pfSense + TL-SG108E + Unifi AP - VLAN issue?

2021-09-14 13:46:15 - last edited 2021-09-15 04:48:15
Model: TL-SG108E  
Hardware Version: V5
Firmware Version: 1.0.0 Build 20191021 Rel.53360

Hi folks,

 

I'm having some issues getting everything set up correctly and am hoping someone can assist.

 

My intent is to create 3 VLANs - 1 default plus 2 additional. The additional ones should selectively (based on VLAN tag and firewalling) be allowed access to the LAN, where trusted devices live. I essentially want random devices on the network (e.g. IoT & guest devices) to not get access to my servers.

 

Here's the physical device setup:

WAN -> pfSense

  pfSense -> Port 1 on TL-SG108E

    TL-SG108E ->

      Port 2 -> Unifi 6 Lite AP

      Port 3 -> trusted server

      Port 6 -> untrusted wired client

      Port 7 -> untrusted IoT client

      Port 8 -> untrusted IoT client

 

I have pfSense on a VM with IP 192.168.10.1. In it, I've set up various VLANs, and networks to match:

VLAN 1 - default LAN - 192.168.10.1/24 (DHCP enabled)

VLAN 10 - trusted - 192.168.20.1/24 (DHCP enabled)

VLAN 7 - untrusted guest - 192.168.200.1/24 (DHCP enabled)

On the Unifi 6 Lite AP I created networks and wireless networks, mirroring those above:

Network: trustednet, VLAN 10 (DHCP relay to pfSense)

Network: guest, VLAN 7 (DHCP relay to pfSense)

 

The problem is, when wireless clients connect to networks provided by the Unifi, they associate but do not receive an IP address. Similarly, when I plug wired clients into ports 6, 7, and 8, they do not get IP addresses. I'm certain this is something to do with the VLAN setup as initially I had a simple port-based VLAN, which worked for the Unifi (but did not work on the wired clients). I then changed it to 802.1Q VLAN as follows:

This was per:

https://www.tp-link.com/us/support/faq/788/

https://superuser.com/questions/1140071/tp-link-tl-sg108e-vlans-to-separate-one-device-from-all-others

 

I also tried the config from the first answer here, which also did not work:

https://community.tp-link.com/en/business/forum/topic/76663

 

Would really appreciate any suggestions, I'm about at my wits' end.

 

Re:pfSense + TL-SG108E + Unifi AP - VLAN issue?-Solution
2021-09-15 03:24:32 - last edited 2021-09-15 04:48:15

Dear @cioozd,

 

cioozd wrote

My intent is to create 3 VLANs - 1 default plus 2 additional. The additional ones should selectively (based on VLAN tag and firewalling) be allowed access to the LAN, where trusted devices live. I essentially want random devices on the network (e.g. IoT & guest devices) to not get access to my servers.

 

Here's the physical device setup:

WAN -> pfSense

  pfSense -> Port 1 on TL-SG108E

    TL-SG108E ->

      Port 2 -> Unifi 6 Lite AP

      Port 3 -> trusted server

      Port 6 -> untrusted wired client

      Port 7 -> untrusted IoT client

      Port 8 -> untrusted IoT client

 

I have pfSense on a VM with IP 192.168.10.1. In it, I've set up various VLANs, and networks to match:

VLAN 1 - default LAN - 192.168.10.1/24 (DHCP enabled)

VLAN 10 - trusted - 192.168.20.1/24 (DHCP enabled)

VLAN 7 - untrusted guest - 192.168.200.1/24 (DHCP enabled)

 

On the Unifi 6 Lite AP I created networks and wireless networks, mirroring those above:

Network: trustednet, VLAN 10 (DHCP relay to pfSense)

Network: guest, VLAN 7 (DHCP relay to pfSense)

 

The problem is, when wireless clients connect to networks provided by the Unifi, they associate but do not receive an IP address. Similarly, when I plug wired clients into ports 6, 7, and 8, they do not get IP addresses.

 

The ports connecting to the pfSense and Unifi AP should be selected as Tagged ports.

So please select Port 1 and Port 2 as Tagged ports in all VLANs.

Re:pfSense + TL-SG108E + Unifi AP - VLAN issue?
2021-09-15 05:06:47 - last edited 2021-09-15 05:12:33

@Fae amazing, this mostly worked! Thank you!!

 

Only remaining issue is TRUSTED (VLAN 10) -> LAN (VLAN 1) communication. In pfSense, I do have firewall rules that allow this (e.g. PASS if source is TRUSTED network and destination is LAN network), and I'm seeing firewall logs with traffic being allowed matching this rule, just nothing ever happens - pings get 100% packet loss, pages never load, etc.

 

I suspect this is still VLAN related, though uncertain what it could be. All of my servers are on a Proxmox box attached to TL-SG108E port 3, and I tried that port both tagged and untagged in VLAN 1, but neither seems to work.

 

Any further help would be greatly appreciated.

 

Edit: if I go from pfSense LAN -> another (unmanaged) switch, then hook 1 port of that unmanaged switch up to a wireless router and another port to TL-SG108E port 1, I'm able to connect to the servers again. I suspect this is because the wireless router is handing out 192.168.10.x range IP addresses.

Re:pfSense + TL-SG108E + Unifi AP - VLAN issue?
2021-09-15 06:18:32

Dear @cioozd,

 

cioozd wrote

Only remaining issue is TRUSTED (VLAN 10) -> LAN (VLAN 1) communication. In pfSense, I do have firewall rules that allow this (e.g. PASS if source is TRUSTED network and destination is LAN network), and I'm seeing firewall logs with traffic being allowed matching this rule, just nothing ever happens - pings get 100% packet loss, pages never load, etc.

 

I suspect this is still VLAN related, though uncertain what it could be. All of my servers are on a Proxmox box attached to TL-SG108E port 3, and I tried that port both tagged and untagged in VLAN 1, but neither seems to work.

 

If you want to make the devices connected in TRUSTED VLAN 10 able to communicate with the server connected to Port 3 (VLAN 1), I think you need to add Port 3 to VLAN 10 as an Untagged port, and configure the PVID of Port 3 as 10.

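As an added illustration (not part of the thread), here is a small Python model of 802.1Q forwarding on an 8-port switch, used to check what the two suggested changes do: the accepted solution's tagged trunk ports, and the last reply's Port 3 untagged in VLAN 10 with PVID 10. Port numbers and VLAN IDs are the thread's; the "before" table is an assumption, since the poster's screenshots did not survive.

```python
# Added example, not from the thread: a minimal 802.1Q forwarding model of a
# TL-SG108E-style switch.  Port numbers come from the thread; the exact
# "before" table is an assumption (the poster's screenshots are missing).

def egress(members, pvid, in_port, tag=None):
    """Ports a frame is forwarded to, as {port: VID-on-wire or None}.

    members: {vid: {port: "T" | "U"}}  (802.1Q VLAN table, T=tagged, U=untagged)
    pvid:    {port: vid}               (VID assigned to untagged ingress frames)
    tag:     VID carried by the incoming frame, or None if it is untagged
    """
    vid = pvid[in_port] if tag is None else tag
    if in_port not in members.get(vid, {}):
        return {}                       # port is not a member of that VLAN: dropped
    return {p: (vid if mode == "T" else None)
            for p, mode in members[vid].items() if p != in_port}

# Assumed original table: trunk port 1 (pfSense) only untagged in VLAN 1,
# so VLAN 10 / VLAN 7 frames from the AP on port 2 have nowhere to go.
BEFORE = {1: {p: "U" for p in range(1, 9)},
          10: {2: "T"},
          7: {2: "T", 6: "U", 7: "U", 8: "U"}}
PVID_BEFORE = {p: 1 for p in range(1, 9)}

# After the accepted solution: ports 1 (pfSense) and 2 (AP) tagged in every VLAN.
AFTER_TRUNK = {1: {1: "T", 2: "T", **{p: "U" for p in range(3, 9)}},
               10: {1: "T", 2: "T"},
               7: {1: "T", 2: "T", 6: "U", 7: "U", 8: "U"}}
PVID_TRUNK = dict(PVID_BEFORE)

# After the last reply: Port 3 (server) also untagged in VLAN 10, PVID 10.
AFTER_PORT3 = {vid: dict(ports) for vid, ports in AFTER_TRUNK.items()}
AFTER_PORT3[10][3] = "U"
PVID_PORT3 = {**PVID_TRUNK, 3: 10}

def dhcp_discover_from_ap(members, pvid, vid):
    """Where a tagged DHCP Discover from the AP (port 2) is flooded to."""
    return egress(members, pvid, 2, tag=vid)

def server_reply(members, pvid):
    """Where an untagged reply from the server on port 3 is forwarded."""
    return egress(members, pvid, 3)

if __name__ == "__main__":
    print("before:", dhcp_discover_from_ap(BEFORE, PVID_BEFORE, 10))
    print("trunk fix:", dhcp_discover_from_ap(AFTER_TRUNK, PVID_TRUNK, 10))
    print("port 3 fix:", egress(AFTER_PORT3, PVID_PORT3, 2, tag=10))
```

With ports 1 and 2 tagged in every VLAN, `server_reply(AFTER_TRUNK, PVID_TRUNK)` shows the server's untagged VLAN 1 traffic leaving port 1 with a VID 1 tag; whether pfSense's untagged LAN interface accepts such frames is worth checking when diagnosing the remaining VLAN 10 to VLAN 1 problem.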