Ubiquiti Guest Wifi VLANS and PfSense

Click the icon to Follow me:- twitterTelegramRedditDiscord

Ok, so you have upgraded your Wi-Fi to  a new shiney circular Ubiquiti device….and you are using PfSense too? Welcome to the club. Lets get started.

There are multiple parts to get this all working so lets step through them.
Few things to note:-

  • I have setup the GUEST network as an isolated VLAN on my network.
  • I have a Guest wifi portal enabled.
  • I have a server on 24/7 with the Ubiquiti controller running.
  • I am using PfSense latest version
  • I have a managed switch NETGEAR GS108T.
  • I am using a Ubiquiti AC PRO latest version.


Lets setup the VLAN

Interfaces –> Assignments –> VLANs

img 59eb39818dca3

Here you want to add in your VLAN TAG and what interface it will be running on, here i am using

Interface: LAN

Tag: 30

img 59eb39bfa781f


Go back to
Interfaces –> Assignments –>
Where it says Available Network Ports: Choose your VLAN!

img 59eb3a854b849

You should now click save and it will be called something like OPT4 or whatever. Click on that new interface.

Change your settings:-

Tick enable interface
Give the Interface a name
Choose static IPv4
Set the subnet , for me the VLAN tag was 30 so i set the subnet as the same.. This IP is the IP of the interface, this will be the VLAN gateway IP.

img 59eb3b24ae97b

Click SAVE.

Services –> DHCP Server

You now need to setup the DHCP scope for the GUEST DMZ

img 59eb4682a79ab

img 59eb4693780fc

Click SAVE

Firewall –> Rules

Now i am allowing only allowing access from the GUEST DMZ out to the internet, not back to my LAN or my VPN subnet.

Firewall rules are processed from the TOP to BOTTOM.

  • The top rule is to allow the Guests to connect to the Portal on the Ubiquiti Controller SERVER. This allows the guest wifi to produce a portal / hotspot.
  • The next rule is to block access to the LAN
  • The next rule is to block access to the VPN subnet
  • The bottom rule is to allow access to the internet

img 59eb3cb1051bf

I have a a number of outbound VPN interfaces that i have group into a gateway group on the bottom rule, you may not have this so can ignore the gateway option, if would use your default outbound WAN device.

If you want to allow access from your LAN to the GUEST then you need to add a rule in the LAN interface.
This means only the LAN devices can start a connection with the GUEST DMZ not the otherway around.

Firewall –> NAT

You now need to create a NAT firewall rule for the GUEST DMZ device.

So we are saying
Interface: (your outbound, typically on a normal setup your WAN)
Source: GUEST DMZ subnet
NAT Address: (your outbound, typically on a normal setup your WAN)

img 59eb3f191d01d

Ok, so we are good to go on the PfSense End.

Wireless AC PRO

I will assume you know how to do this part, but just in case, click on the “Create NEW wireless network” button.
as you can see i have 2 networks, my normal wifi and my guest network using VLAN 30.

img 59eb42977063e

Give your guest network a catchy name 😉

Really i should not need to explain to you how to be doing this…..

img 59eb430d4f017

Just ensure that you are using VLAN 30

USER GROUP: I have created a group that throttles peoples download speed…

Go back to the NETWORKS menu and create a GUEST network
ensure you are using VLAN 30 for the guest and that the subnet is your gateway IP.

img 59eb43b9e4b8b

 Guest Control Settings

Well you can customise this yourselves

img 59eb45e185fd3

We also don’t need to bother with the access control as we have taken care of that with the PfSense firewall rules

img 59eb46159bc43


Login to your switch…. hopefully you have changed the default password….right ?

Your wireless ethernet cable was plugged into your managed switch right? And you know the port number you chose?
If you go over any other switches you will need to also allow tagging on them too.

PORT G1 is the LAN cable coming from the PfSense –> Switch.
PORT G4 is the UBIQUITI AC PRO ethernet cable –> Switch.
You are going to need to know what these are, to be able to enable the PORT tagging.

img 59eb3fed6d09a

Click on Switching –> VLAN

Here you are going to want to add in the VLAN tag we setup earlier in PfSense.
In this case we are using a VLAN ID of 30


img 59eb4063d587f

click on Advanced –> VLAN membership

img 59eb40aad0777

We need to enable the tagging on the G4 interface ( UBIQUITI AC PRO).
We are using VLAN ID 1 here as that is the default LAN tag, we need to do this to allow the switch to send more that one tag on that port so the PfSense interface can see the tags coming from that wireless access point to that port.
This is INCOMING traffic from the AC PRO into the switch

img 59eb417bc5113

Now we click on VLAN ID 30 (this is our GUEST DMZ VLAN)

So, noticed we are not taggin on 2 ports on the switch.. the
INCOMING wireless tags to the switch (PORT G4)
OUTGOING tags from the switch to PfSense. (PORT G1)

img 59eb41b4bdfd0

So the traffic is coming in on G4 and going across the switch out to Pfsense via PORT G1.

We are now done with the switch and should now have a working guest wifi.

If i have saved you hours of shit, but putting myself through shit to get this working, then please show me some support, whack a few of those crypto currencies over my way.. 😉 and Retweet me on twitter etc..

Available for Amazon Prime