How To Setup VLANs With pfsense & UniFi 2023

Configuring pfsense Firewall Rules For Home
ua-cam.com/video/bjr0rm93uVA/v-deo.html
2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features & Packages
ua-cam.com/video/fsdm5uc_LsU/v-deo.html
The Best Diagramming Tool "Diagrams.net"
ua-cam.com/video/mpF1i9sfEJ0/v-deo.html
en.wikipedia.org/wiki/IEEE_802.1Q
⏱ Timestamps ⏱
00:00 VLANs With pfsense & UniFI
02:00 IEEE 8021.Q VLAN 101 Basics
05:54 pfsenwse UniFi Network Setup
08:50 Defining VLANs in pfsense
10:17 Defining VLANs in UniFi
14:27 Using VLAN to create switched networks

Set up my pfsense box last week, getting my ubiquity switch soon, perfect timing on video. Thanks for these informative tutorials!

Thanks very helpful, could you go over radius authentication with PFsense and Unifi? Much appreciated

Thanks so much for doing this. I just made the jump from USG to pfSense and this is perfect timing.

Perfect timing. I am building my Pfsense tonight. Thank you Tom!

I started using PFsense last year and haven’t looked back. That appliance is a straight up beast. I love the policy routing capabilities.

I am literally going through the process of setting up PfSense & a self-hosted Unifi Controller right now for my home network. This is exactly what I was looking for; What a coincidence!!

Thank you so much for this content. It has increased my enjoyment (and ease) with building and expanding home projects.

6:35 - The internet pictorial :) Nice nod to the IT Crowd!
Everything I know about pfsense has been from watching your channel, Tom. Thank you!

VLAN tagging is little confusing when u are first starting out. But once u understand the true concept, it becomes your bread and butter. One of the most important thing to understand is how switch is treating Tagged and untagged traffic. If u only assign one vlan to the switch port, that vlan is native/untagged on that port only. There can only be ONE native/untagged vlan on a port meaning u can’t have more than one untagged vlan on one port. In a corporate world for security reasons, u only tag certain vlans on port that are needed on that port, this means u don’t just tag ALL vlans like UniFi does. Tagging ALL vlans on all ports does make your job easier but at the cost of compromising security. I would only do this if the link is between the switches and both switch needs to have access to same vlans.

Also get into the security aspect of vlans, such as creating a "blackhole" vlan on the switch trunk/uplink, etc!

Where was this video yesterday when I was setting up VLANs with my PFSense and UniFi Equipment? In all seriousness, thank you so much for this!

Tom, thank you for your insight. I created a 4 port 'lagg0' in/on pfsense. On the switch 'cisco' i configured a 4 port 'port-channel' and trunk all traffic.

Getting back into PFSense, so this is very helpful, as in the process of ordering a dream machine

Tom - Your videos are one of the best sources of information regarding networking with pfSense and Unifi. I truly appreciate your efforts. In this video where you selected the second native NIC from pfsense, I totally get that segregation on the Unifi side. However, on the first "all" vlan feed from pfsense - wouldn't that also include the vlan 60 group traffic into that vlan 50 traffic mix? I get vlan 50 would not go into vlan 60 but since vlan 50 is "all", it includes all the vlans defined on Unifi. At least on my Unifi contoller shows it this way. If my object is to truly separate the traffic, wouldn't I need to redefine the native vlan to exclude vlan 60?

I swear you're psychic with these releases... The past 5 videos have all been stuff I've been working on as you release them! Excellent tutorial as always Lawrence

My dude, you know exactly what I need in life, thank you!

Very helpful Tom. I just got a new USW Pro 24 PoE switch and was needing to know how it works with PFsense or OPNsense. Thank you.

Well, that was more confusing than I had originally hoped, trying to get my VLAN from pfSense to Unifi. Turns out I was overconfiguring it.
Thanks for the helpful video Tom!

Thanks Tom. I think my pfSense is a different model than yours. My igb2 is only 100Mb. I was having a problem with setting up my VLAN on Unify/pfSense and watched your video 3 times. I could see DHCP Discover and Offer coming into pfSense VLAN port but no Request or Ack. Boot/reboot and finally decided although port shows lights changed the cable and voila, all working. Thanks for making it clear so at least I knew I had it right.

at 13:20 I agree with you...they need to fix this asap it was so annoying to trying configure a port I was looking everywhere and sure enough I had to scroll to see the VLANS.

Thank you guys for all the great and educational content. I was wondering if there would be a reason that you wouldn't use one of the 10Gb ports for trunking.

I have a very similar setup but I defined my connections between my pfsense and the switch as a LAG(LACP) group(using 3 ports), and pass tagged traffic between the switch and the pfsense. Which gives me the ability to utilize more bandwidth on one vlan, while still having availability for a smaller vlan when it needs it.

