L2/Switching/VLANs

• N

  Connect 4 physical ports to the same switch
  • njanja

  9
  0
  Votes
  9
  Posts
  195
  Views

  

  If you want all 4 ports to go to the same switch on 4 different broadcast domains then just connect all 4 ports to 4 untagged switch ports on 4 separate switch VLANS. Pretty much nobody would do that because VLANs are much more flexible but if that's what you want, knock yourself out.
• K

  Moving device to new VLAN setup not working
  • kiekar

  17
  0
  Votes
  17
  Posts
  148
  Views

  K

  @johnpoz said in Moving device to new VLAN setup not working: you don't have any vlan 2 setup on your switch from what you posted You're right I don't have any vlan 2 setup now but from my readings for best practice if a vlan is created e.g.for port 3 for NAS then any other connection e.g. port 2 wlan interface 192.168.2.XXX should also have a vlan setup made. Correctly if I'm wrong. If i want the NAS device to go outside the network (e.g. internet) how will this work if it no longer has a wifi connection since the wifi router in on subnet 192.168.2.2 Do I have to NAT the NAS device to the wifi router? You have to create rules on those to allow what you want. I have a all open rule setup on the NAS interface but still was't able to ping the device using pfsense box under diagnostics however the gateway 192.168.30.1 succeeded. It may be my NAS device (wd mycloud ext2 ultra) giving me the problem. DHCP leases is displaying an ip for the device but it is showing it as offline. The unit itself is showing 3 blue lights indicating all is online.
• N

  Build router with pfSense
  • njanja

  2
  0
  Votes
  2
  Posts
  44
  Views

  

  @njanja said in Build router with pfSense: What is the purpose of buying a network card with multiple ports.On almost every forum they recommend to me Use VLANs Link aggregation, to increase available bandwidth. You might also want physically separate networks.
• M

  1WAN & 2 LAN on SG-1100?
  • markchen

  4
  0
  Votes
  4
  Posts
  86
  Views

  

  Not really. It works fine. The default configuration is DHCP WAN and 192.168.1.1/24 on LAN. All you have to do is edit Interfaces > OPT1, enable it, and number it with something other than what is on any other interface (like 192.168.2.1/24), add firewall rules to OPT1 to pass the traffic you want to allow, and enable a DHCP server on OPT1.
• P

  IGMP Not working
  • PlzHelp

  1
  0
  Votes
  1
  Posts
  30
  Views

  No one has replied

• J

  Sanity Check - VLAN or Subnets to seperate a single WiFi computer
  • joeschmuck

  8
  0
  Votes
  8
  Posts
  104
  Views

  J

  Thanks for the advice. I found some of it before I read your message but your message was right to the point. I had to read your message a few times to understand, the third rule was kicking my butt because I didn't include the DNS in the first rule. While this type of stuff is probably easy for many people, my goodness it's a lot to think about and keep track of. I mean, I do understand it but dang! So it looks like I have a VLAN that is isolated from everything except the printer. I will still use that 8 port switch as I desire to run some VM's on my ESXi machine on a separate VLAN and I need the switch that handles VTAGS to go between the pfSense computer and ESXi computer, so there was a benefit to having purchased it.
• I

  [RESOLVED] rate of data transfer between different vlans is extremely low
  • ivanildolb

  4
  0
  Votes
  4
  Posts
  99
  Views

  I

  [RESOLVED] The problem was in Traffic Shaper .. When I prioritized the traffic on the network using the wizard, I reported the speed of the WAN link, in this case, 20 mbps. So, as I checked, pfsense limited the network bandwidth to 20 mb (2.5 MB), including LAN and WAN. As this information is not made explicit in pfsense, I only notice when I deleted Traffic Shaper and set it up again. The solution I found was to report the maximum capacity of the circuit (1 Gb) to use the entire internal network bandwidth. Otherwise, the entire network is limited to the speed of the WAN link. I had done this configuration for a long time, but since the network was not segmented, the internal traffic was not through pfsense, so when I created vlans, pfsense limited the band ..
• S

  Post Installation , LAN not working
  • satnar

  1
  0
  Votes
  1
  Posts
  47
  Views

  No one has replied

• D

  New to networking; can't get traffic over VLAN
  • david_g17

  7
  0
  Votes
  7
  Posts
  103
  Views

  

