Access Point with VLANs best practice

The question: If I have a unifi AP using VLANs for a few different SSIDs, and those VLANs are being used by a 16 port switch and pfSense box, is it better to:
a) Use a pfSense physical interface just for the Unifi AP and then use rules for SSID/VLAN segregation
b) plug Unifi AP into 16 port switch and assign and trunk VLANs where necessary?

I currently have it in the latter, “B”, but after a power outage made by an APC not prevented by an APC, my network is wonky. The only things that make sense are:
a) restoring the corrupted pfSense settings isn’t so “restored” (though reviewing the DHCP settings, firewall rules etc. it looks restored)
b) the 16-port switch all these things are plugged into didn’t have its settings saved and so lost some recent changes when it lost power.

Currently reviewing the 16-port switch (the VPN-aware “smart” switches from TP-Link that are not that intuitive to set up), as some of my SSIDs can’t get internet despite me blowing the rules wide open on pfSense, reviewing gateway settings in advanced, etc. But it has me thinking: maybe I should use one of the pfSense interfaces as a dedicated wifi AP port to ensure routing and rules are working as desired.

I’m thinking my band-aid, jacked-up previous setup that had weird nuances was always hindered by some VLAN misconfigurations on the switch, and Layer 2 was allowing me connections, bypassing pfSense, which was why a lot of my rules were not working as intended, and now it’s worse off after a switch power cycle.

B

That said, I don’t know what’s up with all the other stuff you describe. I know $$, but keeping AP and switch in the same vendor will make your life easier.

2 Likes

Yep.

Could Unifi and TP-Link VLAN tags be outside of some standard? I went to TP-Link’s monitor and saw that pretty much every VLAN-tagged port had a lot of bad packets, except the two that are members of VLANs but untagged/PVID.

No, a VLAN is a very specific layer 2 thing. They would be absolutely insane to go out of standard with plain old VLANs.

Time to start using tcpdump and/or wireshark.

1 Like

Well… that is not quite the entire story. VLANs are a standard, and they are compatible across vendors. That does not mean the implementation is standard. Cisco trunk ports are handled BASS ACKWARDS compared to most vendors. HP ProCurve is like a 100% by-the-book standard implementation.

My point here is that Unifi actually implements VLANs in a way that makes them easy to set up across Unifi stuff, but causes extra steps to be required if mixing vendors.

1 Like

I use Unifi switches and APs with a virtual pfSense router/fw. Never had any issues with VLANs and pfSense + Unifi. Something is wrong with your configs somewhere. I think that taking the switch back to basics and checking its configs is a great step in the right direction.

4 Likes

I just meant that 802.1Q formatting of a frame should always be consistent (afaik). If you’re relying on other features that leverage or expand on that, or expect the configuration interface to be intuitive, then you might be in for a bad time.

1 Like
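Two replies above point the same way: the 802.1Q tag format itself is fixed, so the useful check is to look at the actual frames (tcpdump/Wireshark) and compare the VLAN IDs you see with the VLANs each switch port is actually a member of. The script below is an added example, not code from any poster or from Unifi, TP-Link or pfSense: it builds constructed tagged and untagged frames, decodes the 802.1Q/802.1ad tag stack the way a capture tool would, and applies a simplified, hypothetical model of a VLAN-aware port (PVID plus tagged/untagged membership sets) to show which frames a port would admit and which it would discard at ingress. The port description format is an assumption for illustration and does not mirror any vendor's data model.

```python
"""Decode 802.1Q-tagged Ethernet frames and model a switch port's VLAN
admission rules. Added example; all frames below are constructed,
not captured from anyone's network."""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100   # standard customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ) outer tag
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct an Ethernet frame; vid=None yields an untagged frame."""
    hdr = _mac_bytes(dst) + _mac_bytes(src)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)       # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk any 802.1Q/802.1ad tags after the MAC addresses and return
    the tag stack (outermost first), the inner EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                                  # reached the real EtherType
        if len(frame) < offset + 6:                # TPID+TCI+next EtherType
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": _mac_str(dst), "src": _mac_str(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def admit_ingress(port: dict, frame: bytes) -> Tuple[bool, Optional[int], str]:
    """Simplified ingress model (assumption, not any vendor's exact logic):
    port = {"pvid": int, "tagged": set, "untagged": set}.
    Untagged or priority-tagged (VID 0) frames are classified into the
    PVID; tagged frames are admitted only if the VID is a member VLAN."""
    parsed = parse_frame(frame)
    members = port["tagged"] | port["untagged"]
    if not parsed["tags"] or parsed["tags"][0]["vid"] == 0:
        vid = port["pvid"]
        if vid in members:
            return True, vid, "untagged frame classified into PVID"
        return False, None, "PVID is not a member VLAN on this port"
    vid = parsed["tags"][0]["vid"]
    if vid in members:
        return True, vid, "tagged VID is a member of this port"
    return False, None, f"tagged VID {vid} is not a member of this port"


def demo() -> list:
    """Run constructed frames through a hypothetical AP-facing trunk port."""
    ap_port = {"pvid": 1, "untagged": {1}, "tagged": {10, 20, 30}}
    bcast, ap = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
    frames = [
        build_frame(bcast, ap, ETH_P_ARP, b"\x00" * 28),             # mgmt, untagged
        build_frame(bcast, ap, ETH_P_IP, b"\x45" + b"\x00" * 19, vid=20, pcp=3),
        build_frame(bcast, ap, ETH_P_IP, b"\x45" + b"\x00" * 19, vid=40),  # not trunked
    ]
    return [admit_ingress(ap_port, f) for f in frames]


if __name__ == "__main__":
    for ok, vid, why in demo():
        print("ADMIT" if ok else "DROP ", vid, why)
```

On a real host the equivalent view comes from `tcpdump -e -i <iface> vlan`, where `-e` prints the link-level header including the VLAN ID and priority of each tagged frame; a VID showing up on a port that is not a member of that VLAN is exactly the mismatch the admission model above flags.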

I’m about to go scorched earth and start fresh: a new image of pfSense with no config loaded, nuke all VLANs on the 4 TP-Links, go flat network, and then maybe slowly build some segmentation back in, a little at a time.