L2/Switching/VLANs

• V

  UPnP Problem in VLAN
  • VioletDragon  

  2
  0
  Votes
  2
  Posts
  22
  Views

  

  UPnP has no idea whether it is on a VLAN or not.
• T

  WAN on VLAN or internal switch port
  • thomas_n  

  3
  0
  Votes
  3
  Posts
  54
  Views

  T

  The reasoning is as follows: The ISP is also the provider of set-top boxes (STB's) which are placed in several locations on the site. These STB's need to be connected to the WAN directly and not NAT-ed or routed in any way. However, we need their data to run over our internal trunks. As a result, a VLAN with the unrouted WAN on the trunk is what we need. But, at the same time we still need the firewall to provide NAT and routing for several internal networks also connected to the WAN. Normally I could achieve this by plugging the WAN into ports on the switch assigned to this VLAN directly and then connecting the WAN port of the firewall also to this VLAN, but that gives me no control over what is happening on the WAN within the facility. I want to have the ability to transparently firewall this VLAN as well, so it does have to go through the PFsense box. Is that more clear?
• G

  Not new to pfSense, but setting up my first VLAN, but I just can't grasp the concept...
  vlan • • GoateedGeek  

  17
  0
  Votes
  17
  Posts
  100
  Views

  G

  @johnpoz My drawing above is the existing config. The Netgear switch is completely unused. I would be fine using that if need be for the VLAN or port 5 or 6, although from Example 1 here, which I was going to loosely follow for the VLAN tagging, it appears to me, I should be able to remove a port from VLAN 1. https://www.tp-link.com/us/faq-788.html Tim
• N

  Problems with transit VLAN & management interface sg300\pfSense
  • networknewb  

  2
  0
  Votes
  2
  Posts
  43
  Views

  N

  Ok I finally was able to get the management interface to work, but in a backwards way. I added an ipv4 interface with VLAN 10 and rather than setting the IP I let it get it from DHCP. It did, and it worked fine! I then put a static IP mapping in pfSense for the MAC and forced a refresh of the management interface and now it has the IP I wanted all along. I then changed the IP over to "static" on the switch. My question is why did it work via DHCP, but not via just setting it up as a static mapping? The only thing I can think of is that when I add the interface manually with a static IP it is doing something weird with the default route or not updating the default route and it's trying to access the management VLAN over a different interface. Anyone seen this before?
• 

  Browsing nfs share in other VLAN not working.
  • Herman  

  29
  0
  Votes
  29
  Posts
  217
  Views

  

  @johnpoz said in Browsing nfs share in other VLAN not working.: @herman said in Browsing nfs share in other VLAN not working.: When the family is watching a movie and I start to copy large files the movie stutters or even stops. And the kids do not appreciate that :-) If your loading up the server, might not matter if your on another interface or not if your sucking up the I/O to a shared disk or CPU of the machine. If your on a switch you doing something between A and B doesn't effect traffic between C and D.. Adding another interface on B, will only solve the problem of stuttering a streaming movie if the only problem was saturation of the interface.. But if your working with the same disk that the movie is streaming from... Your issue might not be network bandwidth it could be your hitting the I/O of the disk limits, or the cpu of the server streaming, etc.. Thank you @johnpoz for the info... I wil dig in it.
• 

  Layer 3 Switches, but VLAN routing through pfsense
  • rad  

  7
  0
  Votes
  7
  Posts
  90
  Views

  M

  You will definitely want to do a fair amount of planning and schedule an after-hours change window because there will be some downtime. You'll need to configure a transit network, configure the SVI's on your switches, if dhcp was previously coming from PFsense... you'll need to figure out where your new DHCP server is going to live, add helper addresses to each SVI, change the default gateway for all of your dhcp scopes, change the default gateway for all static devices, etc. There's quite a bit of work to do, but it will be worth it.
• C

  OpenVPN VLAN routing
  pfsense openvpn vlan unifi • • cobhc  

  3
  0
  Votes
  3
  Posts
  115
  Views

  M

  Everything depends on your setup. Would need more details. Post a network map. Are your VLANs terminated on PFsense or your switch? Post your server1.conf What are the IP's in the VLAN you're trying to access? What do the rules look like on your LAN and OpenVPN tab?
• E

  Unifi over OpenVPN
  • eidolontubes  

  2
  0
  Votes
  2
  Posts
  112
  Views

  R

  If you want to use the DHCP server from the Main Office, you need to set a DHCP Relay address on the Branch Office with the IP(s) of the DHCP Server(s) from the Main Office. So the branch office will sent the DHCP request to the Main Office.
• 

