<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[L2&#x2F;Switching&#x2F;VLANs]]></title><description><![CDATA[Discussions about Layer 2 Networking, including switching and VLANs]]></description><link>https://forum.netgate.com/category/71</link><generator>RSS for Node</generator><lastBuildDate>Mon, 11 May 2026 11:56:47 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/category/71.rss" rel="self" type="application/rss+xml"/><pubDate>Sun, 19 Apr 2026 09:21:04 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Network issue in 2.81 VLAN inter-routing]]></title><description><![CDATA[Check the following:
Services -&gt; DHCP Server:
Check your VLAN DHCP ranges.
Example: If you have vlan10 192.168.10.0/24, your address pool range is 192.168.10.10-192.168.10.254
Check the VLAN untagged ports on your switch.
Example: if your port 3 appears untagged in vlan10, and your PC connected to this port has a manual IP 192.168.20.3 &lt;-- this is the error; put the PC on DHCP or configure manual IP 192.168.10.3.
But I need more information: VLANs and ranges.
]]></description><link>https://forum.netgate.com/topic/200554/network-issue-in-2.81-vlan-inter-routing</link><guid isPermaLink="true">https://forum.netgate.com/topic/200554/network-issue-in-2.81-vlan-inter-routing</guid><dc:creator><![CDATA[tdvw]]></dc:creator><pubDate>Sun, 19 Apr 2026 09:21:04 GMT</pubDate></item><item><title><![CDATA[TP-Link Managed Switch VLAN failure]]></title><description><![CDATA[Greetings All,
Thanks for your help. It thawed out my brain freeze. Your help got me on the right track and I'm now good to go.
Thanks
]]></description><link>https://forum.netgate.com/topic/200515/tp-link-managed-switch-vlan-failure</link><guid isPermaLink="true">https://forum.netgate.com/topic/200515/tp-link-managed-switch-vlan-failure</guid><dc:creator><![CDATA[baitinghollw]]></dc:creator><pubDate>Sat, 11 Apr 2026 21:41:46 GMT</pubDate></item><item><title><![CDATA[After router replacement, 2nd server NIC stops working]]></title><description><![CDATA[<p dir="auto">Server with 2 NICs (1 for internal use and 1 for public-facing servers).</p>
<p dir="auto">Running pfSense 25.11.1-RELEASE</p>
<p dir="auto">The last few months, I've been rejiggering parts of my home network, moving from a plain Debian server to TrueNAS, setting up Docker-based services, etc.</p>
<p dir="auto">I was running Immich in Docker in TrueNAS. HAProxy was handling<br />
forwarding external connections to it on "public" NIC, with a Let's Encrypt cert.</p>
<p dir="auto">When I was still running Debian instead of TrueNAS, I had two Apache web sites running inside of a virtual machine and they were serving just fine from the "public" interface.</p>
<p dir="auto">Everything was running perfectly but my old router failed. I bought a new one and restored from a saved config file.</p>
<p dir="auto">Original Router: little 2-port SG-2220<br />
New Router: little 5-port SG-2100</p>
<p dir="auto">TrueNAS private internal interface: 10.10.20.10<br />
TrueNAS public external interface: 10.10.50.10</p>
<p dir="auto">Public VLAN gateway of 10.10.50.1 is pingable from my infrastructure network of 192.168.0</p>
<p dir="auto">nmap 192.168.0.1 (pfSense)<br />
PORT     STATE SERVICE<br />
22/tcp   open  ssh<br />
53/tcp   open  domain<br />
443/tcp  open  https<br />
8443/tcp open  https-alt (pfSense)</p>
<p dir="auto">nmap 10.10.50.1 (gateway of public VLAN)<br />
PORT     STATE SERVICE<br />
22/tcp   open  ssh<br />
53/tcp   open  domain<br />
8443/tcp open  https-alt (pfSense)</p>
<p dir="auto">Obvious security problem here, which I will address later.</p>
<p dir="auto">I have 6 VLANs defined and they work fine on the new router. Also, internal web sites (pfSense, TrueNAS, WAP) work okay. HAProxy is forwarding the traffic and providing encryption with no trouble.</p>
<p dir="auto">My problem is that I cannot access servers running in Docker on the "public" interface. When I turn on HAProxy health check, it says that the server is not running but it is.</p>
<p dir="auto">Could be a problem with the new router's built-in network switch, which the old router did not have. Currently, the switch in the new router is running as a dumb switch (no VLANs configured). I think that is basically what the old router's single LAN NIC was doing.</p>
<p dir="auto">I really don't think that the new router's built-in switch is the problem. If it was, I'd have other VLAN-related problems, which I don't.</p>
<p dir="auto">I feel like I must be overlooking something obvious.</p>
]]></description><link>https://forum.netgate.com/topic/200438/after-router-replacement-2nd-server-nic-stops-working</link><guid isPermaLink="true">https://forum.netgate.com/topic/200438/after-router-replacement-2nd-server-nic-stops-working</guid><dc:creator><![CDATA[repetty1]]></dc:creator><pubDate>Tue, 31 Mar 2026 06:46:02 GMT</pubDate></item><item><title><![CDATA[Two VLANs with different MTUs?]]></title><description><![CDATA[@McMurphy Well, it's common to configure the native lan with eg jumbo frames ~9000 and then specify smaller mtu for vlans.
