• 0 Votes
    2 Posts
    77 Views

    @spickles Not following your entire note. Hopefully this is helpful.

    First, barring hosts that can tag their own traffic, in general every host that you want to place on a VLAN requires either a switch port somewhere to tag traffic onto the desired VLAN or, for WiFi, an AP that can tag hosts on an SSID onto the desired VLAN. (There are some exceptions to this like using a VLAN-aware switch to tag all traffic from a downstream dumb switch and Ubiquiti's Virtual Network Override, but let's not go there ...)

    Second, if the question is whether you can create a port on a pfSense box that can process multiple VLANs as separate subnets, the answer is yes. For example, I have a physical port, igc1, carrying 4 tagged VLANs and an untagged one between pfSense and the downstream switch fabric. pfSense routes for all of them.

    The four tagged VLANs are all tied to igc1 (so, igc1.15, igc1.20, etc.) under Interfaces>VLANs as shown in the first pic. A pfSense Network Port is created for each. Once created, each can be assigned to an Interface and configured with subnets and addresses under Interfaces/Interface Assignments, have DNS, DHCP, Firewall, etc., just like a physical interface. That's the second pic (black boxes to reduce the distraction of the box's other interfaces). So, 4 tagged VLANs plus 1 untagged on a single port. The untagged interface is igc1.

    [screenshot: Interfaces > VLANs]
    [screenshot: Interfaces > Interface Assignments]

  • Two VLANs set up alike, one does not get Internet

    0 Votes
    16 Posts
    2k Views

    Indeed, I have to consult the community on how to configure the captive portal, too.

  • Surfshark Wireguard VPN on Guest VLAN Blocking Some Content

    0 Votes
    3 Posts
    147 Views

    Thanks! Surfshark does not support IPv6.
    DHCPv6 Server is not running on Guest

    Guest VLAN IPv6 Configuration Type is None.
    [screenshot: Guest interface IPv6 Configuration Type]

    Router Advertisement Router Mode is Disabled
    [screenshot: Router Advertisements, Router Mode]

    Added a Guest firewall rule at the top of the stack to block IPv6 traffic
    [screenshot: Guest firewall rule blocking IPv6]

    Also tested disabling IPv6 in the APN on my phone. Didn't help.

    We're still having problems with some apps/content on our phones.

  • Need help with transparent bridge DNS VLan setup

    0 Votes
    1 Post
    34 Views
    No one has replied
  • ACCESS DIFFERENT VLAN ON A DIFFERENT PORT OF PFSENSE

    0 Votes
    11 Posts
    585 Views
    HHUBS

    I managed to solve this myself today. The reason I can't ping the client directly connected to igc1 of pfSense is the Bitdefender stealth mode setting. Once I turned it off, I can now ping the client.

    I came up with this solution because I tried Ubuntu on a flash drive, and I can ping it, so there is a problem with the firewall of the Windows machine.

    That's why I checked all the firewall settings one by one on the Windows client.

  • Best simple network

    0 Votes
    25 Posts
    2k Views

    @Dobby_ Thought I'd be the only one who would ever use a number like 300 in an IP address. 😂

  • static are not used when trying to communicate between 2 pfsense CE

    0 Votes
    5 Posts
    135 Views

    OK, I tried your solution, and it's OK. Thank you, really, for the solution and for the explanation. I really don't like doing things without understanding what I'm doing and why.

    One more time, thank you.

  • CANNOT PING VLAN INTERFACE IP FROM SAME VLAN

    0 Votes
    4 Posts
    197 Views
    HHUBS

    @Bob-Dig said in CANNOT PING VLAN INTERFACE IP FROM SAME VLAN:

    @HHUBS said in CANNOT PING VLAN INTERFACE IP FROM SAME VLAN:

    Or I should ping it from the same VLAN even if no rules are added?

    No, it is the firewall, and as such it is able to, and will, block the connection without rules. It would be different to ping a host on a switch in the same LAN: then the connection does not hit the firewall in the first place, and the firewall can do nothing about it.

    @johnpoz said in CANNOT PING VLAN INTERFACE IP FROM SAME VLAN:

    @HHUBS Out of the box the only interface with a default allow rule is LAN, which defaults to an any/any rule plus anti-lockout. If you create a new interface, be it VLAN or native, you have to add the rules you want.

    Yes, by default with no rules, traffic hits the default deny, which blocks ping and any other access.

    Thank you so much for your help. 👍
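    The two points made in the threads above, that each 802.1Q sub-interface (igc1.15, igc1.20, ...) becomes a pfSense port that must be assigned to an interface, and that any interface other than LAN starts with no pass rules and therefore hits pf's default deny, can be checked against a box's config.xml instead of by clicking through the GUI. The following is an added example, not code from Netgate or from anyone in the thread. It assumes the config.xml layout pfSense writes (`<vlans>/<vlan>` with `<if>`, `<tag>`, `<vlanif>`; `<interfaces>/<lan>`, `<opt1>`, ...; `<filter>/<rule>` with `<type>` and `<interface>`), and the XML embedded below is a constructed sample, not a real firewall's configuration. It does not model the implicit anti-lockout rule, which is generated for LAN and is not stored as a `<filter>` rule.

```python
"""Audit VLAN sub-interfaces and per-interface pass rules in a pfSense-style config.xml.

Added example; the XML below is a constructed sample, and the element names
are an assumption about pfSense's config.xml layout.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igc0</if><descr>WAN</descr><enable></enable><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igc1</if><descr>LAN</descr><enable></enable><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igc1.15</if><descr>IOT</descr><enable></enable><ipaddr>192.168.15.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>igc1.20</if><descr>GUEST</descr><enable></enable><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <vlans>
    <vlan><if>igc1</if><tag>15</tag><descr>IOT</descr><vlanif>igc1.15</vlanif></vlan>
    <vlan><if>igc1</if><tag>20</tag><descr>GUEST</descr><vlanif>igc1.20</vlanif></vlan>
    <vlan><if>igc1</if><tag>30</tag><descr>CAMERAS</descr><vlanif>igc1.30</vlanif></vlan>
  </vlans>
  <filter>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol><descr>Default allow LAN to any rule</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol><descr>IOT to internet</descr></rule>
  </filter>
</pfsense>
"""


def parse_config(xml_text):
    return ET.fromstring(xml_text)


def vlan_subinterfaces(root):
    """Map each VLAN port name (e.g. 'igc1.15') to its (parent, tag)."""
    out = {}
    for v in root.findall("./vlans/vlan"):
        parent = v.findtext("if")
        tag = int(v.findtext("tag"))
        out[v.findtext("vlanif") or f"{parent}.{tag}"] = (parent, tag)
    return out


def trunk_tags(root):
    """Parent port -> sorted 802.1Q tags the switch-side trunk must carry."""
    per_port = defaultdict(list)
    for parent, tag in vlan_subinterfaces(root).values():
        per_port[parent].append(tag)
    return {port: sorted(tags) for port, tags in per_port.items()}


def interface_assignments(root):
    """Logical interface (lan, opt1, ...) -> the port it is assigned to, plus addressing."""
    out = {}
    for iface in root.find("interfaces"):
        out[iface.tag] = {
            "port": iface.findtext("if"),
            "descr": iface.findtext("descr") or iface.tag.upper(),
            "ipaddr": iface.findtext("ipaddr"),
            "subnet": iface.findtext("subnet"),
            # <enable></enable> is an empty element, so test for presence, not truthiness
            "enabled": iface.find("enable") is not None,
        }
    return out


def pass_rule_counts(root):
    """Number of enabled pass rules per interface; absent key means zero."""
    counts = defaultdict(int)
    for rule in root.findall("./filter/rule"):
        if rule.findtext("type") == "pass" and rule.find("disabled") is None:
            counts[rule.findtext("interface")] += 1
    return dict(counts)


def audit(xml_text):
    """Return (kind, subject, message) findings for the common VLAN mistakes."""
    root = parse_config(xml_text)
    vlans = vlan_subinterfaces(root)
    assigned = interface_assignments(root)
    passes = pass_rule_counts(root)
    findings = []

    # Two VLAN entries with the same tag on the same parent cannot coexist.
    seen = {}
    for vlanif, key in vlans.items():
        if key in seen:
            findings.append(("duplicate-tag", vlanif, f"tag {key[1]} on {key[0]} already used by {seen[key]}"))
        seen[key] = vlanif

    # A VLAN that exists under Interfaces > VLANs but is not assigned is not routed.
    ports_in_use = {a["port"] for a in assigned.values()}
    for vlanif, (parent, tag) in vlans.items():
        if vlanif not in ports_in_use:
            findings.append(("unassigned-vlan", vlanif,
                             f"VLAN {tag} on {parent} has no interface assignment; pfSense will not route it"))

    # An enabled non-WAN interface with zero pass rules is under pf's default deny:
    # hosts on it cannot even ping the interface address.
    for name, a in assigned.items():
        if name == "wan" or not a["enabled"]:
            continue
        if passes.get(name, 0) == 0:
            findings.append(("default-deny", name,
                             f"{a['descr']} ({a['port']}) has no pass rules; default deny drops everything, including ping to {a['ipaddr']}"))
    return findings


if __name__ == "__main__":
    print("trunk tags expected on the switch uplink:", trunk_tags(parse_config(SAMPLE_CONFIG)))
    for kind, subject, msg in audit(SAMPLE_CONFIG):
        print(f"[{kind}] {subject}: {msg}")
```

    Run it against a config.xml exported from Diagnostics > Backup & Restore (after removing any secrets you do not want on your workstation) by replacing `SAMPLE_CONFIG` with the file contents. In the constructed sample, igc1.30 is defined but never assigned, and GUEST (opt2, igc1.20) is assigned and addressed but has no rules, which is exactly the "cannot ping the VLAN interface IP from the same VLAN" symptom from the thread; `trunk_tags` lists the tags that the downstream switch port must carry tagged, alongside the untagged LAN.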

  • 0 Votes
    1 Post
    54 Views
    No one has replied
  • communicating via vswitch from vms in bridges

    0 Votes
    15 Posts
    600 Views

    I got it to work. It had to do with not setting an MTU of 1400. I can now do DNS lookups and it works! Thank you for your suggestions.

  • 0 Votes
    1 Post
    114 Views
    No one has replied
  • 0 Votes
    4 Posts
    344 Views
    johnpoz

    @scottlindner If the goal is to leverage a 2.5GbE connection, yeah, a small 2.5GbE switch seems like a good solution.

    You could then, if there are enough ports on this new switch, use LACP from the 1 gig switch to provide more bandwidth to the router.

    This won't help with a single connection, but it would provide more bandwidth for multiple devices on the 48-port switch to the router interface through the 2.5GbE switch.

    Yeah, a 48-port 2.5GbE managed switch is probably not all that cheap ;)

    You could then also move a VLAN, or both, off your current LAN interface onto their own 2.5GbE interface. Maybe a 16-port 2.5GbE switch is more budget friendly? This would give you plenty of ports to work with: you could have 3 different uplinks for your networks, 2 or more as LACP to your 1GbE switch, and still leave plenty of ports for 2.5GbE APs on the new switch. Or maybe 8 ports is enough?

  • VLAN interfaces setup after changing network adapter

    0 Votes
    1 Post
    210 Views
    No one has replied
  • VLAN assignment to LAN and Ubiquiti switch

    0 Votes
    9 Posts
    1k Views

    @Gblenn
    I would have followed up earlier but have been busy with both the network and other stuff.
    I still appreciate your advice, and I have been reading more about the concept of VLANs.
    The old D-Link is still in the rack and I use it as a "backup" so I can go back to it if the Unifi switch does not work.
    There is another problem that I haven't been able to solve.
    The Unifi controller holds all the configured wired and wireless networks even if I use a hardware reset on the switch. But no matter what I do, the switch appears to be offline after a few moments.
    And even if it still handles the traffic according to the configuration, it is offline in the sense that I can't ping it or log in with SSH.
    When I use the old switch and just connect the new one through a single cable, the switch can be adopted and configured.
    I have read a lot of posts about similar issues on the Ubiquiti forum. Some suggest manually changing the inform host like this: set-inform http://ip-of-controller:8080/inform. This seems not to change anything.
    Other suggestions are to add option 43 to the DHCP server (pfSense) or make a host override in the same place.
    Do you have any suggestions?
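    For the DHCP option 43 route mentioned in the post above: UniFi devices look for the controller address in option 43 as a single sub-option 1, encoded as a type byte (0x01), a length byte (0x04) and the controller's IPv4 address as four raw bytes, and pfSense's DHCP server takes such a value as a "String" option written in colon-separated hex. The following is an added example, not Ubiquiti's or Netgate's code; the sub-option layout is the one Ubiquiti documents for UniFi adoption, and the controller address used here is a constructed sample.

```python
"""Build and verify the UniFi controller DHCP option 43 value for a pfSense DHCP server.

Added example. Assumes the UniFi layout: one sub-option, code 1, length 4,
followed by the controller IPv4 address in network byte order.
"""
import ipaddress
import struct


def unifi_option43(controller_ip):
    """Return the colon-separated hex string to paste into pfSense's option 43 field."""
    ip = ipaddress.IPv4Address(controller_ip)          # rejects garbage and IPv6
    payload = struct.pack("!BB4s", 1, 4, ip.packed)    # sub-option 1, length 4, address
    return ":".join(f"{b:02x}" for b in payload)


def decode_option43(hexstr):
    """Walk the TLV sub-options of an option 43 value and return the controller IP.

    Accepts the same colon-separated form pfSense shows, so a value copied back
    out of the GUI can be checked for typos before an AP or switch tries to use it.
    """
    raw = bytes.fromhex(hexstr.replace(":", ""))
    subopts = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, only {len(data)} present")
        subopts[code] = data
        i += 2 + length
    if 1 not in subopts or len(subopts[1]) != 4:
        raise ValueError("no 4-byte UniFi controller sub-option (code 1) found")
    return str(ipaddress.IPv4Address(subopts[1]))


if __name__ == "__main__":
    # Constructed sample controller address; replace with the real controller IP.
    value = unifi_option43("192.168.1.10")
    print("pfSense DHCP option 43, type String:", value)
    print("decodes back to:", decode_option43(value))
```

    In pfSense the value goes under Services > DHCP Server > (the interface the UniFi devices sit on) > Additional BOOTP/DHCP Options, Number 43, Type String. The decoder is there because a single mistyped hex digit (a wrong length byte, or the address off by one octet) leaves devices adopting against nothing, which looks very much like the "online for a moment, then offline" symptom described in the post.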

  • Unifi SSID/VLANs blocked from internet due to static IPs?

    0 Votes
    14 Posts
    2k Views
    johnpoz

    @dj_jc_jase Glad to hear it's sorted. Possibly something got messed up during the double change at the same time? I don't have anything on a PoE switch from Unifi, so not sure if the AP might reboot on a switch IP change because of loss of PoE, and then possibly lose contact with the controller to get its info. Something was not right.

    But from an actual network POV, the management IP of the switch and CK has zero to do with anything.

  • Bridge LAN 2 NICs, not communicating

    0 Votes
    7 Posts
    821 Views
    johnpoz

    @Antonio1971 If you set up a bridge, then your firewall rules have to allow the traffic over your bridge.

    While bridging can somewhat simulate the actions of a switch, it is not a switch. A $20 gig switch would solve your issue ;) Shoot, if you're only after 3 connections, a $10 5-port gig switch solves your problem.

    The time you have spent on this clearly exceeds the cost of a switch. I can tell you for sure that if I charged for my time answering, you could have gotten multiple smart switches, and I have spent only a couple of minutes, hehehe.

    A bridge does have specific use cases. Trying to turn 2 discrete interfaces into a switch is not one of them. The only time I would even think of doing it would be if production was down and it needed to be up NOW, and the switch won't be here until tomorrow.

  • Unifi UDM Gateway Network Tagging With pFsense

    0 Votes
    1 Post
    206 Views
    No one has replied
  • My first VLAN - No internet connectivity on the VLAN

    0 Votes
    7 Posts
    801 Views

    Got it sorted. For anyone reading, the main issue was that I have manual outbound NAT rules set up. I had to set up a NAT rule for the VLAN IP address range with WAN as the interface (thanks ChatGPT for correcting my mistake of putting the VLAN assignment as the interface). All is now working and bypassing NordVPN.

  • VLAN Bandwidth Speed Issue

    0 Votes
    5 Posts
    635 Views

    @patient0

    Thank you very much for your help.

  • Trouble with configuring Jumbo frames :(

    0 Votes
    27 Posts
    3k Views
    johnpoz

    @louis2 These are the only 2 machines talking to each other at the same time? Then it isn't a problem; your ACKs are going to go on the same wire as well now, so you would never be able to see full throughput, be it that small.

    You're talking about an optimization with jumbo frames, but then not caring about your overall bandwidth being reduced.

    What if you have machines C and D talking to each other on completely different VLANs, but they share the same wire now? Or could be.

    If you're happy with your setup, have at it.

    All of that aside, you still haven't shown that your disks can read/write at the extra throughput jumbo could bring. If the disks cannot write/read even bandwidth X (standard 1500), does it make any sense to complicate the network with jumbo to gain that extra speed jumbo could provide?

    There is no freaking way jumbo gives you this sort of boost:

    [image: speed.jpg]

    You have something else going on there if you are only seeing 3.2 on 1500 and 9.4 on jumbo.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.