Good content, keep it coming.

Hello Tom, first of all thank you for your very informative videos.
I currently have a UDM-Pro, a US16-150W switch, a U6-Pro, an AP-AC-Pro and an AP-AC-M. My networks consist of the main Lan, a guest network, an IoT network and a camera network, but only one NVR from another manufacturer is connected to it. But I would like to use a pfsense in the future, but I'm not sure whether I should use the pfsense in addition to my UDMP, or replace the UDMP completely with the pfsense.
What would be your recommendation in this case?
Many greetings from Germany

Thanks Law, you rule 😎

What if I don't have a USG or any switch plugged in between the pfSense and the UniFi AP? I have a proxmox server with extra nics running a virtual pfsense edge router. How would one go about setting up multiple vlans to multiple SSIDs?

This is pretty useful as a way of introducing how VLANs are handled in pfSense and UniFi and what happens when you connect them together (on a trunk port).
There are a couple of caveats though.
Firstly at 14:27, be aware, because of the port profile ALL that the traffic for VLAN 10 is also being sent tagged to igb2, (which pfSense will have to discard) as well as being native traffic on igb1.
If you want to exclude VLAN 10 from igb2 you need to create a port profile that contains only the desired VLANs (tagged and optionally for native) to match what you have setup on pfSense on the trunk.
Secondly, pfSense themselves recommend you do not setup a network on the parent interface (i.e. native frames) when using vlans,
for reasons (relating to how the NICs actually process the tagged and native traffic arriving on the same physical interface to assign to the logical interface in pfSense).
Because of this when using UniFi with pfSense and without a UniFi gateway, I don't use the default network they call Corporate at all, and setup a VLAN explicitly to handle management traffic.
This means the switch ports facing UniFi access points are given a port profile that is not ALL, but send the new management VLAN natively and tag for all the other SSIDs. This has the added benefit of not flooding broadcast frames to a Wi-Fi access points for VLANs for which there is no Wi-Fi SSID (e.g. wired-only VLANs).

Thanks for the video Tom.
Maybe a video, about dynamic assigned vlan based on radius login.

Thanks for all your videos Tom. They are very helpful and well presented. I was wondering, what software do you use to build your network diagrams?

Hey @Lawrence Systems, I'm trying to make the switch to pfsense from a USG-3p. After I get all my networks and VLANs defined in the pfsense box, I'm assuming I need to go into Unifi controller and change all my networks to be VLAN only. Is there anything else I might be missing?
PS. IPv6 is very easy to disable in UniFi Controller, but I'm not sure how to do it correctly in pfsense. Any chance you could touch on that in a future video? Thanks for all you do great stuff.

Could have done with this a few weeks ago.
Installed Starlink for a mobile home community, every van was cabled (not a massive site 20 users) Each van on its own vlan, with a Catalyst 10G switch to PFSence. Getting PFSence to play nice vlans was a propper BALLACHE, still its done, they all get there 8meg garanteed and they all get upto 200mbps burst. Not bad really when you think about it $75 install for each van coveres the hardware cost, and $100 a month split 20 ways = $5

Sorry Tom for my question. I am a huge fan of your work and long time follower. I am about to buy a new screen. May I ask the references of the one behind you please?

How would you integrate a Synology NAS that was used to stream to a TV and store work stuff on when you have the iot on a NSFW lan?

In the second configuration, where you've fed in NSFW_NET into a separate port, do you need to then set the other ports to specific networks? If they're setup for all, wouldn't they somehow get the NSFW_NET traffic too?

Will this type of setup work with the dream machine pro?

Great video! thank you!
Dumb question- where would the UDM pro go in this scenario?
i have a UDMP accepting my internet /WAN traffic and then connecting to a Unifi Switch!
Any suggestions would be appreciated

Could you do a follow-on video that will do pfsense - unifi dynamic vlan using radius authentication (user / MAC) with a single SSID? I would like to keep my wifi with a single SSID, but be able to send things like IoT (via MAC) into a vlan.

I'd love to see something on QoS of VLANs with pfSense and UniFi. We've been able to define the VLAN priority within pfSense, however it doesn't look like we can define the priority within UniFi.

Having a fun time trying to figure out if VLANS will work with my set up. Main host is ESXi 6.7.0 Update 3, with a PFSense vm as my main router, and the Unifi Network Controller hosted on another vm as a docker container (on the same ESX box). So far, no luck. PFSense is showing no traffic on the VLAN. Checked the VLAN tags, etc., as provided in this video, so I think somewhere in all of the virtualization, something is not VLAN aware.

So I have a scenario that I don't know the specific terms for. I have two networks, both without unifi routers but utilizing unifi switches after the router. Network 1 is Bridge Network (192.168.1.x) and Network 2 is Building Specific Network (192.168.30.x). My goal is to use one switch and give specific ports bridge network and the rest non-bridge network instead of having a separate switch for each network. Would I have to create the vlan within my router (Fortigate) and as well as on my unifi controller or do I just do it on the unifi controller? How do I go about this?