1504 is common to support native 1500 mtu on pppoe.
I suppose the interface is not in passthrough to pf, just bridges.
I can't say how xen exactly handles this, but in kvm it is as above.
]]></description><link>https://forum.netgate.com/topic/200406/two-vlans-with-different-mtus</link><guid isPermaLink="true">https://forum.netgate.com/topic/200406/two-vlans-with-different-mtus</guid><dc:creator><![CDATA[netblues]]></dc:creator><pubDate>Tue, 24 Mar 2026 06:32:32 GMT</pubDate></item><item><title><![CDATA[Netgate 7100 internal switch MTU question]]></title><description><![CDATA[It's probably the VLAN setting propagating to the parent NICs and then getting applied to all VLANs on it.
You can usually work around that by explicitly setting an MTU value on the parent interface first. But you may need to temporarily remove the lower MTU on the VLAN to do so.
]]></description><link>https://forum.netgate.com/topic/200326/netgate-7100-internal-switch-mtu-question</link><guid isPermaLink="true">https://forum.netgate.com/topic/200326/netgate-7100-internal-switch-mtu-question</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Wed, 11 Mar 2026 01:47:06 GMT</pubDate></item><item><title><![CDATA[Unable to create VLAN]]></title><description><![CDATA[@root0day8004 if you search the forum 'bridge vlan' you'll find a few posts about that.
The TL;DR: put VLANs onto the interface first, then bridge the interfaces.
But: avoid bridges whenever possible, the performance will take a hit. Buy a cheap switch.
]]></description><link>https://forum.netgate.com/topic/200239/unable-to-create-vlan</link><guid isPermaLink="true">https://forum.netgate.com/topic/200239/unable-to-create-vlan</guid><dc:creator><![CDATA[patient0]]></dc:creator><pubDate>Wed, 25 Feb 2026 15:35:50 GMT</pubDate></item><item><title><![CDATA[transparent bridge]]></title><description><![CDATA[@publictoiletbowl said in transparent bridge:
You want to snort on your WAN (ISP1 &amp; ISP2) interfaces but let the 3rd party router do all other tasks.
Transparent bridging does work, see the Netgate documentation. Not sure about the performance penalty of it; what upstream speed do you get from your ISPs?
https://docs.netgate.com/pfsense/en/latest/bridges/index.html#internal-external-bridges
The 3rd party router will get the public IPs from ISP1 and ISP2 and you will want to setup one of the other interfaces as admin interfaces to be able to access the pfSense.
]]></description><link>https://forum.netgate.com/topic/200201/transparent-bridge</link><guid isPermaLink="true">https://forum.netgate.com/topic/200201/transparent-bridge</guid><dc:creator><![CDATA[patient0]]></dc:creator><pubDate>Thu, 19 Feb 2026 23:29:31 GMT</pubDate></item><item><title><![CDATA[Kernel Panic: mbuf_cluster kern.ipc.nmbclusters limit reached]]></title><description><![CDATA[@yctn me neither, but they mention it some at https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#mbuf-exhaustion
2.7.2 is over 2 years old, why not try a later version?