  VLAN's not working with pfSense and HP1810-24G Switch.
  • Herman  

  39
  0
  Votes
  39
  Posts
  370
  Views

  

  So set VLAN 1 on port 1 to Untagged.
• M

  VPN on VLAN working but disabling LAN traffic
  • mlaustin  

  10
  0
  Votes
  10
  Posts
  147
  Views

  M

  Thank you. That worked. I just created another rule above the IOTnet to any with this gateway. Then I can disable that rule as needed.
• R

  Attempting to L3 route limited success
  • realityman_  

  2
  0
  Votes
  2
  Posts
  90
  Views

  No one has replied

• R

  Currently router on a stick, want to go hybrid
  • realityman_  

  13
  0
  Votes
  13
  Posts
  157
  Views

  R

  Yea, I've come to the conclusion short of getting new storage and putting it squarely in each VLAN that I need to do L3 routing at the switch for VLAN 20 and 70. I guess I was just more or less asking if there was any other architecture you can think of that may have worked better, but it really seems like it is that straight forward. So to summarize my changes: Disable Snort on VLAN 20 and 70 Create 172. something /30 subnet for transit Create new VLAN tag 172 in pfSense Create new interface tied to this VLAN At both switches I will add a new VLAN for the transit network, and set that as the default route to 172.something.1 Add VLAN 20 and VLAN 30 at the core switch (sg300-10). I'll put in ACLs to block everything between the VLANs except the IP\Port combos I currently have in my firewall relating to those two subnets. Disable VLAN 20 and VLAN 70 interfaces in pfSense Create new gateway with 172.something.1 as gateway Create new static routes for 10.37.70.0/24 and 10.37.70.0/24 via the gateway created above Enable Snort rules on new Transit interface. Verify any needed VLAN 172 firewall rules that are needed (shouldn't be any as this will only be used for outbound requests, correct?) Sound about right?
• R

  vlan interfaces does not came up
  • Rocco83  

  1
  0
  Votes
  1
  Posts
  47
  Views

  No one has replied

• C

  Conflicting Admin VLAN requirements: UAP AC-Pro & Cisco switch
  • chris-1028  

  21
  0
  Votes
  21
  Posts
  332
  Views

  C

  at Johnpoz Thanks for that. I'll give it a go (the worst fate is that guests have no access for a while, but then I don't get a million guests a day and I have an unlimited-data 4G modem if my occasional guests are "unhappy"). I am "greenfield" in a sense -- I have total and exclusive control over my networks and report only to myself in the event of a disaster (yeah, I might get some $#1t from Madame, but there is always the 4G modem to calm her down). I have elected to move to "my-net 3.0" -- my decision was unanimous :) Why do I seek tagged admin? Most VLAN attacks go for VLAN1, or failing which, go for native-VLAN. I ask myself WHY should I have VLAN1 or native-VLAN connected to anything at all ... let alone to the admin heart of the network -- just seems a silly choice! Off to the mountains for skiing: you wont hear from me for a week or two, but I'll report back. Appreciate all the feedback so far. regards, Chris
• M

  Active - Passive Interfaces Question
  • MeCJay12  

  2
  0
  Votes
  2
  Posts
  64
  Views

  

  RTFM: https://docs.netgate.com/pfsense/en/latest/book/interfaces/interfacetypes-lagg.html
• F

  Bridged VLAN not passing parent MAC in ARP response
  • follysuperscript  

  2
  0
  Votes
  2
  Posts
  62
  Views

  F

  After thinking about how MAC addresses work on a switch, I replicated the MAC across all bridge members and the bridge itself, and things began working!
• X

  Desktop with 1 lan set for router
  • xplozia  

  12
  0
  Votes
  12
  Posts
  162
  Views

  X

  I installed with success. I set mikrotik like a Wisp AP - Bridge, I deleted DHCP rules and i create 1 vlan on eth5. In PfSense I created 1 vlan, in Interfaces / Interface Assignments I associate WAN with PPPOE0(em0) created in PPPs like a Link Type - pppoe. Now I have an Pfsense router with 1 single ethernet port for WAN and LAN. Thanks!
• N

  SOLVED: HEOS Multicast Control on different VLANs
  • nick13  

  3
  0
  Votes
  3
  Posts
  159
  Views

  N

  I had to use PIMD. IGMP Proxy wasn't routing the information properly. It sure would be nice if PIMD was default in the GUI if IGMP Proxy isn't able to route multicast for items like HEOS and Sonos. I followed this tutorial.
• T

