@dbeaver2471 said in Cant get VLAN configuration between Netgate 4100 & Aruba 1930 to work: n the port that my pc plugs into I tagged VLAN1 That is almost always going to be wrong.. If your tagging vlan 1, I can pretty much assure you doing it wrong. Especially if your plugging a pc into that port. pfsense - 1 U, 10T, 20T - switch - ports you want devices in either 1, 10 or 20 - all would be untagged. Untagged is also just another way to say native, if you have your lan on icg0 then that is a native and untagged.. If you want to carry other vlans over that same icg0 interface they would be tagged. Your switch would have its default (vlan 1) as native on the port that plugs into icg0 of pfsense - and would have tagged vlans 10 and 20. Devices you plug into this switch that you want on a specific network, be it 1, 10 or 20 would be just untagged in that vlan on your switch. Only if you are uplinking to another switch, or AP or like a vm host interface or something would you tag 10 and 20.. When that thing your uplinking to would need to be able to put traffic on any of those networks. If you would tag a vlan to your PC, then you would have to setup your pc to understand the tag, and also any traffic it put on the wire would need to be tagged.

@viragomann said in Can't get pfSense bridge to work with VF NIC: Yeah, if you pass through the hardware to a VM, the host cannot use it anymore. That is 100% not true. As I mentioned, I pass through VF, SR-IOV is designed just for this. Host device remains and is supposed to be able to talk to guests and to the outside. @viragomann said in Can't get pfSense bridge to work with VF NIC: You should rather create a bridge in Proxmox, connect the hardware NIC to it and assign and IP and connect the virtual interface of the VM, if you want to access both devices over the single NIC. That is exactly the description of the virtio interface I have, but it is slow, just ~1.3 Gbps in pfSense due to multiple reasons (issues opened for years and little if any progress is happening on them, so I wanted to pass through the physical hardware). On Linux virtio interfaces trivially push over 10 Gbps, but not in pfSense.

Just tried on pfSense 2.8.1, seems to work fine. The VLAN is working fine, but the ixv driver itself seems to be flaky and sometimes not really working properly on boot, which in turn causes VLAN issues as well. But it is not happening nearly as often as it did in the past.

Ok this is all kinds of messed up - nothing is actually wrong, the server management keeps showing me absolutely nonsense IP connected on that particular port. Even after a reboot. WTF?

@patient0 said in Identifying Rogue Traffic: @james_h it's more the last rule with 'PreferFIBRE'. The default allow-all rule after installation is source 'LAN subnets' and the rest any. You rule allow anything as source on the PRIVATE interface. If you do expect traffic with source IPs of PRIVATE subnet then changing it from * to 'PRIVATE subnet' would have blocked the 172.20.* traffic. Are the 'admin_devices' all in the PRIVATE subnet? Yes I think thats what I should do. The admin devices are indeed in the PRIVATE subnet.

@jogovogo said in No Internet access with VLAN via OPT1: My first surprise is that I'm now on the firewall, but why? The web server that serves the pfSense GUI runs on all assigned interfaces. When you installed pfSense, there was a pass rule for incoming traffic on the initial LAN interface : it accepts all traffic. When you add more LAN type interfaces, the ones called OPTx, there will be no inital rules, so you can't access anything. DHCP will work as pfSense will add hidden DHCP (UDP port 67 and 68) rules, but nothing else (no http https dns icmp etc etc etc etc). When you add a pas rules for TCP, UDP, etc, things "start to work". When you use addresses like this : [image: 1758697659291-89b7f27a-e729-4579-81c1-cb12989a7d3f-image.png] you use IP addresses. So, even is DNS is not working, then that won't be an issue. Your browser doesn't need to use use DNS (for translating host names to IP addresses) as you already gave an IP. It can contact the device 192.168.151.1 right away. You've allowed TCP IPv4 traffic to port 477, which is apparently your changed your pfSense https web GUI interface port. @jogovogo said in No Internet access with VLAN via OPT1: The issue has been resolved, simply, by restarting the DNS resolver. Euh ...... As you've changed lost of things at the same moment, it's hard to tell why dns (== the resolver) didn't work initially. Normally, when you add an new interface like your OPT1 interface, system processes like DNS (the resolver) gets restarted. The resolver will listen to All Interfaces : [image: 1758698045123-e07276c8-27b7-4a13-b999-ca154f396adf-image.png] by default so it would work right away on the new OPT interface. Again, you still have to add a firewall rule to allow DNS traffic to reach the pfSense DNS port 53 of course.