  Yes. The rules are the same whether they are on em3 or em3.2
• 

  Interfaces for LAN vs VLAN
  • ARAMP1

  6
  0
  Votes
  6
  Posts
  111
  Views

  

  its a good obfuscation then - looks like actual screen shot! Better to mention you obfuscated or use documented example networks and mention that ;) 192.0.2/24 198.51.100/24 203.0.113/24 2001:DB8::/32 Just saying ;) You would be surprised at some of the stuff you see around here people doing for real ;) Or just block out part of the actual address so its clear is obfuscation..
• T

  make pfsense box a 10GbE switch
  • tiro_uspsss

  21
  0
  Votes
  21
  Posts
  345
  Views

  

  Oh I see he was put on a time out ;) I would of made it longer.. Maybe he can go demand info on how to do something that makes no sense on facebook or reddit.. But with such a demanding attitude he won't get much help over there either..
• 

  pfSense SSH connection between 2 different LAN's dropping after 1 minute
  • chippey5

  4
  0
  Votes
  4
  Posts
  72
  Views

  

  Solved It was a layer 8 issue - between the chair and the monitor. Static routing on LAN2 was incorrect. Reconfigured the static route (as per the settings in my previous reply) and connections are not dropping anymore.
• C

  Routing out to Internet through pfSense HW
  routing dns resolver rules internet • • Coops

  4
  0
  Votes
  4
  Posts
  94
  Views

  

  Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.
• N

  Convert Current Network to VLANs
  • NasKar

  8
  0
  Votes
  8
  Posts
  307
  Views

  

  If you tell pfSense to tag on VLAN 5, and the switch port connected to that has tagged VLAN 5, then your workstation needs to be connected to an untagged VLAN 5 port on the switch to have layer 2 connectivity to pfSense. That's the whole point.
• K

  LAGG (LACP) - UniFi Switch (16XG)
  lagg lacp unifi • • kklouzal

  43
  0
  Votes
  43
  Posts
  915
  Views

  

  OK then the MAC address should be spoofed. The MAC address on the LAGG should also be the spoofed MAC. That is exactly what would be expected.
• J

  Access for one host to VLAN
  • JohanÅ

  6
  0
  Votes
  6
  Posts
  179
  Views

  

  Please post your rule set not a summary of what you think is there. You left out a lot of key information.
• A

  Motorola MB8600 LAGG / LACP direct from pfSense WAN not recognized by modem (?)
  • AveryFreeman

  6
  0
  Votes
  6
  Posts
  167
  Views

  

  Figure this out yet? While screwing around with this I remembered I had to set a MAC address on the WAN page..
• J

  7100-1U - Switch ports LAGG problem
  switch lagg bug • • joesxs

  3
  0
  Votes
  3
  Posts
  123
  Views

  

  @Asamat: Your 'this Bug' URL is this thread here. -Rico
• A

  VLAN Routing Issue
  • angdigi

  5
  0
  Votes
  5
  Posts
  166
  Views

  

  A windows host out of the box is not going to answer icmp from a network other than its local network.. So yeah if you wan to be able to access a windows machine from another vlan you would have to adjust its firewall to allow for the access.
• D

  Losing connection
  • doqu

  5
  0
  Votes
  5
  Posts
  154
  Views

  D

  @derelict Thank you for pointing us in the right direction. Eventually found in the switch a different ARP the in the pfsense. Eventually followed those issue around in the network and solved the issue. Thank you for the advice.
• B

  TOR project and regular network on separate VLANs with openVPN to each
  openvpn vlan tor • • bmwever

  2
  0
  Votes
  2
  Posts
  72
  Views

  B

  Two things that I forgot to mention are that I already have OpenVPN set up successfully for my normal network and that since I'm new to the pfSense concept, I've never worked with VLANs on it before. I do, however, understand the VLAN broad concept since I've taken a Principles of Networking class as a computer systems administration student at my university.
• M

  Trouble creating LAGG - no parent interfaces
  • mikej47

  4
  0
  Votes
  4
  Posts
  104
  Views

  M

  Thank you for pointing me in the right direction, I am brand new to pfsense. I wasn't expecting the SG-3100 to have it's built in little switch. I am finding conflicting information regarding the SG-3100 being able to support LACP on a LAGG. This post indicates the SG-3100 seems to not support LACP https://forum.netgate.com/topic/131207/lagg-on-switched-ports-on-sg-3100 and this Netgate article has LACP described for the SG-3100 has LACP listed as a protocol for the SG-3100. I am still have difficulty created a 2 port LAG to a Cisco switch using LACP and trunking multiple VLANs over it. Has anyone here been successful at this? Thank you.
• T