]]></description><link>https://forum.netgate.com/topic/200182/kernel-panic-mbuf_cluster-kern.ipc.nmbclusters-limit-reached</link><guid isPermaLink="true">https://forum.netgate.com/topic/200182/kernel-panic-mbuf_cluster-kern.ipc.nmbclusters-limit-reached</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Tue, 17 Feb 2026 23:13:46 GMT</pubDate></item><item><title><![CDATA[QinQ migration from MikroTik to pfSense – MTU confusion (L2MTU vs MTU)]]></title><description><![CDATA[You have a strange setup.  First off, I have never worked with MikroTik, so if they do something weird, I can't help with that.  My experience with QinQ is with a telecom company providing a connection to a customer over fibre.  Since fibre has so much bandwidth, it's usually split before reaching the customer.  The first method is to use different wavelengths, with an optical filter located near the customer.  Then QinQ (C tag)¹ is used to separate different customers.  Depending on the connection, the 2nd VLAN (S tag) can be used to further subdivide the bandwidth or passed on to the customer.  In the jobs I worked on, there was a media converter to convert between fibre and Ethernet and used the 2nd VLAN to connect it to a Cisco router, which then provided IP over Ethernet to the customer.  So, I'm surprised you'd have QinQ on the WAN.
As for MTU that's determined by whatever the interface is configured for.  As I mentioned earlier, VLAN tags do not affect that, since they're ahead of the Ethertype field.  On my own network, while I can set the MTU on the native LAN, I can't on the VLAN.  It just follows whatever the native LAN provides.  I also checked adding a VLAN and found I can only add them to an interface, not on top of another VLAN.  You found similar with the bridge.  It's just not something pfSense can do, as far as I can tell.
As for connecting the VLANs between sites, that's normally done by routing the subnets, through a VPN if necessary.  Do you actually have Ethernet between sites?  Or just IP?  If Ethernet, do you have something like MPLS to carry it?
Is there anyone else here who knows MikroTik?

¹ C tag = carrier level VLAN; S tag = subscriber level VLAN.

]]></description><link>https://forum.netgate.com/topic/200150/qinq-migration-from-mikrotik-to-pfsense-mtu-confusion-l2mtu-vs-mtu</link><guid isPermaLink="true">https://forum.netgate.com/topic/200150/qinq-migration-from-mikrotik-to-pfsense-mtu-confusion-l2mtu-vs-mtu</guid><dc:creator><![CDATA[JKnott]]></dc:creator><pubDate>Thu, 12 Feb 2026 20:06:03 GMT</pubDate></item><item><title><![CDATA[Allow Rule not working]]></title><description><![CDATA[@eagledtony
Most will have trouble reading what you've just written.
Your Enter key seems to be broken also ( ^^ ).
As no details (images) are available, only some general advice :
If you can, remove all 'VLAN' setup, go bare bone classic "VLAN 0" or no VLAN nowhere.
This makes the setup simpler .... and issues start to vanish fast.
If an issue arrives 'suddenly' then the last thing you want to do is 'upgrading'.
Upgrading will not (can not) resolve sudden local issues, but can create new issues.
So, first, resolve the issue, which can be as simple as :
Save the current pfSense config.
Now get a config from 'before 2 weeks'.
Issue solved : go question the pfSense admin, torture him if needed, and you will get to the bottom of things. The 'diff' between the current and 2 weeks old config will tell you what changed.
Issue not solved : get the current config back and now you'll be sure : the issue isn't pfSense related. Go have a talk with the other (VLAN) stuff, and do question the "admin" again.