  Cloning MAC Address
  • talon101  

  4
  0
  Votes
  4
  Posts
  132
  Views

  

  https://forum.netgate.com/topic/139859/sg-1100-running-real-vlans/8 the SG-1100 is essentially a router-on-stick in one case. You can't simply change the MAC of just the WAN port, as this is a switch port. You can assign the parent interface mvneta0 and then change it's MAC, which will affect all ports and create a conflict with the original device if it's still connected. So either get rid of the original device, put it on a different L2 if possible, register the SG-1100 MAC with your provider or return the SG-1100 and get a device with more dedicated interfaces. It really pays to research the hardware before you buy it.
• A

  VLAN Routing Issue
  • angdigi  

  8
  0
  Votes
  8
  Posts
  342
  Views

  A

  @johnpoz How should I go about troubleshooting duplicate packets? I read the following link, as well as the link about Asymmetric Routing, but not sure if it applies. https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html
• T

  Add NIC as extra LAN-port?
  • truetype  

  3
  0
  Votes
  3
  Posts
  94
  Views

  T

  @derelict said in Add NIC as extra LAN-port?: Get a switch. Leave igb3 available for use as a router port. If you insist on doing that look at bridging igb1 and igb3 into a bridge and use the bridge for LAN. I got a 5-port switch today which is in LAN but it's full, and I want to buy a Ubiquiti PoE switch 8-60W (about $100) but I only need 1 port so therefore it's not really negotiable to buy one just for I need one extra port lol So I thought if it's easy to use it as a LAN-port in the meantime...
• N

  Connect 4 physical ports to the same switch
  • njanja  

  9
  0
  Votes
  9
  Posts
  326
  Views

  

  If you want all 4 ports to go to the same switch on 4 different broadcast domains then just connect all 4 ports to 4 untagged switch ports on 4 separate switch VLANS. Pretty much nobody would do that because VLANs are much more flexible but if that's what you want, knock yourself out.
• K

  Moving device to new VLAN setup not working
  • kiekar  

  17
  0
  Votes
  17
  Posts
  291
  Views

  K

  @johnpoz said in Moving device to new VLAN setup not working: you don't have any vlan 2 setup on your switch from what you posted You're right I don't have any vlan 2 setup now but from my readings for best practice if a vlan is created e.g.for port 3 for NAS then any other connection e.g. port 2 wlan interface 192.168.2.XXX should also have a vlan setup made. Correctly if I'm wrong. If i want the NAS device to go outside the network (e.g. internet) how will this work if it no longer has a wifi connection since the wifi router in on subnet 192.168.2.2 Do I have to NAT the NAS device to the wifi router? You have to create rules on those to allow what you want. I have a all open rule setup on the NAS interface but still was't able to ping the device using pfsense box under diagnostics however the gateway 192.168.30.1 succeeded. It may be my NAS device (wd mycloud ext2 ultra) giving me the problem. DHCP leases is displaying an ip for the device but it is showing it as offline. The unit itself is showing 3 blue lights indicating all is online.
• N

  Build router with pfSense
  • njanja  

  2
  0
  Votes
  2
  Posts
  113
  Views

  

  @njanja said in Build router with pfSense: What is the purpose of buying a network card with multiple ports.On almost every forum they recommend to me Use VLANs Link aggregation, to increase available bandwidth. You might also want physically separate networks.
• M

  1WAN & 2 LAN on SG-1100?
  • markchen  

  4
  0
  Votes
  4
  Posts
  161
  Views

  

  Not really. It works fine. The default configuration is DHCP WAN and 192.168.1.1/24 on LAN. All you have to do is edit Interfaces > OPT1, enable it, and number it with something other than what is on any other interface (like 192.168.2.1/24), add firewall rules to OPT1 to pass the traffic you want to allow, and enable a DHCP server on OPT1.
• P

  IGMP Not working
  • PlzHelp  

  1
  0
  Votes
  1
  Posts
  81
  Views

  No one has replied

• J

  Sanity Check - VLAN or Subnets to seperate a single WiFi computer
  • joeschmuck  

  8
  0
  Votes
  8
  Posts
  189
  Views

  J

  Thanks for the advice. I found some of it before I read your message but your message was right to the point. I had to read your message a few times to understand, the third rule was kicking my butt because I didn't include the DNS in the first rule. While this type of stuff is probably easy for many people, my goodness it's a lot to think about and keep track of. I mean, I do understand it but dang! So it looks like I have a VLAN that is isolated from everything except the printer. I will still use that 8 port switch as I desire to run some VM's on my ESXi machine on a separate VLAN and I need the switch that handles VTAGS to go between the pfSense computer and ESXi computer, so there was a benefit to having purchased it.
• I

