pfSense + TL-SG108E + Unifi AP - VLAN issue?
Hi folks,
I'm having some issues getting everything set up correctly and am hoping someone can assist.
My intent is to create 3 VLANs - 1 default plus 2 additional. The additional ones should selectively (based on VLAN tag and firewalling) be allowed access to the LAN, where trusted devices live. I essentially want random devices on the network (e.g. IoT & guest devices) to not get access to my servers.
Here's the physical device setup:
WAN -> pfSense
pfSense -> Port 1 on TL-SG108E
TL-SG108E ->
Port 2 -> Unifi 6 Lite AP
Port 3 -> trusted server
Port 6 -> untrusted wired client
Port 7 -> untrusted IoT client
Port 8 -> untrusted IoT client
I have pfSense on a VM with IP 192.168.10.1. In it, I've set up various VLANs and networks to match:
VLAN 1 - default LAN - 192.168.10.1/24 (DHCP enabled)
VLAN 10 - trusted - 192.168.20.1/24 (DHCP enabled)
VLAN 7 - untrusted guest - 192.168.200.1/24 (DHCP enabled)
On the Unifi 6 Lite AP I created networks and wireless networks, mirroring those above:
Network: trustednet, VLAN 10 (DHCP relay to pfSense)
Network: guest, VLAN 7 (DHCP relay to pfSense)
The problem is, when wireless clients connect to networks provided by the Unifi, they associate but do not receive an IP address. Similarly, when I plug wired clients into ports 6, 7, and 8, they do not get IP addresses. I'm certain this has something to do with the VLAN setup, as initially I had a simple port-based VLAN, which worked for the Unifi (but did not work on the wired clients). I then changed it to 802.1Q VLAN as follows:
This was per:
https://www.tp-link.com/us/support/faq/788/
https://superuser.com/questions/1140071/tp-link-tl-sg108e-vlans-to-separate-one-device-from-all-others
I also tried the config from the first answer here, which also did not work:
https://community.tp-link.com/en/business/forum/topic/76663
Would really appreciate any suggestions, I'm about at my wits' end.
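Added example, not part of the original post: the poster's actual 802.1Q table is not shown, so the two configurations below are assumptions about what a working setup and one typical broken setup for this topology look like. The code models the 802.1Q rules a TL-SG108E-style switch applies (untagged ingress is classified into the port's PVID, a port must be a member of a VID to accept it, egress strips or keeps the tag per membership) and then asks the two questions that matter here: does a DHCP Discover from an untrusted port reach the pfSense uplink tagged with the right VID, and is the untrusted port L2-isolated from the trusted server port. Port numbers follow the post; placing the server in VLAN 10 and the AP's management on VLAN 1 are my assumptions.

```python
"""Sanity-check an 802.1Q VLAN table of the kind the TL-SG108E uses.

Constructed example: the configs below are assumptions about a working and
a typically broken setup for the post's topology, not the poster's real
switch configuration (which is not shown on the page).
"""

from dataclasses import dataclass

TAGGED = "T"    # frame leaves this port with its 802.1Q tag
UNTAGGED = "U"  # frame leaves this port with the tag stripped


@dataclass
class Switch:
    vlans: dict   # vid -> {port: TAGGED | UNTAGGED}
    pvid: dict    # port -> VLAN assigned to untagged ingress frames

    def ingress_vid(self, port, tag):
        """802.1Q ingress classification with ingress filtering on:
        a tagged frame keeps its VID, an untagged frame gets the port's PVID,
        and the frame is dropped (None) if the port is not a member of that VID."""
        vid = self.pvid[port] if tag is None else tag
        return vid if port in self.vlans.get(vid, {}) else None

    def egress(self, port, tag=None):
        """Flood a frame arriving on `port` (e.g. a DHCP Discover broadcast).
        Returns {egress_port: vid}, with vid=None where the frame leaves untagged."""
        vid = self.ingress_vid(port, tag)
        if vid is None:
            return {}
        return {p: (vid if mode == TAGGED else None)
                for p, mode in self.vlans[vid].items() if p != port}


# Port roles from the post: 1 = pfSense uplink, 2 = UniFi AP, 3 = trusted
# server, 6/7/8 = untrusted clients.  Assumption: the server sits in the
# "trusted" VLAN 10 untagged; the AP's own management stays on VLAN 1.
WORKING = Switch(
    vlans={
        1:  {1: UNTAGGED, 2: UNTAGGED},
        10: {1: TAGGED, 2: TAGGED, 3: UNTAGGED},
        7:  {1: TAGGED, 2: TAGGED, 6: UNTAGGED, 7: UNTAGGED, 8: UNTAGGED},
    },
    pvid={1: 1, 2: 1, 3: 10, 6: 7, 7: 7, 8: 7},
)

# Classic mistake on the Easy Smart UI: the membership table is filled in,
# but the separate PVID page is left at the default of 1 for the client ports.
BROKEN = Switch(vlans=WORKING.vlans, pvid={1: 1, 2: 1, 3: 1, 6: 1, 7: 1, 8: 1})


def dhcp_path(sw, client_port, uplink=1):
    """Does an untagged DHCP Discover from client_port reach the pfSense
    uplink, and with which tag?  -> (reaches_uplink, vid_on_uplink)"""
    out = sw.egress(client_port)
    return uplink in out, out.get(uplink)


def isolated(sw, a, b):
    """True if no frame from port a, untagged or tagged with any configured
    VID, can be forwarded to port b at layer 2."""
    return all(b not in sw.egress(a, tag) for tag in [None, *sw.vlans])


if __name__ == "__main__":
    for name, sw in (("working", WORKING), ("broken", BROKEN)):
        print(name, "| port 6 DHCP ->", dhcp_path(sw, 6),
              "| AP trusted SSID (tag 10) ->", sw.egress(2, 10))
    print("untrusted port 6 isolated from server port 3:", isolated(WORKING, 6, 3))
```

With the assumed working table, a Discover from port 6 reaches port 1 tagged 7 (so pfSense's VLAN 7 DHCP server can answer), and no frame from port 6 can be forwarded to port 3. With the PVID left at 1, the untagged Discover is classified into VLAN 1, port 6 is not a member of VLAN 1, and the frame is dropped at ingress: exactly the "associates but never gets an IP" symptom, with nothing ever arriving at pfSense. The model covers only the physical switch; because pfSense runs as a VM, the hypervisor's virtual switch must also pass the tagged frames through to the guest, and the pfSense VLAN interfaces must be children of the same parent NIC that carries the LAN.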