InfoSec News & Investigations

Ubiquiti Guest Wi-Fi VLANs and pfSense

Ok, so you have upgraded your Wi-Fi to a new shiny circular Ubiquiti device… and you are using pfSense too? Welcome to the club. Let's get started.

There are multiple parts to get this all working, so let's step through them.
A few things to note:

  • I have set up the GUEST network as an isolated VLAN on my network.
  • I have a guest Wi-Fi portal enabled.
  • I have a server on 24/7 with the Ubiquiti controller running.
  • I am using the latest version of pfSense.
  • I have a managed switch, a NETGEAR GS108T.
  • I am using a Ubiquiti AC PRO on the latest version.


Let's set up the VLAN

Interfaces –> Assignments –> VLANs

Here you want to add your VLAN tag and the parent interface it will run on. Here I am using:

Interface: LAN

Tag: 30


Go back to
Interfaces –> Assignments
Where it says Available Network Ports, choose your VLAN!

Click Save and the new interface will be called something like OPT4. Click on that new interface.

Change your settings:

Tick Enable interface
Give the interface a name
Choose Static IPv4
Set the subnet. For me the VLAN tag was 30, so I used the same number in the subnet. This IP is the IP of the interface and will be the VLAN gateway IP.

Click SAVE.

Services –> DHCP Server

You now need to set up the DHCP scope for the GUEST DMZ.

Click SAVE

Firewall –> Rules

Now, I am only allowing access from the GUEST DMZ out to the internet, not back to my LAN or my VPN subnet.

Firewall rules are processed from the TOP to the BOTTOM, so the first rule that matches a connection wins.

  • The top rule allows the guests to connect to the portal on the Ubiquiti controller SERVER. This lets the guest Wi-Fi produce a portal / hotspot page.
  • The next rule blocks access to the LAN.
  • The next rule blocks access to the VPN subnet.
  • The bottom rule allows access to the internet.

I have a number of outbound VPN interfaces that I have grouped into a gateway group on the bottom rule. You may not have this, so you can ignore the gateway option; the rule would then use your default outbound WAN device.

If you want to allow access from your LAN to the GUEST network then you need to add a rule on the LAN interface.
This means only LAN devices can start a connection to the GUEST DMZ, not the other way around.
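To make the top-to-bottom point concrete, here is an added Python simulation (not from the original post) of first-match processing over the GUEST rule set above. All subnets, the controller address and the portal port are constructed for the example; it also shows how moving the allow-internet rule above the block rules silently re-opens the LAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for illustration; substitute your own subnets.
GUEST = ipaddress.ip_network("192.168.30.0/24")        # VLAN 30 guest DMZ
LAN = ipaddress.ip_network("192.168.1.0/24")           # trusted LAN
VPN = ipaddress.ip_network("10.8.0.0/24")              # VPN subnet
CONTROLLER = ipaddress.ip_network("192.168.1.10/32")   # Ubiquiti controller host (on the LAN)
ANY = ipaddress.ip_network("0.0.0.0/0")
PORTAL_PORT = 8443                                     # assumed portal port for the example

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port

# The GUEST interface rules in the order pfSense evaluates them (top to bottom).
GUEST_RULES: List[Rule] = [
    Rule("pass", GUEST, CONTROLLER, PORTAL_PORT),  # guests reach the controller's portal only
    Rule("block", GUEST, LAN),                     # no access to the trusted LAN
    Rule("block", GUEST, VPN),                     # no access to the VPN subnet
    Rule("pass", GUEST, ANY),                      # everything else (the internet) is allowed
]

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule; no match means the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "block"

def audit_order(rules: List[Rule]) -> List[str]:
    """Flag any any-port pass rule whose destination covers a block rule placed below it."""
    problems = []
    for i, rule in enumerate(rules):
        if rule.action != "pass" or rule.dport is not None:
            continue
        for later in rules[i + 1:]:
            if later.action == "block" and later.dst.subnet_of(rule.dst):
                problems.append(f"rule {i} pass to {rule.dst} shadows block to {later.dst}")
    return problems

if __name__ == "__main__":
    misordered = [GUEST_RULES[3]] + GUEST_RULES[1:3]   # allow-internet moved to the top
    print(evaluate(misordered, "192.168.30.20", "192.168.1.50", 445))   # guest reaches the LAN
    print(audit_order(misordered))
```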

Firewall –> NAT

You now need to create an outbound NAT rule for the GUEST DMZ.

So we are saying:
Interface: (your outbound, typically on a normal setup your WAN)
Source: GUEST DMZ subnet
NAT Address: (your outbound, typically on a normal setup your WAN)

Ok, so we are good to go on the pfSense end.

Wireless AC PRO

I will assume you know how to do this part, but just in case: click on the “Create NEW wireless network” button.
As you can see I have 2 networks, my normal Wi-Fi and my guest network using VLAN 30.

Give your guest network a catchy name 😉

Really, I should not need to explain to you how to do this…

Just ensure that you are using VLAN 30.

USER GROUP: I have created a group that throttles people's download speed…

Go back to the NETWORKS menu and create a GUEST network.
Ensure you are using VLAN 30 for the guest network and that the gateway/subnet matches the pfSense VLAN interface IP.

Guest Control Settings

Well, you can customise this yourselves.

We also don't need to bother with the access control here, as we have taken care of that with the pfSense firewall rules.


Log in to your switch… hopefully you have changed the default password, right?

Your wireless access point's Ethernet cable was plugged into your managed switch, right? And you know which port number you chose?
If the traffic goes over any other switches, you will need to allow tagging on them too.

PORT G1 is the LAN cable coming from pfSense –> Switch.
PORT G4 is the UBIQUITI AC PRO Ethernet cable –> Switch.
You need to know which ports these are to be able to enable the port tagging.

Click on Switching –> VLAN

Here you are going to want to add the VLAN tag we set up earlier in pfSense.
In this case we are using a VLAN ID of 30.


Click on Advanced –> VLAN Membership

We need to enable tagging on the G4 interface (UBIQUITI AC PRO).
We are using VLAN ID 1 here as that is the default LAN tag; we need to do this to allow the switch to carry more than one tag on that port, so the pfSense interface can see the tags coming from the wireless access point on that port.
This is INCOMING traffic from the AC PRO into the switch.

Now we click on VLAN ID 30 (this is our GUEST DMZ VLAN).

So, notice we are now tagging on 2 ports on the switch:
INCOMING wireless tags to the switch (PORT G4)
OUTGOING tags from the switch to pfSense (PORT G1)

So the traffic is coming in on G4 and going across the switch out to pfSense via PORT G1.

We are now done with the switch and should have a working guest Wi-Fi.

If I have saved you hours of shit by putting myself through shit to get this working, then please show me some support: whack a few of those cryptocurrencies my way.. 😉 and retweet me on Twitter etc..