@nomis-home43 You can leave it as layer3.
Config one port on the switch as a trunk. Tag all 3 vlans on that port.
Untag the vlans on any switchports you need for the networks, I think you said you only need 1 port per network so just do that.
In pfSense, go to interfaces/vlans. Add the 3 vlans to the LAN port, This is the equivalent of making that port a trunk, so remove any config you have on it.
Then go to Interfaces/assignments. On the bottom there's "available network ports". In the drop down, all 3 vlans will be there. Assign each vlan, one at a time, and they will be assigned an OPTx name. Click each OPTx, enable it, rename it, assign ip's as needed. Go to Services/DHCP server. You will see all 3 vlans at the top, click one, enable dhcp server and set range. Repeat for the other two.
Then set firewall rules on the new ports.
Should be good from there.

akuma1x,
I'm starting to understand. I need to read the post and digest it. I'm not sure how to configure the X, Y, Z ports between the switches. I never thought about doing that.

@johnpoz Since both my phone and desktop are on LAN and the phone can see the chromecast and cast to it and the desktop cannot.

doesn't that mean something is wrong somewhere?

@stephenw10 said in Single NIC Setup Not Working as It Should:

mixed mode' of some type in order to carry both tagged and untagged traffic on one port.

Not really a "mixed" mode.. But the untagged traffic would need to be set as the native vlan..

Wouldn't show it in the gui..

Here would be a port config of doing tagged with an untagged vlan.

interface gigabitethernet5 description "sg4860 WLan and vlans" switchport trunk allowed vlan add 4,6 switchport trunk native vlan 2

here is how it looks in the gui of my sg300

switch.jpg

On this port vlan 2 is untagged, while vlans 4 and 6 are tagged.

@aaronssh It was confusing as hell to me too until someone explained in a way that my primitive brain could process. It's opposite how you intuitively want to think about it. I still get it backwards sometimes.

The house analogy is actually a fantastic way of keeping it straight in my head.

@amc_oldsarge Any new vlans creatred will need outbound rules adding, if you want an internet only rule do something like this:-

Screenshot 2022-05-16 at 20.36.06.png

Where n_ip_local contain all the local subnets.

@prtonguy77 said in Block clients on same VLAN from seeing eachother?:

Any ideas?

get a switch that does, or create vlans to isolate the devices you don't want talking to each other.

Thanks to all for explaining doh. I changed my SecureLANs alias to not include the 192.168.20.0/24 network. So now, all PCs on 20.0 seem to get DNS, etc. I added a rule to block source from 20.0 network and destination to This Firewall/443. I think I'm good, unless I missed something else.

@dansci

Yes, you're making the same mistake I thought you were making. You want static IPv4 on both interfaces. By not enabling IPv4, you are disabling that interface.

@johnpoz said in How to keep networks separated:

Seems odd to me that your saying pfsense is getting a public IP - but other devices are getting 192 - this isn't normally how a gateway in bridge mode works.

That's how the att garbage works. Their gateways have what's called passthrough mode. Via dhcp it assigned the public ip to a single device on the lan side.

However, the public ip still remains assigned to the gateway's wan as well. It's a pseudo passthrough mode of sorts, fake bridge.

The end result, customer's device (router, pfsense, etc) has what appears to be a public ip as well as the gateway. As such, the gateway can assign various private ip's to other devices (wired and wireless) connected its ethernet ports and/or wifi ssid. A traceroute behind the customer's router (pfsense or other), will show the gateway ip as the first hop (192.168.1.254) rather than the real wan gateway.

For those of us on fiber in areas not get upgraded to xg-pon, several bypass methods exist which eliminate the isp gateway box entirely. The best is extracting (or buying) the 802.1x certs then implementing them in software using wpa_supplicant. This gives customer full access and control of the network, no double nat, etc. Also a /60 PD for ipv6 vs /64 from the gateway box.

The other methods still rely on the gateway box in one manner or another.

Replying to myself.

I got the switch and finished setting up. It does not appear to support mac wildcards for mac based vlan. I tried 00, and FF as the wild card characters. Rejects * as well. So each unique mac must be manually entered.

I suppose if there's a long list, one could make a backup which is text based, then following the existing format, paste additional macs in there, restore.

Functionality; My set up at this time is using sophos utm. Each vlan has its own dhcp server assigned along with various firewall and masq rules. The setup does appear to work.

I'll need to use a linux client to do some probing to see if I can see what leaks over on the wifi side from clients on different vlans.

What is missing from the initial steps is the pvid screen, which proved quite important. It is important to assign all pertinent vlans as UNTAGGED in the configuration. In the example below, physical port 8 is the one feeding the orbi device.

For now it's configured with 2 vlans, 4 and 5. Proper connectivity would not happen until vlan 4 and 5 were configured as untagged. PVID of 4 means any undefined (no mac vbased vlan entry exists) mac will be defaulted to vlan4.
0187b852-a37d-4e88-b966-140ef2128862-image.png

The rest of the lan operates on vlan1, which is not assigned to that port at all. I may make special routing rules later for a few things (like WOL using app on phone). For the most part, I don't want anything wifi having access to the main network.

The switch cost me about $50, the orbi's cost nothing. I am hopeful sometime in the near future someone figures out how to gain console access so the whole vlan mess can be untangled and defined properly. It's a bit odd having the same ssid/wifi password for the guest network as other networks.

What IP range is used in the router before pfSense? I think pfSense is looking ok, don't know about that switch.