Could you cover pfsense along with ubiquiti layer3 switching?

cual es el modelo de unifi que hace capa 3 para hacer ruteo estatico vs pfsense ?

Thanks for the video Tom!
How does UniFi handle VLANs between switches? Say I had a port on one switch with a profile that trunks VLAN 2, 4, and 6 going to another separate UniFi switches port with the same profile, would the traffic going between the switches be tagged so that the second switch could transmit data to ports with profiles for the individual VLANs?

Top!!! THX

In case anyone needs this, if you're using VMWare ESXi with pfSense, you have to set the vLan to 4095 (trunked) on the VMWare Port Group.
This is different behaviour to my experience with the Ubiquti edge switch where the vLan PGs were set to 0 and the traffic still flowed.

Lawrence, will you make new Video with Unifi 8.1.113 version ?

Thank you for very informative video. Love your work mate. Also do you have any poll that we can vote for your next video or we just drop in the comments?

Hi Tom, thanks for the video. I have a follow up question / clarification needed.
For the 'advanced' scenario with the NSFW vlan.
As I understood,
main uplink port from Unify switch is set as ALL - meaning it will route ALL vlans to the pfsense, regardless of the vlans setup, right?
And traffic from Marcus PC will arrive with its vlan tag on Unify switch, and the idea is that it will get routed to pfsense ONLY via a secondary unify port setup on the same vlan.
Question: what prevents the "main" upling to catch that route - as it is configured as ALL, so it could route all vlans to pfsense.

Hi Tom, I have an idea for a video for you. I have a Unifi VLANed network with pfsense and a cloudkey controller. I wanted to extend the number of network points at a remote location on the network with another switch and all the connections are on the iot network, the cloudkey is on the main network. The switches I choose were the flex minis, as cheep and available. But how to get them to communicate. Happy to discuss with more detail.

I have a netgate 1100 an use bouth opt and lan ports from it to 2 different switches, vlans 10,20,30,40 out as trunk on both ports. Is that any problems?

Hi Tom. Still confused about default and native vlans. Also experience with vlan hopping? My setup works but I am not sure if it is really secure.

How you can connect Unifi to manage a remote network? I've trying setting up a VPN but doesn't seem to have an option to tell Unifi to look for that particular LAN... thanks

Very interesting, thanks.
P.s.
You forgot the first e in the #pfsnse.

Tom, do you feel UTM devices like Watchguard with their security subscription are worth it? Or would you prefer to use pfSense and then increase endpoint secruity software like Huntress?

It it possible to run a UniFI 6LR to pfsense without a switch.
Just a simple design.
I ask because I cant seem to set it up myself. I currently have a old AP-AC-Pro what I want to switch out but cant seem to figure it out.
Any clue as to where im failing

nice vids! one question though. do pfsense have a webserver "virtual hosting" capability. like in sophos?

Any tips for VLAN and Fortigate? Also what software are you using for the diagrams? It could be useful in teaching my team!

Can you make a video for block udp flooding port 1900 form smart tv?

At 14:00 Tom set port 1 port profile CAM_LAN (id 60) does that mean that port 1 is now what is usually refered as "access" port for VLAN60 or is it "trunk"?
How would you set e.g. port 2 as trunk that would route only VLANs 3 and 4?

Tom, do you do any work with OpenWRT? I've been looking for this type of information using pfSense and the new OpenWRT VLAN filtering to accomplish this same work.

So you only need L2 switch from unify to vlan tag the ports ?

Hi, thanks for video.
Can I use the scenario without USG ?
I mean, if I host Unifi network application on my own server, can I set on single port multiple VLANs ?

Do you have a recommendation for a home network using a managed Unifi switch?

For someone not concerned with saturating pfsense interface ports (internet speed is way less than gigabit), is there still value/reason for the dedicated opt switched networks? Besides for fun.

Tom are you typically deploying pfsense/UniFi with layer 3 switches?

Does Unifi also allow tunnels to controllers for level 3 roaming with vxlan or wlc-tunnel CAPWAP?

So, port 16 and port 24 are trunk ports. Am I right ? thanks !

Following the minute 14min30 of the video, When I set the port to the "new" unifi network, the AP connected to it refreshes and loses its adoption. Not able to adopt it again. “adoption failed, please again. if the issue persists, we recommend factory-reseting the device”. Any idea?

My understanding is ALL is a Trunk Port in Ubiquiti. Setup a trunk port if you are using another brand of switch.

Is it possible to set VLANs only at the UniFi switch level using dedicated untagged ports so that my LAN IOT traffic doesn’t hairpin at IGB1 thus halving the bandwidth. I assume in this scenario that the bandwidth of the switch is > 1Gbps total which is the case for most UniFi Switches.

