@SteveITS Hello, many thanks for your prompt response! Indeed, ping has nothing to do with DNS. I didn't notice it because I didn't even attempt it on one machine. This is working now as well. We used pfBlockerNG, and the opt1 still needed to be defined in the Outbound Firewall Rules. Then once update via cron and now it works! cheers ron

@patient0 Got it, will explore 'Shellcmd' package Thank you!

@Monta you could do a traffic capture and look out for dhcp related packets...coming from, going to...pfsense offers that already. here: https://docs.netgate.com/pfsense/en/latest/diagnostics/packetcapture/webgui.html you could also provide screenshot(s) of: vlan config pfense and vlan interfaces for dhcp vlan config of switch config of AP maybe that gives a hint... as already said: said in How to view VLAN: you possibly get more help if you give precise info ;)

@SteveITS said in VLAN connectivity broken after upgrade to 2.8.1-RELEASE: Sure you don’t have asymmetric routing? You're absolutely right — the current setup does involve asymmetric routing. The state policy does positively influence the firewall's behavior, though it’s not a decisive factor. I had assumed that if one interface with asymmetric routing functions correctly, the others would follow suit. However, that’s not the case — only one interface appears to affect the behavior. In any case, this gives me confidence that the firewall will operate as expected once the VM is shut down. Fingers crossed for a smooth transition!

I think I just figured it out. Services > DHCP > ServerSettings Code: { "option-def": [ { "space": "dhcp4", "name": "vlan-id", "code": 132, "type": "uint32" } ] } Then hop over to the interface, in my case: PHLAN { "option-data": [ { "name": "vlan-id", "data": "10", "space": "dhcp4" } ] } Hope this helps someone! I don't have enough permissions apparently to delete my own post LOL.

@HidekiSenpai not sure why you think a query to quad9 would be authoritative.. quad9 is not the authoritative ns for google.com Your unbound setting there are resolver mode, for you to be able to resolve you would have to be able to talk to all the NS on port 53.. If your upstream is blocking this then yeah your going to have issues. What does dns lookup on the diagnostic menu dns lookup report? To test if you can resolve and to see where you might be having issues do a dig + trace on pfsense. [25.07.1-RELEASE][admin@sg4860.home.arpa]/root: dig google.com +trace ; <<>> DiG 9.20.6 <<>> google.com +trace ;; global options: +cmd . 84617 IN NS d.root-servers.net. . 84617 IN NS f.root-servers.net. . 84617 IN NS e.root-servers.net. . 84617 IN NS m.root-servers.net. . 84617 IN NS j.root-servers.net. . 84617 IN NS b.root-servers.net. . 84617 IN NS c.root-servers.net. . 84617 IN NS g.root-servers.net. . 84617 IN NS k.root-servers.net. . 84617 IN NS l.root-servers.net. . 84617 IN NS a.root-servers.net. . 84617 IN NS h.root-servers.net. . 84617 IN NS i.root-servers.net. . 84617 IN RRSIG NS 8 0 518400 20250915050000 20250902040000 46441 . r2EKEjvLOSDMWT4XAMJK+3McQntRgJ/wtG2WXCZ90DdKxUgNUCU1Q1R+ YDovtNQExt87dM1gu8S10al5FJPNkLM6pbQM010+1E2AnyCQyt4DQrJh JgMhwcYONIbT/gGrXfQS7sdN8B5g0ob2HcqXRxqMkDOldxdBCJy7B5ZM AufoQlrCrdazkGHVxC+vzsDIDVYnAFLlLkoHtcpbLmiK1w6MiVNfzfWt EC4v7Bibau5rMYzhYZ0EwGv4CCG6dn8HiGEg0rNBmMi7onXndKhq2S4H T9b1jkIj1qG1GfVOzVuqmzv7OWgW9+0jbqel3VR7AAfO9plH7JLeVNY1 EmTLTg== ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A com. 86400 IN RRSIG DS 8 1 86400 20250915050000 20250902040000 46441 . PuEt7PPZTytXpON7kI4PR4ePmn1RbbZwWwksIwQqStFADSXkHLtaCWBk 6rjtDQogfGqqcRZnJzXTwq7FD+lsB//y3DBBkzBB+ag7XmldiFGtkV3Y 9ueUEL4ydZnyftPClzOtBYbtzMVA2oC6gfNbi7LyIFUUH8xc0IZUPJah 9IQF443ZocHNNl8jPpSilA7QVkSf6rKRH5CNUdTsJ6qhfXUEOWgNqIaV yLCrPzsnyl7+PoU1dBpPmsbUY0DUO2A0E5Zs5lBpcgjThoEK/SMokB1v Rb75/7Yvb+MGyDWmZVwd9uKdVadxzn6jdJgxgSM+SBuxaSpkWlnqhJnx fYnP/w== ;; Received 1170 bytes from 2001:503:c27::2:30#53(j.root-servers.net) in 9 ms google.com. 172800 IN NS ns2.google.com. google.com. 172800 IN NS ns1.google.com. google.com. 172800 IN NS ns3.google.com. google.com. 172800 IN NS ns4.google.com. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250908002603 20250831231603 20545 com. I5bq7mPPNzfXbaaD27hOUwaUOIQJi6EcJYwN+Ab4FiMqp5GgoHWsfgSm LHUn2Mg3jXAGfxykTCnJXfUQYtJ+oQ== S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN RRSIG NSEC3 13 2 900 20250909012623 20250902001623 20545 com. 1Sn2h2Xvf9GUFWqqEDwCOD+aZFVhrEhV+87H/RxeCGuNoA42E7tz5Oq6 A7hnIkd0J8coWN0C9M9gQlJLjrrfvw== ;; Received 644 bytes from 192.26.92.30#53(c.gtld-servers.net) in 27 ms google.com. 300 IN A 172.217.2.46 ;; Received 55 bytes from 216.239.36.10#53(ns3.google.com) in 25 ms The dig + trace is exactly what the resolver would do - so seeing all the steps can show you were you might be failing in the process.

