Network Rebuild Issues - pfSense (HP 207) + Aruba S2500 + Aruba IAP-207

This site has been an incredible resource in building a Thredrunner years ago all the way to rebuilding my home network over this past year. Thanks to all for the amazing insights and ebay deals :wink:

At this point my network looks like:
Spectrum 1GB WAN => pfSense (running DHCP) => Aruba S2500 => Aruba IAP-207 (x3)

Overall goals of the network are:

  1. Ability to have total control of network for DNS Servers (family friendly DNS servers), Ad Blocking etc
  2. VLANs to support splitting of the trusted internal LAN (wired and wireless clients) as well as IOT devices (untrusted by nature) and Guest Network (easy sign in but can limit access to LAN and throttle bandwidth etc). All of the VLANs to run under the same physical wiring, i.e. I want each AP to broadcast all SSIDs with zero segregation of needing to run special wiring or APs dedicated by VLAN.
  3. Whole house wireless coverage with multiple Aruba APs (x3 currently)

Here is where I stand today:

  1. pfSense box is running on an HP 290. pfBlockerNG is installed and overall is configured using SpaceInvader One YouTube videos (love him!)
  2. S2500 is installed in the rack. Used the guide here to enable all ports and upgraded the FW to 7.4.0.4 (I don’t have an Aruba account to get the 2019 FW). Virtually zero setup done on the switch for VLANs or Trunking as it’s not something I actually/intimately know how to do
  3. 207s are all installed around the house. PoE working perfectly. I set up 3 SSIDs corresponding to my internal LAN, IOT and Guest.
  4. VLANs are configured in pfSense to have their own IP address ranges (192.168.3.X and 192.168.4.X) to segregate them. DHCP server is enabled and Firewall rules are created (as per Spaceinvader One).

With goals and current install established, the good news is that the internal LAN is working as expected through wired and wireless. I am able to get a DHCP address assigned in the correct range and am able to roam over the APs. Excellent! But not really…

Here is my litany of issues:

  1. My Unraid server has dual 10GbE SFP+ ports to the S2500. They do not show as active on the S2500 web UI. The lights sort of show up when I physically plug them into the switch but oddly the lights flash ‘quickly’ as I’m unplugging them… weird. I have the other ethernet ports on the MB so I can still access the box but I’m essentially not using the 10GbE card at all at this point. This all worked fine with my 10GbE MikroTik switch so I’ve not changed anything in Unraid. Just replaced the physical switch and reconnected all wires in the rack.
  2. IOT Network – I see the SSID being broadcast, but when I connect devices to it the DHCP server on pfSense doesn’t assign an IP. It gives it a 168.254.XX.XXX address (subnet of 255.255.0.0 and no gateway). The VLAN and Interface are set up in pfSense as VLAN ID ‘30’ and I used that same ID setting up the IOT network on the APs where the option was ‘Static’ VLAN assignment. No VLAN work or assignments done on the S2500 since that area of the configurator is totally confusing to me.
  3. Guest Network – The SSID doesn’t even broadcast…. So yeah…. I don’t even know where to start troubleshooting that one.

This project has been rewarding and frustrating all at the same time. Months of planning and then weeks of execution. And I’m still at the ‘first stage’ of getting it up and running and haven’t even started getting into things like reverse proxy and PIA OpenVPN setup as the next stage. If anyone who knows why my VLANs and APs are not playing friendly can assist, I would much appreciate it!

PSA: I lost hours trying to factory reset one of the IAP-207s after a setup mistake. Many posts from Aruba forums indicated that the username and password should be ‘admin/admin’, or ‘admin/password’ or ‘admin/forgetme!’. None of those worked. However, there was a post that suggested to try the serial number. THAT WORKED. So it was ‘admin/SERIAL’ where SERIAL is the exact serial number of the unit in caps. I hope my pain is a benefit to someone out there!

EDIT 1 - I believe I understand the issue with the 10GbE ports not working. I think my cables are not supported although they are Cisco. After some reading here I just ordered Finisar DACs and Optical cables that were linked by yllanos in the main Aruba S2500 thread. I’ll report back on that once I get them delivered next week.
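The IOT symptom in the post (client ends up with a link-local address and no gateway, with the VLAN defined on pfSense and on the AP but nothing done on the switch) is what you see when a VLAN is tagged at one end of a path but not carried by every hop in between. The script below is an added example, not code from the post or from any of the vendors named; it models the three hops a tagged frame takes (AP to switch port, switch uplink to pfSense, pfSense VLAN interface) and reports the hop where a VLAN ID is dropped. The port names, the guest VLAN ID (40), the LAN subnet and the access/trunk behaviour are all assumptions; the post only gives VLAN 30 for IOT and the 192.168.3.x / 192.168.4.x ranges, and the model is a generic switch, not S2500 configuration syntax.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SwitchPort:
    """Simplified access/trunk port model (assumption: not S2500-specific syntax).

    An access port only passes untagged frames on its native VLAN; a trunk
    port passes untagged frames on the native VLAN plus tagged frames for
    each VLAN explicitly allowed on it.
    """
    name: str
    mode: str = "access"          # "access" (factory default) or "trunk"
    native_vlan: int = 1          # VLAN assigned to untagged frames
    tagged_vlans: Set[int] = field(default_factory=set)

    def carries(self, vlan: int, tagged: bool) -> bool:
        if tagged:
            return self.mode == "trunk" and vlan in self.tagged_vlans
        return vlan == self.native_vlan


@dataclass
class Ssid:
    """An AP SSID with its static VLAN assignment."""
    name: str
    vlan: int
    tagged: bool = True           # a non-default static VLAN leaves the AP tagged


# Constructed pfSense side: VLAN id -> interface/subnet. VLAN 1 as the untagged
# LAN and 192.168.1.0/24 are assumptions; 30 and 40 follow the post's subnets.
PFSENSE_VLANS: Dict[int, str] = {
    1: "LAN 192.168.1.0/24 (untagged, assumed)",
    30: "IOT 192.168.3.0/24",
    40: "GUEST 192.168.4.0/24 (VLAN id assumed)",
}

# Constructed SSID-to-VLAN mapping as set on the IAPs.
SSIDS: List[Ssid] = [
    Ssid("Home", 1, tagged=False),
    Ssid("IOT", 30),
    Ssid("Guest", 40),
]


def check_path(ssid: Ssid, ap_port: SwitchPort, uplink: SwitchPort,
               pfsense_vlans: Dict[int, str]) -> List[str]:
    """Return one finding per hop that drops the SSID's VLAN (empty list = OK)."""
    findings: List[str] = []
    if not ap_port.carries(ssid.vlan, ssid.tagged):
        findings.append(f"{ssid.name}: switch port {ap_port.name} does not accept "
                        f"VLAN {ssid.vlan} {'tagged' if ssid.tagged else 'untagged'} from the AP")
    if not uplink.carries(ssid.vlan, ssid.tagged):
        findings.append(f"{ssid.name}: uplink {uplink.name} does not forward "
                        f"VLAN {ssid.vlan} towards pfSense")
    if ssid.vlan not in pfsense_vlans:
        findings.append(f"{ssid.name}: pfSense has no interface for VLAN {ssid.vlan}, "
                        f"so no DHCP scope answers")
    return findings


def unconfigured_switch() -> Tuple[SwitchPort, SwitchPort]:
    """Factory defaults: every port access mode on VLAN 1, tagged frames dropped."""
    return SwitchPort("ap-port"), SwitchPort("uplink")


def trunked_switch() -> Tuple[SwitchPort, SwitchPort]:
    """AP port and pfSense uplink both trunk VLANs 30 and 40, native VLAN 1."""
    ap_port = SwitchPort("ap-port", "trunk", 1, {30, 40})
    uplink = SwitchPort("uplink", "trunk", 1, {30, 40})
    return ap_port, uplink


def audit(ap_port: SwitchPort, uplink: SwitchPort) -> Dict[str, List[str]]:
    """Run check_path for every SSID; keys are SSID names, values are findings."""
    return {s.name: check_path(s, ap_port, uplink, PFSENSE_VLANS) for s in SSIDS}


if __name__ == "__main__":
    for label, ports in (("factory-default switch", unconfigured_switch()),
                         ("trunked switch", trunked_switch())):
        print(label)
        for ssid_name, problems in audit(*ports).items():
            print(f"  {ssid_name}: {'OK' if not problems else '; '.join(problems)}")
```

With the switch at factory defaults the untagged Home SSID passes every hop (which matches the post: the internal LAN works), while IOT and Guest each fail at both switch hops; once the AP port and the pfSense uplink are trunks carrying those VLAN IDs, all three paths come back clean. The same three questions (does the AP port accept the tag, does the uplink forward it, does pfSense have an interface for it) are the ones to verify on the real gear before looking at DHCP settings.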