HI folks,

I'm having some issues getting everything set up correctly and am hoping someone can assist.

My intent is to create 3 VLANs - 1 default plus 2 additional. The additional ones should selectively (based on VLAN tag and firewalling) be allowed to access to the LAN, where trusted devices live. I essentially want random devices on the network (e.g. IoT & guest devices) to not get access to my servers.

Here's the physical device setup:

WAN -> pfSense

  pfSense -> Port 1 on TL-SG108E

    TL-SG108E ->

      Port 2 -> Unifi 6 Lite AP

      Port 3 -> trusted server

      Port 6 -> untrusted wired client

      Port 7 -> untrusted IoT client

      Port 8 -> untrusted IoT client

I have pfSense on a VM with IP 192.168.10.1. In it, I've set up various VLANs, and networks to match:

VLAN 1 - default LAN - 192.168.10.1/24 (DHCP enabled)

VLAN 10 - trusted - 192.168.20.1/24 (DHCP enabled)

VLAN 7 - untrusted guest - 192.168.200.1/24 (DHCP enabled)

On the Unifi 6 Lite AP I created networks and wireless networks, mirroring those above:

Network: trustednet, VLAN 10 (DHCP relay to pfSense)

Network: guest, VLAN 7 (DHCP relay to pfSense)

The problem is, when wireless clients connect to networks provided by the Unifi, they associate but do not receive an IP address. Similarly, when I plug wired clients into ports 6, 7, and 8, they do not get IP addresses. I'm certain this is something to do with the VLAN setup as initially I had a simple port-based VLAN, which worked for the Unifi (but did not work on the wired clients). I then changed it to 802.1Q VLAN as follows:

This was per:

https://www.tp-link.com/us/support/faq/788/

https://superuser.com/questions/1140071/tp-link-tl-sg108e-vlans-to-separate-one-device-from-all-others

I also tried the config from the first answer here, which also did not work:

https://community.tp-link.com/en/business/forum/topic/76663

Would really appreciate any suggestions, I'm about at my wits' end.