# opnSense + Unifi Layer 3 Routing

In opnSense:

- Create a VLAN interface for each VLAN.
- Give it a static address in the subnet that you want on that VLAN. This will effectively be the address of the DHCP server, so don't use the .1 address; leave .1 free to be the default route later (use e.g. 192.168.18.2).
- Give the interface a gateway that's the .1 address (which will be set up later to be the address of the USW switch).
- Set up a DHCP server on that VLAN interface.
- Override the gateway the DHCP server sends out to be the .1 address on your VLAN subnet.
- Create a VLAN interface for VLAN 4040 and name it "Unifi_Routing" or something. Give it a static IP of 10.255.253.1 on that /24 subnet. This is the VLAN and subnet that Unifi uses for VLAN routing.
- For its gateway, create a new gateway of 10.255.253.2. [NOTE -- I think this is actually wrong, and this isn't really necessary at all]

In the Unifi Network app:

- Create a new network for each VLAN.
- In Router, select your USW-Pro-24 or other capable switch.
- In IP range, give it the .1 address (e.g. 192.168.18.1), select the right netmask etc. The address you put in here becomes the USW's address.
- In DHCP settings, select "None". The opnSense firewall will be your DHCP server, and it already has an interface on the VLAN.
- Unifi will automatically create an "Inter-VLAN routing" network with the 10.255.253.x subnet.
- Your USW will automatically take .253.2 here. (You can verify this by plugging a computer into your network with a VLAN 4040 interface and an address on that subnet; you should be able to ping .253.2.)
- If you have multiple switches, they'll take .3 etc., but I've never done a multi-switch config.
- Sometimes Unifi doesn't create the "Inter-VLAN routing" network. Sometimes it takes 5 minutes. Sometimes you have to factory reset and start over, because it's Unifi.
- For each Layer-3-switched network, Unifi automatically sets the next hop route to be `10.255.253.1` on `VLAN 4040`.
So routing for anything the USW can't route itself will be:

`[computer on .18.x network on VLAN] -> [.18.1, the USW] -> [10.255.253.1 on firewall] -> outside world`

We need to make that routing actually work now, by adding NAT. Back in opnSense:

- In Firewall/Rules, allow the Unifi VLAN interface to receive and pass packets.
- On the Unifi VLAN interface, create an allow-all rule (`Source: *, Destination: *`). See below for multi-WAN complexity.
- In Firewall/NAT/Outbound, you'll have to manually add WAN / VLAN rules.
- Select "Hybrid" for rule management, and create a new rule for every VLAN network:
  - `Interface: WAN, Source: VLAN net, NAT address: "Interface address"`

Note: if you have multiple WANs, you'll need to create a separate NAT rule per WAN.

If you want to route specific VLANs to specific WANs, you can set that up in Firewall/Rules, on the Unifi VLAN interface:

- Create one rule with `Source: *, Destination: each of your LAN/VLAN networks, Gateway: *`
- And another with `Source: VLAN net, Destination: *, Gateway: WAN_yourchoice`
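The path above (host -> USW at .1 -> opnSense at 10.255.253.1 -> WAN, with the outbound NAT rule rewriting the source) is easy to get subtly wrong, so here is a small model of it as an added example. This is not code from the page, opnSense or Unifi; it is a standalone Python script with a constructed addressing plan (VLANs 18 and 19, the 4040 transit VLAN, and a TEST-NET-3 WAN address) that does longest-prefix-match lookups on a USW table and an opnSense table and then applies the `Interface: WAN, Source: VLAN net -> Interface address` NAT rule. It lets you check which hops a given flow takes and whether it leaves the WAN with a translated source before you touch the real boxes.

```python
"""Model of the opnSense + Unifi layer-3 design: USW routes between VLANs,
anything else goes via VLAN 4040 to the firewall, which NATs it out the WAN.

All addresses are constructed for this example. Convention from the write-up:
  .1 of each VLAN  = the USW (default gateway handed out by DHCP)
  .2 of each VLAN  = opnSense's own interface on that VLAN
  10.255.253.1     = opnSense on VLAN 4040, 10.255.253.2 = the USW
"""
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: VLAN id -> subnet
VLANS = {
    18: ip_network("192.168.18.0/24"),
    19: ip_network("192.168.19.0/24"),
    4040: ip_network("10.255.253.0/24"),   # Unifi "Inter-VLAN routing" transit net
}
DEFAULT = ip_network("0.0.0.0/0")
WAN_ADDR = ip_address("203.0.113.10")     # constructed WAN interface address
WAN_GW = ip_address("203.0.113.1")        # constructed upstream gateway


def hostn(net, n):
    """n-th address in a subnet, e.g. hostn(192.168.18.0/24, 1) -> 192.168.18.1"""
    return net.network_address + n


def usw_routes():
    """USW table: every VLAN is directly connected (next hop None);
    Unifi adds a default route to 10.255.253.1 over VLAN 4040."""
    table = [(net, None, f"vlan{vid}") for vid, net in VLANS.items()]
    table.append((DEFAULT, hostn(VLANS[4040], 1), "vlan4040"))
    return table


def firewall_routes():
    """opnSense table: it also has an interface on every VLAN (the .2
    addresses), so VLAN nets are connected; everything else goes out the WAN."""
    table = [(net, None, f"vlan{vid}") for vid, net in VLANS.items()]
    table.append((DEFAULT, WAN_GW, "wan"))
    return table


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop, interface)."""
    best = None
    for entry in table:
        prefix = entry[0]
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = entry
    return best


# Outbound NAT rules as "Interface: WAN, Source: VLAN net" for each user VLAN.
NAT_RULES = [("wan", VLANS[18]), ("wan", VLANS[19])]


def outbound_nat(src, out_iface):
    """Translate the source to the WAN interface address when a rule matches.
    If none matches, the packet would leave with its RFC 1918 source intact
    (and be dropped upstream), which is exactly the misconfiguration to catch."""
    for iface, net in NAT_RULES:
        if iface == out_iface and src in net:
            return WAN_ADDR
    return src


def trace(src, dst):
    """Return (hops, translated_source). hops is a list of (role, address).
    Hosts use their VLAN's .1 (the USW) as default gateway, as the DHCP
    gateway override configures."""
    src, dst = ip_address(src), ip_address(dst)
    src_vlan = next((vid for vid, net in VLANS.items() if src in net), None)
    if src_vlan is None:
        raise ValueError(f"{src} is not in any configured VLAN")
    hops = [("host", src), ("usw", hostn(VLANS[src_vlan], 1))]

    _, next_hop, _ = lookup(usw_routes(), dst)
    if next_hop is None:                      # USW routes it between VLANs itself
        hops.append(("delivered", dst))
        return hops, None
    hops.append(("opnsense", next_hop))        # 10.255.253.1 over VLAN 4040

    _, next_hop, out_iface = lookup(firewall_routes(), dst)
    if next_hop is None:                      # firewall delivers on a connected VLAN
        hops.append(("delivered", dst))
        return hops, None
    translated = outbound_nat(src, out_iface)
    hops.append(("delivered-via-wan", dst))
    return hops, translated


if __name__ == "__main__":
    for flow in [("192.168.18.50", "192.168.19.7"), ("192.168.18.50", "8.8.8.8")]:
        hops, nat_src = trace(*flow)
        print(" -> ".join(f"{role}:{addr}" for role, addr in hops),
              "| source after NAT:", nat_src)
```

Running it shows the inter-VLAN flow never reaching opnSense at all (host -> usw -> delivered), while the internet-bound flow takes the extra hop to 10.255.253.1 and leaves with the 203.0.113.10 source. Removing one of the `NAT_RULES` entries reproduces the "forgot the outbound rule for a VLAN" failure: the trace still completes but the source is left untranslated.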