@derek_nos said in Netgate 2100 Vlans With Aruba 1930 Switch And AP15:

so the following should be fine for native vlan1 and vlan30

Yep!

Okay so I indirectly "fixed" my problem. All it took was installing Debian as I couldn't install proxmox directly via serial console, then modded Debian into proxmox, virtualised pfsense with virtio networks cards.

I don't know why a testing device acquired an IP address for the Guests VLAN while connected to a wireless network associated with the IOT VLAN. I tweaked subnet/VLAN settings a little, but still very similar to the settings as described above. The testing device now acquires an IP address in the expected subnet, when connected to the IOT wireless network, so I guess that problem is resolved...
Even after the device acquired an IP address in the expected subnet, it still had no Internet access. After adjusting outbound NAT, this too was resolved.

@andrea-rizzini for starters what are the rules on your private interface? Are you forcing traffic out a gateway before you allow access to your camera vlan? Or your camera IPs

But examples were given on how to create the source nat (or outbound nat on the iot camera vlan) interface.

It would just be an outbound nat using your IOT interface, and the IOT interface address. Now when you talk to the camera's from your private net, it looks like your talking from the IOT interface IP.

Currently I show uptime of
63 Days 06 Hours 39 Minutes 54 Seconds

Which would of been when I updated to 22.01

@marvosa @mcury @NOCling @the-other

Thanks for the help!

The issue has been resolved. I'm still not totally sure what the setting was, but something was of with my pfBlockerNG settings. I was playing around with some settings in there, screwed up, and had to run the wizard again. All of a sudden my HOME VLAN began working properly. Tested on both the Dell and TPLink switches.

Thanks again everyone!

@lees
Your assumptions are correct.
I have not even assigned a pfSense IF , to my VLAN parent IF's

Parent IF "could" also be known as the "Untagged or Native IF"
As it would be the IF that receives "Untagged frames" on that "wire".

/Bingo

@openwifi said in I need to create a bridge connecting my LAN to OPT port.:

@marvosa Implementing a switch was the initial plan but then a switch would be an extra layer on the network that might fail at any time, so I thought why not just use the extra port and switch it together with the LAN. That means I do not need an extra power outlet for the switch and also reduced an extra point of failure on my network

A switch is an integral part of proper network design, you can't think about it as adding an extra point of failure.

If you're adamant about a collapsed design, then your best bet from a performance standpoint is moving to an appliance with an integrated switch (e.g. Netgate 2100).

@opoplawski

????

Are you moving that Mac between the 2 connections? How is your network set up? Do you have the Wifi and Ethernet on different interfaces? If so, why?

Can't seem to submit an edit of my post so:

Edit: Nevermind, I bought a switch... I already started this thread with "I know this isn't good practice",and trying to fix this issue, I realized, even as a temp fix it's not a good idea to do this, so I'm going to set the network up the proper way...

@worldhopp I believe you just solved my issue! I was just visualizing tagged and untagged backward. I'll let you know for sure how it turns out.

Thanks for the response on this old forum.

@dotdash said in Same Networks in different VLANs:

multiple routing tables is just that and not actually several routers

We could debate semantics I guess ;)

To "me" VRF is actual another router.. Since it is a whole set of new routing tables, and sure other interfaces.. Even if they are "virtual"

"Virtual routing and forwarding (VRF) is an IP-based computer network technology that enables the simultaneous co-existence of multiple virtual routers (VRs) as instances or virtual router instances (VRIs) within the same router."

think the OP should just use different networks for the vlans

We agree here ;)

Solved...
For some reason, "Firewall -> NAT -> Outbound" showed me an "Auto created rule for ISAKMP - ... to WAN" for one failing VLAN, but it did not add the "randomize Source port" entry automatically.

No clue why... I also seem to have had "Manual Outbound NAT rule generation." on, but then I wonder how I ended up with the above auto created rule.

In any case, I now added the needed NAT entries manuall and now finally it works :)

@johnpoz : Linksys EA7300 - You said it would work, but it doesn't!!! 😆 🤣

Not listed as supported on the DD-WRT web site. 😞

But it is supported on OpenWRT with vLan! Yay!

So, cool beans! I can (probably) take it from here.
Thanks for your, and everyone's, help!!!

@ossgeek said in Best Practices for VLANs with Multiple Interfaces:

it would be a few extra clicks to configure.

Either way adding more vlans to a physical interface is no big deal, be it you have untagged on the interface already or not. Sure you would have to change the config on your switch a bit.

But I run native (untagged) network on same interface I also have tagged vlans on.. There is nothing saying you can not do that - unless you had some limitation of your switch? Or again some company policy stated not to do that ;)

@viragomann Big thanks for this, man. One click fix after days of troubleshooting and even consulting with others.

@skippythemagnificent You shouldn't have it tagged if the only thing on it is untagged... but you do have to have the assignment made.

There's a lot of data in this ticket so if you said you have a 802.1Q switch on that interface or other tagged device then that would make sense.

@grovesjon

https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/router-on-a-stick.html

i dont have the screen in step 5

@steveits Hey,

Thanks for your response, sorry for the late reply.
I did follow Netgate's instructions, futhermore I've tried most of the configurations looking at the specific ports and if tagged or untagged traffic comes in.
Though the router is not implemented yet in the network. Its still on its test setup.
The DHCP server is enabled and configured the same as my other interfaces, wich do work.
The interface is has a /24 subnet.
I hope I am explaining it correct, I'm still a bit of a noob with networking.

@gertjan said

PS : It's not a Russian bank, right ? ;)

Not exactly but they have had other "problems"