@tgl said in Ubiquiti switch VLANs problem: but not controllers combined with switches or APs. Very pedantic of me but there are the UniFi Express, UniFi Express 7, Dream Router/Router 7 and Dream Wall which are gateway & AP & cloud controller.

@patient0 said in Identifying Rogue Traffic: @james_h it's more the last rule with 'PreferFIBRE'. The default allow-all rule after installation is source 'LAN subnets' and the rest any. You rule allow anything as source on the PRIVATE interface. If you do expect traffic with source IPs of PRIVATE subnet then changing it from * to 'PRIVATE subnet' would have blocked the 172.20.* traffic. Are the 'admin_devices' all in the PRIVATE subnet? Yes I think thats what I should do. The admin devices are indeed in the PRIVATE subnet.

@jogovogo said in No Internet access with VLAN via OPT1: My first surprise is that I'm now on the firewall, but why? The web server that serves the pfSense GUI runs on all assigned interfaces. When you installed pfSense, there was a pass rule for incoming traffic on the initial LAN interface : it accepts all traffic. When you add more LAN type interfaces, the ones called OPTx, there will be no inital rules, so you can't access anything. DHCP will work as pfSense will add hidden DHCP (UDP port 67 and 68) rules, but nothing else (no http https dns icmp etc etc etc etc). When you add a pas rules for TCP, UDP, etc, things "start to work". When you use addresses like this : [image: 1758697659291-89b7f27a-e729-4579-81c1-cb12989a7d3f-image.png] you use IP addresses. So, even is DNS is not working, then that won't be an issue. Your browser doesn't need to use use DNS (for translating host names to IP addresses) as you already gave an IP. It can contact the device 192.168.151.1 right away. You've allowed TCP IPv4 traffic to port 477, which is apparently your changed your pfSense https web GUI interface port. @jogovogo said in No Internet access with VLAN via OPT1: The issue has been resolved, simply, by restarting the DNS resolver. Euh ...... As you've changed lost of things at the same moment, it's hard to tell why dns (== the resolver) didn't work initially. Normally, when you add an new interface like your OPT1 interface, system processes like DNS (the resolver) gets restarted. The resolver will listen to All Interfaces : [image: 1758698045123-e07276c8-27b7-4a13-b999-ca154f396adf-image.png] by default so it would work right away on the new OPT interface. Again, you still have to add a firewall rule to allow DNS traffic to reach the pfSense DNS port 53 of course.

@patient0 Got it, will explore 'Shellcmd' package Thank you!

@Monta you could do a traffic capture and look out for dhcp related packets...coming from, going to...pfsense offers that already. here: https://docs.netgate.com/pfsense/en/latest/diagnostics/packetcapture/webgui.html you could also provide screenshot(s) of: vlan config pfense and vlan interfaces for dhcp vlan config of switch config of AP maybe that gives a hint... as already said: said in How to view VLAN: you possibly get more help if you give precise info ;)

@SteveITS said in VLAN connectivity broken after upgrade to 2.8.1-RELEASE: Sure you don’t have asymmetric routing? You're absolutely right — the current setup does involve asymmetric routing. The state policy does positively influence the firewall's behavior, though it’s not a decisive factor. I had assumed that if one interface with asymmetric routing functions correctly, the others would follow suit. However, that’s not the case — only one interface appears to affect the behavior. In any case, this gives me confidence that the firewall will operate as expected once the VM is shut down. Fingers crossed for a smooth transition!

I think I just figured it out. Services > DHCP > ServerSettings Code: { "option-def": [ { "space": "dhcp4", "name": "vlan-id", "code": 132, "type": "uint32" } ] } Then hop over to the interface, in my case: PHLAN { "option-data": [ { "name": "vlan-id", "data": "10", "space": "dhcp4" } ] } Hope this helps someone! I don't have enough permissions apparently to delete my own post LOL.