How do you setup Unifi Dream Machine for gaming. Possible to make one VLAN and open all ports? Looks like its blocking voice in fortnite

Is it possible to make a USG4Pro work WITH pfsense? I do like the unifi environment and wish it was easier to use both.

Can I just define VLAN 10 in pfsense on the second example?

can this be done with a udm pro for unifi and a netgate 4100 for pfsense? right now i am using a udm pro in a fully unifi network but i want to jump into pfsense, i like both. i want to get into pfsense for HA and the firewall and to get familiar with it as a whole. can i keep both with these devices?

What do you have your “ Management Network” set to? I have experienced much grief without a true understanding sometimes of how I made something work with using Sophos as you do Pfsense and multi site self hosted controller. The “management network” has caused me several all nighters. Ugh.

So is it possible to define 4 networks in the pfsense and and have two VLANs over one Interface and the other 2 over the other? So by that I mean is it possible to have multiple tagged VLANs over a interface on but not all?
My use case: I have a pfsense and a UniFi switch in the main house. From there I connect multiple access points „VLAN 1“, security cams „VLAN 100“ also I make a connection to the garage where I have an extra switch which only needs an uplink to the main switch for VLAN 100 the Cam network and an extra VLAN 110 for the door access. So is this possible to have two VLANs tied to one port but not the main VLAN 1?

So with a Unifi switch, is it accurate to say that the a port with a single-network profile set produces untagged packets while a port with a multi-network profile (such as "All") produces tagged packets?

Hi Sir, This video is really helpful for us to understand how we connect PFSense with Ubiquiti Layer 3 Switch. However, is it possible to use Cisco ASA instead of PFSense?

Do you need to set up an "All Except NSFW" profile for the main trunk so that VLAN 10 traffic doesn't get sent back down the main trunk (only to be thrown away by the router)

Is it possible to mix untagged, and tagged vlans on Unify Switch but not "All", only few ?

Hmmm...I was just thinking about why I didn't actually define all my VLANs in Unifi when I first got my system set-up. I don't have a good reason other thank Unifi sees all the VLANs and I can set each port as needed. Should I bother explicitly defining them within Unifi?

I thought the Internet was wireless? That's what Roy and Moss told Jen, at least. 😀

Please do a similar video but for Tp link Omada! I have an Omada switch and WAP with pfsense and I can’t get vlans set up and I’m not sure why

Is there a reason like certain WiFi devices just won’t work on a vlan network, like a ring doorbell won’t connect to the vlan ssid but works fine on untagged default ssid. Other things work like laptops and iPhones. The doorbell tries to get an iPad and I can see where the firewall assigns one but it won’t work

Could you go a step further explaining how you could define SSID's bound to VLAN's that then via Radius or other auto switch based on the MAC address of the end user WiFi devices. Simplified 4 VLANS bound to 4 SSID's (VL10-VL20-VL30-VL40), based on a clients MAC Address it would automatically connect to the correct VLAN irrelevant of which SSID they choose. Use case: VL10 is for Ops Engineers or External Maintenance, VL20 is for General Office Workers, VL30 is for RnD Department & VL40 is for Guests, based on the MAC of the devices they use they would automatically be put onto the correct SSID regardless of which SSID [Maintenance; Office; RnD; Guest] they selected.

Do you have one for pfsense and omada?

I ran into problems :(
My Unifi APs are connected to an unmanaged POE switch, which I believe is preventing my vlan experiment.

what is the difference between vlan only, and just select vlan in the network?

Is it possible to do vlan with just a pfsense box and a Nano HD AP (or any unifi AP)? I cannot get the vlan to pull the right IP from DHCP server.

Where do you get the custom images you use in the diagrams?

Next video hope lesson on Inter-V-Lan routing.

I would have setup vLANS on a LAGG once it got to multiple physical interfaces out of the pfSense. Plus it adds a little tolerance to the network if one of the cables or physical interface went down, traffic would still flow. just my 2 cents.

The all Setting is not present any more. and one cable between pfsense and unifi switch doesnt work for me any more. Any hints on there?

what do you do if you don't use a unifi switch but have pfsense and unifi APs?

Well, thank you, this is exactly what I was looking for. Using OPNsense with TP-Link Omada, but as OPNsense is a fork of pfSense, and Omada a rip-off of Unifi, the video remains valid :)

Lawrence, if you're hiring for jobs in Michigan let me know!

reminds me of a friend who tells me more than i need to know.

Tom, I think you mislabeled the first chapter of the video.

do you need a unifi switch to use unifi Access Point? i was thinking about plugging it into a switch(or it's a hub. not sure) and have it go into the pfsense router. directly. i do know need to look for a poe device to power the access point. for a home network.