@ninthwave I have a pfSense with two LAN's : one for the company, with all the ethernet printers, and a second quest LAN (using the captive portal). I have a firewall rule on this second LAN that permits to contact user from the captive portal to contact the IP's of my printers. I've installed Avahi, so phones and devices can discover network services. This is what they see : [image: 1635149961861-313e6945-7183-4c6d-a15c-cfb7341607ad-image.png] btw : no need for 'cups' ....

@rafterx Your port on the switch should look something like GE2, GE1 is my router to switch interlink :- [image: 1635066837428-screenshot-2021-10-24-at-10.11.03.png] [image: 1635066846165-screenshot-2021-10-24-at-10.11.26.png] [image: 1635067180684-screenshot-2021-10-24-at-10.18.37.png] The only difference would be that I have my management network for my Aruba AP22 & switches on the untagged vlan 4903.

@johnpoz: I agree with you completely, and that’s exactly what I encountered. Once I had worked out the tagging on the various SG-1100 and switch ports, DHCP was working. It then required a better set of firewall rules to get out to the internet.

@johnpoz thank you and much obliged

UPDATE: Discovered that the upstream Cisco Switch connected to the Netgate 5100 had Cisco Port Security enabled, which was configured to only allow two MAC addresses for the port. Disabling that resolved the issue.

@prtonguy77 yes.. Any switch that can do vlans, and any AP that can do vlans can work together..

@rhvw said in Using only vlans no lan: is mixing tagged and untagged more susceptible to vlan hopping? No... But it could be more open to mistakes being made in the config I guess.. Tagged and Untagged traffic would only ever be on a port that is uplink to some device that would be handling the vlans. Another switch, another router, an AP.. Some VM host, etc. It what scenario would you have anything but 1 vlan untagged traffic going to an end use device? If you were doing that - then sure the end device could get on any vlan they wanted that was allowed on the port. The ability to hop vlans amost always comes down to a mis configuration.. If you setup your switch/AP correctly.. And there is no underlaying issue with the switch/ap - it not very likely to be able to hop vlans. In a correctly configured an functioning switch. If I put port X in vlan Y.. The user tagging traffic would not be allowed by the switch port, so it would/should not be possible for the user to hop to a different vlan.. Only untagged traffic should be allowed into that switch port, and it would be on vlan Y.

@johnpoz I have the factory reset pfSense running with two Vlans and the switch reset with a new IOS image and running with the two Vlans and getting IPs, internet. Everything is working as it should. I think that whoever configured the switch before me had some odd settings because it worked after the wipe and image upgrade, it worked.

@johnpoz said in Broadcast packets duplicated across VLAN: asking for 13.100, from 13.1 in both 11 and 13.. Something for sure is all messed up.. In case you are interested, I contacted Netgear support and they say it's an issue with my switch: "As I have this inquired to my senior experts, seems like the behavior of GS116ev2 Plus Switch is causing the issue for the certain VLAN. Since GS116Ev2 does not have native VLAN nor management VLAN ID, any DHCP request is being sent to all ports. As advised and to have this be corrected, Smart Pro switches are recommended."

Thanks a lot :-) Will try.....

@digitalcomposer simple hybrid nat, create the rule and then check the do not nat checkbox.. ;)

@cjnazz I would stay away from tplink switches to be honest - they have a bad track record. Current models might be fine. But previous they had an issue where you could not remove vlan 1 from any port.. So they were not actually isolating your vlans.. Tread with caution - there are many other switches in the same price point area that have not demonstrated a complete an utter lack of understanding of how vlans are suppose to work ;) I have used unifi AP for many years - I have had no issues with them, and setting up vlans to ssid is very simple. I have multiple vlans running on mine (have 3 AP in the house). And use poe injectors. No real need to setup "routing" out of the box really any router (pfsense included) will auto know how to talk to networks its directly attached to. What you allow or don't allow between your networks/vlans is simple firewall rules. You would setup different IP ranges for your different vlans, if you want to run dhcp on pfsense for these different networks then yes you would need to set that up on pfsense. Pfsense should be able to ping anything in a network its attached to yes - unless some firewall on the device your wanting to ping blocked that. I am not sure how easy or even possible to setup vlans on the unifi APs without the controller. They do have like a phone app you can run to set them up. But not sure if supports setting up vlans. But once they are setup the controller software does not need to be running 24/7.. But you might find it useful in the sense it provides info into your wifi devices - what band and speeds they are connected to, which AP, etc. I run my controller on a vm on my nas.. As to your printer question - access to the printer from other vlans would be a simple firewall rule to allow that.. Discovery might be problematic, airprint for example does not work across vlans. You would want to setup say avahi to allow for discovery if that is something you want to allow and need. But anything that can just put in either the fqdn or IP for the printer would be able to print as long as you allow the printing protocol/port your using via firewall rules.

@ninthwave One very important thing, don't let them run as Admin!!! Most people get a Windows computer and run as Admin, which leaves the computer wide open for malware. Run as a user and only use the Admin account when necessary. This is the way things are normally done in the Linux/Unix world.

So it was a routing issue after all. I checked the actual routing table on the pfSense (should have done this before) and there was a route for that range 192.168.3.128/26 via one of the OpenVPN servers. Sorry if I wasted anyone's time.

Thanks I thought as much, I will give it a go.