@pvpaulo ???? MTU specifies how much data the frame can hold, regardless of whether there's a VLAN tag. Also, I have never heard of a L3 MTU. On both native and VLAN interfaces I don't specify MTU and just accept the default 1500. Any VLAN tags are before the EtherType, which specifies whether the frame carries IPv4 (0800), IPv6 (86dd) or other. The MTU specifies how much data is allowed after the EtherType.

@eagledtony Most will have troubles reading what you've just wrote. Your Enter key seams to be broken also ( ^^ ). As no details (images) are available, so only some general advise : If you can, remove all 'VLAN' setup, go bare bone classic "VLAN 0" or no VLAN no where. This makes the setup simpler .... and issue start to vanish fast. If an issue arrives 'suddenly' then the last think you want to do is 'upgrading'. Upgrading will not (can not) resolve sudden local issues, but can create new issues. So, first, resolve the issue, which can be as simple as : Save the current pfSense config. Now get a config from 'before 2 weeks'. Issue solved : go question the pfSense admin, torture him if needed, and you will get to the bottom of things. The 'diff' between the current and 2 weeks old config will tell you what changed. Issue not solved : get the current config back and now you'll be sure : the issue isn't pfSense related. Go have a talk with the other (VLAN) stuff, and do question the "admin" gain. edit : Your pfSense has a config history : [image: 1770288431925-99464f43-9690-4b60-ba2f-740cb54e5dc3-image.png]

Edit: I just found this draft waiting for me to post. Sorry for not sharing earlier. Solution for anyone following at home. Credit goes to ChatGPT. I am not sure why the vlanif line was missing; this was all made in the web GUI. All I can think of was this was made on version 23.01 or 23.05. ChatGPT said this became a requirement in 24.X but I had this issue while still on 23.X. --- /conf/config.xml 2025-03-23 22:02:52.977293000 +1100 +++ config.xml 2025-03-23 22:02:14.882342000 +1100 @@ -325,7 +325,6 @@ <tag>99</tag> <pcp>0</pcp> <descr><![CDATA[BackupWAN]]></descr> - <vlanif>mvneta1.99</vlanif> </vlan> </vlans> <staticroutes></staticroutes>

@johnpoz I've done some more investigation and found some weird behavior. Let me explain: These are the details I brought up the PFSENSE Web gui I navigate to "System>Advanced>System Tunables>+New" In the Tunable Field I enter: dev.ix.1.advertise_speed In the Value Field I enter: 16 In the Description Field I enter: 2.5GB I then hit save and reboot my pfsense box After pfsense comes up and from the Welcome Screen I Select "Option 8" I then enter the following SYSCTL Command: "sysctl dev.ix.1.advertise_speed" The Response is "sysctl dev.ix.1.advertise_speed: 7" This tells me my tunable did not take effect after the Boot. Now I navigate to "System>Advanced>system Tunables>" and "EDIT" the tunable I created above and click "SAVE" without changing anything. I then go back to the welcome gui and select "Option 8" Again I then enter the following SYSCTL Command: "sysctl dev.ix.1.advertise_speed" The Response is "sysctl dev.ix.1.advertise_speed: 10" Which is the Decimal equivalent of 16 Now I go To my switch and the Lan Port on the switch is now running at 2.5gb. It is my understanding that placing a tunable in "System>Advanced>System Tunables>" should relieve me of having to open the tunable and pressing save. What do you think. Is this a bug or am I missing something?

If I remember correctly, you just use the drop down to select the new Network Port, but only make the change when connected to a different network. Mine looks like this now. [image: 1768967119072-9e9ce812-7211-4592-b43f-9448abbcf1a0-image.png] Only difference is I moved to the 10Gb ports.

I assume WAN is bce0? Those bad packets it's dropping there are odd but might not be related. If you boot back into the 24.11 BE do you still see the same dropped packets and errors at boot?

To maybe make life simpler in the future, avoid common subnets like 192.168.0.0, 1.0, 2.0. These are used by many things such as ISP routers. I went with .42.0, because it is the meaning of life, the universe and everything.

