Well multicast discovery isn't going to work vlan to vlan either.. And no, L2 discovery doesn't work over vpn either.
I would check that you can talk to your device from lan to say opt 1 network locally, before you look to it working via a vpn..
I fired up the client on my phone.. On a different wifi vlan than the vlan my camera is on... I then set it up using IP..
There you go working just fine..
edit: I don't have wireguard installed, but just disconnected my phone from wifi, only on cell - connected to my vpn connection on pfsense openvpn... Bam - watching video stream from my phone.
edit2: possible problem with some cameras is if they do not have a gateway set, ie pointing to pfsense - then you can not view them from other networks, be it a vlan or vpn. Without doing source natting.
@nornagest I would have just added another vSwitch for each new LAN. vSwitches don't need to be mapped to a physical NIC. From there, you add more NICs to your pfSense vm and map them to the new vSwitches.
The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG
Re: There is really no reason for it
I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise.
I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words...
From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch.
Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN.
Please provide more insight into your design. Does that L3 Aruba switch have routing enabled and actually doing routing (i.e. is there a transit network between PFsense and the Aruba or is PFsense connected to a trunk port on the Aruba)?
The vlans are defined/created on pfsense and pfsense is connected to a trunk port on the Aruba Switch. The native and access "vlans" are both set to vlan1 (native/original LAN on pfsense).
I have been able to gain internet access, so my outbound is good. My current issue is inbound traffic now. I am unable to traceroute from the WAN or LAN interface on pfsense to the client on VLAN10. I am able to ping from the LAN to VLAN10 client though. My client can ping anything in the network (across subnets, I've allowed this just for setting up and troubleshooting).
@marvosa you have helped me a few years ago get my current network configuration set up. I wanted to say thanks again and it is good to see you!
Yeah 10.0.12.0/22 or 255.255.252.0 would be 10.0.12.0 - 10.0.15.255
What are the rules you put on these vlans?
And yes a drawing would be most helpful.. You're saying the devices pull the correct info via dhcp.. If so that would point to connectivity being good, so first thing that comes to mind is wrong rules or lack of rules on the vlan interfaces.
When you suggested to look under Interfaces > Assignments > VLANs.
So, if you want a VLAN on your WAN interface, you have to create it and configure it as needed.
Absolutely agreed, that's what I've been trying to figure out how to do all along.
For anyone else who's got this question, just go
Interfaces --> Switches --> VLANs
Edit the entry for the link you want (Click the pencil) <-- That was the part I missed until just now!
Change the VLAN ID from the default of 4090 to whatever matches your external link (eg 180), and click the box to tag the traffic for interface "3". Leave "0" ticked and don't mess with it.
Then you need to go to Interfaces -> Assignments -> VLANs as correctly observed by JKnott, create one in there with a matching number, then back to "Interface Assignments" and choose the new VLAN from the drop-down box for the WAN interface.
Why would someone not get the "plus" or smart version? As to downgrading speed - it was an example.
Be it the hardware the same or not - if you can load 3rd party on it to enable vlans and give yourself a gui/cli to get access to "smart" features - then that is great. Get a dumb one and add the gui/cli
But when someone calls it a "dumb" switch - means to me it has no gui or cli, and has no way to glean info from it or set anything at all, lack of vlans being the big thing. It's DUMB!!
I run a 28 port sg300 as my main switch, and then have a 10 port sg300 in my AV cab.. I do multicast acls on mine, so no these entry level "smart" switches don't have such features.
It's not excessive - and it wasn't all that expensive, under 200 new! And uses a low amount of power.. I have way too many devices to use anything else than a 24 port switch anyway.. Good luck finding a dumb version of those anyway.. And it would be pointless, because the devices are not in the same vlans. Sure not going to isolate them all physically with different switches.
Nobody is saying he has to drop $$ on a switch, and hey if you have a way for him to save a few bucks and get "dumb" model and put 3rd party on it and get vlan support, etc. etc.. Then you should really link to those details..
What is the best way to determine that?
Here is something new. I am also unable to ping the VLAN interface when the vpn is connected. I started a continuous ping from the vlan to the vlan interface and to the device on the Lan. Both were returning time outs. I disabled the VPN and both pings started working. Once I re-enabled the VPN the pings started timing out again. Why would the ping return a timeout to its own interface?
You can run the dhcpd on the same hardware you run your controller if you want.. Stuff like their USG or the UDM could provide..
The AP bridges all data from the wifi to the wire, be it dhcp or any other traffic..
As to the vlan tags, guess I should have quoted your whole statement
doesn't seem like. (Maybe if you're offloading to another switch?)
It's not a maybe.. If you're going to carry more than 1 vlan over the same wire then they NEED to be tagged.. They would need to be tagged on the port going to your AP, if you're going to run more than one SSID with different vlans.. Because the traffic coming out of the AP to the wire would be tagged with the vlan that client's traffic is on based upon the SSID they joined.
@johnpoz I think I do have the VLANs setup and traffic working between them. I can ping back and forth etc. Workstations can access the internet. Workstations can print to the printer (although they can't auto discover it). Things are failing when I want to cast from a phone to a smart tv. Right now we have to use the "enter a code" method to connect to the TV instead of being able to discover it and connect to it more easily.
I'm specifically looking for the YouTube app to work for device discovery when casting.
I'm using a Pixel 5 and my wife is using an iPhone XR. The TV in question is a Sony Bravia running Android OS.
From the videos and reading I've found, Avahi is supposed to help enable this (unless I'm misunderstanding something).
@stephenw10 I am going to call D-Link biz support at my leisure to ask them about this. If untagged is ok on a trunk port, then why doesn't it save? If untagged isn't ok, then why does it allow the setting (and work as expected)? My guess is it is a GUI/Save bug. If it was not allowed, then it is unlikely it would have worked, saved or otherwise.
As for changing the tagged ports to untagged -- yeah, I'll try to remember to mention that too.
I know this is not exactly the same. But it sounds like Google is still involved via YouTube so it may be helpful. I fought this for a while with trying to cast from my phone on one VLAN to the chromecast on a different VLAN. Eventually I came across a post suggesting to do a NAT redirect on pings to Google's DNS addresses.
Firewall > NAT > Port Forward > Create A New Rule
All_Admin_VLAN_VPN_Networks = My VLAN IP ranges (i.e. 192.168.1.0/24, 10.20.30.0/24, etc...)
3_Device_DNS_Google = dns.google (For this, I only care about IPv4 so this is basically 8.8.8.8 and 8.8.4.4)
This will create a Port Forwarding rule on the NAT > Port Forward tab. AND...
It will create a firewall rule called "NAT Redirect Pings To Google DNS Back To Router" on the interface tab selected in the image above.
You will want to go to that firewall tab and drag the new rule to the correct place.
After you have saved the rule.
Now when you ping 8.8.8.8 or 8.8.4.4 pfsense should respond back and not Google's servers.
For good measure I also made sure to allow access to the chromecast discovery ports (8008, 8009, and 8443). FireTV may have different ports.
Restarted my phone and chromecast; then things started working.
VLANs on em(4) work fine in general, I'm using them on both real hardware and VMs in my lab.
Odds are that it's something with either that specific variant/chipset or that hardware implementation. Not saying it's this, but we've seen similar things in the past when the driver detected that the hardware is advertising a capability the OEM didn't implement or enable. Sometimes doing a BIOS or firmware update from the OEM can help.
There may be some ways to fiddle with the interface flags for things like VLAN checksums or hardware filtering but I wouldn't trust those long-term. You're better off replacing the hardware with something much more recent.
Thank you for the explanation. I just did not expect such an odd behaviour. I have two other pfSense boxes that use the em driver, but neither of them deals with VLAN tags.
The solution is to lower the MTU on all participants of the vlan. Not on the switches or the physical network adapter of the pfsense. I lowered client1, client2 and the vlan interface on pfsense to MTU 8800. With that I have no broken packets.
I transmit 8772 data bytes + 28 bytes header = MTU 8800. If I send one byte over it, it gets fragmented.
The problem is that the switch added the 4-byte VLAN header. So the packet was greater than 9000 (9004). The physical network adapter on the pfSense throws the packet away and it gets lost in the VLAN.
by the way you can set this on Windows also with the following command:
netsh interface ipv4 set subinterface "interface name" mtu=8800 store=persistent
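The arithmetic in that post, worked through as an added example (not the poster's code, not part of pfSense): the ICMP payload, the 20-byte IPv4 and 8-byte ICMP headers, the 4-byte 802.1Q tag the switch inserts on the trunk, and a parent NIC that either does or does not accept a tagged frame 4 bytes over its MTU. The sizes and the `nic_tolerates_tag` switch are constructed from the post's numbers; the model goes a little beyond the post in also computing the largest sub-interface MTU that would still pass such a NIC.

```python
# Added example (not the poster's code): MTU arithmetic for jumbo frames that
# pick up an 802.1Q tag between the sender and the pfSense parent NIC.
#
# Models the post's situation: the client sends an ICMP echo whose IPv4 packet
# is exactly the interface MTU, the switch inserts a 4-byte VLAN tag on the
# trunk to pfSense, and the pfSense parent NIC drops any frame whose IP packet
# plus tag exceeds what it accepts. All sizes are constructed from the post's
# numbers (8772 + 28 = 8800, 9000 + 4 = 9004).

ETH_HEADER = 14    # dst MAC + src MAC + EtherType (preamble and FCS not counted)
VLAN_TAG = 4       # 802.1Q TPID + TCI, inserted after the source MAC
IPV4_HEADER = 20   # minimal IPv4 header, no options
ICMP_HEADER = 8    # ICMP echo header: type, code, checksum, identifier, sequence


def max_icmp_payload(mtu: int) -> int:
    """Largest ICMP echo data size that fits one unfragmented IPv4 packet of `mtu` bytes."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def ip_packet_size(icmp_payload: int) -> int:
    """IPv4 packet length carrying an ICMP echo with `icmp_payload` data bytes."""
    return icmp_payload + ICMP_HEADER + IPV4_HEADER


def wire_frame_size(icmp_payload: int, tagged: bool) -> int:
    """Ethernet frame length on the wire, with or without an 802.1Q tag."""
    return ip_packet_size(icmp_payload) + ETH_HEADER + (VLAN_TAG if tagged else 0)


def echo_outcome(icmp_payload: int, sender_mtu: int, nic_mtu: int,
                 tagged: bool, nic_tolerates_tag: bool) -> str:
    """
    Outcome for one echo request travelling client -> switch -> pfSense parent NIC.

    sender_mtu         MTU on the client and on the pfSense VLAN sub-interface
    nic_mtu            MTU on the pfSense physical (parent) NIC
    tagged             the switch inserts a VLAN tag toward pfSense
    nic_tolerates_tag  NIC accepts nic_mtu + 4 bytes when the frame is tagged
                       (assumption: most do; the poster's card behaved as if it did not)
    Returns 'fragmented', 'dropped' or 'ok'.
    """
    packet = ip_packet_size(icmp_payload)
    if packet > sender_mtu:
        return "fragmented"       # the sending host splits it before transmit
    budget = nic_mtu + (VLAN_TAG if (tagged and nic_tolerates_tag) else 0)
    on_wire = packet + (VLAN_TAG if tagged else 0)
    if on_wire > budget:
        return "dropped"          # silently lost at the NIC, as in the post
    return "ok"


def largest_safe_sender_mtu(nic_mtu: int, tagged: bool, nic_tolerates_tag: bool) -> int:
    """Highest sub-interface MTU whose full-size packets still pass the parent NIC."""
    if tagged and not nic_tolerates_tag:
        return nic_mtu - VLAN_TAG
    return nic_mtu


if __name__ == "__main__":
    print("max ICMP payload at MTU 8800:", max_icmp_payload(8800))
    for payload, mtu in ((8972, 9000), (8772, 8800), (8773, 8800)):
        print(payload, mtu, echo_outcome(payload, mtu, 9000, True, False))
    print("largest safe sub-interface MTU behind a 9000-byte NIC that can't absorb the tag:",
          largest_safe_sender_mtu(9000, True, False))
```

Running it reproduces the post: a 9000-byte packet is dropped once tagged, 8772 data bytes at MTU 8800 pass, 8773 fragment. The model's arithmetic says 8996 is the largest sub-interface MTU that would still fit on a 9000-byte NIC that cannot absorb the tag; the poster's 8800 is simply a round number with margin, and a NIC that honours the tag (`nic_tolerates_tag=True`) needs no reduction at all.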
@gabacho4 anyone (users or Netgate team members)? I got a response on Reddit indicating that this is a problem on 2.5.2 as well and that the only way to change things is via the console/ssh. Sure enough, it works if I do interface assignments there. However, even after going that route, I have weird vlan 4, 6, and 8 that show up on the GUI now on the available interfaces drop down. They have no MAC addresses or interfaces associated with them. I’ve never used vlans 4,6, or 8 so no idea where those came from. When I exported my config and searched for them, they are nowhere to be found. Not sure what more to do to troubleshoot. I’m happy to file a bug report but was hoping for someone else to validate my findings.
As I stated, assigning multiple subnets to a single interface is not a convenient way to separate network segments. Therefore I suggested doing this on the wifi.
However, filtering should be possible.
Configure the subnet you want to run DHCP on as the primary in the interface settings. Then add the additional one as an IP alias in Firewall > Aliases. Remember to set a proper mask for the subnet. This IP can be used as the gateway on the devices.
Then configure your firewall rules on that interface advisedly.
Hello.. My issue was the PVID setup was incorrect. Don't focus on MAC address assigning a VLAN until the PVID is configured correctly. Let's say the router to the switch plugs into port 1 and the switch to the AP leaves from port 8 (on the switch).
Let's use Vlan 1 and 10 from the images above where 1 is default and 10 is trusted; let's put the AP on Vlan 10
Vlan 1 for the router and switch needs to be untagged on the switch side (port 1). Configure the PVID for port 8 to be vlan 10. Finally on Vlan 10 set port 1 tagged and port 8 untagged.
After you can get the PVID setup you can then move onto assigning MAC addresses in the switch to assign a different downstream Vlan.
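The PVID/tagging rules in that post, and the earlier takeaway that the switch's native (untagged) VLAN lands on the pfSense LAN interface and so must share its subnet, can be checked with a small model of 802.1Q port membership. This is an added example, not code from the thread, from pfSense or from any switch vendor; the port names, VLAN numbers and the "mgmt" pseudo-port standing in for the switch's own management interface are constructed for illustration.

```python
# Added example (not from the thread): a small model of 802.1Q port membership
# on a managed switch, used to walk through the PVID / native-VLAN rules the
# posts above describe. Port names, VLAN numbers and the "mgmt" pseudo-port are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out of this port without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with a tag

    def ingress(self, vlan_tag):
        """Classify an arriving frame; vlan_tag=None means it arrived untagged."""
        if vlan_tag is None:
            return self.pvid
        if vlan_tag in self.tagged or vlan_tag in self.untagged:
            return vlan_tag
        return None  # tagged for a VLAN this port is not a member of

    def egress(self, vlan):
        """'untagged', 'tagged', or None when the port is not a member of `vlan`."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return "tagged"
        return None


def forward(switch, in_port, vlan_tag, out_port):
    """(vlan, result) for a frame entering in_port and leaving out_port."""
    vlan = switch[in_port].ingress(vlan_tag)
    if vlan is None:
        return (None, "dropped at ingress")
    how = switch[out_port].egress(vlan)
    if how is None:
        return (vlan, "dropped: %s not in VLAN %d" % (out_port, vlan))
    return (vlan, how)


def pfsense_sees(switch, in_port, vlan_tag, trunk_port="port1"):
    """Which pfSense interface receives the frame, given trunk_port is the parent NIC."""
    vlan, how = forward(switch, in_port, vlan_tag, trunk_port)
    if how == "untagged":
        return "LAN (untagged parent interface)"
    if how == "tagged":
        return "VLAN%d interface" % vlan
    return how


# Constructed topology from the PVID post: port 1 is the trunk to pfSense
# (VLAN 1 untagged, VLAN 10 tagged), port 8 feeds the access point (PVID 10,
# VLAN 10 untagged). "mgmt" stands for the switch's own management interface,
# which sends in whatever VLAN is configured as native (PVID 1 here).
SWITCH = {
    "port1": Port("port1", pvid=1, untagged={1}, tagged={10}),
    "port8": Port("port8", pvid=10, untagged={10}),
    "mgmt":  Port("mgmt", pvid=1, untagged={1}),
}

# Constructed variant of the "native VLAN changed to 20" case from the earlier
# post: the uplink now carries VLAN 20 untagged, so management frames still
# reach pfSense untagged, i.e. on LAN.
SWITCH_NATIVE20 = {
    "port1": Port("port1", pvid=20, untagged={20}, tagged={10}),
    "mgmt":  Port("mgmt", pvid=20, untagged={20}),
}

if __name__ == "__main__":
    print(forward(SWITCH, "port8", None, "port1"))      # AP traffic -> tagged 10 toward pfSense
    print(forward(SWITCH, "port1", 10, "port8"))        # pfSense VLAN10 -> untagged to the AP
    print(forward(SWITCH, "port1", None, "port8"))      # LAN frame cannot reach the AP port
    print(pfsense_sees(SWITCH, "mgmt", None))           # switch web UI lands on LAN
    print(pfsense_sees(SWITCH_NATIVE20, "mgmt", None))  # still LAN, so its IP must be in the LAN subnet
```

Each row in the output corresponds to one sentence of the post: the AP's untagged frames are classified into VLAN 10 by port 8's PVID and leave port 1 tagged, pfSense's tagged VLAN 10 frames come out of port 8 untagged, and a plain LAN frame is dropped because port 8 is not a member of VLAN 1. The last line is the earlier takeaway in code form: whichever VLAN the switch treats as native reaches pfSense untagged, so the switch's management address has to live in the LAN subnet or web access is lost.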