@HidekiSenpai not sure why you think a query to quad9 would be authoritative.. quad9 is not the authoritative ns for google.com Your unbound setting there are resolver mode, for you to be able to resolve you would have to be able to talk to all the NS on port 53.. If your upstream is blocking this then yeah your going to have issues. What does dns lookup on the diagnostic menu dns lookup report? To test if you can resolve and to see where you might be having issues do a dig + trace on pfsense. [25.07.1-RELEASE][admin@sg4860.home.arpa]/root: dig google.com +trace ; <<>> DiG 9.20.6 <<>> google.com +trace ;; global options: +cmd . 84617 IN NS d.root-servers.net. . 84617 IN NS f.root-servers.net. . 84617 IN NS e.root-servers.net. . 84617 IN NS m.root-servers.net. . 84617 IN NS j.root-servers.net. . 84617 IN NS b.root-servers.net. . 84617 IN NS c.root-servers.net. . 84617 IN NS g.root-servers.net. . 84617 IN NS k.root-servers.net. . 84617 IN NS l.root-servers.net. . 84617 IN NS a.root-servers.net. . 84617 IN NS h.root-servers.net. . 84617 IN NS i.root-servers.net. . 84617 IN RRSIG NS 8 0 518400 20250915050000 20250902040000 46441 . r2EKEjvLOSDMWT4XAMJK+3McQntRgJ/wtG2WXCZ90DdKxUgNUCU1Q1R+ YDovtNQExt87dM1gu8S10al5FJPNkLM6pbQM010+1E2AnyCQyt4DQrJh JgMhwcYONIbT/gGrXfQS7sdN8B5g0ob2HcqXRxqMkDOldxdBCJy7B5ZM AufoQlrCrdazkGHVxC+vzsDIDVYnAFLlLkoHtcpbLmiK1w6MiVNfzfWt EC4v7Bibau5rMYzhYZ0EwGv4CCG6dn8HiGEg0rNBmMi7onXndKhq2S4H T9b1jkIj1qG1GfVOzVuqmzv7OWgW9+0jbqel3VR7AAfO9plH7JLeVNY1 EmTLTg== ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A com. 86400 IN RRSIG DS 8 1 86400 20250915050000 20250902040000 46441 . PuEt7PPZTytXpON7kI4PR4ePmn1RbbZwWwksIwQqStFADSXkHLtaCWBk 6rjtDQogfGqqcRZnJzXTwq7FD+lsB//y3DBBkzBB+ag7XmldiFGtkV3Y 9ueUEL4ydZnyftPClzOtBYbtzMVA2oC6gfNbi7LyIFUUH8xc0IZUPJah 9IQF443ZocHNNl8jPpSilA7QVkSf6rKRH5CNUdTsJ6qhfXUEOWgNqIaV yLCrPzsnyl7+PoU1dBpPmsbUY0DUO2A0E5Zs5lBpcgjThoEK/SMokB1v Rb75/7Yvb+MGyDWmZVwd9uKdVadxzn6jdJgxgSM+SBuxaSpkWlnqhJnx fYnP/w== ;; Received 1170 bytes from 2001:503:c27::2:30#53(j.root-servers.net) in 9 ms google.com. 172800 IN NS ns2.google.com. google.com. 172800 IN NS ns1.google.com. google.com. 172800 IN NS ns3.google.com. google.com. 172800 IN NS ns4.google.com. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250908002603 20250831231603 20545 com. I5bq7mPPNzfXbaaD27hOUwaUOIQJi6EcJYwN+Ab4FiMqp5GgoHWsfgSm LHUn2Mg3jXAGfxykTCnJXfUQYtJ+oQ== S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN RRSIG NSEC3 13 2 900 20250909012623 20250902001623 20545 com. 1Sn2h2Xvf9GUFWqqEDwCOD+aZFVhrEhV+87H/RxeCGuNoA42E7tz5Oq6 A7hnIkd0J8coWN0C9M9gQlJLjrrfvw== ;; Received 644 bytes from 192.26.92.30#53(c.gtld-servers.net) in 27 ms google.com. 300 IN A 172.217.2.46 ;; Received 55 bytes from 216.239.36.10#53(ns3.google.com) in 25 ms The dig + trace is exactly what the resolver would do - so seeing all the steps can show you were you might be failing in the process.

