Unifi VLANs with new OPNsense install (Can't get internet access)

Started by Yosh1, March 02, 2026, 10:02:23 AM

Unifi's "native" intra-vlan L3 routing for switches is handled on VLAN 4040, with the default addressing for that VLAN as 10.255.253.0/24. If no devices exist on that subnet when you enable a native Unifi VLAN, it will assign whatever device is handling the routing the address 10.255.253.1.

I had been using OPNsense as the gateway for all my VLANs, but now I'm working through the process to try and migrate the VLAN gateways to the Unifi environment. OPNsense needs to first have a VLAN device tagged to VLAN 4040 on one of your interfaces and configured with the IP address 10.255.253.1. When you enable the native VLANs on the Unifi switch, the switch will automatically create the interface on the Unifi device with the IP 10.255.253.2. This becomes the transit interface for L3 routing from the Unifi switch to the OPNsense firewall.

There are pros and cons here - the main pro being lower latency for LAN traffic. The con is that ACLs on the Unifi switch are stateless, so you don't get as much visibility and control of traffic between VLANs. If you have IoT or other less trusted VLANs, this might require a hybrid configuration where the gateway for more trusted VLANs like home wireless is the Unifi switch, while less trusted ones like IoT use the OPNsense firewall as the gateway to allow for stateful rules to manage traffic.

There are some oddities that I am still working through. My management interface for the Unifi switches is on VLAN 1 (untagged), and I am currently seeing lower latency but extremely slow HTTPS traffic, with what looks like state errors coming back from the Internet routing in a weird direction. Kea also isn't properly assigning DHCP addresses; I haven't tried with dnsmasq yet. The solution seems to be moving the management interface on all Unifi devices (as well as the Unifi OS/Unifi network server) to a tagged VLAN managed by the Unifi switch. It may also require the use of sloppy states, but I haven't gotten that far yet.

Not sure if anyone else (meyergru?) has a Unifi setup where they could experiment with this design.
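The stateless-ACL versus stateful-firewall trade-off behind the hybrid design above, shown as an added example that is not part of the original post and not code from Unifi or OPNsense. The VLAN names, host addresses and flows are constructed for the demo; the only generic part is the matching logic: a switch ACL judges every frame on its own, while a stateful firewall remembers the flow an allowed packet started and lets the reply through without a reverse rule.

```python
"""Stateless ACL vs stateful firewall for inter-VLAN traffic (added example).

Constructed scenario: a trusted-VLAN host opens an HTTPS connection to an
IoT camera, the camera replies, and later the camera tries to open SSH to
the trusted host. The policy intent is "trusted may initiate to IoT, IoT
may not initiate to trusted".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_vlan: str   # constructed VLAN name, e.g. "trusted" or "iot"
    src: str        # source IP
    dst_vlan: str
    dst: str        # destination IP
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_vlan: Optional[str] = None  # None matches any value
    dst_vlan: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(
            want is None or want == got
            for want, got in ((self.src_vlan, p.src_vlan), (self.dst_vlan, p.dst_vlan),
                              (self.proto, p.proto), (self.dport, p.dport))
        )


def first_match(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First-match rule evaluation with an implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def stateless_acl(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Switch-style ACL: each packet is judged alone, no memory of flows."""
    return [first_match(rules, p) for p in packets]


def stateful_firewall(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Firewall-style: an allowed packet creates a state entry; packets that
    belong to a known flow (either direction) pass without consulting rules."""
    states = set()
    verdicts = []
    for p in packets:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in states or rev in states:
            verdicts.append("allow")  # reply or continuation of an allowed flow
            continue
        verdict = first_match(rules, p)
        if verdict == "allow":
            states.add(key)
        verdicts.append(verdict)
    return verdicts


# Constructed traffic: trusted -> IoT HTTPS, its reply, then IoT -> trusted SSH.
FLOWS = [
    Packet("trusted", "10.10.10.20", "iot", "10.20.20.5", "tcp", 51000, 443),
    Packet("iot", "10.20.20.5", "trusted", "10.10.10.20", "tcp", 443, 51000),
    Packet("iot", "10.20.20.5", "trusted", "10.10.10.20", "tcp", 40000, 22),
]

# The policy as intended: only the trusted side may initiate.
RULES_ONE_WAY = [Rule("allow", src_vlan="trusted", dst_vlan="iot")]

# What a stateless ACL forces you into to make the reply work: a standing
# reverse allow, which also admits IoT-initiated connections.
RULES_BOTH_WAYS = RULES_ONE_WAY + [Rule("allow", src_vlan="iot", dst_vlan="trusted")]


if __name__ == "__main__":
    print("stateless, one-way rule :", stateless_acl(RULES_ONE_WAY, FLOWS))
    print("stateless, both-way rule:", stateless_acl(RULES_BOTH_WAYS, FLOWS))
    print("stateful,  one-way rule :", stateful_firewall(RULES_ONE_WAY, FLOWS))
```

With the one-way rule, the stateless ACL drops the camera's reply and the HTTPS session never completes; opening the reverse direction fixes that but also lets the camera reach SSH on the trusted host. The stateful path keeps the reply and still blocks the IoT-initiated connection, which is exactly why less trusted VLANs in the hybrid design keep OPNsense as their gateway.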


I do not use L3 routing on my switches, even if they had it. I did not even know how Unifi does that. With their consumer-level switches, they do not offer it; also, with smaller networks, I prefer to have all routing controlled by OPNsense itself.

L3 switching is something that IMHO is relevant only for enterprise-grade installations. Everything I depicted here is strictly L2 on the switches.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+