UniFi Guest Network with pfSense

A starter’s guide to getting UniFi’s guest network functional with a pfSense installation.

pfSense in its own right is an amazing piece of software that works on just about any combination of hardware… it’s only that its WiFi support (as of June 2019) is rather limited. Which is where Ubiquiti’s UniFi software and line of hardware come into the mix.

This article assumes that you…

  1. Have full admin rights to both the pfSense and UniFi GUI panels. Amazingly, no need for a terminal window!
  2. Know your way around both pfSense’s and UniFi’s control panels.
  3. Have a dedicated machine/instance running the UniFi controller. I run my UniFi on its own dedicated VM. The CloudKey should also work for this.
    • This is required for the hotspot manager!
  4. Have a decent understanding of the hotspot manager (if you so desire to use that vs. normal guest ‘Connect’ button auth).
  5. Understand how VLANs function.
  6. Know what IP range and subnet size you’ll be allocating for the Guest network.

General Notes

  • Using UniFi version 5.10.x series.
  • Using pfSense version 2.4.x series.
  • Majority of UniFi hardware (Switches/APs) running firmware 4.x (4.0.42.10433 at time of writing)
  • Guest VLAN is ID 48.
  • Guest IP Range is 10.48.1.1/24.
  • Main network is 192.168.20.1/22.

Let’s get UniFi set up first before touching pfSense…

  1. Log in to the UniFi controller. Your URL to access it will be different from mine.
  2. Go to the global settings page. (That’s the cog wheel at the bottom left)
  3. Click “Guest Control”.
  4. Set the following settings…
    • Guest Policies
      • Guest Portal: Checked (Enabled)
      • Authentication: No Auth (HINT: The guest still has to click the “Connect” button in the walled garden)
      • Expiration: 24 hours.
      • Landing Page: Redirect to the original URL.
      • Redirection: Should be all unchecked (all buttons should be disabled regardless)
    • Portal Customization
      • Template Engine: Angular JS
      • Override Default Templates: Unchecked (No)
      • Title: This is what your guests will see on desktop/laptop machines. Name it aptly. Mine is simple: CWireless Guest Portal.
      • Welcome Text: Checked (Enabled).
        • Click “Edit”.
        • Your text can only be plain text. It’s parsed as is. This is what my guests see…
      • Terms of Service: Unchecked (No).
        • Unless your company or whatever requires a bandwidth-wasting legal tome to be attached, there’s no need for this to be enabled.
      • Text Position: Above Boxes
      • Languages: en / English (Default).
      • Portal Customization…
        • Custom Logo: Unchecked.
        • Background Image: checked – if you want to use a neat background that doesn’t make people question your sanity.
        • Colors: Set these to your needs.
        • Box Opacity: If your image used isn’t too jarring, set the opacity to something sane between 40 to 100%. (Or disable it at 0%.)
      • Access Control
        • Pre-Authorization Access: None – leave empty.
        • Post-Authorization Restrictions: Your actual LAN subnets. For me, it is 192.168.20.0/22.
  5. Apply Changes.
    • First part completed!

UniFi “Networks” section

This part is quite straightforward.

Go to Settings -> Network -> Click “Create New Network”. This assumes you already have a “Corporate” (your main LAN) network set up.

At this point, you should see a new page show up with a bunch of input boxes for variables. It may look menacing, but it’s quite straightforward.

From the top down, here are the values that I have set…

  • Name: Guest Net
  • Purpose: Guest
  • Interface: LAN (irrelevant in our case since we don’t use UniFi’s security gateway (USG) hardware!)
  • VLAN: 48
  • Gateway/Subnet: 10.48.1.1/24
  • Domain Name: This can be an add-on to your main network’s domain name or something unique. In my case: guest.home.lan
  • IGMP Snooping: Unchecked.
  • DHCP Mode: None (pfSense does this leg work!)
  • DHCP Guarding: Unchecked.
    • If you’re a business or something of the sorts, check this and slap in your DHCP server(s) to the list.
  • UPNP LAN: Unchecked (useless without USG)
  • Configure IPv6: None (This isn’t quite fleshed-out on UniFi in some setups)

Poke ‘Save’. You should now see something like this in your web GUI:

UniFi “User Groups” section

What fun is a guest network without slowing down those blazing fast internets to good ol’ ADSL speeds?!

Go to Settings -> User Groups -> Click “Create New User Group”.

Name it “Guest” (or something that lets you know said user group is for the guest network).

Check both Bandwidth Limits. Set both speeds in Kbps or Mbps. For me, I cap each guest to 5 Mbps down and 512 Kbps up.

UniFi “Wireless Networks” section

Go to Settings -> Wireless Networks -> Select your WLAN group (I don’t use the “Default” here – as pictured below) -> Click “Create New Wireless Network”.

At the Create New Wireless Network page, name the broadcasted wireless network (end-users will see this on their devices).

Ensure the Enabled box is checked/ticked.

Security needs to be Open.

Check the Guest Policy box. An “Alert” info box should appear.

Click the Advanced Options section.

Ensure the following settings are set…

  • Ensure “Block LAN to WLAN Multicast and Broadcast Data” is checked – it should be checked, as you enabled Guest Policy above. 🙂
  • Excepted Devices: Leave Blank
    • Unless you’ve a compelling reason that a range of MACs should be broadcasting/multicasting.
  • VLAN: Set to 48
    • Or any number for that matter between 2 and 4096 – you’ll need to know this VLAN ID number for later.
  • Hide SSID: Unchecked.
  • User Group: Guest.
  • UAPSD: Unchecked.
  • Scheduled: Unchecked, unless you’re pedantic when this SSID should be “active” to be connected to and used.
  • Multicast Enhancement: Unchecked.
  • High Performance Devices (Beta): Leave unchecked.
    • Have had mixed results with that enabled on the guest SSID.

Additional Advanced Settings

802.11 Rate And Beacon:
DTIM Mode: Use Default Values.
Leave everything else as is.

MAC Filter:
Leave its sole option unchecked.

RADIUS MAC Authentication:
Enabled: No/Unchecked.
Leave the rest as is.

Click Save.

UniFi should begin auto-provisioning your APs to pick up the new wireless network. This could take anywhere between 15 seconds and one minute.

Check UniFi devices list.

If you’re not using the “Default” wireless profile via the “WLAN Group” dropdown from the previous section above, you can likely skip this step. However, it’s always safe to double check!

At the top of the devices list (not your clients list), click the “Filter By” button and set it to APs. You should now see your APs only, and nothing else!

Click the top left checkbox to select all devices, then click “Edit Selected” below.

Ensure your management VLAN is your primary LAN VLAN, not the Guest VLAN (we don’t want a random smart person figuring things out and messing with them now! 😉 )

Your dropdown should look similar to the image above. Select LAN if you’re unsure, click Queue Changes, then Apply Changes.

Your APs should begin to auto-provision/reprovision with the changes.

To PfSense We Go!

Log in to your pfSense web GUI – I don’t know what your pfSense box’s IP or port is!

Creating the VLAN on pfSense

Head over to the Interface Assignments landing page. (Interfaces -> Assignments from the menu)

Click VLANs tab, and then click on ‘Add’.

Ensure you’re creating the VLAN on the LAN interface, or whichever interface within your network will carry the tagged Guest / VLAN 48 traffic.

  • Parent Device: LAN
  • VLAN Tag: 48
  • VLAN Priority: Leave Blank. If you use a traffic shaper on pfSense (not UniFi), you can set a priority and then control that in the shaper.
  • Description: Name it after your guest WiFi network’s name for ease of remembering what it is for. Mine is “CWireless Guest”.

Save and apply configuration – if that little box shows up.

Applying the VLAN on pfSense.

Go to “Interface Assignments” within the Interfaces section.

At the bottom, where it says “Available Network Ports”, find the VLAN you made for the Guest WiFi network. Click Add. Once the page reloads, click the new interface created. Generally, it shows up as OPT#, where # is a number.

Edit and Apply the VLAN

For me, I have a habit of naming my interfaces in the form 0000_Name, where 0000 is an ID of sorts. With the Guest network, I went with 0048_Guests, 0048 being VLAN 48. Easier to sort by, IMHO.

In the Interface editor, we’ll need to input the following details…

  • Enable: Checked
  • Description: 0048_Guests
  • IPv4 Configuration Type: Static IPv4
  • IPv6 Configuration Type: None
  • MAC Address: Leave blank.
  • MTU: Blank
  • MSS: Blank
  • Speed and Duplex: Leave at Default.

Static IPv4 Configuration

  • IPv4 Address: 10.48.1.1
  • IPv4 Subnet: 24
  • IPv4 Upstream GW: None

Reserved Networks

  • Block private networks: Unchecked. You can check it if you’d like, but firewall rules can be set later.
  • Block bogon networks: Unchecked.

Save!

Firewall Rules

Go to Firewall -> Rules -> “0048_Guests”

We’ll be adding a few firewall rules here: one to permit traffic from Guests to the internet, and ones to block anything to the LAN nets excluding the Guest UniFi portal.

It is very much worth noting that this is a failsafe in case you fail to configure the post-auth guest restrictions via the UniFi controller (or if someone somehow manages to bypass them).

Your firewall rules should look similar (or identical) to the rules below (screenshot below).

  • First Rule:
    • Action: Allow
    • Disabled: Unchecked.
    • Interface: Guests
    • Address Family: IPv4
    • Protocol: Any
    • Source: Any
    • Destination: Single Host or Alias, 192.168.20.200
      • NOTICE: 192.168.20.200 is the UniFi instance. Your UniFi control panel’s IP will likely be different, so know it. Make sure it’s static (be it via a DHCP static mapping or a static address on the machine) as well!
    • Log: Checked (Optional)
  • Second Rule:
    • Action: Block.
    • Disabled: Unchecked.
    • Interface: Guests.
    • Address Family: IPv4+6.
    • Protocol: Any.
    • Source: Unchecked, Any, blank.
    • Destination: Unchecked, LAN net (my lan network is named 0001_LAN), blank.
    • Log: Checked (Optional).
  • Third Rule:
    • Action: Block.
    • Disabled: Unchecked.
    • Interface: Guests.
    • Address Family: IPv4+6.
    • Protocol: Any.
    • Source: Unchecked, Any, blank.
    • Destination: Unchecked, This firewall (self), blank.
    • Log: Checked. (Optional)
  • Fourth Rule: (To the internets!)
    • Action: Pass
    • Disabled: Unchecked.
    • Interface: 0048_Guests
    • Address Family: IPv4
    • Protocol: Any (if you really want to limit what can be sent to the internet, set this to TCP/UDP.)
    • Source: any
    • Destination: any (had issues with getting it to accept DHCP and DNS otherwise.)
    • Log: Checked. (Optional)
  • Once all of the rules above are added, Apply!
  • NOTE: Do ensure they’re in the order given above, or as seen in the screenshot below.
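To make the ordering requirement concrete, here is a small first-match simulation of the four rules above. This is an added example, not code from the article and not anything pfSense ships: it models pfSense’s top-down, first-match evaluation on the 0048_Guests interface using the addresses from this article, and treats “This firewall (self)” as the guest and LAN interface addresses (an assumption; a real box also holds its WAN address). The sample destinations are constructed.

```python
"""First-match simulation of the four guest-interface rules.

Added example, not part of the original article and not pfSense code.
It models pfSense's top-down, first-match rule evaluation on the
0048_Guests interface so the ordering requirement can be checked on
constructed packets before touching the real firewall. Addresses come
from the article; "This firewall (self)" is modelled as the addresses
pfSense holds on its guest and LAN interfaces (an assumption: a real
box also holds its WAN address).
"""
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Addresses from the article.
LAN_NET = ipaddress.ip_network("192.168.20.0/22")
UNIFI_CONTROLLER = ipaddress.ip_network("192.168.20.200/32")
# "This firewall (self)": assumed to be the guest and LAN interface addresses.
SELF = (ipaddress.ip_network("10.48.1.1/32"), ipaddress.ip_network("192.168.20.1/32"))
ANY4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One interface rule. All four article rules use Source: any, so only the
    destination decides the match; the address family is implied by the
    destination networks listed (an IPv4-only rule never matches IPv6)."""
    name: str
    action: str           # "pass" or "block"
    dst: Sequence[Net]

    def matches(self, dst_ip) -> bool:
        return any(dst_ip.version == n.version and dst_ip in n for n in self.dst)


# The article's rules, in the order the article requires.
GUEST_RULES = (
    Rule("1 pass guest -> UniFi controller", "pass", (UNIFI_CONTROLLER,)),
    Rule("2 block guest -> LAN net", "block", (LAN_NET,)),
    Rule("3 block guest -> this firewall (self)", "block", SELF),
    Rule("4 pass guest -> anywhere (IPv4)", "pass", (ANY4,)),
)

# The same rules with the catch-all pass moved to the top: the mistake
# the article's ordering note warns against.
MISORDERED_RULES = (GUEST_RULES[3],) + GUEST_RULES[:3]


def evaluate(rules: Sequence[Rule], dst: str) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule. A packet that
    matches nothing falls through to pfSense's implicit default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action, rule.name
    return "block", "implicit default deny"


# Constructed sample destinations a guest client might try to reach.
SAMPLE_DESTINATIONS = (
    "192.168.20.200",          # the UniFi controller / guest portal
    "192.168.20.10",           # some other host on the LAN
    "10.48.1.1",               # pfSense itself on the guest interface
    "1.1.1.1",                 # a public IPv4 address
    "2606:4700:4700::1111",    # a public IPv6 address
)


def main() -> None:
    for label, rules in (("article order", GUEST_RULES), ("misordered", MISORDERED_RULES)):
        print(f"== {label} ==")
        for dst in SAMPLE_DESTINATIONS:
            action, name = evaluate(rules, dst)
            print(f"  {dst:<22} {action:<5}  via {name}")


if __name__ == "__main__":
    main()
```

Running it shows the LAN host blocked only while rule 2 sits above the catch-all pass; with the catch-all first, every IPv4 destination passes. Two things worth noticing: the IPv4-only fourth rule leaves IPv6 at the implicit default deny, and rule 3 also matches a guest’s DNS query to 10.48.1.1, so if guests are to use the resolver bound to the guest interface, a pass rule for TCP/UDP 53 to the interface address has to sit above rule 3 (DHCP is unaffected, since pfSense adds its own automatic pass rules for the DHCP service on interfaces where it is enabled).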

pfSense DNS and DHCP settings

DHCP Server/Service

Head to Services -> DHCP Server -> 0048_Guests to configure the DHCP server.

  1. Enable the DHCP server.
  2. BOOTP: Unchecked
  3. Deny Unknown: Unchecked.
  4. Ignore Denied: Unchecked
  5. Ignore Client Identifiers: Unchecked

Your Subnet, Subnet Mask and Available Range should all be populated with acceptable values that your DHCP pool can use.

Set the range: From: 10.48.1.2, To: 10.48.1.250

We don’t use additional Pools here, unless you need to specify additional segments of a range. In our case, we’re using a /24 (254 client-usable addresses), so there isn’t much use or need for them here.

Servers: Leave all six fields blank.

Other Options: All blank except for the following…

  • Domain Name: “guest.lan” (without the quotes). This can be anything you want, but it’s easier to tag a basic domain onto the guest clients rather than letting them run amok with random domains.
  • Time format change: Checked.
  • Statistics Graphs: Checked.

Additional BOOTP/DHCP Options (COMPLETELY OPTIONAL!!)

This section can be left blank, unless you wish to tell mobile devices that your AP is metered (bandwidth limited, i.e. overall speed is constrained). In that case, if you want to further discourage devices (primarily Android-based) from eating up bandwidth, set the following…

  • Option:
    • Number: 43
    • Type: Text
    • Value: ANDROID_METERED

Save.

DNS Server (unbound)

Go to Services -> DNS Resolver -> “General Settings” Tab.

Network Interfaces: Hold CTRL down while selecting the 0048_Guests interface, so that it is added to the existing selection.

Save.

Go to the “Access Lists” tab.

Add the guest IP range to a new ACL. LAN is “Allow Snoop”, while guests are just “Allow”.

This is what my Access Lists look like…
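For reference, this is what those two Resolver settings amount to in unbound’s own configuration syntax. This is an added example, not from the article: pfSense generates its unbound configuration from the GUI settings itself, so this is for understanding what the “Network Interfaces” and “Access Lists” choices mean, not for hand-editing on a pfSense box. Addresses are the article’s; the LAN interface address 192.168.20.1 is taken from the “Main network” note at the top.

```conf
server:
    # "Network Interfaces": listen on the LAN and guest interface addresses
    interface: 192.168.20.1
    interface: 10.48.1.1

    # "Access Lists": LAN may issue recursive queries and also non-recursive
    # cache lookups (allow_snoop); guests get ordinary recursive queries only (allow).
    access-control: 192.168.20.0/22 allow_snoop
    access-control: 10.48.1.0/24 allow
    # Sources matching no access-control line are refused by unbound's default.
```

The practical difference is that “Allow” lets a guest resolve names but not inspect what is already cached, which is why the guest range gets the narrower setting.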

Once you’ve applied the DNS Resolver, it’s time for the final tests…

Connecting to your Guest WiFi Network

Load up your mobile device. Disconnect your device from your main network if it isn’t already. Connect to the Guest network.

Now, wait for the device to notice “hey, I’m in a walled garden!”. At that point, it’ll ask you (the guest) to sign into the network. You’ll get a notification like this on Android…

Poke, Tap, smash, or whatever floats your boat that little popup to get into the UniFi guest portal.

Whatever you’ve customized your portal to be, the guest (you in this instance) will need to click the “Connect” button. As shown below…

After poking said button, the UniFi portal should remove you from the walled garden and let you browse the internet… at whatever snail speeds you’ve set.

At this point, if your mobile device does the following, you’re in good shape…

  1. Can connect to the guest WiFi Network SSID.
  2. Can obtain an IPv4 DHCP Address on the Guest Network VLAN.
  3. Device cannot communicate with anything outside of its own /32 (its own IP address). (UniFi and pfSense rules)
  4. Can connect and auth via the UniFi guest-auth portal.
  5. Able to connect to websites once authed/connected fully.
