OPNsense VLANs Configuration with Unifi Flex Switch and U6 Pro AP

Started by ebox, November 15, 2025, 01:01:57 AM

Hi, I'm totally new to OPNsense and just getting started. I got through the basic setup on OPNsense 25.7.7, but I'm stuck trying to get VLANs working. My setup looks like this:

Hardware:
Protectli Vault (OPNSense)
Unifi Flex Mini 2.5g
Unifi U6 pro Access Point

Physical interfaces:
WAN: igb4
LAN: igb0

Virtual interfaces:
LAN: Assigned to igb0
Mgmt: VLAN20 assigned to igb0
IOT: VLAN50 assigned to igb0
Guests: VLAN100 assigned to igb0

igb0 --(trunk)---> Flex Mini switch ---> UniFi U6 AP
                                                 

All VLANs need access to the internet.

LAN0 (igb0) interface:
IP: 172.16.99.1/24
DHCP: 172.16.99.31 - 172.16.99.230

Mgmt (VLAN20) interface:
IP: 172.16.20.1/24
DHCP: 172.16.20.31 - 172.16.20.230

IOT (VLAN50) interface:
IP 172.16.50.1/24
DHCP: 172.16.50.30 - 172.16.50.230

Guest (VLAN100) interface:
IP 172.16.100.1/24
DHCP: 172.16.100.30 - 172.16.100.230


Currently, the switch, access point, and any device connected to the AP all receive IP addresses from the LAN DHCP range (I think). However, as soon as I assign a VLAN to a switch port or an SSID on the UniFi device, the client devices won't connect. I'm running the UniFi Network server application on Ubuntu and accessing it through a browser. Everything works correctly on a flat network, but VLANs do not. I first tried configuring a Guest network and created a test firewall rule:

Action: PASS
Interface Guest
Direction: in
TCP/IP version: IPv4
Protocol: any
Source: any
Destination: any

Switch Ports:
Port 1 - LAN
Port 2 - LAN
Port 3 - U6 Pro
Port 4 -
Port 5 - Set up PC

I saw somewhere that it's best practice to have a separate management trunk in addition to the LAN connection, but I haven't configured that yet

Can someone point me at what I am doing wrong? I can't work out if it's the OPNsense config or UniFi.

Thanks in advance 

How are you configuring your ports? For the UniFi switch the "Network" selection cannot be the same as the vlan you are using, I usually use "default". Then under tagged vlan management pick the vlans you want on that port. See articles below for more info:

https://homenetworkguy.com/how-to/beginners-guide-to-set-up-home-network-using-opnsense/
https://help.ui.com/hc/en-us/articles/9761080275607-Creating-Virtual-Networks-VLANs

Port  Anomaly  Name    Connection  Connection IP  Speed   Native VLAN
1     0        Port 1  -           -              2.5Gbe  Default
2     0        Port 2  -           -              2.5Gbe  Default
3     0        Port 3  U6 pro      172.16.99.115  Gbe     Default
4     0        Port 4  -           -              Gbe     Default

So, it could be a few things. Let's start by checking a few things to make sure they are configured correctly. In OPNsense:
1. Make sure your interfaces are configured (and enabled) and have the appropriate IP address assigned.
2. Make sure you have your firewall configured so that each VLAN can actually get out to the internet. I have mine set up with a firewall alias named privateNetworks with type: network, content: 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16 -> under each VLAN firewall interface make sure you have a rule set up with: Action: PASS, quick: x, direction: in, TCP/IP version: IPv4, protocol: any, source: "vlan" net (from dropdown), invert: x, destination: privateNetworks, then make sure you save and hit apply.
3. Go to services->DNSMasq DNS & DHCP -> general-> enabled: x and include all of your VLAN interfaces. Then under "DHCP ranges" set up your ranges for each interface. Then what I did is under "hosts" I make static IPs for all of my networking devices (unifi switch, server, etc) on the default network, I think for you that is 172.16.99.## (whatever network your opnsense is on).
4. One other helpful firewall rule is to allow ICMP from your LAN to all networks. To do this, under firewall->rules->LAN interface click add and create a rule with: Action: pass, TCP/IP version: IPv4, protocol: ICMP, source: LAN net, invert: unchecked, destination: any, destination port: any. This will allow you to hardwire into your switch and ping all of your devices to make sure they are connected properly.

On to the unifi server: Under settings->networks, make sure you have each Vlan set up and your VLAN ID matches the same VLAN ID you have in OPNsense.
For any port that you want a single VLAN on make sure the "Native VLAN" is set to that VLAN and under "tagged vlan management" hit Block All. For any port you want all (or some) VLANs on (trunked port) click on the port and make the native VLAN default, make sure it shows the IP address range you are expecting to the right. Under "tagged vlan management" hit Allow All.
If you are planning on setting up multiple wifi ssid's, each one for each vlan, make sure you set those up in settings->wifi set up each wifi ssid with a single vlan under the "network" selection dropdown.

It took me a bit to set up my OPNsense and unifi switch. It's honestly easier to just set up one VLAN, get that working with your LAN and then add the others after that. Setting all of them up at once tends to lead to errors and mishaps. Sorry for the long-winded response, I hope this helps!

Thanks for taking the time to respond. I really appreciate it. Your reply gave me a lot to work with. FYI - I migrated from Dnsmasq to Kea DHCP about a week ago using these steps:

1. Configure Kea DHCPv4
Navigate to:
Services → Kea DHCP → Kea DHCPv4
Settings tab:
Enabled: unchecked
Interfaces: LAN
Click Save
(Do not apply yet)

Subnets tab:
Click Add/Plus icon
  • Subnet: 172.16.99.0/24
  • Description: LAN
  • Pool: 172.16.99.30 – 172.16.99.230
  • Match Client ID: checked
  • Auto Collect Option Data: unchecked
  • Router (Gateway): 172.16.99.1
  • DNS Servers: 172.16.99.1
Click Save

Return to the Settings tab:
Enabled: checked
Click Save and then Apply

2. Disable Dnsmasq DHCP
Go to:
Services → Dnsmasq DNS & DHCP → General
Enabled: unchecked
Click Save, then Apply

3. Release / Renew IP Address
Ubuntu Terminal:
sudo dhclient -r
sudo dhclient

Windows PowerShell:
ipconfig /release
ipconfig /renew

4. Validate Kea DHCP in OPNsense
Go to:
Lobby → Dashboard
In the Services panel, locate Kea DHCP — it should show a play/triangle icon on the right to indicate it's running.

Boom — I got it working!

Thanks again for taking the time to help. I really appreciate it. My OPNsense configuration only needed a few tweaks. If this helps anyone else, here are the steps I used to get the Guest VLAN working in OPNsense 25.7, then repeated for the other VLANs.

1: Create the VLAN
Navigate to:
Interfaces → Devices → VLAN → + Add
  • Device:   (leave blank — auto-generated)
  • Parent Interface: igb0
  • VLAN Tag: 100
  • VLAN Priority: Best Effort (0, Default)
  • Description: Guest
Click Save → Apply Changes

Result: Creates igb0_vlan100 (visible under Devices)

2: Assign the VLAN as an Interface
Navigate to:
Interfaces → Assignments
  • Under Assign a new interface, locate: VLAN 100 on igb0 – Guest
  • Set description to: Guest-VLAN100
  • Select it → click + Add
Click Save →

Result: A new interface appears (Guest or OPT1 — rename if needed)

3: Configure the Guest Interface
Navigate to:
Interfaces
Click on Guest (or newly created OPT interface)

  • Enable:   Checked
  • Description: Guest-VLAN100
  • IPv4 Configuration Type: Static IPv4
  • IPv6 Configuration Type: None
  • IPv4 Address: 172.16.100.1 /24
  • MTU: (default)
Click Save → Apply Changes

Result: Interface activates with IP 172.16.100.1

4: Enable & Configure Kea DHCPv4

4.1 Global Settings
Navigate to:
Services → Kea DHCP → Kea DHCPv4 → Settings
  • Enabled: Checked
  • Interfaces: LAN, Guest
  • Click Save → Apply Changes

4.2 Add Guest Subnet
Navigate to:
Services → Kea DHCP → Kea DHCPv4 → Subnets → + Add
  • Subnet:   172.16.100.0/24
  • Description: Guest
  • Pool: 172.16.100.30 – 172.16.100.230
  • Match Client ID: Checked
  • Auto Collect Option Data: Unchecked
  • Router (Gateway): 172.16.100.1
  • DNS Servers: 172.16.99.1 (Unbound on OPNsense)
  • Domain Name:   (optional: guest.local)
Click Save → Apply Changes

Result: Guest VLAN devices now receive IP, gateway, and DNS correctly.

5: Configure Firewall Rules for Guest VLAN
Navigate to:
Firewall → Rules → Guest

Rule 1 — Allow DNS to Unbound (Port 53)
Action: Pass
Interface: Guest
Direction: In
Protocol: TCP/UDP
Source: Guest net
Destination: This Firewall
Destination Port: 53
Description: Guest → DNS (Unbound)


Rule 2 — Allow Internet but Block LAN
Action: Pass
Interface: Guest
Direction: In
Protocol: any
Source: Guest net
Destination: ! LAN net (invert match)
Description: Guest → Internet (block LAN)

Click Save → Apply Changes for each rule.

6: Unifi Switch Configuration (External / Managed Switch)

6.1 Create Virtual Network
Open Unifi Network Server App version 9.5.21

Navigate to:
Settings > Networks
Click create new virtual network
  • Name: Guest
  • Router: third Party Gateway
  • VLAN ID: 100
  • IGMP snooping: Unchecked
  • DHCP Guarding: unchecked

6.2 Create Wireless Network (SSID)
Navigate to:
Settings > WiFi
  • Click create new
  • Name: Guest_WiFi
  • Password: <enter strong password>
  • Network: Guest
  • Broadcasting APs: All
  • Advanced: Auto

Ensure switch tagging matches OPNsense.

7: Testing

a) Connect a device to the SSID Guest_WiFi
     The device should receive:

  • IP: 172.16.100.x
  • Gateway: 172.16.100.1
  • DNS: 172.16.99.1


b) Verify functionality:
  • ping 172.16.100.1 → success
  • nslookup google.com → resolves via Unbound
  • Internet access works
  • ping 172.16.99.10 (LAN device) → blocked (correct behavior)
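
The two "allow internet" rules that appear in this thread differ in what a Guest client can still reach inside the house: the final post's Rule 2 inverts only "LAN net" (172.16.99.0/24), so it still passes Guest traffic to the Mgmt and IOT VLANs and to the firewall's own web GUI on 172.16.100.1, while the earlier reply's privateNetworks alias (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) excludes all of that. The script below is an added example, not OPNsense or UniFi code: it models the two Guest rule sets with first-match (quick) semantics and an implicit default deny, using the thread's addresses, and runs constructed sample packets through both. The client address, the LAN/IOT hosts and the public address 203.0.113.10 are invented for the example; the model ignores OPNsense's auto-generated rules.

```python
# Added example (not OPNsense code): evaluate the two Guest-VLAN rule sets
# discussed in this thread against constructed sample traffic. First matching
# rule wins (quick rules), nothing matching falls to the implicit default deny.
# Interface addresses and networks are the thread's; packets are constructed.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Union

# The firewall's own addresses on every VLAN ("This Firewall" in the GUI).
FIREWALL_ADDRS = {ip_address(a) for a in
                  ("172.16.99.1", "172.16.20.1", "172.16.50.1", "172.16.100.1")}
GUEST_NET = ip_network("172.16.100.0/24")
LAN_NET = ip_network("172.16.99.0/24")
# The privateNetworks alias from the earlier reply (all RFC 1918 space).
PRIVATE_NETWORKS = [ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    proto: str                           # "any", "tcp/udp", "icmp", ...
    src_nets: list[IPv4Network]
    dst: Union[str, list[IPv4Network]]   # "this_firewall" or networks/alias
    dst_invert: bool = False             # the "/ !" invert checkbox
    dport: Optional[int] = None
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and pkt.proto not in self.proto.split("/"):
            return False
        if not any(pkt.src in n for n in self.src_nets):
            return False
        if self.dst == "this_firewall":
            dst_hit = pkt.dst in FIREWALL_ADDRS
        else:
            dst_hit = any(pkt.dst in n for n in self.dst)
        if dst_hit == self.dst_invert:   # invert flips the destination match
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (verdict, rule description) for the first rule that matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.description
    return "block", "default deny"

DNS_RULE = Rule("pass", "tcp/udp", [GUEST_NET], "this_firewall", dport=53,
                description="Guest -> DNS (Unbound)")
# Rule set as written in the final post: destination "! LAN net".
GUEST_RULES_THREAD = [DNS_RULE,
    Rule("pass", "any", [GUEST_NET], [LAN_NET], dst_invert=True,
         description="Guest -> Internet (block LAN)")]
# Rule set using the privateNetworks alias from the earlier reply.
GUEST_RULES_ALIAS = [DNS_RULE,
    Rule("pass", "any", [GUEST_NET], PRIVATE_NETWORKS, dst_invert=True,
         description="Guest -> Internet (not privateNetworks)")]

GUEST_CLIENT = ip_address("172.16.100.50")   # constructed guest client
# Constructed packets; 203.0.113.10 (documentation range) stands in for "the internet".
SAMPLE_TRAFFIC = {
    "dns to firewall": Packet("udp", GUEST_CLIENT, ip_address("172.16.99.1"), 53),
    "internet https":  Packet("tcp", GUEST_CLIENT, ip_address("203.0.113.10"), 443),
    "lan smb":         Packet("tcp", GUEST_CLIENT, ip_address("172.16.99.10"), 445),
    "mgmt vlan https": Packet("tcp", GUEST_CLIENT, ip_address("172.16.20.1"), 443),
    "iot vlan http":   Packet("tcp", GUEST_CLIENT, ip_address("172.16.50.25"), 80),
    "firewall gui":    Packet("tcp", GUEST_CLIENT, ip_address("172.16.100.1"), 443),
}

def compare_rulesets() -> dict[str, tuple[str, str]]:
    """Verdict under the thread's rules vs. the alias rules, per sample packet."""
    return {name: (evaluate(GUEST_RULES_THREAD, p)[0], evaluate(GUEST_RULES_ALIAS, p)[0])
            for name, p in SAMPLE_TRAFFIC.items()}

if __name__ == "__main__":
    for name, (thread, alias) in compare_rulesets().items():
        print(f"{name:16}  '! LAN net': {thread:5}  '! privateNetworks': {alias}")
```

Running it shows both rule sets passing DNS and internet traffic and blocking the LAN host, but only the alias version blocks Guest to Mgmt, to IOT and to the firewall GUI on 172.16.100.1. The trade-off is that the alias version also drops the "ping 172.16.100.1 → success" check from step 7 (172.16.100.1 is inside 172.16.0.0/12), so if you want that test to keep working, add an explicit ICMP rule from Guest net to This Firewall ahead of the internet rule.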



Glad you got it working!

What's the advantage of KEA over DNSmasq?

As of today, I'm not completely sure, to be honest but I've read in several places that KEA DHCP is the official replacement for ISC DHCP and is actively being developed. Because of that, I figured it might be safer to move in that direction in case Dnsmasq doesn't receive certain features. My main concern is committing to Dnsmasq now and then having to migrate later once I've built up a lot more configuration. It's really just me worrying about missing out.

Dnsmasq is essentially a one person project. Also it tries to do way too many things simultaneously, IMHO. Doesn't even have a Github repo, it's hosted on a private server.

Kea is the official successor to DHCPd by ISC or the "Internet Software Consortium". They also gave us BIND. Founded by a certain Paul Vixie, you might have heard of him.

I know on which I am placing my bets.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)