  WAN starts cycling link after Ethernet link loss
  • tgoltz

  8
  0
  Votes
  8
  Posts
  212
  Views

  J

  @derelict said in WAN starts cycling link after Ethernet link loss: It runs another ifconfig to explicitly set autoselect. When it does it bounces the link. That is probably freaking out what it is connecting do and it is bouncing the link too, initiating a negotiation loop. I wouldn't call it a bug in pfSense. It could be a bug in the modem. :) I would call it an incompatibility caused by someone that shouldn't be tweaking settings and checking boxes unnecessarily since default (usually autoselect) is the default for a reason. Nice explanation. Not sure of the need to slam those of us that have run into that problem though. After all, the GUI text specifically says: "WARNING: MUST be set to autoselect (automatically negotiate speed) unless the port this interface connects to has its speed and duplex forced." A bit of a stretch to blame us for heeding the bold warning.
• K

  Accessing DSL modem
  pfsense modem access • • kcallis

  8
  1
  Votes
  8
  Posts
  237
  Views

  K

  Now if only I could edit the topic, I could change it to solved!
• S

  vlan works allocates dhcp and web access only when connected to LAN port and stop when connected to switch or AP
  • shtrull

  5
  0
  Votes
  5
  Posts
  192
  Views

  S

  @jknott thanks for your help, finely i got it to work, i needed to add the VLAN to the switch and then tag the ports i want to transfer the VLAN with
• J

  VLAN over openvpn
  • JohnSed

  5
  0
  Votes
  5
  Posts
  231
  Views

  

  @johnsed said in VLAN over openvpn: so I have 11 vpns on each router Certainly not how I would do it. I'd have a central site feeding all of those. I would have redundancy at the central site so no one failure took everything down. That site would route between the "spokes." Everything necessary to all of the "spokes" would be accessible via the central site. They way you have done it is take the number of sites you have and the number of problems that might ring your phone is sites^2 instead of sites/2.
• F

  New VLAN won't route to other VLANs
  • fescorick

  6
  0
  Votes
  6
  Posts
  203
  Views

  

  Did you put a gateway on your vlan 5 rules? This is common mistake where users set a gateway on the rule, this forces traffic out that gateway vs allowing pfsense to use it routing table. Post up your rule(s) you put on vlan 5 interface Blocking rfc1918 on the interface have seen as well.
• M

  kernel arp moved from
  • Miguel López

  3
  0
  Votes
  3
  Posts
  156
  Views

  M

  Hello Completely true, IP duplicated in the LAN segment. Thank you so much.
• 

  How can I verify VLAN support for my NIC?
  • numeratrix

  18
  0
  Votes
  18
  Posts
  514
  Views

  

  Ah, well then it shouldn't be required through the edge router either. Just a matter of getting it to pass the traffic. Steve
• S

  Camera VLAN Configuration
  • SCCMAdmin

  5
  0
  Votes
  5
  Posts
  188
  Views

  

  @sccmadmin said in Camera VLAN Configuration: The DVR will need to have access to both VLANs to access the cameras and to be accessed from user computers to login to web interface to view the camera feed/recordings. How can I accomplish this? That is called routing.. And yes that is how any device in vlan X gets access to devices not on vlan X.. Be they are vlan (tagged) or just different physical networks. That is what pfsense does out of the box. You can set the rules to be any any on both networks/vlans or you can restrict traffic to the specific ports needed. I would NOT recommend dual homing your DVR.. Unless your going to isolate all your camera's behind the DVR itself on different vlan that doesn't even have to touch pfsense. And then another nic on the DVR will give the DVR access to the rest of your network, etc.
• L

  Connecting two edge switches together
  • linuxpc4me

  3
  0
  Votes
  3
  Posts
  106
  Views

  

  What needs to be done is all the vlans that you want on the downstream switch need to be tagged and allowed on the port that connects the switches on both switches.. Cisco calls that a trunk port yes. edit: BTW moving this to the L2 section.
• S

  VLAN Trunking over multiple ports
  pfsense vlan bridge trunk interfaces • • sethc