@luckman212 bingo! Thank you for so succinctly saying what I was fumbling around trying to say! Yes, primarily security. Google VLAN1 tons of articles and whatnot advising to turn it off for security reasons (primarily for large enterprise). Secondarily (especially at this point), is a little academic - I am kind of frustrated at myself for not figuring this out so would like to accomplish for my personal satisfaction (though I am busy like everyone else and don't want to be doing purely stupid things). I will look into the UniFi thing, their controller software is unusual but it does seem to allow configuring a default VLAN simply clicking on the default network in the controller software and entering the VLAN id however during hard reset it goes back to VLAN1 of course which could be issue if that becomes necessary. I think your "Secure Enough" strategy sounds more sensible given my limited experience (I did try to configure from another subnet but got locked out and required a reset of the router). I think I will try this first. Thank you for the out-of-da-box thinking!

@louis2 Why? Bridges bridge Interfaces. Vlans in pfsense are not interfaces. So yes, it takes a few more steps, but it works. And as a matter of fact is also performant. You can also try vxlan if you wish which is a new feature in pf plus.

@big_blue oh! Well good job me then.

@Hoser7632 no connection like link would have nothing to do with what networks you might pass over this wire. Not exactly sure what you mean when light just flashes red, on your AP, on the interface? I take it your powering this via ac adapter since I doubt your x550-t2 interface is going to provide poe. Why would you tag traffic over this interface to your AP, unless you were going to carry more than 1 network on the wire? Seems kind of pointless to me to tag this traffic if only 1 device is going to be connected to this port.

Architecturally similar to my installation. I have a "core" switch which connects to the firewall, but with one switch port with half the VLANs going from the core switch to the firewall and another switch port with the balance of the VLANs going to another firewall port. Then, the core switch connects to my two remote switches (analogous to your switch by the firewall and your garage switch). Without bridging the firewall ports, I don't think you can home-run both switches to the firewall and route all VLANs to both. And Netgate here has repeatedly discouraged using bridging on the firewall. Thus, a "core" switch is necessary, or, daisy-chain your switches. A couple of down-sides to daisy chaining switches is the single-point of failure in the daisy chain. If your top switch fiber goes bad, or the top switch goes bad, your entire LAN goes down. Also, all your traffic then has a single collision domain between your top switch and your firewall. Probably not a real issue on a 10G fiber, but if you have tons of traffic on that fiber it could degrade performance. A core switch could alleviate the collision domain issue, and if you connect the core switch to your firewall with two fibers, one for half your VLANs and the other for the rest of your VLANs, you'd remove a single point of failure for your entire LAN at least as far as the fibers go. If the core switch fails then everything fails*, but that would be easy to diagnose. If just one fiber or fiber port goes down, only half your LAN (one of your two switches) would go down and that would be easy to diagnose. YMMV. *You could certainly design some kind of redundant core-switch arrangement with spanning-tree protocol and multiple switches and fibers and so on, but that's out of my league.

Hi all! Thank you for your quick answers! It was connected to the PFBlocker NG; once it has been deactivated and reactivated, it works. cheers!

@patient0 Not a production environment just home environment. Thanks for your suggestion I'll give it a try. Best Regards and thanks again....

Thank you for the replies, I was sort of able to figure it out and get it/them working But its not how I expected? I setup the VLAN's on the switch and according to everything I could figure and you guys too it should have worked but it didnt? After going back-n-forth with this for a few days I decided to give it a rest for a couple days. When I got back to it I went to login to the switch and was unable? No matter what I tried couldnt get it so I did a hard reset (unplug) and tried to log back in, I was able to get into the switch and all the config was there so I plugged my laptop in and it pulled the .20 IP??? More testing and it did what it is supposed to do? Best I can figure is that the switch didnt like what I was telling it and decided it needed a refresh to then give what I was telling it? IDK but its working now. To all Thank You especially johnpoz , theother, and patient0! :-)