@HidekiSenpai said in HELP PLSS, Internet access issues with pfSense behind an ISP router (double NAT + VLANs on a switch): Could blocking "private networks" on the WAN interface be preventing traffic That would only be source inbound traffic.. That wouldn't stop pfsense, or something behind it from going to say 8.8.8.8 Why do you have this rule? Firewall → Rules → Floating: one test rule "Pass any". The default lan rule should be any any by default, normally there is little reason to every put anything floating. You show that your lan already has the default lan rule. Both with WAN and LAN sources, the ping/traceroute does not reach the internet (not even 8.8.8.8 responds). If pfsense can not ping say 8.8.8.8 then seems like you have something upstream blocking it - to your upstream router, pfsense and anything behind pfsense should just be another client on its network. If pfsense can not ping the internet from its wan IP, then it would make sense that clients could not either because pfsense would nat device on its 192.168.2 network to its wan IP 192.168.1.x You should be able to ping stuff on the internet from pfsense wan IP, if you can not then nothing is going to work behind pfsense either because they just look like pfsense wan IP. Pfsense can ping its gateway - ie your upstream router of pfsense, 192.168.1.x something - but it can not ping 8.8.8.8.. Do a packet capture on pfsense.. You see it send traffic to 8.8.8.8 on its wan when you ping, this is to the mac address of your upstream router on 192.168.1.x example: here I fired up pfsense vm I have where its wan is one of pfsense interfaces 192.168.3.253, it gets its wan IP from pfsense dhcp 192.168.3.109 I can see in the arp table that mac address of its upstream router at 192.168.3.253 is my upstream pfsense interface... I then start a ping to 8.8.8.8, if I look in the packet capture I can see that it send the ping to 8.8.8.8, but if you look at what mac it sent it too - its its upstream gateway mac.. If you see that - but get no answer. Then its something upstream of pfsense causing the problem.. You say it gets a dhcp address from your upstream, and it shows its gateway online.. And you can ping that ip in pfsense diagnostic - but can not ping 8.8.8.8?? [image: 1756496021731-downstream.jpg]

Quick update that the advice above worked great. Stripped out those bridges and re-architected all APs and switches across one link. 5 total VLANs. Unexpected benefit was what seemed like at least a 20% bump in overall performance from the 4200. Note: Also took the opp to upgrade the 4200 w a SSD so that it's now a "Max"- maybe that helped w perf, too.

@piook said in Take two at this a year and no replies later.: But when I connect the LAN port to the switch and everything over that port is 1GB Full duplex Which port on the USW Pro Max 16 are you connection the LAN cable. Of course you are aware that only 4 ports are 2.5G on that switch (according to the product page) What speed selection does is show if you remove the LAN cable, still 1G the fastest speed selectable? What happens when you switch the ports from the pc and the LAN cable? In general you would have better support on the Unifi forum I think.

@patient0 VLAN 1 is a normal VLAN. 0 means untagged, which means that the packets don't have any VLAN information in it and the switch assignes the Primary VLAN (port in trunk mode)/assigned VLAN (port in access mode) to packets entering the switch port and sets the VLAN number on those packets.

@keyser Thanks for the reply. I have a spare port on my router and I will use it to experiment with.

@chris.doldolia The 2100 has a 4 port switch. The documentation page I linked above will allow you to treat a given port as (change it to become) a separate network interface. In the default configuration the individual ports cannot have an IP address because they are all the same LAN. If you want to add a VLAN and have it work on all four ports then I think you need to add the VLAN to "port 5" which is the switch. You might post your Interfaces > Switches pages, and Interfaces > Assignments pages.

Now, I can start configure more rules on the FW + connecting the Netgate directly to my ISP Modem. Great Is there a recommende list of FW settings laying around? I saw several of the Youtube videos where they kind of had their own focus. Based on the description, this would be a GUEST network. Here’s an example for you: Note: GUEST users are not allowed to use pfSense’s DNS server. Instead, I’m using DHCP to provide a public DNS server for them. [image: 1753873577326-5f99a867-d081-4c33-ac6a-de697d0826fb-image.png] Internal network alias is an alias that contains all my local networks.

