OPNsense VLANs Configuration with Unifi Flex Switch and U6 Pro AP

Started by ebox, Today at 01:01:57 AM

Hi, I'm totally new to OPNsense and just getting started. I got through the basic setup on OPNsense 25.7.7, but I'm stuck trying to get VLANs working. My setup looks like this:

Hardware:
Protectli Vault (OPNSense)
Unifi Flex Mini 2.5g
Unifi U6 pro Access Point
Dell PC (Ubuntu Media Server)

Physical interfaces:
WAN: igb4
LAN: igb0

Virtual interfaces:
Mgmt: VLAN99 assigned to igb0
IOT: VLAN20 assigned to igb0
Media: VLAN50 assigned to igb0
Guests: VLAN100 assigned to igb0

igb0 --(trunk)---> Flex Mini switch ---> UniFi U6 AP
                          |
                          --> Media Server


All VLANs need access to the internet, and the IoT VLAN needs access to the Media VLAN. I don't mind connecting the media server directly to the OPNsense firewall if it simplifies/hardens the configuration.

LAN0 (igb0) interface:
IP: 172.16.99.1/24
DHCP: 172.16.99.31 - 172.16.99.230

Mgmt (VLAN20) interface:
IP: 172.16.20.1/24
DHCP: 172.16.20.31 - 172.16.20.230

Media (VLAN50) interface:
IP 172.16.50.1/24
DHCP: 172.16.50.30 - 172.16.50.230

Guest (VLAN100) interface:
IP 172.16.100.1/24
DHCP: 172.16.100.30 - 172.16.100.230


Currently, the switch, access point, and any device connected to the AP all receive IP addresses from the LAN DHCP range (I think). However, as soon as I assign a VLAN to a switch port or an SSID on the UniFi device, the client devices won't connect. I'm running the UniFi Network server application on Ubuntu and accessing it through a browser. Everything works correctly on a flat network, but VLANs do not. I first tried configuring a Guest network and created a test firewall rule:

Action: PASS
Interface Guest
Direction: in
TCP/IP version: IPv4
Protocol: any
Source: any
Destination: any

Switch Ports:
Port 1 - LAN
Port 2 - LAN
Port 3 - U6 Pro
Port 4 - Media Server
Port 5 - Set PC

I saw somewhere that it's best practice to have a separate management trunk in addition to the LAN connection, but I haven't configured that yet.

Can someone point me at what I am doing wrong? I can't work out if it's the OPNsense config or UniFi.

Thanks in advance 

How are you configuring your ports? For the UniFi switch the "Network" selection cannot be the same as the vlan you are using, I usually use "default". Then under tagged vlan management pick the vlans you want on that port. See articles below for more info:

https://homenetworkguy.com/how-to/beginners-guide-to-set-up-home-network-using-opnsense/
https://help.ui.com/hc/en-us/articles/9761080275607-Creating-Virtual-Networks-VLANs

Port  Anomaly  Name    Connection  Connection IP  Speed   Native VLAN
1     0        Port 1  -           -              2.5Gbe  Default
2     0        Port 2  -           -              2.5Gbe  Default
3     0        Port 3  U6 pro      172.16.99.115  Gbe     Default
4     0        Port 4  -           -              Gbe     Default

So, it could be a few things. Let's start by checking a few things to make sure they are configured correctly. In OPNsense:
1. Make sure your interfaces are configured (and enabled) and have the appropriate IP address assigned.
2. Make sure you have your firewall configured so that each VLAN can actually get out to the internet. I have mine set up with a firewall alias named privateNetworks with type: network, content: 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16. Under each VLAN firewall interface, make sure you have a rule set up with: Action: PASS, quick: x, direction: in, TCP/IP version: IPv4, protocol: any, source: "vlan" net (from dropdown), invert: x, destination: privateNetworks. Then make sure you save and hit apply.
3. Go to Services -> Dnsmasq DNS & DHCP -> General -> enabled: x and include all of your VLAN interfaces. Then under "DHCP ranges" set up your ranges for each interface. Then what I did is under "hosts" I make static IPs for all of my networking devices (UniFi switch, server, etc.) on the default network; I think for you that is 172.16.99.## (whatever network your OPNsense is on).
4. One other helpful firewall rule is to allow ICMP from your LAN to all networks. To do this, under Firewall -> Rules -> LAN interface click add and create a rule with: Action: pass, TCP/IP version: IPv4, protocol: ICMP, source: LAN net, invert: unchecked, destination: any, destination port: any. This will allow you to hardwire into your switch and ping all of your devices to make sure they are connected properly.

On to the UniFi server: under Settings -> Networks, make sure you have each VLAN set up and your VLAN ID matches the same VLAN ID you have in OPNsense.
For any port that you want a single VLAN on, make sure the "Native VLAN" is set to that VLAN and under "tagged VLAN management" hit block all. For any port you want all (or some) VLANs on (trunked port), click on the port and make the native VLAN default, and make sure it shows the IP address range you are expecting to the right. Under "tagged VLAN management" hit allow all.
If you are planning on setting up multiple WiFi SSIDs, one for each VLAN, make sure you set those up in Settings -> WiFi, and set up each WiFi SSID with a single VLAN under the "network" selection dropdown.

It took me a bit to set up my OPNsense and UniFi switch. It's honestly easier to just set up one VLAN, get that working with your LAN and then add the others after that. Setting all of them up at once tends to lead to errors and mishaps. Sorry for the long-winded response, I hope this helps!
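To make the effect of the per-VLAN rule in step 2 concrete, and to check it against the flows the original post asks for (every VLAN to the internet, IoT to Media, Guest isolated), here is an added example that is not from this thread and not OPNsense's own code. It models OPNsense's rule evaluation on one interface (quick rules, first match wins, implicit default deny) with the addressing plan from the original post, the privateNetworks alias from the reply, and two rules the reply does not mention, which are assumptions: an IoT-to-Media pass rule placed above the internet-only rule, and a DNS-to-firewall rule, because the inverted privateNetworks destination also covers the VLAN's own gateway address. The IP addresses in the flow list are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed addressing plan, taken from the thread (one /24 per VLAN).
VLAN_NETS = {
    "LAN": ipaddress.ip_network("172.16.99.0/24"),
    "IOT": ipaddress.ip_network("172.16.20.0/24"),
    "Media": ipaddress.ip_network("172.16.50.0/24"),
    "Guest": ipaddress.ip_network("172.16.100.0/24"),
}

# The "privateNetworks" alias from the reply: all RFC 1918 space.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    source: List[ipaddress.IPv4Network]           # "<vlan> net"
    destination: List[ipaddress.IPv4Network]      # empty list = any
    invert_destination: bool = False              # the "invert" checkbox
    dst_ports: Optional[Set[int]] = None          # None = any port
    quick: bool = True                            # GUI default in OPNsense
    description: str = ""


def matches(rule: Rule, src, dst, dst_port) -> bool:
    """True when the packet matches the rule's source, destination and port."""
    if not any(src in n for n in rule.source):
        return False
    if rule.destination:
        in_dst = any(dst in n for n in rule.destination)
        # With invert set the packet must NOT be in the destination list.
        if rule.invert_destination == in_dst:
            return False
    if rule.dst_ports is not None and dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(rules: List[Rule], src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """Verdict for a packet arriving 'in' on the interface that owns `rules`.
    Quick rules: first match wins. Non-quick rules: last match wins.
    No match at all: OPNsense's implicit default deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "block"
    for r in rules:
        if matches(r, s, d, dst_port):
            if r.quick:
                return r.action
            verdict = r.action
    return verdict


def internet_only(vlan: str) -> Rule:
    """The reply's rule: pass from '<vlan> net' to anything NOT in
    privateNetworks, i.e. internet yes, other internal subnets no."""
    return Rule("pass", [VLAN_NETS[vlan]], PRIVATE_NETWORKS,
                invert_destination=True, description=f"{vlan} internet only")


def dns_to_gateway(vlan: str) -> Rule:
    """Assumed extra rule (not in the thread): let clients reach the firewall's
    own address on the VLAN for DNS, which the inverted rule alone blocks
    because the gateway address sits inside 172.16.0.0/12."""
    gw = ipaddress.ip_network(f"{VLAN_NETS[vlan][1]}/32")
    return Rule("pass", [VLAN_NETS[vlan]], [gw], dst_ports={53},
                description=f"{vlan} DNS to firewall")


# Rule order as it would appear on each interface tab, top to bottom.
RULESETS = {
    "Guest": [dns_to_gateway("Guest"), internet_only("Guest")],
    "IOT": [
        dns_to_gateway("IOT"),
        Rule("pass", [VLAN_NETS["IOT"]], [VLAN_NETS["Media"]],
             description="IOT to Media (assumed rule for the poster's requirement)"),
        internet_only("IOT"),
    ],
}


def check_plan() -> dict:
    """Walk the traffic flows discussed in the thread and return the verdicts."""
    return {
        "guest_to_internet": evaluate(RULESETS["Guest"], "172.16.100.50", "93.184.216.34", 443),
        "guest_to_media": evaluate(RULESETS["Guest"], "172.16.100.50", "172.16.50.10", 445),
        "guest_to_lan": evaluate(RULESETS["Guest"], "172.16.100.50", "172.16.99.1", 443),
        "guest_dns": evaluate(RULESETS["Guest"], "172.16.100.50", "172.16.100.1", 53),
        "iot_to_media": evaluate(RULESETS["IOT"], "172.16.20.50", "172.16.50.10", 8096),
        "iot_to_lan": evaluate(RULESETS["IOT"], "172.16.20.50", "172.16.99.10", 22),
        "iot_to_internet": evaluate(RULESETS["IOT"], "172.16.20.50", "1.1.1.1", 443),
    }


if __name__ == "__main__":
    for flow, verdict in check_plan().items():
        print(f"{flow:18s} {verdict}")
```

Running it shows that the internet-only rule does what the reply intends (Guest reaches the internet but neither Media nor the LAN), that the IoT-to-Media pass must sit above the internet-only rule to take effect, and that without the DNS rule a client's lookup to its own gateway is dropped by the same inverted rule, which is a common reason a VLAN "has no internet" even though the pass rule looks right.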

Thanks for taking the time to respond. I really appreciate it. Your reply gave me a lot to work with. FYI - I migrated from Dnsmasq to Kea DHCP about a week ago using these steps:

1. Configure Kea DHCPv4
Navigate to:
Services → Kea DHCP → Kea DHCPv4
Settings tab:
Enabled: unchecked
Interfaces: LAN
Click Save
(Do not apply yet)

Subnets tab:
  • Subnet: 172.16.99.1/24
  • Description: LAN
  • Pool: 172.16.99.30 – 172.16.99.230
  • Match Client ID: checked
  • Auto Collect Option Data: unchecked
  • Router (Gateway): 172.16.99.1
  • DNS Servers: 172.16.99.1
Click Save

Return to the Settings tab:
Enabled: checked
Click Save and then Apply

2. Disable Dnsmasq DHCP
Go to:
Services → Dnsmasq DNS & DHCP → General
Enabled: unchecked
Click Save, then Apply

3. Release / Renew IP Address
Ubuntu Terminal:
sudo dhclient -r
sudo dhclient

Windows PowerShell:
ipconfig /release
ipconfig /renew

4. Validate Kea DHCP in OPNsense
Go to:
Lobby → Dashboard
In the Services panel, locate Kea DHCP — it should show a play/triangle icon on the right to indicate it's running.