edit :
Your pfSense has a config history :
[image: 1770288431925-99464f43-9690-4b60-ba2f-740cb54e5dc3-image.png]
]]></description><link>https://forum.netgate.com/topic/200080/allow-rule-not-working</link><guid isPermaLink="true">https://forum.netgate.com/topic/200080/allow-rule-not-working</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Wed, 04 Feb 2026 22:50:20 GMT</pubDate></item><item><title><![CDATA[Any one experience this behavior]]></title><description><![CDATA[<p dir="auto">Re: <a href="/topic/199984/netgate-8200-wan-4-interface-ix1-trunk-port-no-mac-address-00-00-00-00">Netgate 8200 WAN 4 interface ix1 trunk port no mac address 00:00:00:00</a></p>
]]></description><link>https://forum.netgate.com/topic/199990/any-one-experience-this-behavior</link><guid isPermaLink="true">https://forum.netgate.com/topic/199990/any-one-experience-this-behavior</guid><dc:creator><![CDATA[JoshHuynh]]></dc:creator><pubDate>Sun, 25 Jan 2026 14:03:09 GMT</pubDate></item><item><title><![CDATA[Netgate 8200 WAN 4 interface ix1 trunk port no mac address 00:00:00:00]]></title><description><![CDATA[<p dir="auto">Hello,</p>
<p dir="auto">I configured the WAN 4 10GB port as a trunk port connected to a downstream switch (Extreme). The physical layer shows green lights but no traffic is passing through.<br />
I am not sure whether the 10GB SFP+ module is compatible or not.</p>
<p dir="auto">** Noticed I used the same 10GB SFP+ modules on the other WAN 3 interface and it operates normally.</p>
<p dir="auto">WAN 4 ix1 -- no IP address<br />
VLAN101  -- 10.200.101.1/24<br />
VLAN102  -- 10.200.102.1/24<br />
VLAN201 -- 10.200.201.1/24</p>
<p dir="auto">Here's the interface status</p>
<p dir="auto">CONTROLS_NETWORK Interface (opt3, ix1)<br />
Status<br />
up<br />
MAC Address<br />
00:00:00:00:00:00<br />
IPv6 Link Local<br />
fe80::92ec:77ff:fe95:d16f%ix1<br />
MTU<br />
1500<br />
Media<br />
Unknown &lt;rxpause,txpause&gt;<br />
Plugged<br />
SFP/SFP+/SFP28 10G Base-LRM (LC)<br />
Vendor<br />
FS PN: SFP-10GLRL-31 SN: G2430373200 DATE: 2024-08-23<br />
Temperature<br />
40.25 C<br />
Voltage<br />
3.28 Volts<br />
RX<br />
0.91 mW (-0.40 dBm)<br />
TX<br />
42.58 mA<br />
In/out packets<br />
0/0 (0 B/0 B)<br />
In/out packets (pass)<br />
0/0 (0 B/0 B)<br />
In/out packets (block)<br />
0/20 (0 B/868 B)<br />
In/out errors<br />
0/0<br />
Collisions<br />
0</p>
]]></description><link>https://forum.netgate.com/topic/199984/netgate-8200-wan-4-interface-ix1-trunk-port-no-mac-address-00-00-00-00</link><guid isPermaLink="true">https://forum.netgate.com/topic/199984/netgate-8200-wan-4-interface-ix1-trunk-port-no-mac-address-00-00-00-00</guid><dc:creator><![CDATA[JoshHuynh]]></dc:creator><pubDate>Sun, 25 Jan 2026 04:54:34 GMT</pubDate></item><item><title><![CDATA[LAN connection to 2.5gb managed switch(Port) shows 1000M on the switch not 2.5gb]]></title><description><![CDATA[@johnpoz
I've done some more investigation and found some weird behavior.
Let me explain:
These are the details
I brought up the PFSENSE Web gui
I navigate to "System&gt;Advanced&gt;System Tunables&gt;+New"
In the Tunable Field I enter: dev.ix.1.advertise_speed
In the Value Field I enter:   16
In the Description Field I enter:  2.5GB
I then hit save and reboot my pfsense box
After pfsense comes up and from the Welcome Screen I Select "Option 8"
I then enter the following SYSCTL Command:
"sysctl dev.ix.1.advertise_speed"
The Response is "sysctl dev.ix.1.advertise_speed: 7"
This tells me my tunable did not take effect after the Boot.
Now I navigate to "System&gt;Advanced&gt;system Tunables&gt;"
and "EDIT" the tunable I created above and click "SAVE" without
changing anything.
I then go back to the welcome gui and select "Option 8" Again
I then enter the following SYSCTL Command:
"sysctl dev.ix.1.advertise_speed"
The Response is "sysctl dev.ix.1.advertise_speed: 10"
Which is the Decimal equivalent of 16
Now I go To my switch and the Lan Port on the switch is now running
at 2.5gb.
