I solved the issue a while ago and forgot to answer here.
After entering the IP in Captive Portal / Allowed IP Addresses, everything was perfect.
As my CP is authenticated, I believe that the question was precisely at that point. The other end had no way to authenticate itself to be able to pass, and from the moment I released the IP there, it started to communicate. I even thought about doing a test of this type, taking off the CP's authentication to see if it worked directly, but I ended up not having time.
Anyway ... it's resolved.
Thanks to everyone who was willing to try to help.
Getting Deja Vu, I feel like I've seen this question posted a while back.
(my assumption is that they plugged into the layer 3 switch instead)
I doubt it. They most likely did one of two things... they either spanned the appropriate VLAN out to that switch or put the end-users on a different VLAN and forced them to re-address their equipment.
Do layer 3 switches allow the VLANs to pass traffic across a trunk through routing, while a layer 2 switch can't do that?
A layer 3 switch is a switch that also has routing functionality. However, it would need to be configured and implemented properly to actually route traffic. The fact that the switch has layer 3 functionality doesn't necessarily mean it's routing traffic. So, the short answer to your question is no. A layer 3 switch will pass the same VLANs over a trunk that a layer 2 switch will. The difference is layer 3 switches can also do static routing, dynamic routing, etc.
Best practice is for every closet to have unique VLANs. So, if the VLAN you're looking for isn't on the switch, it was probably left off by design. So, someone had to make a decision whether to span that VLAN out to that switch or force the end-users to re-address their equipment on a subnet that exists in that closet.
It currently tags all traffic as vlan10 unless it is changed on the switchport.
Well, change it if that's not what you want. If you want to use just the native LAN as VLAN 10, then just set the port connected to the LAN port of pfSense to not tag VLAN 10. So you're saying if you put some PC connected to port X, you have to set the PC to understand the VLAN, i.e. the tag? PCs sure do not do that out of the box.
Thanks for the reply. Usually I would, but being a consultant and working with various clients and projects, the risk of running into an overlapping IP is high and I need a permanent solution to allow me to "adapt". I was thinking I could have a VLAN that I can change as needed rather than continuously changing my home subnet, if that makes sense.
Use 172.31.255.0/24, most of your customers if they have their heads screwed on won't allow split tunnels.
How are you determining that? If you want VLANs, you configure them wherever you need them and you won't be able to see if you get the addresses, without something to connect to the VLAN. Also, did you configure a DHCP server on the VLAN?
I found it, after days. It works now.
This here https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
is not suitable for my config, because I need the 210 VLAN to terminate, so I don't need a dedicated switch port, just a VLAN interface.
This is the right tutorial: https://mitky.com/pfsense-virtual-lan-setup-vlans/
There it works.
Now the other VLANs should be working as well, like this one.
@marvosa Thank you! It took me some time and a little nudge from a friend to translate your sentence but eventually I figured it out.
I now have the gateway online and the interface up and learned some things in the process.
@hieroglyph Also, pfsense is not going to be able to move packets faster at layer3 than a switch can at layer2. If you want pfsense to be efficient, let the switches handle all inter-LAN traffic (i.e. LAN10 to LAN10. LAN20 to LAN20. Etc...). That way pfsense only needs to handle cross-LAN traffic (LAN10 to LAN20. LAN20 to LAN30, Etc...) and traffic headed out of WAN.
@nevar I was able to figure out the issue. It is a noob mistake. I forgot that starting with Windows 10, ping is disabled by default, argh. After realizing that, I installed a portable FTP server on my PC that is on the VLAN and then tried to connect to it from my LAN. I was able to connect to it. I also did a couple of tests with the rule set to disable/enable and it worked as expected.
I ended up using LibreOffice Draw. The start was clunky, but once I got the hang of its drawing toolbar it became a breeze. I also realized that by documenting details, that extra level of time and scrutiny made me think through the topology functionally and not use my standard "do first then think later" approach 😁
It is also easy to edit and make changes, so for a free solution and a simple network like mine it worked out great. Here is a blurred screenshot for your delight!!!
TL;DR: Could not understand why pfSense was not passing and/or routing untagged traffic to switch UIs via tagged interfaces, but had no problems with any untagged<-vlan->untagged device traffic. Solution: my ID10T mistake: uncheck "Enable Static ARP entries" in DHCP on the interfaces of the devices, or add the static ARP entries necessary for all devices (hosts and switches...) to talk. Look for states in the state table.
Dumb*** move on my part. Posted for all to read and groan/laugh at the noob...as the saying goes "KISS"...but, it's as much about learning as doing. And, I now have SSH for all my devices installed, putty/mobaXterm/wireshark installed on all my machines, and also WSL with ubuntu to help me out in the future :)
Ok, after I tried a ton of reading, pinging, capturing, triple checking/disabling rules and trying the outbound NAT, and that didn't work either, in the process I noticed something else had recently changed: whereas before I could ping "just fine" from any of my VLANs, well, my primary VLAN stopped seeing the switches also... I like these types of failures!
So, resetting my assumptions, after more google-fu, I looked at the state tables (recommended in other posts), and realized there were no states in pfsense for switch-1. Well, if pfsense can't see it, pfsense won't route to it, but the other devices were present.... hmmm....as if the switch(es) weren't allowed....
I thought I'd try to add a static ARP for switch-1 - and... that's when I noticed that at some point in my former brilliancy, I happened to check the "Enable Static ARP entries" in DHCP on the VLAN10 interfaces. Now that's all fine and good as it had the machines I wanted to connect with, BUT no entries for switch-1 (or 2)! Added them to the VLAN10 interface since that is what they communicate to, and EVERYTHING is groovy again! Now I can use the firewall rules to fine tune access, and avoid NAT for now, as future challenge will be VPN's....I may be back...
Anyhoo, thank you again @hieroglyph and @JKnott for your time and help giving me direction!
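As an added example (not code from this thread), a small Python audit that mirrors the check described above: it parses FreeBSD `arp -an` output as pfSense shows it, finds interfaces where every entry is permanent (the state "Enable Static ARP entries" produces), and reports required hosts such as switch management IPs that have no static entry. The sample output, interface names and addresses are constructed.

```python
import re

# Constructed sample of `arp -an` output on a pfSense/FreeBSD box (not a real capture).
# igb1.10 has only permanent entries (static ARP enabled); igb1.20 has a dynamic one.
SAMPLE_ARP = """\
? (192.168.10.1) at 00:08:a2:0a:11:22 on igb1.10 permanent [vlan]
? (192.168.10.50) at 3c:97:0e:aa:bb:cc on igb1.10 permanent [vlan]
? (192.168.10.51) at 3c:97:0e:aa:bb:cd on igb1.10 permanent [vlan]
? (192.168.20.1) at 00:08:a2:0a:11:22 on igb1.20 permanent [vlan]
? (192.168.20.77) at b8:27:eb:12:34:56 on igb1.20 expires in 1190 seconds [vlan]
"""

# Constructed: management IPs of switch-1 and switch-2, expected to be reachable on VLAN10.
REQUIRED_HOSTS = {"igb1.10": ["192.168.10.2", "192.168.10.3"]}

ARP_RE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17})\s+on\s+(?P<iface>\S+)\s+"
    r"(?P<state>permanent|expires in \d+ seconds)"
)


def parse_arp(text):
    """Return {iface: {ip: is_permanent}} parsed from `arp -an` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue  # ignore incomplete or unrelated lines
        table.setdefault(m["iface"], {})[m["ip"]] = m["state"] == "permanent"
    return table


def static_arp_interfaces(table):
    """Interfaces whose entries are all permanent, i.e. behaving as static-ARP only."""
    return {iface for iface, hosts in table.items() if hosts and all(hosts.values())}


def missing_required_hosts(table, required):
    """On static-ARP interfaces, list required hosts that have no ARP entry at all.

    Such hosts cannot be reached by pfSense until a static mapping is added
    (or static ARP is disabled), which is the failure mode described above.
    """
    missing = {}
    for iface in static_arp_interfaces(table):
        absent = sorted(ip for ip in required.get(iface, ()) if ip not in table[iface])
        if absent:
            missing[iface] = absent
    return missing


if __name__ == "__main__":
    print(missing_required_hosts(parse_arp(SAMPLE_ARP), REQUIRED_HOSTS))
```

On a live box, feed it the real output of `arp -an` and your own list of switch management addresses instead of the constructed sample.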
That is what I do as well; some interfaces run multiple VLANs. Others have only a single interface. My high volume VLANs have their own uplink. Other VLANs, like my wireless ones, share an interface. Wireless clients are not going to be able to use a full gig interface anyway, not a single device for sure.. Maybe as you move to AX.. But until that time, with WiFi 5, it's not really possible for a wireless client to use full gig. So yeah, they can share an interface, and it's rare that any WiFi VLAN would ever talk to another WiFi VLAN, etc.
This is what is nice about having multiple interfaces on your router. One of the reasons I went with the 4860... Lots of discrete interfaces gives you more options. I don't really have any use for switch ports in my router ;) That is why I have switches... heheh
Now what I would love to see, would be a netgate box that has multigig interfaces - support for 802.3bz.. Love to have interfaces that can do 10/100/1000/2.5/5/10ge
Multigig switch ports would be great.. This could allow for, say, future connection of AX APs that support a 2.5GE uplink into the router, when you don't actually have a multigig switch, etc.
@marvosa Yeah, unfortunately my switches are L2 only, so I don't think inter-VLAN routing on the switch is going to work for me. Interesting to note the VLAN overhead. I didn't think it was that much, but frankly I don't have much experience with VLANs and this is my first attempt at VLANs on a network I control. Thanks for your feedback. It definitely helps me understand and have some base expectations with routing VLANs through pfSense :)