  2
  0
  Votes
  2
  Posts
  155
  Views

  

  Create a LAGG on pfsense and on the switch stack. Use the LAGG as the vlan parent.
• R

  MAC Y VLAN
  • raca

  2
  0
  Votes
  2
  Posts
  94
  Views

  N

  If your talking about changing the vlan interface mac addresses, you can’t you need to change the mac on the parent interface.
• N

  Setting up a Vlan for security,
  • nambi

  10
  0
  Votes
  10
  Posts
  299
  Views

  

  @johnpoz said in Setting up a Vlan for security,: You should never be suggesting to someone that they can get by with using a dumb switch if they want to start using vlans. What about my original intention for using a VLAN. I have an access point that supports multiple SSIDs and I was planning on setting up a guest SSID & VLAN. It was the only device on my network, other than pfSense, that would use a VLAN. Was I supposed to toss a perfectly good Cisco unmanaged switch, just because I was running a VLAN to one device? However, I definitely recommend VLANs for security cameras, VoIP phones, etc.. In some cases, it makes sense to use a managed switch to keep LAN and VLAN separate. In others, maybe not. An example would be a network where most devices are VoIP phones, with computers plugged into the phones. (I've seen networks where there's nothing else other than VoIP phones & computers and the Internet connection) In that situation, what advantage would a managed switch provide? Due to the way switches filter traffic, there would be very few VLAN frame appearing at devices not configured for a VLAN. As always, look at the requirements and be guided accordingly. That said, there's not much reason to not buy a managed switch these days. BTW, my plan failed because our favorite manufacturer, TP-Link, didn't know how to handle VLANs properly. Me and jknott bang heads about this all the time. And you have horns on yours!
• C

  link aggregation Alcatel switches
  • ChrisT

  6
  0
  Votes
  6
  Posts
  167
  Views

  

  That ifconfig indicates LACP isn't even set on that lagg.
• D

  Gateway down forever when adding new VLAN interface
  • df15kb

  3
  0
  Votes
  3
  Posts
  145
  Views

  D

  Hello, I'm using version 2.4.4
• R

  pfSense Hyper-V VM, DSL modem, VLANs
  • regexaurus

  3
  0
  Votes
  3
  Posts
  175
  Views

  R

  @derelict Hmmm...I'm not sure there is a way to assign a virtual NIC for a Hyper-V VM to an untagged VLAN. I had added a VLAN during pfSense initial config, to match the virtual NIC and physical switch port configs. The general ease of virtualization lured me into forgetting the requirement for VLAN support at the NIC hardware/driver level. Broadcom docs indicate Netlink 57XX series don't have VLAN support. My onboard NIC is a Broadcom Netlink BCM57780. I ended up adding a multi-port PCI-E NIC (removed the bracket so it would fit my low profile Optiplex 380), connecting a second port between Hyper-V host and switch (untagged/PVID VLAN 100) for VLAN, and reconfigured switch, virtual NIC and pfSense interfaces accordingly. Success. Though for me it defeats the purpose of a VLAN in the first place. The switch, modem and Hyper-V host (pfSense) are all in close proximity, so I can simply connect the modem to the second port on the Hyper-V host. But I never used a modem connected to a switch port instead of directly to my router, and was curious whether it would work as expected. Your response got me thinking in the right direction. Thank you!
• P

  CARP, HA, pfsense, and Switches
  carp m4300 sg350 • • purduephotog

  11
  0
  Votes
  11
  Posts
  298
  Views

  P

  @teamits yeah. It should just work. It doesn't tho... And it's really messing up my holiday giving spirit. I should've just did it all myself. No outside vendor. Sigh.
• S

  Seperate subnets on the same physical NIC with VLANs
  • SDcrockz

  6
  0
  Votes
  6
  Posts
  180
  Views

  

  Then start following the manual: https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html and if this isn't enough capture packets on both sides to see where it fails. Btw. if you really want to use VLANs get managed switches, unmanaged switches can strip/mess up VLAN tags.
• W

  WAP Wifi VLAN problem
  • webrat11

  9
  0
  Votes
  9
  Posts
  209
  Views

  W

  There is a second VLAN id field hidden under the adavnced option for each Wifi network profile. Correcting that allowed me to ping across the waps to the firewall but still no internet. I need to reserach more about the Netgear WAPs tagged/untagged network option and then will retry next year. Thanks for the suggestions.