It is my understanding that placing a tunable in
"System&gt;Advanced&gt;System Tunables&gt;"  should relieve me
of having to open the tunable and pressing save.
What do you think.
Is this a bug or am I missing something?
]]></description><link>https://forum.netgate.com/topic/199960/lan-connection-to-2.5gb-managed-switch-port-shows-1000m-on-the-switch-not-2.5gb</link><guid isPermaLink="true">https://forum.netgate.com/topic/199960/lan-connection-to-2.5gb-managed-switch-port-shows-1000m-on-the-switch-not-2.5gb</guid><dc:creator><![CDATA[Hoser7632]]></dc:creator><pubDate>Wed, 21 Jan 2026 21:21:39 GMT</pubDate></item><item><title><![CDATA[Help Moving VLANs off Lagg0 (xg-7100)]]></title><description><![CDATA[If I remember correctly, you just use the drop down to select the new Network Port, but only make the change when connected to a different network.
Mine looks like this now.
[image: 1768967119072-9e9ce812-7211-4592-b43f-9448abbcf1a0-image.png]
Only difference is I moved to the 10Gb ports.
]]></description><link>https://forum.netgate.com/topic/199930/help-moving-vlans-off-lagg0-xg-7100</link><guid isPermaLink="true">https://forum.netgate.com/topic/199930/help-moving-vlans-off-lagg0-xg-7100</guid><dc:creator><![CDATA[AndyRH]]></dc:creator><pubDate>Sun, 18 Jan 2026 01:59:51 GMT</pubDate></item><item><title><![CDATA[pfSense its strange &#x27;layered bridges&#x27; (and their behavoir)]]></title><description><![CDATA[@louis2 Why?
Bridges bridge Interfaces.
Vlans in pfsense are not interfaces.
So yes, it takes a few more steps, but it works.
And as a matter of fact is also performant.
You can also try vxlan if you wish which is a new feature in pf plus.
]]></description><link>https://forum.netgate.com/topic/199811/pfsense-its-strange-layered-bridges-and-their-behavoir</link><guid isPermaLink="true">https://forum.netgate.com/topic/199811/pfsense-its-strange-layered-bridges-and-their-behavoir</guid><dc:creator><![CDATA[netblues]]></dc:creator><pubDate>Tue, 13 Jan 2026 08:17:38 GMT</pubDate></item><item><title><![CDATA[Creating VLAN on primary LAN subnet]]></title><description><![CDATA[@luckman212 bingo! Thank you for so succinctly saying what I was fumbling around trying to say!
Yes, primarily security. Google VLAN1 tons of articles and whatnot advising to turn it off for security reasons (primarily for large enterprise). Secondarily (especially at this point), is a little academic - I am kind of frustrated at myself for not figuring this out so would like to accomplish for my personal satisfaction (though I am busy like everyone else and don't want to be doing purely stupid things).
I will look into the UniFi thing, their controller software is unusual but it does seem to allow configuring a default VLAN simply clicking on the default network in the controller software and entering the VLAN id however during hard reset it goes back to VLAN1 of course which could be issue if that becomes necessary.
I think your "Secure Enough" strategy sounds more sensible given my limited experience (I did try to configure from another subnet but got locked out and required a reset of the router). I think I will try this first. Thank you for the out-of-da-box thinking!
]]></description><link>https://forum.netgate.com/topic/199806/creating-vlan-on-primary-lan-subnet</link><guid isPermaLink="true">https://forum.netgate.com/topic/199806/creating-vlan-on-primary-lan-subnet</guid><dc:creator><![CDATA[NadaBytes]]></dc:creator><pubDate>Mon, 12 Jan 2026 22:54:50 GMT</pubDate></item><item><title><![CDATA[Create Vlan with Several IoT Static IP&#x27;s]]></title><description><![CDATA[To maybe make life simpler in the future, avoid common subnets like 192.168.0.0, 1.0, 2.0.  These are used by many things such as ISP routers.
I went with .42.0, because it is the meaning of life, the universe and everything.