@patient0 Got it, will explore 'Shellcmd' package Thank you!

@Monta you could do a traffic capture and look out for dhcp related packets...coming from, going to...pfsense offers that already. here: https://docs.netgate.com/pfsense/en/latest/diagnostics/packetcapture/webgui.html you could also provide screenshot(s) of: vlan config pfense and vlan interfaces for dhcp vlan config of switch config of AP maybe that gives a hint... as already said: said in How to view VLAN: you possibly get more help if you give precise info ;)

@SteveITS said in VLAN connectivity broken after upgrade to 2.8.1-RELEASE: Sure you don’t have asymmetric routing? You're absolutely right — the current setup does involve asymmetric routing. The state policy does positively influence the firewall's behavior, though it’s not a decisive factor. I had assumed that if one interface with asymmetric routing functions correctly, the others would follow suit. However, that’s not the case — only one interface appears to affect the behavior. In any case, this gives me confidence that the firewall will operate as expected once the VM is shut down. Fingers crossed for a smooth transition!

I think I just figured it out. Services > DHCP > ServerSettings Code: { "option-def": [ { "space": "dhcp4", "name": "vlan-id", "code": 132, "type": "uint32" } ] } Then hop over to the interface, in my case: PHLAN { "option-data": [ { "name": "vlan-id", "data": "10", "space": "dhcp4" } ] } Hope this helps someone! I don't have enough permissions apparently to delete my own post LOL.

@HidekiSenpai not sure why you think a query to quad9 would be authoritative.. quad9 is not the authoritative ns for google.com Your unbound setting there are resolver mode, for you to be able to resolve you would have to be able to talk to all the NS on port 53.. If your upstream is blocking this then yeah your going to have issues. What does dns lookup on the diagnostic menu dns lookup report? To test if you can resolve and to see where you might be having issues do a dig + trace on pfsense. [25.07.1-RELEASE][admin@sg4860.home.arpa]/root: dig google.com +trace ; <<>> DiG 9.20.6 <<>> google.com +trace ;; global options: +cmd . 84617 IN NS d.root-servers.net. . 84617 IN NS f.root-servers.net. . 84617 IN NS e.root-servers.net. . 84617 IN NS m.root-servers.net. . 84617 IN NS j.root-servers.net. . 84617 IN NS b.root-servers.net. . 84617 IN NS c.root-servers.net. . 84617 IN NS g.root-servers.net. . 84617 IN NS k.root-servers.net. . 84617 IN NS l.root-servers.net. . 84617 IN NS a.root-servers.net. . 84617 IN NS h.root-servers.net. . 84617 IN NS i.root-servers.net. . 84617 IN RRSIG NS 8 0 518400 20250915050000 20250902040000 46441 . r2EKEjvLOSDMWT4XAMJK+3McQntRgJ/wtG2WXCZ90DdKxUgNUCU1Q1R+ YDovtNQExt87dM1gu8S10al5FJPNkLM6pbQM010+1E2AnyCQyt4DQrJh JgMhwcYONIbT/gGrXfQS7sdN8B5g0ob2HcqXRxqMkDOldxdBCJy7B5ZM AufoQlrCrdazkGHVxC+vzsDIDVYnAFLlLkoHtcpbLmiK1w6MiVNfzfWt EC4v7Bibau5rMYzhYZ0EwGv4CCG6dn8HiGEg0rNBmMi7onXndKhq2S4H T9b1jkIj1qG1GfVOzVuqmzv7OWgW9+0jbqel3VR7AAfO9plH7JLeVNY1 EmTLTg== ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A com. 86400 IN RRSIG DS 8 1 86400 20250915050000 20250902040000 46441 . PuEt7PPZTytXpON7kI4PR4ePmn1RbbZwWwksIwQqStFADSXkHLtaCWBk 6rjtDQogfGqqcRZnJzXTwq7FD+lsB//y3DBBkzBB+ag7XmldiFGtkV3Y 9ueUEL4ydZnyftPClzOtBYbtzMVA2oC6gfNbi7LyIFUUH8xc0IZUPJah 9IQF443ZocHNNl8jPpSilA7QVkSf6rKRH5CNUdTsJ6qhfXUEOWgNqIaV yLCrPzsnyl7+PoU1dBpPmsbUY0DUO2A0E5Zs5lBpcgjThoEK/SMokB1v Rb75/7Yvb+MGyDWmZVwd9uKdVadxzn6jdJgxgSM+SBuxaSpkWlnqhJnx fYnP/w== ;; Received 1170 bytes from 2001:503:c27::2:30#53(j.root-servers.net) in 9 ms google.com. 172800 IN NS ns2.google.com. google.com. 172800 IN NS ns1.google.com. google.com. 172800 IN NS ns3.google.com. google.com. 172800 IN NS ns4.google.com. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250908002603 20250831231603 20545 com. I5bq7mPPNzfXbaaD27hOUwaUOIQJi6EcJYwN+Ab4FiMqp5GgoHWsfgSm LHUn2Mg3jXAGfxykTCnJXfUQYtJ+oQ== S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN RRSIG NSEC3 13 2 900 20250909012623 20250902001623 20545 com. 1Sn2h2Xvf9GUFWqqEDwCOD+aZFVhrEhV+87H/RxeCGuNoA42E7tz5Oq6 A7hnIkd0J8coWN0C9M9gQlJLjrrfvw== ;; Received 644 bytes from 192.26.92.30#53(c.gtld-servers.net) in 27 ms google.com. 300 IN A 172.217.2.46 ;; Received 55 bytes from 216.239.36.10#53(ns3.google.com) in 25 ms The dig + trace is exactly what the resolver would do - so seeing all the steps can show you were you might be failing in the process.

