How To Setup VLANs

So I am migrating my install from an OpenWRT setup that had a switch in it, to a Unifi 6 Lite where it does not. So the switch category does not exist, so setting up VLANs is not the same.

I'm not sure where I'm going wrong, but basically my setup is as follows. I have a few different SSIDs, let's say LAN, LAN2, Guest.
Then I have one cable going from the AP to the firewall. The firewall is tagged with VLAN tags 10 for LAN, 20 for LAN2, 30 for Guest.
Then under switch in OpenWRT, I have clicked add vlan and set the tags and they all go over that one wire.

Now when switching to the Unifi AP, because there is no switch, there is no way to do that. I looked around and it looks like in Network > Interfaces you can simply manually type eth0.10, eth0.20, etc., which is what I did.
Currently I have the Unifi connected directly to my computer to configure.
When I connect that one wire that runs from my firewall to the Unifi, I can no longer reach the web GUI, and devices are unable to connect. They can reach the AP, but can't connect to the internet, which makes it clear it is an error in my configuration with the VLANs/IPs.

Here is what the interface and device settings currently look like on the Unifi (the one having issues). Note br-lan was the only interface that was originally on there; I added the rest:


And below are the settings that were on the original access point:



A few things to note here...

  1. Typically, you should only have an address on a single interface/VLAN -- the one that is used for managing the device. The other VLANs should be included in a bridge and then assigned as proto = none (unmanaged) for the actual interfaces. (this is the case when all networks are provided by an upstream router)

  2. IIRC, the U6 series devices actually use DSA syntax even though they do not have an internal switch.

  3. It would be helpful to see your upstream connection -- the router or switch that connects to the U6 -- to understand the configuration of the trunk that is required of the U6.

  4. Let's also take a look at your network and wireless config files. It would actually be best to look at the default files (rather than those that you have already edited) so that we can ensure we have the right syntax in mind for your U6 configuration.

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless

I can't say I'm extremely familiar with vlan concepts, this is my first time doing this really.
I figured this would all be pretty cookie cutter seeing literally nothing is changing. The only thing that is changing is there is no switch built into the Unifi. However I only had one cable going to my old AP anyways, and there's one cable going to this AP.. so I don't see why it would have issues.

However I believe an issue is I am not currently incorporating a managed switch into my setup, although there is some separation.
Basically, I have a few ports on the back of my firewall. I have one for WAN, one for my LAN which runs to an unmanaged switch with all my devices, one for LAN2 which runs to an unmanaged switch for all my family devices, and one for the access point.
So LAN and LAN2 each have their own ethernet port, and 2 wireless SSIDs each. Guest and IoT have no ethernet, and one wireless SSID each. LAN and LAN2 are isolated from one another; Guest and IoT are also isolated from everyone else. Some stuff crosses over manually via specific port rules.
It hasn't been an issue like this because all my family's devices are on one unmanaged switch as previously stated. And all my devices are on another, so that is the separation right there to substitute for a managed switch. I have one but I do not have the time to figure out setup on it; I plan to work on it in the future but I wanted to get this AP set up hopefully soon.

Basically LAN is bridged on OPNsense between my LAN port and the VLAN tag, so LAN has wireless and ethernet. Same for LAN2. Then Guest only has a VLAN so it only has wireless, and the same for IoT.

I will start by providing the information for my old access point seeing that is the one currently in use:

# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix ''

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '10.0.10.1'
        option ipaddr '10.0.10.3'
        option gateway '10.0.10.2'
        option device 'br-lan'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr ''

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '10'
        option ports '0t 2t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '20'
        option ports '0t 2t 1t'

config interface 'LAN2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.20.3'
        option gateway '10.0.20.2'
        list dns '10.0.10.1'
        option device 'br-LAN2'

config interface 'GUEST'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.30.2'
        option gateway '10.0.30.1'
        list dns '10.0.10.1'
        option device 'br-GUEST'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '30'
        option ports '0t 2t 1t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'

config device
        option name 'br-LAN2'
        option type 'bridge'
        list ports 'eth0.20'

config device
        option name 'br-GUEST'
        option type 'bridge'
        list ports 'eth0.30'

config interface 'IoT'
        option proto 'static'
        option ipaddr '10.0.50.2'
        option netmask '255.255.255.0'
        option gateway '10.0.50.1'
        option device 'br-iot'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '50'
        option ports '0t 2t 1t'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth0.50'
        option ipv6 '0'
# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option country 'US'
        option cell_density '0'
        option htmode 'VHT40'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'LAN5ghz'
        option key ''
        option ieee80211w '2'
        option encryption 'psk2+ccmp'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option cell_density '0'
        option htmode 'HT20'
        option channel '3'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'LAN24ghz'
        option key ''
        option encryption 'psk2+ccmp'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'LAN25ghz'
        option network 'LAN2'
        option key ''
        option encryption 'psk2+ccmp'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'LAN2-2ghz'
        option network 'LAN2'
        option key ''
        option encryption 'psk2+ccmp'

config wifi-iface 'wifinet4'
        option ssid 'GuestWireless'
        option device 'radio1'
        option mode 'ap'
        option isolate '1'
        option network 'GUEST'
        option macfilter 'deny'
        option key ''
        option encryption 'psk2'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option key ''
        option network 'IoT'
        option encryption 'psk2+ccmp'
        option ssid 'IoTWireless'
        option wmm '0'
        option ieee80211w '1'

I will report back soon with the Unifi configs.
I can't grab my OPNsense configs at the moment, but if you can tell me the exact files (and ideally paths) you want to see on it, I can grab them when I get home. Hopefully this gives you something to work with for now though.

Edit:
Here are the Unifi configs:

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix ''

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '10.0.10.1'
        option ipaddr '10.0.10.3'
        option gateway '10.0.10.2'

config interface 'LAN2'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '10.0.20.3'
        option netmask '255.255.255.0'
        option gateway '10.0.20.2'
        option type 'bridge'

config interface 'IOT'
        option proto 'static'
        option device 'eth0.50'
        option ipaddr '10.0.50.2'
        option netmask '255.255.255.0'
        option gateway '10.0.50.1'
        option type 'bridge'

config interface 'GUEST'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '10.0.30.2'
        option netmask '255.255.255.0'
        option gateway '10.0.30.1'
        option type 'bridge'
# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fded:26c9:2d14::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '10.0.10.1'
root@:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '2g'
        option htmode 'HT20'
        option channel 'auto'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '5g'
        option htmode 'HE80'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option key ''
        option network 'lan'
        option ssid 'LAN5ghz'
        option encryption 'sae-mixed'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option encryption 'sae-mixed'
        option key ''
        option network 'lan'
        option ssid 'LAN24ghz'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option encryption 'sae-mixed'
        option key ''
        option network 'LAN2'
        option ssid 'LAN25ghz'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Wayne Manor Guest2'
        option encryption 'sae-mixed'
        option key ''
        option network 'GUEST'
        option isolate '1'

config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option encryption 'sae-mixed'
        option key ''
        option network 'IOT'
        option ssid 'IoT'

config wifi-iface 'wifinet6'
        option device 'radio1'
        option mode 'ap'
        option encryption 'sae-mixed'
        option key ''
        option network 'LAN2'
        option ssid 'LAN22.4'

This might be helpful. If you have some time to watch, there are excellent resources:

Most recent video using OW21 with DSA:

Two-part slightly older videos which are also excellent:

Could you draw a diagram of your topology? That would go a long way to understanding your physical setup.

Since unmanaged switches are not designed to be used with VLANs, the behavior is technically undefined when tagged frames enter the switch. Some switches work okay and simply pass all the tagged frames through to all ports, but others may not work as expected and could cause problems. Multiple untagged (normal) networks should never be connected to an unmanaged switch.

From the above stanza, we can see that the U6 uses the DSA syntax. So you do need to follow the DSA guidelines, even though there is no internal switch on that device.

There are two things wrong here. One is that you're referencing eth0 which doesn't exist in DSA syntax for this device. And the other issue is that you're defining a bridge within the interface stanza. Bridges must be defined as a separate statement (see the br-lan device definition), and then the bridge is used as the device in the network interface stanza.

I also recommend that you start with just one additional VLAN and verify that it works before you try to do all of them. This way you can learn what works and copy the general recipe for the remaining ones. This makes troubleshooting easier, and it becomes less complicated to clean up incorrect syntax.

I personally have not watched the videos linked by @darksky , but it seems to be quite commonly used in these forums and most users do benefit from watching them. If you are confused about VLANs, you should first learn the fundamental principles of 802.1q tagging and how the tags and managed switches function with multiple networks running on a single shared cable/port (and piece of equipment). The specific configuration details for VLANs differ by the product line and firmware, but ultimately all (or nearly all -- someone will surely know of an exception) network equipment uses 802.1q compliant methods (which makes them compatible with each other). These concepts (as well as some specifics for your devices) will help you understand how you can configure your managed switch so that you can have proper control of your VLANs.

I am not home at the moment so I can't easily draw a diagram. But to give a rough idea.
To be clear, everything has worked no issues as I originally had it setup.

Opnsense Firewall with 4 used ethernet ports.
1 port goes to WAN. 1 to an unmanaged switch (my LAN). 1 to an unmanaged switch (family LAN). And 1 for the access point. So I guess in a sense, it's a managed switch (the 4 ethernet ports on the firewall) that is managing everything, and the unmanaged switches are just being used to allow for more than 1 device on that port.
All devices are plugged into the unmanaged switches.
As for OPNsense configuration, I am a little cloudy on remembering exactly how I set it up. I think I explained it as best as I could originally. Again if you want config files from that let me know.

Furthermore, I watched the video and I am a little confused, but I get the idea of what's going on. I understand the rough idea of VLANs, but unfortunately my brain doesn't really get stuff unless I am doing it myself and making these mistakes. But again I fail to see what I am doing wrong, so that in itself is an issue.

Now as far as what I am doing wrong which you point out... I am setting up purely through the GUI. It seems you are suggesting I copy-pasted stuff from my old AP. I did not; I simply went in and compared the two and manually remade all the settings in the new AP GUI.
That being said, because the switch area no longer exists it is different.
Based on the video, it seems to suggest I need to use the VLAN type under interface settings instead. However I am sure that is not my only issue.
In the end, I'm still not entirely sure what I am doing wrong configuration wise.

Does your pfsense box have a built in vlan aware hardware switch? Or is each port separate (often called individually routed ports)? This will affect your ability to actually achieve your goals.

I am not entirely sure how to confirm this.
It is a Supermicro machine.
X10SLH-LN6TF X10SLH-N6-ST031

I do not entirely see why this would matter, as what I am trying to do does not seem any different than what I am already doing. I am simply swapping out the access point for a new one. It is already setup with VLANs and such as described in the photo. The only difference is the actual AP.

The U6 Lite is based on an MT7621 chip, which has a switch built in, so it's unavoidable that you're using a switch. There are five GbE ports on the MT7621 but in the U6 Lite only one of them is wired to actual hardware.

I don't know if it works yet to put lan.X into multiple networks. What definitely will work is going full DSA even though there is only one physical port brought out.

  • Have a br-lan with lan as its (only) port.
  • Make bridge-vlans on br-lan for each VLAN. The VLAN numbers would be the same ones that are configured in the OPNsense router. Make lan a tagged port in the bridge-vlan.
  • Make a proto none network for each wifi function with br-lan.X as its device, the number X matching one of the bridge-vlans.
  • Attach APs to these networks.
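A complete `/etc/config/network` that follows the recipe above (one br-lan with `lan` as its only port, a bridge-vlan per VLAN with `lan` tagged, one addressed management interface, `proto none` for the rest). This is an added example, not taken from the thread or from any poster's device; it assumes the VLAN ids 10/20/30/50 and the 10.0.10.3/24 management address from the configs posted earlier, that VLAN 10 arrives tagged from OPNsense, and that the DSA port is named `lan` as in the U6 default config (the unchanged loopback and globals stanzas are left out):

```uci
# /etc/config/network on the U6 Lite (added example; VLAN ids, addresses
# and the port name 'lan' are assumptions taken from the thread)

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        option vlan_filtering '1'

# One bridge-vlan per VLAN; 'lan:t' = the trunk port carries it tagged
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'lan:t'

# The only addressed interface: management on VLAN 10 via br-lan.10
config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '10.0.10.3'
        option netmask '255.255.255.0'
        option gateway '10.0.10.2'
        list dns '10.0.10.1'

# Wireless-only networks: no address on the AP, just a bridge member
config interface 'LAN2'
        option device 'br-lan.20'
        option proto 'none'

config interface 'GUEST'
        option device 'br-lan.30'
        option proto 'none'

config interface 'IOT'
        option device 'br-lan.50'
        option proto 'none'
```

The wifi-iface stanzas keep their existing `option network 'LAN2'` / `'GUEST'` / `'IOT'` references, so only the interface definitions change. Keep the direct cable to the PC until a client on each SSID gets an address from OPNsense, since a management VLAN tag that does not match the firewall side leaves the AP's GUI unreachable over the trunk, which is exactly the symptom described at the start of the thread.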

There are two factors here:

  1. vlan configuration on your router (pfsense)
  2. vlan config on your ap

@mk24 covered #2.

On the first point, if the router had individually routed ports, it means that you cannot (directly) have the same network present on multiple physical ports. Instead, each port is treated individually and wouldn’t have separate subnets assigned. If you want the same networks to appear on multiple individually routed ports, you need to ensure that the ports are included in a bridge (which is effectively a software switch) and then configured appropriately. This particular forum is not the best place to get advice/verification of your pfsense configuration with respect to bridge setups and the like. But this is necessary if you want to have the ap connected to the same networks as the other two physical ports.