@SteveITS Yep. The address in that /29 was given by DHCP.

@johnpoz You just don't get the different in working on layer 3 and layer 2. It is why you have default gateways and default routes and they are different. ThAT SEEMS TO BE OVER YOUR HEAD. Your firewall to the world is going to be layer 3. You are lost in pfsense and you can't see the forest for the trees. Go away John please do not reply to my threads. I will try not to post any more here. And yes I ran a small team of network people a long time ago. I had over 4000 PCs and around 50 locations so get over it. You ran me off last time and I went back to Cisco over pfsense. Look back in the threads years ago. Plus pfsense was having routing issues or slowdowns on routing as I was doing layer 3 back then at home. Version 2.8 is fast now which is good. Having a connection of 10gig reduces your latency whether you run full 10gig or not. I have 1 gig of data on a 10gig connection. I think this is best you can do now for home. I have a Cisco 10gig layer 3 switch I plan to install soon. So I can push the extra data bandwidth.

@spickles I would think the easiest way to replace a Cisco ASA 5505 would be use pfsense as a firewall not a router. Keep using your Cisco L3 switch. I do that at my home. I use an Cisco L3 switch and route between my L3 switch and pfsense. You lose pfsense control over your local network. This would not be an issue with you as you will already have that with your L3 switch. Setup pfsense with no vlans and keep all the vlans on your L3 switch. Then set up your firewall rules and static routes to your L3 switch.

Indeed, I have to consult the community on how to configure the captive portal, too.

Thanks! Surfshark does not support IPv6. DHCPv6 Server is not running on Guest Guest VLAN IPv6 Configuration Type is None. [image: 1751811989749-e300cdf0-d2f6-472a-bc37-67536aa7f008-image.png] Router Advertisement Router Mode is Disabled [image: 1751812258868-585e8e78-a12d-4437-8663-7ea80d8c1555-image.png] Added a Guest firewall rule at the top of the stack to block IPv6 traffic [image: 1751812578788-7cf2241b-4d32-4d08-9a25-75e272d7ae31-image.png] Also tested disabling IPv6 in the APN on my phone. Didn't help. We're still having problems with some apps/content on our phones.

I managed to solve this myself today. The reason I can't ping the client directly connected to the igc1 of pfsense is because of the Bitdefender stealth mode setting. Once I turned it off, I can now ping the client. I came up with this solution because I tried Ubuntu on a flash drive, and I can ping it, so there is a problem with the firewall of the Windows machine. That's why I checked all the firewall settings one by one on the Windows client.

@Dobby_ Thought I'd be the only one who would ever use a number like 300 in an IP address.

Ok I tried your solution, and it's ok. Really thank you, for the solution and for the explaination. I really don't like doing thing without understanding what I'm doing and why. One more time Thank you

@Bob-Dig said in CANNOT PING VLAN INTERFACE IP FROM SAME VLAN: @HHUBS said in CANNOT PING VLAN INTERFACE IP FROM SAME VLAN: Or I should ping it from the same VLAN even if no rules are added? No, it is the firewall and with that, it is able and will block the connection without rules. Different would be to ping a host on a switch, which is in the same LAN. Then the connection is not hitting the firewall in the first place and the firewall can do nothing about it. @johnpoz said in CANNOT PING VLAN INTERFACE IP FROM SAME VLAN: @HHUBS out of the box the only interface with default rule to allow is lan that defaults to an any any rule, anti-lockout.. If you create a new interface be it vlan or native you would have to add the rules you want. Yes by default no rules would hit the default deny and yes block ping, or any other access. Thank you so much for your help.

I got it to work. It had to do with not setting mtu of 1400. I can now do dns lookup and it works! Thank you for your suggestions.