Quick update that the advice above worked great. Stripped out those bridges and re-architected all APs and switches across one link. 5 total VLANs. Unexpected benefit was what seemed like at least a 20% bump in overall performance from the 4200. Note: Also took the opp to upgrade the 4200 w a SSD so that it's now a "Max"- maybe that helped w perf, too.

@piook said in Take two at this a year and no replies later.: But when I connect the LAN port to the switch and everything over that port is 1GB Full duplex Which port on the USW Pro Max 16 are you connection the LAN cable. Of course you are aware that only 4 ports are 2.5G on that switch (according to the product page) What speed selection does is show if you remove the LAN cable, still 1G the fastest speed selectable? What happens when you switch the ports from the pc and the LAN cable? In general you would have better support on the Unifi forum I think.

@patient0 VLAN 1 is a normal VLAN. 0 means untagged, which means that the packets don't have any VLAN information in it and the switch assignes the Primary VLAN (port in trunk mode)/assigned VLAN (port in access mode) to packets entering the switch port and sets the VLAN number on those packets.

@keyser Thanks for the reply. I have a spare port on my router and I will use it to experiment with.

@chris.doldolia The 2100 has a 4 port switch. The documentation page I linked above will allow you to treat a given port as (change it to become) a separate network interface. In the default configuration the individual ports cannot have an IP address because they are all the same LAN. If you want to add a VLAN and have it work on all four ports then I think you need to add the VLAN to "port 5" which is the switch. You might post your Interfaces > Switches pages, and Interfaces > Assignments pages.

Now, I can start configure more rules on the FW + connecting the Netgate directly to my ISP Modem. Great Is there a recommende list of FW settings laying around? I saw several of the Youtube videos where they kind of had their own focus. Based on the description, this would be a GUEST network. Here’s an example for you: Note: GUEST users are not allowed to use pfSense’s DNS server. Instead, I’m using DHCP to provide a public DNS server for them. [image: 1753873577326-5f99a867-d081-4c33-ac6a-de697d0826fb-image.png] Internal network alias is an alias that contains all my local networks.

@SteveITS Yep. The address in that /29 was given by DHCP.

@johnpoz You just don't get the different in working on layer 3 and layer 2. It is why you have default gateways and default routes and they are different. ThAT SEEMS TO BE OVER YOUR HEAD. Your firewall to the world is going to be layer 3. You are lost in pfsense and you can't see the forest for the trees. Go away John please do not reply to my threads. I will try not to post any more here. And yes I ran a small team of network people a long time ago. I had over 4000 PCs and around 50 locations so get over it. You ran me off last time and I went back to Cisco over pfsense. Look back in the threads years ago. Plus pfsense was having routing issues or slowdowns on routing as I was doing layer 3 back then at home. Version 2.8 is fast now which is good. Having a connection of 10gig reduces your latency whether you run full 10gig or not. I have 1 gig of data on a 10gig connection. I think this is best you can do now for home. I have a Cisco 10gig layer 3 switch I plan to install soon. So I can push the extra data bandwidth.

@spickles I would think the easiest way to replace a Cisco ASA 5505 would be use pfsense as a firewall not a router. Keep using your Cisco L3 switch. I do that at my home. I use an Cisco L3 switch and route between my L3 switch and pfsense. You lose pfsense control over your local network. This would not be an issue with you as you will already have that with your L3 switch. Setup pfsense with no vlans and keep all the vlans on your L3 switch. Then set up your firewall rules and static routes to your L3 switch.

Indeed, I have to consult the community on how to configure the captive portal, too.