I found the issue is with the Orbis using STP by reading Flash008's post in the link below. https://community.netgear.com/t5/Orbi/Orbi-RBK53-ethernet-backhaul-issue/td-p/1505888 I had a couple of options to address this. Either keep the switches STP off and Enable BPDU, or turn on basic STP on the switches with the ports used by the Orbis using the default priority of 32768. I went with turning on STP and setting the ports to use the default 32768 priority which seemed to have worked. Network did go down for about 30 seconds, but then it recovered without isues since. It's definitely not the pfSense box. On another note, I will most likely tackle some Traffic Limiters next to see if I can't get an A or A+ on dslreports for bufferbloat. Thanks again for everyone's help. I think I'm good. :)

@dennypage To be clear, mDNS traffic WILL still move across the network and is still accessible if you are connected to the 2.4GHz side of your SSID. The problem was actually pretty hard to trace out due to the sporadic nature and the fact that the traffic was present on the network. It's just that the WAPs drop it over the 5GHz side if the meshing is enabled.

@r801248 any update on this?

Well power MAX can for sure be misleading.. Great device to add to your tool belt, if you have any care to what devices draw.. Is a kill-a-watt meter.. Or a smart plug with power reading.. So you can plug a device in, and see what it actually draws.. Say leave it on the plug for 24 hours min.. And try and atleast use it a bit like you think you normally would.. Cost of elect can vary quite a bit.. But at the national average of like 12cents per kwh.. A 100W will cost you 100 Bucks a year. Not counting delivery cost of the elect as well, and taxes on that etc.. so going to be 100+ a year to run something that sucks 100w if left on 24/7/365 I have gotten pretty into how much something draws, even before I went solar.. So Im the blue line - guess when I went solar ;) [image: 1611361470268-electric.png] I always use to be above even my non efficient neighbors (all the networking/computer toys) ;) The part I like the most is where I am under the 0... This is where I produced more than I used.. Which is the goal..

@rmfooty I dont know if it can help you... it was difficult to find on internet cause everybody say just set VLANS on pfsense after set on Switch... but nobody told us to set Hyper V when we are talking about VLANs on Hyper V https://blog.workinghardinit.work/2015/10/13/trunking-with-hyper-v-networking/

Well.... Made a backup of the settings in 2.2.6 and restored them into 2.4.5p1. Had to reinstall packages but everything is working like a charm. Exactly the same settings in interfaces... but now its working.

@cool_corona Yes I understand that, but pfsense is still involved correct? - when I change system -> advanced -> networking performance varies Thanks

@ncat I understand the convenience factor, however, instead of adding complexity, you could also address those issues by adding the appropriate routes as needed. I have yet to hear anything that couldn't be addressed with a routed solution.

Problem is solved, it looks like suricata was blocking my machine somehow.

@mcury Wow way too much time spent on this lately but finally getting it to where I want it to be. [image: 1609995306377-vlan.jpg] Vlan1: Management This is the Lan off the pfsense firewall. It has access to pfsense gui, all switches, ap, vlans. Vlan3: Server Unraid server running plex, LMS, a few other things Allowed: pfBLockerNG, DNS, Plex to HDHomeRun tuner on Vlan4, Internet Blocked: Firewall & Internal communication. Vlan4: Home Theater Denon Receiver, (3) piCorePlayers, (2) Nvidia Shields, Xbox, (2) HDHomeRun Tuners Allowed: pfBLockerNG, DNS, Plex players to Plex on unraid, piCorePlayer to LMS on unraid, Internet Blocked: Firewall & Internal communication. Vlan5: Work Work laptop, (2) VOIPs Allowed: pfBLockerNG, DNS, Internet Blocked: Firewall & Internal communication. Vlan8: Wireless (2) Iphones Allowed: pfBLockerNG, DNS, Internet Blocked: Firewall & Internal communication. Vlan9: Guest Wireless (2) Chrome books, (2) iphones, (2) kindles, PicorePlayer, roku, PC Allowed: pfBLockerNG, DNS, Internet Blocked: Firewall & Internal communication. Equipment: Pfsense box: HP Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz, 16 gigs of ram, HP 4 port ethernet card - Packages running: aprwatch, iperf, nmap, ntopng, pfBlockerNG, RRD_Summary, Status_Traffic_Totals, Telegraf Access Point: Netgear R7800 running Openwrt Switches: TP-Link TL-SG1024DE, (2) TP-Link TL-SG108PE Server: ASRock X99 Extreme3, CPU 2GHz 12 cores(24 HT), 32gigs ram Unraid Parity Drive: 4tb 15TB HD Space Cache Drive for Dockers Unassigned drive for VMs (Windows, Hassio, Linux) Things still testing: Iphone control while on Vlan8 to items in Vlan3(plex), Vlan4(Receiver, PiCorePlayers, Shields, Roku). Verify anything in Vlans 3+ can't get to pfsense box, switches, APs, Server. I am sure I am forgetting something.

