How to integrate Unifi APs with a pfSense router, using a VLAN for a guest network

Well, in my last article, where I discussed why I am trying out 2 new APs by Unifi, I found that they are … I think perfect. I am going to let them soak for a while and see how iOS devices hand off when walking across the building. But for now, they are great to configure.

I had to do a little fiddling with the pfSense box and learn new stuff again, but it all seems to work. I think I love pfSense [UPDATE Fall 2015 – no I REALLY LOVE pfSense].

In short: how to get the Unifi boxes to work with the main and guest networks by using a VLAN, and how to route that traffic. This is for a church where hundreds of people come on Sundays, so we need lots of guest IP addresses. Here we go…

First, I am using 100% pfSense. So the person who wrote this article got me going the most. I followed his tutorial, ignoring all the Cisco stuff and concentrating on VLAN 10.

  • I configured a VLAN on the LAN port of my pfSense box and assigned it an ID of 10, like the article said.
  • Then I added a new interface that used that VLAN, like the article said.
    • 172.16.10.1 with a /23 behind it (1022 addresses; see the cheat sheet link below). Now what does that mean? Well, I know it has something to do with the subnet mask et al., and all I ever use is 255.255.255.0 networks, which I know to be 253 devices. So I needed this article to fill in the rest of my knowledge, which led me to the cheat sheet that really gave me my answer. I know it was talking about class C stuff etc., but it really helped me understand things.
    • THEN in pfSense, when you go to configure the DHCP (below), it tells you the range you can pick from. So why did I need the above? Because I learn from what I know, then the “hindsight” fills in. pfSense is awesome because you can know a little and it will often help fill in the rest.
  • Then I configured DHCP, which needs the above interface (VLAN10) to have a static IP address.
    • I gave my users 172.16.10.20-172.16.11.254, which is about 490 addresses: good enough for the Sunday morning church rush.
    • I configured their lease to expire in 3 hours, so if one had 2 services of church, this should only be 1 hour so the IPs can be reused.
  • Then I configured the guest network in the Unifi AP with only
    • allowed subnets: the 172.16.10.0/23 network, and
    • restricted subnets: the 192.16.1.0/24 network,
    • so that the two could never see each other. Now we have a normal network and a guest network.

Beauty. I tested them to ensure they could not see each other and it worked. I have to test the roaming on iOS but my iPhone died before I could do that test. I bought the cheap charging cable so I don’t have one in my car. Bummer. I will have to come back.

Oh, and as a follow-up: the controller MUST be running for the landing page, right? So to get it working as a service in the background (not as a thing that needs a user to be logged in) on a Mac, follow these extra steps. I followed the one that used a .plist file.

[UPDATE Fall 2015] Frustrated in getting the service up and running and seeing the web page? THERE IS A BUG!!!! You have to install both the 64 and 32 bit versions of Java (no, really, this works!). See these guys’ article: SCROLL TO THE BOTTOM and work your way up. Don’t forget to set up the environment variable paths for both versions. Then it will work. I only had 1 customer out of 3 where this was required.