]]></description><link>https://forum.netgate.com/topic/199805/create-vlan-with-several-iot-static-ip-s</link><guid isPermaLink="true">https://forum.netgate.com/topic/199805/create-vlan-with-several-iot-static-ip-s</guid><dc:creator><![CDATA[AndyRH]]></dc:creator><pubDate>Mon, 12 Jan 2026 22:06:44 GMT</pubDate></item><item><title><![CDATA[unable to reach separate vlan on unRAID docker]]></title><description><![CDATA[<p dir="auto">I have created a vlan (named pihole_vlan)  in pfSense, and created a docker container running on an unRAID machine that is using the vlan, which is defined in docker as a vlan network named br0.5 . The docker container using br0.5 is assigned static IP 10.55.5.4 :</p>
<p dir="auto"><img src="/assets/uploads/files/1767886231508-5e81ace8-2a5a-4c79-9343-57594d7c7370-image.png" alt="5e81ace8-2a5a-4c79-9343-57594d7c7370-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">From the router, when I attempt to ping the docker br0.5 console it fails. A packet capture on the router yields the following:<br />
10.55.5.1/24 subnet Packet Capture on router interface PIHOLE_VLAN:<br />
ARP, Request who-has 10.55.5.4 tell 10.55.5.1, length 28</p>
<p dir="auto">I’m at the limit of my knowledge here, so I’m not sure if the ARP request reflects expected behavior from the router or not?, and whether there should be a response from the unRAID side?  There is no response to the ARP request seen by the 10.55.5.1/24 packet capture on the router.</p>
<p dir="auto">I have a any-to-any firewall rule configured for PIHOLE_VLAN, so there should be no firewall blocking. I have pasted in routing tables from the router and the docker br0.5 console, and other configuration screens below.  I appreciate very much any help that can be given:</p>
<p dir="auto">VLAN Configuration in the router:<br />
<img src="/assets/uploads/files/1767886263339-702472b5-6a27-4ad4-8d67-793fd397b74a-image.png" alt="702472b5-6a27-4ad4-8d67-793fd397b74a-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">VLAN any-to-any firewall rule in the router:<br />
<img src="/assets/uploads/files/1767886292940-a0047f37-5408-4ebe-ab6c-f288b7b9286f-image.png" alt="a0047f37-5408-4ebe-ab6c-f288b7b9286f-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">Routing table entries of interest in the router:<br />
<img src="/assets/uploads/files/1767886315116-8deddec5-c303-49fb-b1a4-2e23269d6135-image.png" alt="8deddec5-c303-49fb-b1a4-2e23269d6135-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">Output from “ip a” from console of br0.5 docker container:<br />
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host proto kernel_lo<br />
valid_lft forever preferred_lft forever<br />
2: tunl0@NONE: &lt;NOARP&gt; mtu 1480 qdisc noop state DOWN group default qlen 1000<br />
link/ipip 0.0.0.0 brd 0.0.0.0<br />
32: eth0@if6: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UNKNOWN group default<br />
link/ether 4c:cc:6a:04:94:fb brd ff:ff:ff:ff:ff:ff link-netnsid 0<br />
inet 10.55.5.4/24 brd 10.55.5.255 scope global eth0<br />
valid_lft forever preferred_lft forever</p>
<p dir="auto">Output from “route” from console of br0.5 docker container:<br />
Kernel IP routing table<br />
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface<br />
default         10.55.5.1       0.0.0.0         UG    0      0        0 eth0<br />
10.55.5.0       *               255.255.255.0   U     0      0        0 eth0</p>
<p dir="auto">The network and br0.5 vlan settings in unRAID:<br />
<img src="/assets/uploads/files/1767886369395-be0f8129-0ff2-4588-8e90-031562bbece9-image.png" alt="be0f8129-0ff2-4588-8e90-031562bbece9-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">The docker settings in unraid:<br />
<img src="/assets/uploads/files/1767886391049-c0801371-7524-479a-835b-e26fc06a6cc2-image.png" alt="c0801371-7524-479a-835b-e26fc06a6cc2-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">The network configuration for the br0.5 docker container that is using the vlan:<br />
<img src="/assets/uploads/files/1767886414540-7836a0c4-ad16-4fb2-a96c-9ff1a1be9b36-image.png" alt="7836a0c4-ad16-4fb2-a96c-9ff1a1be9b36-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://forum.netgate.com/topic/199773/unable-to-reach-separate-vlan-on-unraid-docker</link><guid isPermaLink="true">https://forum.netgate.com/topic/199773/unable-to-reach-separate-vlan-on-unraid-docker</guid><dc:creator><![CDATA[wmcneil]]></dc:creator><pubDate>Thu, 08 Jan 2026 15:33:44 GMT</pubDate></item><item><title><![CDATA[inter VLAN connection not working after update to 2.8.1]]></title><description><![CDATA[@big_blue oh! Well good job me then. 
