Last Updated on August 14, 2022 by Thiago Crepaldi
A typical home network is composed of a single network, and if any of your devices is compromised or infected with malware, the attacker is able to spread malware to or compromise all devices.
You can better protect your home network by separating it into sub-networks (aka subnets). Devices in one subnet do not have access to another subnet, so the risk from a compromised device is limited to a single subnet.
There are many ways to subnet your network. In this post we will focus on segregating your network through Wi-Fi VLANs, which requires pfSense, a managed router (Unifi Dream Machine Pro) and an Access Point (Unifi AP FlexHD). This post is based on a daisy-chained router topology. For our example, we will use three different Wi-Fi networks (Home, Guest and Obfuscated). While Home, Guest and Obfuscated all have internet access, none of them will be able to see the others. Obfuscated will use a VPN client connection as its gateway, making its traffic encrypted from the rest of the world. We will also discuss a hypothetical IoT network that either has access to the Internet but not to your Home network, or has access to your Home network but no Internet access. It really depends on your use case and creativity.
Requirements
- pfSense as main router
- 2 LAN physical ports
- One connected to the UDM-Pro port and the other to the AP
- 1 WAN physical port connected to the ISP
- (optional) VPN client connection for Obfuscated Wi-Fi network
- UDM-Pro as secondary router (daisy chained)
- Unifi AP
- Home, Guest and/or Obfuscated Wi-Fi networks
A note on (daisy-chained) topologies
On my original setup, I had the Unifi AP FlexHD connected to a UDM Pro LAN port. This has the benefit that the Unifi controller and the AP are in the same network, which makes the overall Unifi solution work out of the box. However, my Internet and VPN client connections are configured on the pfSense router. To allow Wi-Fi networks to be routed differently by pfSense based on VLAN tagging, we need to pass (multiple) VLAN information from the AP through the UDM-Pro’s WAN port, which is not supported. To overcome this limitation on the UDM Pro, I had to change the topology a bit and move the Unifi AP from the UDM-Pro switch ports to a second LAN port on the pfSense router. This created connectivity issues between the UDM-Pro and the Unifi AP (they are in different networks now). The solution is to open a few ports on the UDM-Pro to allow remote management.
Create a new LAN on the pfSense
On your pfSense, go to Interfaces >> Assignments and on Available network ports select an available NIC and click on the Add button. Next, click on the new interface that was created and do as follows:
- General Configuration
- Enable interface: checked
- Description: UNIFI_APs
- IPv4 Configuration Type: Static IPv4
- Static IPv4 Configuration
- IPv4 address: 10.20.0.0/24
Leave the rest as is and click on Save and Apply changes.
DHCP Server
Now we need to enable DHCP service for the new Interface. Navigate to Services >> DHCP Server >> UNIFI_APs (or however you named your interface):
- General Options
- Enabled: checked
- Range: 10.20.0.100 to 10.20.0.199
- Servers
- DNS servers: 10.20.0.1
- Other Options
- Domain name: lan.domain.com
- NTP Server 1: 10.20.0.1
Leave the rest as is and press Save at the bottom. Now we need to reserve an IP for the Unifi AP so that the controller can always reach the AP in a uniform way. At the bottom, click on Add in the DHCP Static Mappings for this Interface section:
- Static DHCP Mapping on LAN_UNIFI_AP
- MAC Address: Your Unifi AP MAC address
- There should be a sticker on your AP with the MAC. You can also find it on the Unifi Controller UI through Network icon >> Devices >> your_AP >> Details page.
- Client Identifier: a friendly name for your AP
- IP Address: 10.20.0.2 or anything you like
- Hostname: Use your imagination
Finish the reservation by pressing Save and Apply changes.
Firewall rules
At this point, your new interface can recognize the AP and assign an IP to it, but there is no connectivity to the LAN/Internet. We need to go to Firewall >> Rules >> UNIFI_APs and create our rules to allow Internet and LAN access. What you can do is duplicate every rule from the main LAN in the same order and replace the Interface field with the new interface (from LAN to UNIFI_APs in this example). However, I am creating a basic rule below just for completeness. Press Add and fill in as below:
- Edit Firewall Rule
- Action: Pass
- Interface: UNIFI_APs
- Address Family: IPv4
- Protocol: Any
- Source
- Source: UNIFI_APs
- Destination
- Destination: Any
- Extra Options
- Description: Default allow all rule
Finish by clicking on Save and Apply changes. You can test this interface configuration by connecting a laptop to this physical port, checking that a 10.20.0.100 IP was assigned and that Internet is available.
If you followed my pfBlockerNG post on blocking ads and want to do the same for the AP network, you need a new firewall rule for it. Duplicate it from the main LAN and just change the Interface to UNIFI_APs. You also need to go to Firewall >> pfBlockerNG >> IP and at IP Interface/Rules Configuration >> Outbound Firewall Rules make sure you add UNIFI_APs to the list. You can wait an hour for the change to take effect or do a Force Reload at Firewall >> pfBlockerNG >> Update.
If you followed my previous protecting your network DNS using pfSense post, you also need to duplicate the firewall rules from the main LAN that involve ports 53 and 853.
NAT
In a previous post about configuring VPN clients on your pfSense I mentioned we should use Hybrid Outbound NAT rule generation to allow pfSense to create NAT rules for the existing networks while you can add your own rules. If you did that, you are all set here. Otherwise, navigate to Firewall >> NAT >> Outbound and select Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below). Press Save and Apply Changes.
If you followed my previous protecting your network DNS using pfSense post, you also need to duplicate the NAT rules from the main LAN that involve port 53.
Allowing Unifi device adoption through UDM Pro WAN interface
By default, UDM Pro (and most routers) will not allow traffic coming from WAN into the LAN network. That causes connectivity issues with the Unifi AP on the pfSense network, which has to be adopted by UDM Pro across its WAN port. The solution is to open a couple of ports so that the AP can communicate with the Unifi controller, allowing adoption on a different network. I have adapted instructions from Unifi for remote controllers to get this working.
For the adoption to succeed, we need to override the pfSense DNS Resolver service to force resolution of the ‘unifi’ hostname to the actual Unifi controller IP which we reserved at DHCP server in previous steps. There are other adoption mechanisms, but DNS is the simplest for pfSense, as it runs its own name service and we are used to it. On your pfSense, navigate to Services >> DNS Resolver, scroll down to Host Overrides and click on Add:
- Host Override Options
- Host: unifi
- Domain: lan.domain.com
- IP address: 10.0.0.2
- Description: Static unifi hostname to allow adoption
Finish the override by pressing Save and Apply changes.
Now the Unifi AP knows where to find its Unifi Controller, but we still need to open UDM-Pro ports for communication. Go to your UDM Pro web UI, select the Network application, navigate to Settings >> Internet security >> Firewall, scroll down to GROUPS and click on Create new group to create a group that will encapsulate all ports that need to be opened:
- Name: Unifi device adoption port group
- Type: Port group
- Port: 22, 8080, 3478, 80, 443
Confirm by pressing Apply. Next, create a new group with the UNIFI_APs subnet:
- Name: UNIFI AP net
- Type: IPv4 address/subnet
- Address: 10.20.0.0/24
Confirm by pressing Apply again and create a third group with the Unifi controller IP:
- Name: Unifi controller IP
- Type: IPv4 address/subnet
- Address: 10.0.0.2
With all 3 groups created, scroll up to RULES and click on Create new rule to put everything together as below:
- General
- Type: WAN local
- Description: Allow Unifi device adoption through WAN
- Enabled: checked
- Rule applied: Before predefined rules
- Action: Accept
- IPv4 Protocol: TCP and UDP
- strictly speaking 3478/UDP and 22,80,443,8080/TCP are the minimal selection, but I am allowing TCP and UDP for all listed ports for simplicity
- Source
- Source type: Address/Port group
- IPv4 Address Group: Select UNIFI AP net
- Port group: Select Any
- Destination
- Destination type: Address/Port group
- IPv4 Address Group: Select Unifi controller IP
- Port group: Select Unifi device adoption port group
Click on Apply and all TCP/UDP ports from connections starting on the Unifi AP network towards the controller will be opened.
(Re)configuring the Unifi AP
If your AP was already adopted by the controller, you need to move it to the new pfSense UNIFI_APs port and everything should just work. If it doesn’t, I suggest that you factory reset your Unifi AP, remove it from the Unifi controller and start over the adoption process. It is fast and you will be on your feet pretty quick. One quick test before resetting the whole thing is to SSH into the Unifi AP and, from there, SSH into the Unifi Controller. If all firewall rules were created right, you should be able to connect to the controller from the AP. Refer to Unifi troubleshooting guide if you get stuck in this step and can’t adopt the AP.
Setup Wi-Fi VLAN subnets on UDM-Pro
The previous steps complete the configuration that implements the topology change. At this point, you should have 1) Unifi AP and Controller with proper network connectivity despite the fact they are in different networks, 2) AP properly adopted by the Controller and 3) at least one working Wi-Fi network (Home), which will not use VLAN and whose configuration will not be modified.
The next step is to configure VLANs for your Wi-Fi networks. I am assuming you wish to modify your existing wireless networks (Guest and, optionally, Obfuscated), but creating new Wi-Fi networks is equally simple. Make these changes on your UDM-Pro while connected through a network (such as Wi-Fi Home or a wired connection) other than the Wi-Fi you will modify (aka Guest).
I recommend using a VLAN between 2 and 254, so that we can use the VLAN ID as the third IP octet. For example, given that VLANs will be created on the 10.20.0.0/24 network, for a VLAN ID 100 we can have 10.20.100.0/24 as the VLAN network, which helps identify connections in future analysis.
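The convention above, written out as an added example (not code from the original post): it derives the pfSense values used in the following steps from a VLAN ID and maps an IP seen in a log back to its VLAN. The function names are hypothetical, and the `.1` interface address is an assumption inferred from the DNS/NTP values the post uses.

```python
import ipaddress

PARENT_NET = ipaddress.ip_network("10.20.0.0/24")  # UNIFI_APs network from the post


def vlan_subnet(vlan_id, parent=PARENT_NET):
    """Map a VLAN ID to its /24 by using the ID as the third octet."""
    if not 2 <= vlan_id <= 254:
        raise ValueError(f"VLAN ID {vlan_id} is outside 2-254 and cannot be the third octet")
    first, second = parent.network_address.packed[:2]
    subnet = ipaddress.ip_network(f"{first}.{second}.{vlan_id}.0/24")
    if subnet.overlaps(parent):
        raise ValueError(f"VLAN ID {vlan_id} collides with the untagged parent network")
    return subnet


def pfsense_settings(vlan_id, parent=PARENT_NET):
    """Values to enter on the pfSense VLAN, interface and DHCP pages."""
    subnet = vlan_subnet(vlan_id, parent)
    gateway = subnet.network_address + 1  # assumed: the post uses .1 for DNS/NTP
    return {
        "vlan_tag": vlan_id,
        "interface": f"UNIFI_APs_VLAN{vlan_id}",
        "interface_address": f"{gateway}/{subnet.prefixlen}",
        "dhcp_range": (str(subnet.network_address + 100),
                       str(subnet.network_address + 199)),
        "dns_server": str(gateway),
        "ntp_server": str(gateway),
    }


def vlan_of(address, parent=PARENT_NET):
    """Reverse lookup for log analysis: which VLAN does this client IP belong to?

    Returns the VLAN ID, 0 for the untagged parent network, or None when the
    address is not part of this addressing plan.
    """
    ip = ipaddress.ip_address(address)
    if ip in parent:
        return 0
    octets = ip.packed
    if octets[:2] != parent.network_address.packed[:2]:
        return None
    return octets[2] if 2 <= octets[2] <= 254 else None


if __name__ == "__main__":
    for key, value in pfsense_settings(100).items():
        print(f"{key:18} {value}")
    print("10.20.100.153 belongs to VLAN", vlan_of("10.20.100.153"))
```

A VLAN ID above 254, such as the 500 used later for the IoT example, is rejected here and needs its third octet chosen separately.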
Go to Settings >> Wi-Fi >> Wi-Fi Networks page and click on Edit to modify your existing Guest Wi-Fi:
- Miscellaneous
- Use a VLAN: checked
- VLAN ID: 100
Click Apply changes. The Guest Wi-Fi network is now configured with the VLAN. This causes temporary connectivity issues, and we need to set up pfSense to work with the VLAN before things start to work again.
Setup Wi-Fi VLAN subnets on pfSense
Previously, you created a new interface for the Unifi AP to communicate with the Unifi Controller. Now you need to go through a similar process to create an interface for each Wi-Fi VLAN on that same physical UNIFI_APs interface.
On your pfSense, go to Interfaces >> Assignments >> VLANs, click on Add and do as follows for the Guest VLAN:
- VLAN Configuration
- Parent Interface: Select the interface created for the UNIFI_APs
- VLAN Tag: 100
- Description: VLAN 100 – Guest
Press Save and Apply changes. Now go to Interfaces >> Assignments >> Interface assignments and add a new interface with the newly created VLAN:
- General Configuration
- Enable interface: checked
- Description: Any intuitive name, such as UNIFI_APs_VLAN100
- IPv4 Configuration Type: Static IPv4
- Static IPv4 Configuration
- IPv4 address: 10.20.100./24
Click on Save and Apply changes. As before, the next step is to configure DHCP for the new interface. Navigate to Services >> DHCP Server >> UNIFI_APs_VLAN100 (or however you named your interface):
- General Options
- Enabled: checked
- Range: 10.20.100.100 to 10.20.100.199
- Servers
- DNS servers: 10.20.100.1
- Other Options
- Domain name: lan.domain.com
- NTP Server 1: 10.20.100.1
Leave the rest as is and press Save at the bottom. As before, the next step is to create firewall rules to allow internet traffic. As discussed before, you can duplicate each rule from the main LAN interface if you have pfBlockerNG and/or DNS rules. But we will also add a new rule to allow Internet-only access.
First we will create a firewall IP alias to define what LAN networks can look like and then use this definition to limit connectivity on the Guest network. On your pfSense, go to Firewall >> Aliases, click on Add and do as follows:
- Properties
- Name: RFC1918 or Private_IPv4s
- Description: All private IPv4 networks
- Type: Networks
- Network(s)
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Press Save and Apply changes to create the alias which will be used by the new firewall rule. The alias is created once and can be used by many firewall rules (in case you are repeating these steps for Guest, Obfuscated, IoT, etc). Go to Firewall >> Rules and press Add:
- Edit Firewall Rule
- Action: Pass
- Interface: UNIFI_APs_VLAN100
- Address Family: IPv4
- Protocol: Any
- Source
- Source: UNIFI_APs_VLAN100
- Destination
- Invert match: checked
- Destination: Single host or alias
- Destination address: RFC1918 or Private_IPv4s
- Extra Options
- Description: Default allow Internet-only rule
Finish by clicking on Save and Apply changes. Now your Guest Wi-Fi network has internet access, but it can’t access the Home Wi-Fi network as they are in different broadcast domains and we restricted the firewall rule to allow connections that are not targeting LAN addresses.
As discussed during UNIFI_APs NAT configuration, if you followed my previous protecting your network DNS using pfSense post, you also need to duplicate the NAT rules from the main LAN that involve port 53.
VLANs and beyond…
After following this long post, you were able to create a new subnet Guest on your Wi-Fi using VLANs, which is completely isolated from Home Wi-Fi and the wired network. Let’s just be honest, there are easier ways to apply guest policies using Unifi controller only without using pfSense and/or VLAN.
Using VPN client connection as gateway
One of the reasons I wrote this post was to show how to use these concepts and techniques to create Obfuscated Wi-Fi networks that not only don’t have access to my Home LAN, but also use a VPN connection as the default gateway. The Obfuscated Wi-Fi network runs side by side with the regular Wi-Fi networks (Home and Guest), but it is isolated from them and completely anonymous. This approach is powerful as I can select which traffic should be protected (and potentially slower due to VPN bandwidth limitations) and when to use the faster ISP connection on the other Wi-Fi networks.
To implement Obfuscated, repeat the previous steps: create a new Wi-Fi network on your UDM-Pro, set its VLAN ID and, on your pfSense, create a VLAN interface and configure its DHCP server, DNS, NAT and firewall rules. Test internet connectivity before making changes that will allow VPN client connections as gateway and/or restrictions.
The difference from the Home and Guest Wi-Fi networks is that Obfuscated uses a VPN client connection as its gateway (aka Internet connection). To set this up, on your pfSense, go to Firewall >> Rules and press Edit at the Default allow Internet-only rule:
- Extra Options
- Advanced Options
- Display Advanced
- Gateway: Select your VPN client connection or your VPN Gateway group if you have multiple VPN client connections for failover/load balancing
Press Save and Apply changes and you are ready to go.
Isolating IoT
We all have IoT gadgets that are rarely updated, posing an enormous threat to your home network, even if your routers, switches, laptops, phones and tablets are up to date. They can be categorized in 2 types:
- IoT devices that need internet to function, but do not interact with your network
- Examples are Google home, smart devices such as fridge, locks, etc
- IoT devices that do not need Internet, but need to be available on your network
- Examples are Surveillance cameras. They usually are accessed by your home Wi-Fi for recording, but you don’t want them sending your life online
Isolating IoT from your home
For 1), it is just better to allow the IoT devices to connect to internet and do their thing, but isolate them from your home.
This is exactly what we have done for Guest already, so just repeat previous steps for the IoT and you are done!
Isolating IoT from Internet
For 2), on the other hand, we can use VLAN ID 500 and start off by repeating previous steps for the IoT, but then modify the firewall rule to allow LAN connections only.
On your pfSense, go to Firewall >> Rules and press Edit at the Default allow Internet-only rule:
- Edit Firewall Rule
- Action: Pass
- Interface: UNIFI_APs_VLAN500
- Address Family: IPv4
- Protocol: Any
- Source
- Source: UNIFI_APs_VLAN500
- Destination
- Invert match: unchecked
- Destination: Single host or alias
- Destination address: RFC1918 or Private_IPv4s
- Extra Options
- Description: Default allow LAN-only rule
Press Save and Apply changes to complete.
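A model of the Guest Internet-only rule from earlier and the IoT LAN-only rule above, added here as an illustration and not taken from the original post: it evaluates constructed connections against the RFC1918 alias with Invert match checked and unchecked. The IoT subnet 10.20.50.0/24, the client addresses and the extra DNS rule are assumptions, and the first-match evaluation is a simplified model rather than pfSense's own logic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The "RFC1918 or Private_IPv4s" alias exactly as defined in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PassRule:
    description: str
    source: ipaddress.IPv4Network   # "Source" field (the interface network)
    destination: list               # networks behind the destination alias
    invert: bool                    # state of the "Invert match" checkbox
    port: Optional[int] = None      # None means any destination port


def evaluate(rules, src, dst, port):
    """Return (action, rule description) for one new connection.

    Simplified model: pass rules are checked top-down, the first match wins,
    and anything unmatched falls through to pfSense's implicit default deny.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip not in rule.source:
            continue
        if rule.port is not None and rule.port != port:
            continue
        in_alias = any(dst_ip in net for net in rule.destination)
        if in_alias != rule.invert:  # "Invert match" flips the alias test
            return "pass", rule.description
    return "block", "default deny"


GUEST_NET = ipaddress.ip_network("10.20.100.0/24")  # VLAN 100 from the post
IOT_NET = ipaddress.ip_network("10.20.50.0/24")     # constructed; the post gives no IoT subnet

guest_rules = [PassRule("Default allow Internet-only rule", GUEST_NET, RFC1918, invert=True)]
iot_rules = [PassRule("Default allow LAN-only rule", IOT_NET, RFC1918, invert=False)]

# Hypothetical extra rule (not from the post), placed above the Internet-only
# rule so Guest clients can reach the resolver address that DHCP hands out.
guest_rules_with_dns = [
    PassRule("Allow DNS to VLAN gateway", GUEST_NET,
             [ipaddress.ip_network("10.20.100.1/32")], invert=False, port=53),
] + guest_rules


def audit():
    """Evaluate constructed sample connections against each rule set."""
    guest, iot = "10.20.100.120", "10.20.50.10"  # constructed client addresses
    return {
        "guest -> internet": evaluate(guest_rules, guest, "1.1.1.1", 443),
        "guest -> controller 10.0.0.2": evaluate(guest_rules, guest, "10.0.0.2", 443),
        "guest -> gateway DNS": evaluate(guest_rules, guest, "10.20.100.1", 53),
        "guest -> gateway DNS (extra rule)": evaluate(guest_rules_with_dns, guest, "10.20.100.1", 53),
        "guest -> gateway :443 (extra rule)": evaluate(guest_rules_with_dns, guest, "10.20.100.1", 443),
        "iot -> controller 10.0.0.2": evaluate(iot_rules, iot, "10.0.0.2", 554),
        "iot -> internet": evaluate(iot_rules, iot, "8.8.8.8", 443),
        "iot -> guest VLAN": evaluate(iot_rules, iot, "10.20.100.120", 80),
    }


if __name__ == "__main__":
    for case, (action, rule) in audit().items():
        print(f"{case:36} {action:5} ({rule})")
```

In this model the Internet-only rule by itself does not pass DNS queries to 10.20.100.1, since that address is inside 10.0.0.0/8, which is why the port 53 rules mentioned earlier matter. The LAN-only rule passes traffic to every private range, including other VLANs such as Guest, not only to the Home network.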
Summary
During this journey, we updated our physical network to put our Unifi AP closer to pfSense, allowing VLAN integration between the two.
Next, we pointed out that we don’t really need to make changes to the Home Wi-Fi network, as we want it to be in the same broadcast domain as the rest of your wired devices.
After that, we configured a Guest Wi-Fi network that, while it can reach the Internet, is isolated from your home network.
We also covered an encrypted Obfuscated Wi-Fi network which is isolated from your Home network and uses a VPN client connection as gateway, adding a privacy layer when you want to visit suspicious websites.
Finally, we covered two flavors of IoT Wi-Fi networks that either have Internet access but not LAN connectivity or the other way around, that is, no Internet but LAN connectivity.
Hope you enjoyed it…
This is basically the setup I am working on now. I have multiple wired APs (nano and in-wall hd) as well as a number of cameras. Rough topology is:
MODEM –> UDM PRO –> PoE 24 Port Switch –> APs/Cameras.
What would you recommend for adding the PfSense gateway (Still need to purchase one – probably Netgate 5100 or 7100)? I feel confident I can follow this and get one AP set up, but it seems like the AP needs to be connected directly to the PfSense unit, but all of my APs are PoE. Do I attach the switch to the PfSense unit and then the UDM Pro? If so, what about the cameras?
I am just confused about how to get this all set up properly. Any help is appreciated.
Current Networks:
LAN
CAMERA VLAN – (no internet access)
GUEST VLAN – (bandwidth limited)
FAMILY VLAN – (parental controls)
IoT VLAN – (IoT plus apple devices)
Hi TJ, regarding the Netgate appliance, it all boils down to how much power you need.
Netgate SG-5100 can handle a lot already: 3.8Gbps as router, 3.6 Gbps as firewall and 923 Mbps on IPSEC VPNs. This is more than 99% of people’s internet capacity by far. Even for just routing private networks, 5100 can handle a lot. However, if you have $300 to upgrade to DT-7100 or maybe XG-7100, I would never try to stop you. I love the idea of supporting pfSense by buying their hardware, but some people are on a strict budget and often opt to use Protectli and install pfSense on it. The disadvantage is that you cannot get pfSense plus with more features than just pfSense Community Edition.
Regarding your topology, I would strongly recommend getting rid of the UDM Pro (you can sell it for good money) and replacing it with Netgate. Double NAT is doable, but in the long run you will hate it. Believe me, I know… Next, if your PoE 24 Port Switch is a Unifi with managed ports (or any managed switch really) you can connect your Unifi APs and cameras on it and follow several posts on my blog. You can install Unifi AP controller on another computer/server or even your cell phone. Are your cameras Unifi too? What is the switch model?
My suggestion: MODEM -> Netgate appliance -> Unifi 24 Port switch with PoE -> APs/Cameras
However, if you really want to keep the UDM Pro, you can still let the APs/Cameras connected to the UDM Pro, but because UDM Pro does not support multiple VLANs on their WAN port, all your VLANs will have to be kept between your AP and UDM Pro. pfSense will not be able to do any VLAN with the UDM Pro. That is OK for many scenarios, by the way. One scenario that wouldn’t work is having VPN set up on pfSense and being routed to one of your Wi-Fis, for instance. That requires VLAN to go from pfSense up to the AP passing through the UDM Pro.
The more details you can share about what you want to achieve and what devices you have, the more tips I can provide.
I have GB internet service, but being an eternal optimist, I dream of faster service, so I don’t mind upgrading to something that will handle more than is currently available. I just pulled cat6a throughout my entire home.
The cameras are all Unifi – two G4 Domes, 1 G4 Doorbell and 1 G3 Instant (wifi). I just installed the cameras and UDM-P and was hoping there was a way to just disable everything in it except the Protect features to run the cameras. It does not sound like that is possible.
The switch is the Unifi Switch Pro 24 PoE.
I do have a spare Raspberry Pi 4 (8GB) sitting around that I could use for the camera controller.
My goal is to maintain the camera network with local storage of the video. Fully utilize the access points. Not only do I want to be able to utilize the wifi via the 3 nanos and 4 In-Wall-HD units, I would like to keep the functionality of programming the ports on the In-Wall-HDs for the desired network. I must be able to route at least one VLAN’s outbound traffic via VPN. Finally, I absolutely want the robust firewall and threat management that PfSense offers (and Unifi falls short on).
Thanks!!
Well, I think there is a way. Connect pfSense LAN port to one of the 4 LAN ports of the UDM Pro. Do not use UDM Pro WAN port. This way, UDM Pro will work as a switch. No more Double NAT too. Just not sure whether the Protect feature works well, but you can easily test that.
You will get notifications that your UDM Pro doesn’t have internet connectivity (because of the disconnected WAN), but maybe there is a way to disable this annoyance.
You can sell your UDM Pro and buy Unifi NVR (https://store.ui.com/collections/unifi-protect-nvr/products/unifi-protect-nvr). Then run the Unifi controller on your raspberry and you are gold.
I also have a Synology RS819 NAS that I have not connected. I do not want outside access to the NAS. I want it for internal use only, isolated from the internet.
That is just excellent. Just follow this post to have unifi controller running on your synology.
You keep your NAS behind your pfSense and all is good. I would still sell the UDM Pro and get a unifi NVR. UDM Pro lacks too many security and networking features anyway.
I never tested it, but look at this Github project https://hub.docker.com/r/iamjamestl/unifi-protect
Thanks for the advice. I will sell the UDM-P, grab the NVR, install the controller on the Pi and order the XG7100 1U to replace the UDM-P. I will post an update when I have everything running!
I can’t tell you how much I appreciate the help on this.
Sounds like a great plan! I felt bad for selling my UDM Pro and getting a Unifi Switch 24 Port PoE at the time, but no regrets today!
Unfortunately I don’t have a Raspberry around to write a post on how to get unifi controller there for you, but I am sure you can do it! As I mentioned earlier, I run my unifi controller on my Synology NAS as a docker image. The good thing about it is that updating the controller is very easy. I stop the docker container, download the latest image and start the container. No messing with packages or anything.
Happy homelabing!
I have ordered the NVR and the XG7100 Max. I will go the route of running the Docker container. I have been wanting to experiment with Docker anyway, so I will follow your post to do that. Looking forward to posting about everything being up and running. Thanks again!
Nice, dude. Happy for you. Just get your mindset on Docker, it has three parts. 1) Docker server, which runs all the software as a service, just like a virtual machine would. 2) Docker Image. Think of it as an installation CD/DVD which you can use to install your Windows/Linux OS. 3) Docker container, which is the installation of CD/DVD itself. Your running OS.
With one Docker Image you can create as many different Docker containers as you want. Just like with one Windows DVD you can install as many Windows in as many laptops as you want.
So with docker software you can download docker images to create live docker containers.
Just realized that my NAS is not compatible with Docker. The RS819 is not on the list and after searching around, it is a common complaint of people who bought that model. I have to decide between buying a new NAS or using the Raspberry Pi…
That is unfortunate! The cheapest path is using Raspberry and doing the package update whenever it is needed. Another cheap option is getting a Unifi Cloudkey which is about $180. I do have a Synology RS818+ which does support Docker, so I can have some fun with power efficiency.
I may return the NVR and go with the CloudKey2+. I think that may be the best solution for the video storage and controller.
It does support up to 20 cameras and would solve your need for a new NAS for the moment
And 20% of the cost for the same video storage.
The new Netgate appliance has not arrived yet, but I am planning the migration. Would you recommend first adopting all of the APs and Cameras via the Unifi managed switch using the Unifi interface? I am starting to confuse myself with the order of operations.
Hey TJ, you already can disconnect your cameras/APs from the UDM Pro and move to the switch. You don’t need to re-adopt because you changed them from one place to another.
You will need to do the re-adoption when you are ready to remove your UDM Pro from your network and put the Cloud Key Gen 2 on its place. In that case, you have to go to your UDM Pro and hit “forget” for each AP and camera, so that UDM Pro is not their Unifi Controller anymore. Next, you go to your new Cloud Key and “adopt” each camera and AP there.
Check out this on how to forget APs using unifi controller: https://help.ui.com/hc/en-us/articles/205143490-UniFi-How-to-Reset-Devices-to-Factory-Defaults#2
Ok. I finally had some time today. I “forgot” all access points and cameras. I connected the Netgate 7100Max. I did the minimal setup of the Netgate and could not get the CloudKey2+ to connect to the internet. It was plugged into the Unifi Pro 24port POE+ switch. I figured that out – I had to disable the default RFC 1918 firewall rule. The CloudKey2 has internet and sees the access points but will adopt them. In the Unifi Network app, I can see the cameras, but the Protect app does not find them. I am sure I am doing something stupid or missing something obvious. I will keep troubleshooting shortly, but wanted to see if you had a thought off the top. Thanks!
UPDATE: I “forgot” all of the access points on the UDMP. Topology is now MODEM -> Netgate7100Max -> Unifi Pro 24 POE Switch -> Cloudkey2+/APs/Cameras. Initially, I couldn’t get the CloudKey to connect to the internet via the switch, but realized that the default WAN rule in PF sense blocks all of the RFC1918 addresses. Once I disabled that rule, the CK2+ connected. The issue I have now is that when I adopt the access points, they revert to “UNABLE TO ADD” status. Additionally, while the Unifi wired cameras show up in the wired section of the Network app, they are never found in the Protect app. Any thoughts? I will continue to troubleshoot and update when it is resolved.
FACTORY RESET. Once I took down the first access point and hit the reset button, it rebooted and instantly connected. Getting the cameras down is going to be a pain.
Try removing the pfSense from your topology and connect the modem directly to your switch and see if things work. Maybe there is something odd going on with the switch or CK+ or cameras.