This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
Setup VLAN on GS724Tv3 with pfsense and Unifi AP:s
In an effort to try to increase my home network security I wanted to introduce separate VLAN:s for some IoT devices and further on also a separate VLAN for gaming consoles and similar units. I think I have read about every thread there is her on the forums regarding VLAN setup, but still not able to get it working.
My setup is a small server running pfsense (virtual in ESXI, but that should not matter I think), a Netgear GS724Tv3 switch and 4 Unifi Access Points. I'm attaching some screenshots on the confuguration and describing it in more detail below.
I have configured the extra VLAN (VLANId 50) on the current LAN interface in pfsense and also enabled the DHCP server to serve on the 192.16.50.0/24 network. The firewall rules is deny for the other LAN networks and allow all originating from this VLAN.
The UNIFI AP:s all have the different SSID:s on them. The "normal" wifi net is working without problems and the separate Guest net as well. I could setup another guest net, but since UNIFI the has client isolation I wouldn't be able to communicate with the devices I do want to be able to reach from my normal net.
The AP:s are connected to ports 5,19, 20 and 21 and the router is connected to port 1.
I have tried different combinations of tagged, untagged for those ports but so far no luck. I have used port 22 as a test port to try to get a laptop to get an IP address in the 192.168.50.x-range but no luck, it is still getting one from the 192.168.1 range.
Re: Setup VLAN on GS724Tv3 with pfsense and Unifi AP:s
Hint: Learn and test step by step, start about here:
Create the VLAN on all switches, eg. VLAN ID 50.
For the ports creating the link between the router and the switch, and later for the ports where the access points will be connected, add the VLAN 50 as [T]agged to both ports (on top of the VLAN 1 and PVID 1) - this does create the trunk for router<->switch and switch<->access point.
Then create a test port for the VLAN 50 - change one port on the switch to VLAN 50 [U]ntagged, PVID 50 - this does create an access port for the VLAN 50.
On this test access port, connect a compute, and figure out if it can get a network config from this network with the VLAN 50, and see if the communication to the outside world works, being Internet access, being communication wit the other networks and IP subnetworks.
Repeat the same with every other new network and VLAN you are going to add.
This is what we can help you with in the Netgear community. Your firewall interface and rules config, your UniFi access points (we know the base network is untagged, and all other networks are tagged), are up to you.
I have tried different combinations of tagged, untagged for those ports but so far no luck. I have used port 22 as a test port to try to get a laptop to get an IP address in the 192.168.50.x-range but no luck, it is still getting one from the 192.168.1 range.
Using a test port is fine, but trying is a bad approach. To easy to miss the essentials here. Both ends of the link must be set-up the same logical way - being for a trunk port, being for an access port. Could be the the switch config, the port configs are wrong or incomplete. Could be your virtual security appliance are wrong, could be your wireless access point configs are wrong ... Start exactly with the hints above. It's easy like 1-2-3.
PS. In-line images are under mandatory moderation, a Netgear moderator must clear all in-line images before these will become visible to the other community members, and the world.
Re: Setup VLAN on GS724Tv3 with pfsense and Unifi AP:s
I was away during the Easter holiday, so haven't been able to try before, but tried some today.
On my Netgear Switch I have port 1 (the port connected to my pfsense router) as a tagged (T) member of VLAN 50. Port 22 on the switch is set as an untagged (U) memeber of VLAN 50 and port 22 also has PVID set to 50. I have an old laptop running Windows 7 connected to switch port 22, but it's not getting any IP at all.
I have watched a ton of guides on youtube, so I am fairly confident my pfsense setup is correct, so I should get an IP adress in the 192.168.50 range, but still don't get one.
If I untag the ports I can get an IP address from my "normal" range without problems. So I'm not really sure where to look next?
Re: Setup VLAN on GS724Tv3 with pfsense and Unifi AP:s
Yes, I have double checked that all the VLANs have an enabled DHCP server.
I also allow all traffic in the firewall for now. It should work, I have more or less followed what multiple guides tell how to configure everything. I haven't yet tried to assign a static IP address on my laptop to the VLAN 50 range. Will do that and see if I get internet access.