]]></description><link>https://forum.netgate.com/topic/199681/inter-vlan-connection-not-working-after-update-to-2.8.1</link><guid isPermaLink="true">https://forum.netgate.com/topic/199681/inter-vlan-connection-not-working-after-update-to-2.8.1</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Fri, 26 Dec 2025 21:54:03 GMT</pubDate></item><item><title><![CDATA[VLAN interface direct to device without a switch between them]]></title><description><![CDATA[@Hoser7632 no connection like link would have nothing to do with what networks you might pass over this wire.
Not exactly sure what you mean when light just flashes red, on your AP, on the interface?
I take it you're powering this via ac adapter since I doubt your x550-t2 interface is going to provide poe.
Why would you tag traffic over this interface to your AP, unless you were going to carry more than 1 network on the wire?
Seems kind of pointless to me to tag this traffic if only 1 device is going to be connected to this port.
]]></description><link>https://forum.netgate.com/topic/199634/vlan-interface-direct-to-device-without-a-switch-between-them</link><guid isPermaLink="true">https://forum.netgate.com/topic/199634/vlan-interface-direct-to-device-without-a-switch-between-them</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Sat, 20 Dec 2025 16:11:36 GMT</pubDate></item><item><title><![CDATA[Same issue on My device, No VLAN]]></title><description><![CDATA[<p dir="auto">Re: <a href="/topic/199552/vlans-stop-working-after-upgrading-from-24.11-for-both-25.07.1-25.11">VLANs stop working after upgrading from 24.11 (for both 25.07.1 + 25.11)</a></p>
<p dir="auto">I have this same issue. I upgraded and it was working for about a day or two, then had a reboot and all my VLANs stopped working.  I see them configured as before, but it does not seem like internet is flowing to the VLANs.</p>
]]></description><link>https://forum.netgate.com/topic/199586/same-issue-on-my-device-no-vlan</link><guid isPermaLink="true">https://forum.netgate.com/topic/199586/same-issue-on-my-device-no-vlan</guid><dc:creator><![CDATA[Kayvil]]></dc:creator><pubDate>Tue, 16 Dec 2025 03:38:29 GMT</pubDate></item><item><title><![CDATA[Netgate 6100 Max Recommended switch connection]]></title><description><![CDATA[Architecturally similar to my installation.
I have a "core" switch which connects to the firewall, but with one switch port with half the VLANs going from the core switch to the firewall and another switch port with the balance of the VLANs going to another firewall port.
Then, the core switch connects to my two remote switches (analogous to your switch by the firewall and your garage switch).
Without bridging the firewall ports, I don't think you can home-run both switches to the firewall and route all VLANs to both. And Netgate here has repeatedly discouraged using bridging on the firewall.
Thus, a "core" switch is necessary, or, daisy-chain your switches.
A couple of down-sides to daisy chaining switches is the single-point of failure in the daisy chain. If your top switch fiber goes bad, or the top switch goes bad, your entire LAN goes down.
Also, all your traffic then has a single collision domain between your top switch and your firewall. Probably not a real issue on a 10G fiber, but if you have tons of traffic on that fiber it could degrade performance.
A core switch could alleviate the collision domain issue, and if you connect the core switch to your firewall with two fibers, one for half your VLANs and the other for the rest of your VLANs, you'd remove a single point of failure for your entire LAN at least as far as the fibers go.
If the core switch fails then everything fails*, but that would be easy to diagnose. If just one fiber or fiber port goes down, only half your LAN (one of your two switches) would go down and that would be easy to diagnose.
YMMV.
*You could certainly design some kind of redundant core-switch arrangement with spanning-tree protocol and multiple switches and fibers and so on, but that's out of my league.