Pfsense would not strip tags.. You can view tags in the capture by doing a sniff on the parent interface with tcpdump and using the -e flag You will then see this for something that has tag on it. ethertype 802.1Q (0x8100), length 58: vlan 4, p 0, ethertype IPv4

@jknott Yes typo, thank you. S/b: VLAN 1 untagged on ETH5-8. I have since added all the VLANs I need and VLAN1 works untagged and the rest are tagged and working on ETH5-8. [image: 1609790814484-pfsense_xg7100_switch_vlans.jpg]

@kiokoman said in VMware Vlans and PFSENSE: 0t thanks for replying, that was the issue once I tagged the 0 and 2 interfaces it worked like a charm

@johnpoz said in Need suggestions for home topology: Poor guy ... 10 100 days downtime/yr We both did typos ;) 365 - nice catch - doh! Well maybe i can get my tuition money back for calc ... Nice catch too

@bingo600 said in VLAN security question: As Mac should be unique. Well, any router that's connected to multiple VLANs will have the same MAC on those VLANs. On the other hand the IP addresses will be different, as they're on different subnets.

@bingo600 Yes all the management of the network is done from the 163 network. The only things connected to the 163 network is a Microsoft AD server and trusted computers in that AD domain. There is an additional physical 160 network set up just like the 163 network (physical ports on the switch and wifi) with the exception that it connects to pfSense on EM1 and it has port 13 assigned to it as a tagged port . There is an additional tagged SSID on the access point for devices to connect to the 160 network. This is also a dedicated interface with no other networks. It has various trusted devices, laptops, phones tablets etc that should not access the other networks. Those devices connect either by ethernet or wireless. Every network (physical or vlan) has firewall rules that reject access to RFC1918 networks with the exception of a few select devices on the 163 network that are used to manage the full network.

@sgw said in how to manage APs and various ESSIDs: What do you mean with "native LAN" ? The standard LAN on pfsense? "Native LAN" refers to the network without any VLANs. For example, with pfsense, you have an interface for your LAN. You can run all sorts of traffic over it, but there is no separation into virtual LANs. Anything beyond that basic network, is carried over VLANs on the same basic network. Of course, you could use a managed switch to remove the VLAN tag and place the packets on another physical network. Any traffic on that network would be "native", even though it would be VLAN elsewhere. On my system, I my native LAN interface is bge0. I also have bge0.3, which is VLAN3 on my native LAN. If you were to watch the traffic on that physical interface, you would see frames both with and without VLAN tags. While many devices can handle VLANs and work directly with tagged frames, others can't, which means they can only be on the native LAN or be behind a managed switch that has a port dedicated to that VLAN. My VLAN is used for my guest WiFi. So, I have pfsense, my AP and my switch configured for that VLAN. Both native LAN and VLAN 3 are on the switch ports connected to pfsense and the AP. All other ports are native LAN only.

@rostyslav-didus said in Trunk port beetwen Cisco 3750g & PfSense 2.4.2-RELEASE: @bingo600 Yes sir! My mistake-I didn't say that pfsense is on Esxi. We updated pfsense. Now it got last stable version. I am going to read how to make proper vlans on Esxi to allow vlan 5 flow. I'll show esxi config in 2 hours. Thanks. I have not tried a pfSense on ESXi , but have a small home ESXi , where i used vSwitch to make the trunk (& Vlan definitions). Someone else w. pfSense on a VM experience should chip in. Have a look in this section. https://forum.netgate.com/category/33/virtualization