How To Setup VLANs With pfsense & UniFi 2023

Captions
Tom here from Lawrence Systems, and we're going to talk today about setting up UniFi controller version 7 (7.0.25 is the latest as of April 2022) and using pfSense to define the networks, configure the VLANs, and make sure they play nice, essentially, and are interoperable with doing this inside UniFi. The reason for this video: we use a lot of pfSense and we use a lot of UniFi, and they do work perfectly fine together. I've talked before about some of the shortcomings of the UniFi routing equipment, which is why we frequently use pfSense instead as the firewall, with UniFi for switching and access points. This is a video on how to get these two things to work together, but to keep it narrower in scope, I have a video down below about how to get pfSense generally configured and set up (my longer video on that), and a shorter video specifically on setting up pfSense for home networks. Those videos are linked down below, because I'm not going to dive deep into the pfSense firewall rules in this video; we keep it narrower, to just how to configure the VLANs. Everything is time-indexed down below so you can jump to the part that's most relevant to you, because we will be starting with some fundamentals of defining VLANs. I also have other videos linked where I discuss network design, VLANs, and some other broader topics.

But before we get into all of this, let's first: are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration, or IT teams in need of additional support. With our expert install team we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel. And now back to our content.

Now, the first place I want to start is with this Wikipedia article, because I want some common language that I'll be using to be in the front of the video here. Of course you can skip ahead if you want, but this is where the troubleshooting is, and where people most frequently screw up when setting up VLANs: the portions of the network that are VLAN aware. I think that's a really important part to highlight here. When I say that, and as it says here in the Wikipedia article, when you have your pfSense and your UniFi, which are both VLAN-aware devices (software products and hardware products), we're talking about two things that are VLAN aware. Some things are not. That may include your hypervisor; people have trouble when they virtualize pfSense, because the hypervisor adds another layer to your network, and if your hypervisor does not automatically pass any type of VLAN traffic, this is one of the first troubleshooting things you'll run into. Next, when you have switches involved that are not UniFi: as I said, pfSense and UniFi are VLAN aware, but other switches in between don't always behave the same way, and whether or not they're VLAN aware is going to vary by make and model. If it's not VLAN aware, it will frequently just throw away the VLAN tags and not pass that traffic on. So that is a challenge that you run into, or I should say we've run into a lot with consulting: we see people trying to figure out why they can't get data to traverse the network, and it's going to be portions of the network that are not VLAN aware, and you have unpredictable behavior.

Next, it's important to understand that not all switches will traverse traffic that's not defined. What happens is, if you set up a VLAN in pfSense and you put a VLAN-aware switch between pfSense and your UniFi, that switch may not, depending on the manufacturer and the settings within it, pass along any traffic that is not implicitly defined. So if you define a VLAN in pfSense but you don't define it in an intermediary switch, it may not pass the traffic along to UniFi. Now, the default behavior of UniFi is to actually take that data that is coming into it, and it doesn't care if you've defined all the VLANs. So if you create a VLAN in pfSense but it is not defined within the UniFi switch system (the UniFi software-defined networking platform), it will still pass that along to the next switch. It doesn't know what to do with it, but it doesn't do anything bad with it and throw it away. Some switches, as I said, do this. I just want to put this here because these are just really common problems people have, or problems we run into when we're consulting: the extra switches, or switches that require implicit definition of each VLAN that you set up.

Now, one more thing I want to mention is this little graphic right here: this is your frame format. This is the optional header, the 802.1Q header. The extra information for the VLAN tag is just like it sounds: it's an extra piece of traffic information that's in there to separate the networks. You've got to remember, VLANs share bandwidth and they share the physical line; it's really nothing more than an extra tag to help define where the traffic is. It's also important to remember the native VLAN, the default for the port: when that tag is missing, that traffic becomes what may be referred to as VLAN 1 in some places, but essentially it's your native traffic versus your tagged traffic. All that traffic is traversing down the same line, so there's always the potential that if someone is on the native network, depending on configuration, if that data passes through them they would be able to pull those tags, and you can actually capture all the packets on that particular line: not just the native VLAN, but any VLAN tags, separated out. This would be an example if you're doing a packet capture with Wireshark: everything that traverses that whole line right there. That may or may not be what you're looking for, but it's just something to be aware of, that all the data goes through that one pipe.

All right, now let's get to the functional part of setting this up. Now, this configuration is based on the video about securing and setting up good pfSense firewall rules for your home; that video is linked down below. So as I said, I won't be diving deep into the rules, but these are actually the same networks I have defined. The internet comes in and goes into WAN, and then, for clarification, I've labeled it igb2; it's also called LTS_Tom inside of pfSense, because you can give practical names to it, but the interface is igb2. It's important to understand that, as you'll see when we set up the VLANs inside of pfSense. So for the scope of this particular part of the video we're only talking about two networks: 172.16.16.0 is the native. I put VLAN 1, but it's also the native VLAN, so we understand that's the same thing, no VLAN tag on it; that's your default traffic that's going to come out of this. Then we have added 192.168.60.0/24 as VLAN 60.

Physically they come out of a single wire from igb2 and go into port 24 on my UniFi switch. Now, a couple of important notes. I put the settings for the ports we're talking about on here, but unless you've changed things, the default setting for UniFi is All, as in let all traffic in and pass all traffic to the next device. That means if you have another UniFi switch, you want the settings between the two switches to be All on the outgoing switch and All on the incoming switch for the connection between them. This allows all VLAN traffic to head over to the next switch; that way, as we define it on a specific port, we will be able to do that on any switch within the network, provided they're all connected with All in between them. This also goes for the UniFi access points; they are VLAN aware. If you're dealing with a non-UniFi access point that is not VLAN aware, then yes, you would set something other than All on the port; that would be out of scope for this particular video, but we're assuming you're using a VLAN-aware one, or specifically a UniFi one. Then, with UniFi, you want All, which is port 24, and then port 16, where the access point is plugged in, to be set to All. The UniFi access point itself, as you define an SSID, has the option to look at the VLAN tags, so all the different traffic, and even though it's only one VLAN, we can have many VLANs attached to this one igb2 port (we actually have more than one; you'll see later in the video), but they all come to the access point. Then the function of the access point says: all right, you've defined these VLANs, which one do I send? By default it's going to send the native, but when we set up an SSID, we have the option of choosing any of the defined VLANs within the UniFi controller to tag those and assign those to the SSID. So that's what we're going to do next, to show you how that part of the system works, where we define them in pfSense, define them in UniFi, and eventually define them in an SSID.

Now, first let's talk about defining them in pfSense. Right here under VLANs we have VLAN 60, and we have this other extra VLAN that I have on here (a little out of scope), but we'll have that one defined as well. If you want to define a VLAN, the first problem and mistake many people make is with the parent interface: choose the proper parent interface. That's why I label them like this, because when you're looking at them from this aspect inside of pfSense you see the parent interface number, igb2 for example, and then you would set the tag: just type in whatever tag you want. You can define them if you're using any VLAN priority (out of scope for this video), but that is an extra piece of information that's within there; refer back to that Wikipedia article. Give it a description: this VLAN is for something, whatever you want to put in there. Maybe spell something right; always important. So that's how you define them, pretty simple. When we go over to the interface assignments, this is where they have more common names: you see igb2 is called the easier-to-remember LTS_Tom name right here, but then here's that VLAN 1337 and the one that we're talking about for this video, VLAN 60, and you can see they're attached to these interfaces of igb2. This means physically that port is going to have all that extra traffic for these two VLANs on it. We're only using one of them for this particular part of the demonstration, but you get the idea that you'll assign these as interfaces, and that's covered in my other pfSense videos.

Now let's go over to UniFi and define them there. We're going to click on the gear icon for Settings, and go to Networks. Now, for networks you have your Default, and I do not have a UniFi routing device in here, so none of these settings really affect much, but this is where you can set your default one. You don't actually have to; UniFi doesn't care, because we're not using any of this, but this does allow you to set the IP address even when you don't have a network defined within here, if you want to set up what they refer to as the main network, the default LAN 1 network. But it's really not in use, because I don't have a UniFi routing device. You can see we have these: VLAN only, VLAN only, and VLAN only. So let's go ahead and create a network, and we'll just call it Test. Select router: there's no router in here, and we actually want VLAN only. If you're not using any of the UniFi routing equipment you can check VLAN only, and then you can define it. Obviously, if you're using UniFi routing equipment this gets a little bit more complicated, and yes, it defines it on the routing equipment at the same time, but VLAN only means we're only defining VLANs on UniFi access points and switches; no routing equipment involved in this. So we pick the tag. We already have VLAN 60 created, and it won't let me create it again, but whatever tag number you come up with, you put that in here and away you go. There are a couple of other options you can do on a per-network basis, out of scope for this; we'll just say set the VLAN tag. So if we go back and look at these networks, and we look at this one right here, we see VLAN only, VLAN ID 60, matching what's in pfSense. That's incredibly important, because following standards, you can't have different numbers or it won't work, because it won't know what tag to look for.

Then we're going to go over here to Wi-Fi and show you how that's done. Right here is CAM LAN, the camera network, and when I click on this you can see that VLAN only. You can choose the pull-down, and I can choose different options if I wanted: whether it's the LTS_Tom native network, the LTS 1337, or this other one I've defined that we'll cover later in the video. But that's it, that's all you have to do when you're creating it. We can even go back over to Wi-Fi here: if you hit Create New Network, you can see the pull-down works the same way. This is how you define it, and as long as you have the port setting going to this device set to All on the switch, great, it's going to send all the traffic, but then the defining part inside the access point is defined right here, to say only pull this particular VLAN and create an SSID with it. This is how you get the different networks all segmented out inside of here.

Now let's actually look at the switch settings themselves. So if we go back here to UniFi Devices (and we want to leave here; I don't want to make any changes), we'll look at the ports on here. Now, I have a lot of cameras plugged in, so CAM LAN 60 is an ideal place for where we want these cameras. So if we look, and I mentioned port 24, the uplink, is set to All, but we want to go in and look at these ports here; you notice it says profile CAM LAN on it. Let me make this a little bit bigger. The way you do this is really simple: you go to the ports and look at the port right here, and then we're going to go into the port profiles. This is something that I think UniFi should fix: they used to have the pull-down go down further, and this is overlooked frequently, with people going "I don't know where my networks are." I'm just scrolling down with the mouse to see them right here, and I can change any of these ports to be on different networks. I want this port assigned to CAM LAN, so we just go down here, we choose CAM LAN, and now this particular port is attached to that VLAN 60 tag, and the data coming out of that port: because if it was set to All, all VLANs would come out of the port. When we narrow it down to say CAM LAN, like we do here, or any one of these other defined VLANs, you've now narrowed it in scope, so that becomes what comes out of that port, native; no other traffic from the other VLANs comes out of that port. It becomes the native traffic now for CAM LAN. And that's it, that's how you define the VLANs, that's how you get them to work on any individual port or an SSID.

Now I want to go into a slightly more advanced scenario that you may run into, because, well, there are sometimes some unique networks you get set up, or how I've got my network set up here. Now, if your use case was exactly what I showed in the last diagram, stop there; don't confuse yourself with this one here. But this is to answer the question about a slightly common use case, a little bit more advanced in the way you want to set things up, and also another way to think about how VLANs work on here. Now, we have VLAN 60 defined inside of pfSense, but you may have noticed we don't have VLAN 10 defined inside of pfSense. That's because 192.168.1.0/24 comes out of port igb1 natively. It comes natively out of that port, which means the port setting (and that happens to go into port 18): we set the port to VLAN 10. This setting allows for all the other ports that are set to VLAN 10, because we're going to define VLAN 10 inside of UniFi only. Any port set to VLAN 10 you can think of as its own switching network. So even though there are multiple switches (remember, between two switches we still want All set between them), all the ports that we set to VLAN tag 10 act as a specialized switch, essentially; so it's just a switch, but it's always native. There's no other VLAN traffic going in there. This allows me, instead of having all the traffic shared on one physical interface, to take this other interface. This is a common setup you'll find in a lot of networks, where you don't necessarily need everything defined inside of, or tied to, a single interface, because, well, there are bandwidth limitations because you're sharing physical media. But now each one of these ports has full one-gig access to the network, and lots of traffic can be traversing back and forth on the VLAN 10 network, and it's not going to interfere or be in competition with the bandwidth that I'm using for ports tied to the other native network. So a little bit more advanced config, but it still works the same way.

So let's go ahead and dive into the details on this one. First, as I mentioned, it's not defined at all in the VLANs in pfSense. It is defined, though, because it is important to understand what interface this is. We refer to this as the NSFW LAN, same as from that video I referenced earlier, and it's on igb1, physical port igb1, which now connects to... and this is where we'll switch over to UniFi. We go over to UniFi here, we go to the settings, and we want to look at the networks. igb1 is the port, but inside here we want it tied specifically to NSFW Net with VLAN 10. This is arbitrary; you can assign it whatever, because we're defining it only inside of here. Then let's go back over and look at the connections. If we go over to the UniFi switch again, go to the settings, and look at the port right here, port 18, I have it labeled "pfSense NSFW network device uplink." So it comes physically out of port igb1 and goes into port 18, but because we're not using any VLAN tags (or if I were to change this right here: we've got it set to the VLAN tag here, but we're not tagging anything in pfSense), we want it coming in natively as NSFW Net. If I were to change this port to All, I would now mix the traffic and cause a mess: it would bring both interfaces into the switch, and they'd both be native in the same area, therefore you would get random DHCP requests and overlapping networks and a headache to deal with. So because we've narrowed this in scope, we say nope, treat this right here as NSFW Net, pull this in and only share it to any other ports that you have defined with NSFW Net. So we go back over here and we look at something like port 23.

I don't want my son's computer on my LTS_Tom network; I consider his gaming computer something that I want on NSFW Net, so I've defined each device, such as my son's computer, over to NSFW Net. That way anything that's plugged into there is always on that same network. As I said, all the ports act together, because you're defining the VLAN within the UniFi controller but not in pfSense, so all these ports being set to NSFW Net act as a switch; even though they may be across multiple devices, they all act together as if you're plugging them into the same network, because they're not dealing with any VLANs from pfSense. It's all just different devices connected to all these same switch ports, all marked this way. This also applies to SSIDs. So when you go over here to the settings and look at the Wi-Fi networks, and you look at this one right here, referred to as Beer, you'll notice Beer is tied to this as well. Now once again, All is the setting going to feed the access point, and then it realizes, in the definition of the SSID and how we defined it in the software-defined controller here, that it's going to peel off NSFW Net, and it knows that's connected to that uplink port. It says all right, we share everything on this as a switch, and it extends over to the SSID. Therefore this doesn't allow any mixing of the traffic, and now we have all of the traffic that we want, only for that particular network, going out only on this SSID; you're not mixing or commingling any of the other networks together.

Now, these couple of scenarios I just covered are pretty basic still, but I wanted people to start to get the hang of some of the VLANs. I always like reading what questions and comments come from this, because I do plan in the future to do another small office network setup video this year that will really break down things like LLDP and a few other features that are beyond the scope of this particular video. There's still a lot more you can do when it comes to tagging with VLANs, setting different ports and defining different things such as phone networks and stuff like that with LLDP. There's still a lot more that I didn't cover; I wanted to keep this narrow in scope, but I will do some future videos, and of course I'm always reading the comments and the forums and listening to feedback to see what aspects people maybe need a little more help with, a little better definition of, so we can get more people understanding how these networks work, because that's really the goal of a lot of these videos. I think UniFi has done a great job compared to some of the other switch manufacturers of generally making VLANs easier to manage. That being said, you're still dealing with a little bit more complicated topic of networking when you think about tagging and having lots of traffic be parsed by different switches, but hey, nonetheless, I think it's interesting and it's all part of the learning process. Thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
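As an added example (mine, not code from the video, Lawrence Systems, Ubiquiti or pfSense), the Python below models the two mechanisms the transcript above relies on: the 802.1Q frame format, where "native" traffic is simply a frame with no tag and a capture on the trunk cable sees every VLAN, and the switch-port behaviour, where a port set to All passes everything through tagged while a port pinned to one network strips the tag on the way out and drops every other VLAN, and where an untagged frame arriving on that port lands in the port's own VLAN (the igb1 / port 18 case). The port-profile model, MAC addresses, payload and port assignments are assumptions I constructed for the demo, not UniFi's actual data structures.

```python
"""Minimal 802.1Q parser plus a toy VLAN-aware switch port (added example, not
from the video). Port "profiles" are my simplification of the UniFi idea: a
native VLAN plus the set of VLAN IDs accepted with a tag."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID: this value in the EtherType slot means a tag follows
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]     # None when the frame carried no 802.1Q tag (native traffic)
    pcp: int               # 802.1p priority bits from the TCI, 0 when untagged
    ethertype: int         # EtherType of the payload after the header(s)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame into fields, pulling out the optional 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != ETHERTYPE_8021Q:
        return Frame(dst, src, None, 0, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", raw[14:18])   # TCI = PCP(3) | DEI(1) | VID(12)
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, inner, raw[18:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Inverse of parse_frame: the 4-byte tag is inserted only when vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


@dataclass(frozen=True)
class PortProfile:
    name: str
    native_vid: int               # VLAN for untagged ingress; tag stripped on egress
    tagged_vids: FrozenSet[int]   # VLANs carried on this port with the tag intact


ALL = PortProfile("All", 1, frozenset(range(1, 4095)))   # trunk: native 1, rest tagged


def single_network(name: str, vid: int) -> PortProfile:
    """A port pinned to one network: only that VLAN, always untagged (access port)."""
    return PortProfile(name, vid, frozenset())


def ingress(port: PortProfile, raw: bytes) -> Optional[Tuple[int, Frame]]:
    """Classify an arriving frame into a VLAN, or None if this port drops it."""
    f = parse_frame(raw)
    if f.vid is None or f.vid == 0:      # untagged or priority-only tag -> native VLAN
        return port.native_vid, f
    return (f.vid, f) if f.vid in port.tagged_vids else None


def egress(port: PortProfile, vlan: int, f: Frame) -> Optional[bytes]:
    """Untagged for the port's native VLAN, tagged for a permitted VLAN, else dropped."""
    if vlan == port.native_vid:
        return build_frame(f.dst, f.src, f.ethertype, f.payload)
    if vlan in port.tagged_vids:
        return build_frame(f.dst, f.src, f.ethertype, f.payload, vid=vlan, pcp=f.pcp)
    return None


def forward(in_port: PortProfile, raw: bytes, out_port: PortProfile) -> Optional[bytes]:
    """Switch one frame between two ports (MAC learning omitted on purpose)."""
    hit = ingress(in_port, raw)
    return None if hit is None else egress(out_port, hit[0], hit[1])


def vlans_on_wire(frames: List[bytes]) -> Set[Optional[int]]:
    """What a capture on one cable sees: every VLAN present, None meaning untagged."""
    return {parse_frame(r).vid for r in frames}


# Constructed sample traffic: locally administered MACs and a dummy payload.
PFSENSE_MAC, CAMERA_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
DEMO_PAYLOAD = b"\x45" + b"\x00" * 19
NATIVE = build_frame(CAMERA_MAC, PFSENSE_MAC, ETHERTYPE_IPV4, DEMO_PAYLOAD)
TAGGED_60 = build_frame(CAMERA_MAC, PFSENSE_MAC, ETHERTYPE_IPV4, DEMO_PAYLOAD, vid=60)
TAGGED_1337 = build_frame(CAMERA_MAC, PFSENSE_MAC, ETHERTYPE_IPV4, DEMO_PAYLOAD, vid=1337, pcp=5)


def demo() -> dict:
    uplink = ALL                                 # assumed: switch port facing pfSense igb2
    cam_port = single_network("CAM LAN", 60)     # assumed: a camera port
    nsfw_port = single_network("NSFW Net", 10)   # assumed: port facing igb1, untagged in pfSense
    to_cam = forward(uplink, TAGGED_60, cam_port)
    return {
        "cam_port_gets_vlan60_untagged": to_cam is not None and parse_frame(to_cam).vid is None,
        "cam_port_drops_native": forward(uplink, NATIVE, cam_port) is None,
        "cam_port_drops_vlan1337": forward(uplink, TAGGED_1337, cam_port) is None,
        "trunk_keeps_priority": parse_frame(forward(uplink, TAGGED_1337, ALL)).pcp == 5,
        "untagged_on_all_lands_in_vlan1": ingress(ALL, NATIVE)[0] == 1,
        "untagged_on_nsfw_lands_in_vlan10": ingress(nsfw_port, NATIVE)[0] == 10,
        "capture_on_trunk_sees": vlans_on_wire([NATIVE, TAGGED_60, TAGGED_1337]),
    }
```

Running `demo()` shows the point of the transcript's "All versus one network" distinction: the same VLAN 60 frame leaves a trunk port still tagged and leaves a CAM LAN port with the tag removed, and the only thing that decides which VLAN an untagged frame from pfSense lands in is the profile of the switch port it enters, which is why setting port 18 to All would merge the igb1 traffic into VLAN 1 alongside igb2's native traffic.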
Info
Channel: Lawrence Systems
Views: 147,327
Keywords: LawrenceSystems, pfsense setup, pfsense vlan, pfsense router, unifi switch, access point, pfsense and unifi controller, pfsense unifi vlan, pfsense unifi vlan setup, pfsense unifi vlan dhcp not working, pfsense unifi ap vlan, ubiquiti networks, pfsense setup vlan, pfsense vlans setup, pfsense vlan firewall rules, pfsense vlan tagging, pfsense vlan trunk, pfsense router setup, vlan port assignment
Id: WMyz7SVlrgc
Length: 21min 57sec (1317 seconds)
Published: Mon Apr 04 2022