  [RESOLVED] rate of data transfer between different vlans is extremely low
  • ivanildolb  

  4
  0
  Votes
  4
  Posts
  159
  Views

  I

  [RESOLVED] The problem was in Traffic Shaper .. When I prioritized the traffic on the network using the wizard, I reported the speed of the WAN link, in this case, 20 mbps. So, as I checked, pfsense limited the network bandwidth to 20 mb (2.5 MB), including LAN and WAN. As this information is not made explicit in pfsense, I only notice when I deleted Traffic Shaper and set it up again. The solution I found was to report the maximum capacity of the circuit (1 Gb) to use the entire internal network bandwidth. Otherwise, the entire network is limited to the speed of the WAN link. I had done this configuration for a long time, but since the network was not segmented, the internal traffic was not through pfsense, so when I created vlans, pfsense limited the band ..
• S

  Post Installation , LAN not working
  • satnar  

  1
  0
  Votes
  1
  Posts
  75
  Views

  No one has replied

• D

  New to networking; can't get traffic over VLAN
  • david_g17  

  7
  0
  Votes
  7
  Posts
  204
  Views

  

  Yes. The rules are the same whether they are on em3 or em3.2
• 

  Interfaces for LAN vs VLAN
  • ARAMP1  

  6
  0
  Votes
  6
  Posts
  202
  Views

  

  its a good obfuscation then - looks like actual screen shot! Better to mention you obfuscated or use documented example networks and mention that ;) 192.0.2/24 198.51.100/24 203.0.113/24 2001:DB8::/32 Just saying ;) You would be surprised at some of the stuff you see around here people doing for real ;) Or just block out part of the actual address so its clear is obfuscation..
• T

  make pfsense box a 10GbE switch
  • tiro_uspsss  

  21
  0
  Votes
  21
  Posts
  534
  Views

  

  Oh I see he was put on a time out ;) I would of made it longer.. Maybe he can go demand info on how to do something that makes no sense on facebook or reddit.. But with such a demanding attitude he won't get much help over there either..
• 

  pfSense SSH connection between 2 different LAN's dropping after 1 minute
  • chippey5  

  4
  0
  Votes
  4
  Posts
  113
  Views

  

  Solved It was a layer 8 issue - between the chair and the monitor. Static routing on LAN2 was incorrect. Reconfigured the static route (as per the settings in my previous reply) and connections are not dropping anymore.
• C

  Routing out to Internet through pfSense HW
  routing dns resolver rules internet • • Coops  

  4
  0
  Votes
  4
  Posts
  167
  Views

  

  Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.
• N

  Convert Current Network to VLANs
  • NasKar  

  8
  0
  Votes
  8
  Posts
  406
  Views

  

  If you tell pfSense to tag on VLAN 5, and the switch port connected to that has tagged VLAN 5, then your workstation needs to be connected to an untagged VLAN 5 port on the switch to have layer 2 connectivity to pfSense. That's the whole point.
• K

  LAGG (LACP) - UniFi Switch (16XG)
  lagg lacp unifi • • kklouzal  

  43
  0
  Votes
  43
  Posts
  1487
  Views

  

  OK then the MAC address should be spoofed. The MAC address on the LAGG should also be the spoofed MAC. That is exactly what would be expected.
• J

  Access for one host to VLAN
  • JohanÅ  

  6
  0
  Votes
  6
  Posts
  232
  Views

  

  Please post your rule set not a summary of what you think is there. You left out a lot of key information.
• A

  Motorola MB8600 LAGG / LACP direct from pfSense WAN not recognized by modem (?)
  • AveryFreeman  

  6
  0
  Votes
  6
  Posts
  229
  Views

  

  Figure this out yet? While screwing around with this I remembered I had to set a MAC address on the WAN page..
• J

  7100-1U - Switch ports LAGG problem
  lagg switch bug • • joesxs  

  3
  0
  Votes
  3
  Posts
  168
  Views

  

  @Asamat: Your 'this Bug' URL is this thread here. -Rico
• D

  Losing connection
  • doqu  

  5
  0
  Votes
  5
  Posts
  202
  Views

  D

  @derelict Thank you for pointing us in the right direction. Eventually found in the switch a different ARP the in the pfsense. Eventually followed those issue around in the network and solved the issue. Thank you for the advice.