddle a little with the internal commandline. That in turn is controlled by the Unifi software.

There are many differences between those chipsets, e.g. the LAGG hash algorithms would actually allow more options to be included than the Unifi software allows, but only on the Enterprise line.

The VLAN problem manifests in two ways for me:

1. When the switch starts up, it "connects" all VLANs, i.e. all VLANs become visible on all interfaces (instead of blocking all traffic until the configuration is loaded). This was confirmed by a few people on the 7.2.116 thread.

2. The other problem is that those new switches cannot use 802.1x, contrary to what is advertised: https://community.ui.com/questions/Bug-802-1x-port-security-does-not-work-for-IPv6-on-USW-Pro-HD-24-POE/3280a2d8-43ff-49da-88e0-445af74e203e - this problem has been acknowledged by Ubiquiti, but not fixed even with 7.2.120.

So - there are problems. Whether you experience them depends on your specific model and whether you need the affected features.

AFAIR, there were people in the linked threads who gave even more VLAN-related problem reports than just my two.

That - plus the fact that the OP probably did not even notice that besides the OpnSense update, he also had a Unifi firmware update - is the reason why I recommend trying a downgrade of Unifi first.

P.S.: I also stand behind my claim that Ubiquiti is overwhelmed by the many products they come forward with. If you distribute switches with advertised features like 802.1x that still do not work after months of release and produce problematic products like the U6 Pro (see this video and this for the explanation) and do not even issue a recall, you definitely have some problems. I once was a fan - now, not so much.
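The first VLAN problem described in the post above (a switch that briefly exposes every VLAN on every port while booting) is something a defender can check for from a packet capture: if 802.1Q-tagged frames appear on a port whose configured VLAN set does not include that tag, traffic is leaking. This added example (not code from the thread or from OPNsense/UniFi) parses raw Ethernet frames for their VLAN ID and compares them against a port policy; the port names, MAC addresses, VLAN IDs and frames are all constructed sample data.

```python
"""Detect 802.1Q tags that are not permitted on the port they were seen on.
All frames and the port policy below are constructed samples, not a real capture."""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan_id(frame: bytes):
    """Return the 12-bit VLAN ID of a tagged Ethernet frame, or None if untagged."""
    if len(frame) < 18:  # 14-byte header + 4-byte tag minimum
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF  # strip PCP/DEI bits, keep the VID


def build_frame(vid, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a minimal broadcast frame: tagged with `vid`, or untagged if vid is None."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0242ac110002")  # constructed, locally administered MAC
    if vid is None:
        return dst + src + b"\x08\x00" + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid, 0x0800) + payload


# Constructed policy: which tags (None = untagged) each port is allowed to carry.
PORT_POLICY = {
    "port1_opnsense_trunk": {None, 10, 20, 30},  # untagged mgmt LAN + tagged VLANs
    "port5_iot_access": {None},                  # access port: untagged only
}


def find_leaks(observations, policy=PORT_POLICY):
    """Given (port, frame) pairs, return (port, vid) for every frame the policy forbids."""
    leaks = []
    for port, frame in observations:
        vid = parse_vlan_id(frame)
        if vid not in policy.get(port, set()):  # unknown ports permit nothing
            leaks.append((port, vid))
    return leaks


SAMPLE = [  # constructed observations
    ("port1_opnsense_trunk", build_frame(10)),
    ("port1_opnsense_trunk", build_frame(None)),
    ("port5_iot_access", build_frame(None)),
    ("port5_iot_access", build_frame(20)),     # leak: VLAN 20 tag on an access port
    ("port1_opnsense_trunk", build_frame(99)),  # leak: VLAN 99 is not on the trunk
]

if __name__ == "__main__":
    for port, vid in find_leaks(SAMPLE):
        print(f"LEAK on {port}: VLAN {vid} not permitted")
```

Running the same check over frames captured during a switch reboot, versus a steady-state capture, shows whether the boot-time leakage the post describes affects a given model.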

@meyergru, I always learn something from your posts. Thanks for taking the time to elaborate.

I agree that Unifi is spread way too thin. They still haven't even removed the old legacy interface from the Network App.

Fear about it,

What do you recommend? I'm using a new-generation UniFi switch with only two VLANs; do we have problems? I'm right now on 25.7.2 with no issues.

September 10, 2025, 09:42:51 AM #9 Last Edit: September 10, 2025, 12:51:02 PM by meyergru
Depends on your situation - if you do not notice any problems, you are probably fine. If an update causes problems, go back to the previous version, which is what I would recommend the OP to at least try.

I still use my switch, because I do not strictly need 802.1x and do not reboot the switch often enough to actually cause problems. Mine does correctly differentiate statically configured VLANs once it has finished booting.

That may be different with other models and / or firmware versions.

If you buy a switch new and it does not work as advertised, you can just return it. Looking back, I should have done that - now knowing that Ubiquiti did not fix my reported 802.1x deficiency.

@meyergru Thank you for your support and for your clear answers — much appreciated.
We have now disabled the auto-update on the site. We were not aware that it was enabled, so it's likely that the latest updates caused the issue, which initially made us think it was related to OPNsense.
We will keep a close eye on this from now on.