Quick update that the advice above worked great. Stripped out those bridges and re-architected all APs and switches across one link. 5 total VLANs. Unexpected benefit was what seemed like at least a 20% bump in overall performance from the 4200. Note: Also took the opp to upgrade the 4200 w a SSD so that it's now a "Max"- maybe that helped w perf, too.

@piook said in Take two at this a year and no replies later.: But when I connect the LAN port to the switch and everything over that port is 1GB Full duplex Which port on the USW Pro Max 16 are you connection the LAN cable. Of course you are aware that only 4 ports are 2.5G on that switch (according to the product page) What speed selection does is show if you remove the LAN cable, still 1G the fastest speed selectable? What happens when you switch the ports from the pc and the LAN cable? In general you would have better support on the Unifi forum I think.

@patient0 VLAN 1 is a normal VLAN. 0 means untagged, which means that the packets don't have any VLAN information in it and the switch assignes the Primary VLAN (port in trunk mode)/assigned VLAN (port in access mode) to packets entering the switch port and sets the VLAN number on those packets.

@keyser Thanks for the reply. I have a spare port on my router and I will use it to experiment with.

@chris.doldolia The 2100 has a 4 port switch. The documentation page I linked above will allow you to treat a given port as (change it to become) a separate network interface. In the default configuration the individual ports cannot have an IP address because they are all the same LAN. If you want to add a VLAN and have it work on all four ports then I think you need to add the VLAN to "port 5" which is the switch. You might post your Interfaces > Switches pages, and Interfaces > Assignments pages.

Now, I can start configure more rules on the FW + connecting the Netgate directly to my ISP Modem. Great Is there a recommende list of FW settings laying around? I saw several of the Youtube videos where they kind of had their own focus. Based on the description, this would be a GUEST network. Here’s an example for you: Note: GUEST users are not allowed to use pfSense’s DNS server. Instead, I’m using DHCP to provide a public DNS server for them. [image: 1753873577326-5f99a867-d081-4c33-ac6a-de697d0826fb-image.png] Internal network alias is an alias that contains all my local networks.

@SteveITS Yep. The address in that /29 was given by DHCP.