Great video... need more of these ASAP; no channel is covering Layer 3 for any equipment.
I am patiently waiting for ACLs to work in the switch so I could control the inter-VLAN traffic. Great video and thank you for the explanation.
Fantastic video, and channel! Lots of information regarding UniFi’s L3 switching that I could only find here.
I’m having a hard time wrapping my head around the interface creation in pfSense. What do I want my IP configuration to be and how does that fit into the rest of the setup? Thanks!
There is nothing special in pfSense to make the interface work with UniFi. Anything specific you would like to know?
@@hz777 sorry, I’m quite new and still learning. I’m just not sure at all how your interface is configured. When I’m typically configuring VLANs for control by pfSense, under interfaces I use static as the configuration type and input an IP address for that VLAN under IPv4 address. I’m just not sure what to put in these interface settings for VLAN 4040 to allow me to continue with gateway configuration. I’m sure the answer is simple but I don’t quite follow.
Thanks for explaining the question so well. Basically you create a normal VLAN 4040, then assign the VLAN to a normal interface on LAN, with a static IP address. The only thing to pay attention to is the static IP address: it needs to be in the same subnet as the UniFi L3 switch's internal gateway IP address. In my case, I set it to 10.255.253.1
very helpful video, thanks!
Thank you for the video.
Where is the default gateway for VLAN 4040 (10.255.253.1)? Do I need to configure that in the firewall interface?
I do have a new series of related videos with more details. You may want to check them out.
What an excellent video, I have a ton of planning to do in order to convert our current flat network to a Layer3 network, much more than I thought other than just purchasing the equipment. A bit overwhelming if I am honest. Going to be difficult to implement in a production environment within Active Directory.
What if you have an already established LAN network whose DHCP server is on the domain controller? How do you convert the Layer 2 network to this Layer 3 setup? We are using Sophos XG instead of pfSense, but similar I think.
There were discussions about DHCP relay when I made this video, but it was not supported at that time. Not sure whether the situation has changed now.
Can I hire you to go through my configuration and topology?
Thanks for a useful video. Question: does pfSense see all the devices on both VLANs? If so, is it possible to perform policy-based routing in the pfSense firewall for the WAN traffic?
I don’t have the environment for the video for now, but what I remember is pfSense was not aware of the two VLANs which were managed by the L3 switch, so it could not see the devices under those VLANs.
@@hz777 thanks, I wonder if such a setup is possible in pfSense. If so, it would be the perfect setup: let the USW handle the inter-VLAN traffic and pfSense handle all the policies for the WAN traffic. Too bad you don’t have the environment set up. I need to upgrade to a USW Pro and find out 😊
@@djdeepcrash I just did a simple test with another L3 switch. Yes, because of the static routing in pfSense, pfSense is able to ping the device in the VLAN managed by the L3 switch. And from the device in the VLAN, internet access is available, just without domain name resolving due to lack of name services. So without doing anything extra, the WAN access is already supported. As I know, policy-based routing is applied when you have multiple WANs, but in this case yes there are multiple gateways but only one is for WAN.
Does all of this still apply with the addition of the DHCP Relay functionality that was recently added?
Awesome video. Thanks man
Great tutorial. One question though - once traffic is flowing between the switches via L3, pfSense no longer has the ability to control that flow with firewall rules, right?
Yes and no. For traffic between the VLANs controlled by the UniFi L3 switch, right, pfSense cannot control it anymore. But for traffic that needs to go out, pfSense can still control the subnets.
I have updated videos in my channel.
How did you set up your port from your pfSense LAN to your L3 switch uplink? Is it set up as a trunk so it can see the 4040 VLAN also? Also, did you create a 4040 interface, assign it to the pfSense LAN and assign an IP?
In the video starting from ~18:30 I showed the pfSense settings. The VLAN 4040’s parent interface is the regular LAN interface.
That timestamp only shows the tagged VLAN; I understand that part. How did you set up the uplink port?
If you mean the UniFi switch side for that “uplink”, nothing related to L3; if you mean the pfSense side, still nothing more. VLAN 4040 is on the normal pfSense LAN interface, nothing special.
Not sure if I missed something, but you mentioned the gateway IP address of VLAN 4040 is 10.255.253.1 and the IP address on the L3 switch in your case was 10.255.253.3 (.2 in mine). When you set up pfSense I see nowhere that you actually used 10.255.253.1 in the setup, but you mentioned in the video that the gateway IP was important. Everything you set up in pfSense seems to refer to the switch IP address 10.255.253.3 only, so I am confused on where 10.255.253.1 comes into play here on pfSense. Thx
Okay, it seems that 10.255.253.1 is the IP address set on VLAN 4040 created on the firewall, WatchGuard in my situation.
In my understanding the .1 acts as a gateway within that switch, and the .x acts as an address which can be reached from pfSense and other switches.
Thanks for the video. I am still new to networking and was wondering if these VLANs 101 and 201 have internet access. I have a different router (a Cisco Meraki MX64), and the interface is a little different to pfSense. The only difference I can see is the gateway configuration for VLAN 4040 in pfSense (19:40). There is only an option in my VLAN interface to point to the MX IP. I have set that IP to the one on Ubiquiti's 10.255.253.2 (only 1 Layer 3 switch on my network). Have you got any idea as to why my VLANs on Ubiquiti cannot access the internet? Thanks again.
Yes, after the settings in my video, my two VLANs can access internet, but with IP addresses only. That’s why in the end I mentioned the name server setting in controller.
I know this is very old, but I had the same issue. Your firewall needs to be 10.255.253.1 (I had .100 in the beginning and it did not work) because that's where all the 0.0.0.0/0 traffic is being sent by UniFi by default.
@@gustavomoraes4908 I don't quite follow your issue, but I just checked the config in my lab environment. In my UniFi controller's settings, when setting up the VLAN, I don't have the DHCP DNS server enabled, and I have the DHCP default gateway set as auto. My client machine's DNS and internet work. Apparently Ubiquiti improved the config part, so now we don't need to worry about DNS anymore.
Nice video... but what if you want to block traffic between VLAN 101 and 201 at the L3 switch level? As I found out recently, not possible. Only with some temporary ACL which disappears if you restart the L3 switch. And then, what is the point of a Ubiquiti L3 switch? I'm very disappointed. I've searched a lot for a solution to avoid inter-VLAN traffic going to the router level (UniFi, pfSense, etc... whatever it is). Just to manage the inter-VLAN traffic at an L3 switch, with simple ACLs in between, and only the traffic that goes to the internet reaching the router. No solution with UniFi :( In this scenario the bottleneck will be, after all, that 1Gb uplink between the L3 switch and the router.
You are right: the answer is ACL, and I do have a corresponding video in my channel. However Ubiquiti's support on the ACL is not complete.
I noticed that VLAN 4040 is created on all L3 UniFi firewalls, IPs starting at 10.255.253.2 and then .3, .4, etc. Since the VLANs are only created on one particular UniFi L3 switch, is there a way other UniFi L3 switches can handle the same VLANs without reaching out to the L3 switch those VLANs were originally set up on?
I don’t quite follow the question, but if it’s about multiple L3 UniFi switches VLAN routing, please check another dedicated video in my channel.
Thanks for the great video!
In the last part of the video where you set the DHCP Name Server for VLAN101 to 8.8.8.8, could you have put in the IP address of pfSense instead, in order to use pfSense's unbound DNS Resolver?
Yes you are right. It should work as well.
Could you get this working? Even if I can ping the pfSense IP, I can't use it as DNS... Only works with 8.8.8.8 as backup.
show ip route on my UniFi Agg Pro doesn't show the static 0.0.0.0/0 via 10.255.253.1 route, only the other 3 connected routes. Am I doing something wrong?
Search my channel for several other videos on the same topic but with more detailed steps. They may help.
Hi, I've set up an L3 switch with pfSense. Internet and traffic within a VLAN work. I can ping across VLANs and see that it only goes inside the L3 switch, so it looks good. The problem is that I cannot connect to services between VLANs. If I have a PC on one VLAN, and the UniFi software controller (server) on another VLAN, I can ping, but not access via web. It works if they are on the same VLAN. It seems that UniFi blocks the traffic between the VLANs. Any idea?
Have you tried to include the port number in the URL when trying to connect to the UniFi network controller, such as :8443? It works for me.
@@hz777 yes. I solved this by just not using the default network at all. I set up DHCP to redirect UniFi devices to another IP range.
Hi... I am doing this with a SonicWall; all VLANs are working just fine, except the native VLAN, which is where the switch management IP is. But UniFi will not allow me to set the management VLAN to a VLAN that is on the L3 switch itself. Any thoughts or ideas?
Hi Stephen, I don’t quite follow why you need to set the management VLAN to the VLAN managed by the switch. My UniFi switches are all in a separate VLAN, which is a regular VLAN managed by pfSense.
Hi Sir, this is one of the best explanations I have ever seen. Even Ubiquiti Support or people don't have the best video demonstrating third-party firewall integration with a UniFi switch. Please share your e-mail ID with me, so that we can drop an email to your account asking about some doubts about UniFi devices and setup. Please. Thank you.
Hi, I am glad the video helps. As I said when replying to other people with similar asks, I maintain this RUclips channel as part of my hobbies. At this moment I have no plan to extend the services.
Hi. When I try to input the static route, it doesn't work. It says "This network conflicts with address configured on interface *" What am I doing wrong?
It seems in my video I did not mention the creation of the interface for VLAN 4040, but you can see that the new gateway should have VLAN 4040 as its interface.
Don't know if my comments are getting erased or what's going on? I'm trying to answer but my comments disappear? Anyway, I figured you had created an interface for VLAN 4040, so I did as well. I don't think that's where the problem is? When I'm trying to make a static route like you did and input my IoT IP address (192.168.100.40) in "destination network", pfSense warns that "This network conflicts with address configured on interface IoT"? I don't understand what I'm doing differently from you?
Do you already have an interface for IoT defined in pfSense? Keep in mind that you only want to create a static route when the VLAN is ONLY managed in the UniFi switch.
BTW, RUclips marked your comment as “Held for review” for whatever reason. That’s why it “disappeared”.
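Added example for the three questions that keep coming up in this thread: why pfSense's VLAN 4040 address has to be exactly 10.255.253.1 (the .1 versus .x discussion, and the commenter whose .100 did not work), why pfSense rejects a static route with "This network conflicts with address configured on interface ..." (the 192.168.100.40 / IoT case), and why pfSense firewall rules cannot see traffic between two switch-routed VLANs. It is not the video author's code or anyone's posted configuration; it models the pfSense routing table with Python's standard `ipaddress` module. Addresses taken from the thread: 10.255.253.1 on pfSense, 10.255.253.2 on the switch, 192.168.100.0/24 for the IoT interface. Assumed for illustration: the LAN subnet, a /24 on VLAN 4040, and 10.101.0.0/24 and 10.201.0.0/24 as the VLAN 101 and 201 subnets.

```python
# Added example (not from the video or any commenter): a model of the pfSense
# routing table after the thread's set-up. Assumed values are marked below.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    via: Optional[IPv4Address]  # None means directly connected
    iface: str


# Networks pfSense owns an interface address on (Interfaces > Assignments).
PFSENSE_IFACES: Dict[str, IPv4Network] = {
    "LAN": ip_network("192.168.1.0/24"),        # assumed
    "IoT": ip_network("192.168.100.0/24"),      # from the thread (192.168.100.40 lives here)
    "VLAN4040": ip_network("10.255.253.0/24"),  # transit to the UniFi L3 switch (/24 assumed)
}

# Networks that exist only on the UniFi L3 switch (subnets assumed).
SWITCH_VLANS: Dict[str, IPv4Network] = {
    "VLAN101": ip_network("10.101.0.0/24"),
    "VLAN201": ip_network("10.201.0.0/24"),
}

SWITCH_GW = ip_address("10.255.253.2")           # the switch's own VLAN 4040 address
SWITCH_DEFAULT_HOP = ip_address("10.255.253.1")  # where UniFi sends 0.0.0.0/0


def validate_static_route(dest: str) -> Optional[str]:
    """pfSense's check: a static route must not overlap an interface network.
    Returns the conflicting interface name, or None if the route is acceptable."""
    net = ip_network(dest, strict=False)
    for name, iface_net in PFSENSE_IFACES.items():
        if net.overlaps(iface_net):
            return name
    return None


def build_routing_table() -> List[Route]:
    """Connected routes for every interface plus one static route per switch VLAN."""
    table = [Route(net, None, name) for name, net in PFSENSE_IFACES.items()]
    for net in SWITCH_VLANS.values():
        conflict = validate_static_route(str(net))
        if conflict is not None:
            raise ValueError(
                f"This network conflicts with address configured on interface {conflict}"
            )
        table.append(Route(net, SWITCH_GW, "VLAN4040"))
    return table


def lookup(dst: str) -> Optional[Route]:
    """Longest-prefix match over pfSense's table; None means the default route (WAN)."""
    addr = ip_address(dst)
    matches = [r for r in build_routing_table() if addr in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None


def next_hop(dst: str) -> str:
    route = lookup(dst)
    if route is None:
        return "default (WAN)"
    return "connected" if route.via is None else str(route.via)


def seen_by_pfsense(src: str, dst: str) -> bool:
    """Packets between two switch-managed VLANs are forwarded on the switch and
    never reach pfSense, so its firewall rules cannot act on them. Anything that
    leaves the switch (towards a pfSense VLAN or the Internet) is still seen."""
    def on_switch(a: str) -> bool:
        return any(ip_address(a) in n for n in SWITCH_VLANS.values())
    return not (on_switch(src) and on_switch(dst))


def transit_ok(pfsense_4040_addr: str) -> bool:
    """The address on pfSense's VLAN 4040 interface must be the exact next hop the
    switch uses for 0.0.0.0/0, not merely some address inside the transit subnet
    (one commenter's .100 fails here even though it is in 10.255.253.0/24)."""
    addr = ip_address(pfsense_4040_addr)
    return addr in PFSENSE_IFACES["VLAN4040"] and addr == SWITCH_DEFAULT_HOP


if __name__ == "__main__":
    for route in build_routing_table():
        hop = "connected" if route.via is None else str(route.via)
        print(f"{str(route.dest):18} via {hop:14} on {route.iface}")
    print("192.168.100.40/32 as a static route ->",
          validate_static_route("192.168.100.40/32"))
    print("10.101.0.5 next hop ->", next_hop("10.101.0.5"))
    print("VLAN101 -> VLAN201 seen by pfSense?", seen_by_pfsense("10.101.0.5", "10.201.0.5"))
    print("pfSense at .100 on VLAN 4040 ok?", transit_ok("10.255.253.100"))
```

Running it prints the five-entry table (three connected, two static via 10.255.253.2), shows that a route for 192.168.100.40 is refused because IoT already covers it, and that a VLAN 101 to VLAN 201 flow never crosses pfSense. Substitute your real subnets; the functions are independent of the assumed values.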