]]></description><link>https://forum.netgate.com/topic/199569/netgate-6100-max-recommended-switch-connection</link><guid isPermaLink="true">https://forum.netgate.com/topic/199569/netgate-6100-max-recommended-switch-connection</guid><dc:creator><![CDATA[Mission-Ghost]]></dc:creator><pubDate>Sun, 14 Dec 2025 02:14:45 GMT</pubDate></item><item><title><![CDATA[VLANs stop working after upgrading from 24.11 (for both 25.07.1 + 25.11)]]></title><description><![CDATA[You can clone the current BE (or use quick create) and boot into it. Then default the config in that new BE add back only the minimum config. You can always boot back into any other BE.
]]></description><link>https://forum.netgate.com/topic/199552/vlans-stop-working-after-upgrading-from-24.11-for-both-25.07.1-25.11</link><guid isPermaLink="true">https://forum.netgate.com/topic/199552/vlans-stop-working-after-upgrading-from-24.11-for-both-25.07.1-25.11</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Fri, 12 Dec 2025 22:57:13 GMT</pubDate></item><item><title><![CDATA[No connection with VLAN via OPT2 (Urgent)]]></title><description><![CDATA[Hi all!
Thank you for your quick answers!
It was connected to the PFBlocker NG; once it has been deactivated and reactivated, it works.
cheers!
]]></description><link>https://forum.netgate.com/topic/199495/no-connection-with-vlan-via-opt2-urgent</link><guid isPermaLink="true">https://forum.netgate.com/topic/199495/no-connection-with-vlan-via-opt2-urgent</guid><dc:creator><![CDATA[jogovogo]]></dc:creator><pubDate>Fri, 05 Dec 2025 10:40:15 GMT</pubDate></item><item><title><![CDATA[Pfense and unifi]]></title><description><![CDATA[<p dir="auto">Need a little help, for years I've been running pfsense and cisco switch.<br />
My pfsense has vlan 10 20 30 40(guest) and the LAN which does not have dhcp server and rules were in place so the only device reachable was the pfsense box. Each of the vlans has a dhcp server.  I added unifi AP's and a controller. For the AP's to see the controller I had to set the native vlan on the cisco to 10, which is my server vlan, and it worked forever.</p>
<p dir="auto">Unifi controller was setup with third party gateway (192.1681.1) which is the pfsense and the networks to match the vlans. This worked also forever.</p>
<p dir="auto">Recently I switched the cisco for a usw-pro-24-poe and the uplink was set to native vlan 1 (192.168.1.1), that is how it shows, but the switch would never show up for the controller. So I had to put the cisco switch in between pfsense and unifi and have the port set to native vlan 10 in order for the controller to see it.</p>
<p dir="auto">I am a lazy admin and on the pfsense box when a device came online and grabbed a dhcp address I would create a static mapping and give it an ip not in the pool.</p>
<p dir="auto">I soon realized that any device I did this to did not get that ip; it would just pull an ip from vlan 10.  So I experimented on the unifi switch and set ports to native vlan 10 20 etc and some devices would work and others not.</p>
<p dir="auto">I then discovered that anything requesting an ip from any vlan did not get it if wired, except if it's wireless, and only vlan 30 and 40 are working. The others would just fail where before they did not.</p>
<p dir="auto">In the pfsense logs for dhcp I have a ton of rejects on UDP 67 never had this with the cisco switch. Which explains why the devices are not getting an ip, but why?</p>
<p dir="auto">Yep, it's messed up. Now that you've read a novel, is there anyone else that has had this experience and how did you correct it?</p>
<p dir="auto">any port that has the native vlan 1 (192.168.1.0) that's how its displayed and allow all when I plug a device it an ip in the vlan 10 and other times just sits there nothing happening.</p>
<p dir="auto">Sorry for this long post, I don't think it is a pfsense issue at all but I've run out of ideas and wanted to post here before I post on unifi since the response is likely it's a pfsense issue</p>
<p dir="auto">EDIT  I figured it out</p>
]]></description><link>https://forum.netgate.com/topic/199420/pfense-and-unifi</link><guid isPermaLink="true">https://forum.netgate.com/topic/199420/pfense-and-unifi</guid><dc:creator><![CDATA[flat4]]></dc:creator><pubDate>Mon, 24 Nov 2025 19:55:42 GMT</pubDate></item></channel></rss>