I think I've solved both problems. The first problem with the second port of the LACP not working is resolved by removing and then readding the specific interface to the LACP group. After I did that the port started working immediately. After that, there were still messages of "Interface stopped DISTRIBUTING, possible flapping" but now on both interfaces of the LACP group. To resolve this I added the system tunable I already mentioned in my first post ("net.link.lagg.lacp.default_strict_mode" with value 0) and restarted the firewall. Since that moment (last Saturday evening) until this moment I'm writing this, there are zero log entries with that error and the link hasn't gone down either since that.

Hi, I don't see any issue with the intended setup. But, is this switch being shared with internal LAN? If so, triple review VLAN config to avoid security issues. Regarding overhead/hardware load between vlan or multiple NICs, I see no issues. Probably the amount of traffic passing through Pfsense will have hight impact than VLAN tagging. BR, Benito

After lots of debug and hours lost, that turned out to be some incompatibility between the NIC card on the computer I was running those tests, and the NIC on PfSense box (Intel). Probably defective card but only failing when talking to Intel Nic on PfSense (weird). Changed NIC to a new one and problem is gone.

Hello, Sorry to answer that now. With ACLs, cala works. I don't know HaProxy well yet (I was doing this with Nginx), I thought we had to do this with PfSense rules. Thank you so much.

Aha! You are a lifesaver. I feel like an idiot. Thank you so much!

@Raffi_ said in Youtube cast across VLANs: UPNP as you mention if I do decide to put all my devices on the same layer 2. UPnP is always dangerous... @Raffi_ (an enemy of any firewall and/or router) but if handled well, it is indispensable for the game my son is an active PS4 player... (only when he study, he don't....) his buddies taught he to speak english (very well) in the PS4 community (game world), ergo on PS4 is the best and cheapest English teacher... I only tolerate it, in our home network, because the teach.....

Yeah that is great.. but if your in vlan X, you can't arp for something in vlan Y.. Doesn't work that way.. So its working as it should.

Probably too late on the party for this one, and seems like you got a solution anyways- but more than anything else I am a noob and wanting to learn, so this is as much for me as it is for you- but I digress. In the unifi controller, there is a built in option to allow passthrough of a VLAN for the specific purpose of a voip phone. In switch profiles, you can indicate a voice network (which can be a real network, or in this case, a VLAN that is configured as a network in the unifi controller). I think this is a relatively newer feature? But I may be wrong on that. Lawrence Systems on YouTube has a good video on this. Like I said, this may be a solution looking for a problem but thought I'd put it out there.

@Derelict Thank you. Changing the parent interface to lagg0 worked. Now, I'm going to see if I can make it work on the expansion card.

@pi said in Help Config Aruba IAP VLANs: I will configure the OPT1 port this is fine in itself, but I will also follow the Aruba VLAN, when I will have time to read through it

Looks like my onboard NIC doesn't support VLAN tagging. I set up LAN and opt3 identically:[image: 1595787320627-vlan.png] [image: 1595787844589-intelvlan.png] When I have my desktop directly plugged into em1, I don't get an IP from pfsense. When I have the desktop plugged directly into igb1, or igb1 through the switch, I am able to get an IP from the VLAN. I still haven't figured out the TomatoRouter part, but atleast I know now it's not a pfsense issue. My motherboard: https://www.supermicro.com/products/motherboard/Xeon/C216/X9SPU-F.cfm Network Controllers Intel 82574L Dual Port Gigabit Ethernet Virtual Machine Device Queues reduce I/O overhead Supports 10BASE-T, 100BASE-TX, and 1000BASE-T, RJ45 output

You don't really need vlans, just separate lans. :) You already have 5 lan interfaces, and since one should be dedicated to the wan, you can have up to 4 segmented lans to play with, without any vlans. If you need more that that, then the dlink switch in 802.1p mode can provide even more segmented lans. But I think 4 is enough. Lets say 4 zones, business, leisure, guest/wifi/printers/phones, and?? Of course things get complicated if for example you want wifi access to he business segment from wifi for some devices, but not for guests, or we don't want the missus to have fb access (god save us). You should strive to have devices having common internet requirements on the same lan, so you can leverage pfblockerng et al better.

@mourad13 You're welcome, no problem!

@newberger said in HP switch and vlan: Also, you might need to check your NAT rules? I had the po change FW to allow all and still not getting IP. Prior to using wireshark, HP switch is configured to LAGG with Unifi switch, I had remove the LAGG to enable port mirroring. Capture trace on the port connecting esxi box and vmnic. DHCP traffic vlan50 is captured on the switch port but not on vmnic. I have pfblocker running and the NAT rules are for DNSBL.

@johnpoz Yes, QNAP has similar functions, but that makes sense on the setup. I think I will stay with the simple (aka, "working") setup! ;) Thanks for all your help, as usual!