Quick update that the advice above worked great. Stripped out those bridges and re-architected all APs and switches across one link. 5 total VLANs. Unexpected benefit was what seemed like at least a 20% bump in overall performance from the 4200. Note: Also took the opp to upgrade the 4200 w a SSD so that it's now a "Max"- maybe that helped w perf, too.

@piook said in Take two at this a year and no replies later.: But when I connect the LAN port to the switch and everything over that port is 1GB Full duplex Which port on the USW Pro Max 16 are you connection the LAN cable. Of course you are aware that only 4 ports are 2.5G on that switch (according to the product page) What speed selection does is show if you remove the LAN cable, still 1G the fastest speed selectable? What happens when you switch the ports from the pc and the LAN cable? In general you would have better support on the Unifi forum I think.

@patient0 VLAN 1 is a normal VLAN. 0 means untagged, which means that the packets don't have any VLAN information in it and the switch assignes the Primary VLAN (port in trunk mode)/assigned VLAN (port in access mode) to packets entering the switch port and sets the VLAN number on those packets.

@keyser Thanks for the reply. I have a spare port on my router and I will use it to experiment with.

@chris.doldolia The 2100 has a 4 port switch. The documentation page I linked above will allow you to treat a given port as (change it to become) a separate network interface. In the default configuration the individual ports cannot have an IP address because they are all the same LAN. If you want to add a VLAN and have it work on all four ports then I think you need to add the VLAN to "port 5" which is the switch. You might post your Interfaces > Switches pages, and Interfaces > Assignments pages.

Now, I can start configure more rules on the FW + connecting the Netgate directly to my ISP Modem. Great Is there a recommende list of FW settings laying around? I saw several of the Youtube videos where they kind of had their own focus. Based on the description, this would be a GUEST network. Here’s an example for you: Note: GUEST users are not allowed to use pfSense’s DNS server. Instead, I’m using DHCP to provide a public DNS server for them. [image: 1753873577326-5f99a867-d081-4c33-ac6a-de697d0826fb-image.png] Internal network alias is an alias that contains all my local networks.

@SteveITS Yep. The address in that /29 was given by DHCP.

@johnpoz You just don't get the different in working on layer 3 and layer 2. It is why you have default gateways and default routes and they are different. ThAT SEEMS TO BE OVER YOUR HEAD. Your firewall to the world is going to be layer 3. You are lost in pfsense and you can't see the forest for the trees. Go away John please do not reply to my threads. I will try not to post any more here. And yes I ran a small team of network people a long time ago. I had over 4000 PCs and around 50 locations so get over it. You ran me off last time and I went back to Cisco over pfsense. Look back in the threads years ago. Plus pfsense was having routing issues or slowdowns on routing as I was doing layer 3 back then at home. Version 2.8 is fast now which is good. Having a connection of 10gig reduces your latency whether you run full 10gig or not. I have 1 gig of data on a 10gig connection. I think this is best you can do now for home. I have a Cisco 10gig layer 3 switch I plan to install soon. So I can push the extra data bandwidth.

@spickles I would think the easiest way to replace a Cisco ASA 5505 would be use pfsense as a firewall not a router. Keep using your Cisco L3 switch. I do that at my home. I use an Cisco L3 switch and route between my L3 switch and pfsense. You lose pfsense control over your local network. This would not be an issue with you as you will already have that with your L3 switch. Setup pfsense with no vlans and keep all the vlans on your L3 switch. Then set up your firewall rules and static routes to your L3 switch.

Indeed, I have to consult the community on how to configure the captive portal, too.

Thanks! Surfshark does not support IPv6. DHCPv6 Server is not running on Guest Guest VLAN IPv6 Configuration Type is None. [image: 1751811989749-e300cdf0-d2f6-472a-bc37-67536aa7f008-image.png] Router Advertisement Router Mode is Disabled [image: 1751812258868-585e8e78-a12d-4437-8663-7ea80d8c1555-image.png] Added a Guest firewall rule at the top of the stack to block IPv6 traffic [image: 1751812578788-7cf2241b-4d32-4d08-9a25-75e272d7ae31-image.png] Also tested disabling IPv6 in the APN on my phone. Didn't help. We're still having problems with some apps/content on our phones.

I managed to solve this myself today. The reason I can't ping the client directly connected to the igc1 of pfsense is because of the Bitdefender stealth mode setting. Once I turned it off, I can now ping the client. I came up with this solution because I tried Ubuntu on a flash drive, and I can ping it, so there is a problem with the firewall of the Windows machine. That's why I checked all the firewall settings one by one on the Windows client.