@Zak-McKracken yeah you can have untagged or native vlan along with tagged vlans.. Unless your wanting to have a hard time, you can only have 1 untagged vlan..

Keep in mind a anything connected a port that sends out tagged traffic can be seen by the other end.. So they would be able to see broadcast and multicast traffic that is on those vlans.. But that seems fine from your info.. if you want to get to the management Ip that is not on a specific vlan, you would just need to add an untagged/native network on this interface that matches up with whatever IP scheme they are using.

@submitform said in Issues with 2 VLANS:

Any Ideas on what the issue is?

I think I know the answer.

@provels said in Cannot print over wifi to hardwired printer ... vlan issues ?:

o print to the printer's Wi-Fi directly?

That is not how I read that.. But maybe - I took it had a wireless vlan X, and a wired Y, and was printing from X IP to Y..

If its a true OS, like mac OS then he should be able to print even if the printer is on another vlan, because discovery is not involved.

@brannenj that screams firewall on the device..

Simple test.. from your wireless vlan ping the IP of the server, when you sniff on pfsense interface on the server interface.. Do you see pfsense send on the ping? If so - and no response then there is something on that device not answering the ping, ie firewall..

Here... pinging another on one of my vlans 192.168.2.50, from my 192.168.9.100 device.. While sniffing on the interface the 2.50 device is on..

request.jpg

If you only see the request, then pfsense sent on the traffic, but the device your pinging is not answering.

If you don't even see the ping requests go out, then pfsense never saw it? Your policy routing traffic, or your rules are not actually any any.. If you dont even see the requests go out on the interface for the server, validate the traffic gets there by sniffing on the pfsense wifi network interface.

@viragomann Hmmm. I could access it when it was on 10.0.0.1 as 10.0.0.3 from other 10.0.0.x addresses.

Investigated a bit more, and just installed a new pfsense 2.7.2, and everything works ok.
So the issue is most likely in old pfsense configs, but I think I'll just migrate all services to the new one and call it a day.

@lrqnet

Oh, good that I do inter-VLAN routing on my routing switch.

@the-other Thanks. the interface is set to auto... the TrendNet will auto negotiate at whatever is needed up to GB speeds

Bouncing the TrendNet makes everything work...for about 5 minutes... this is driving me crazy

@viragomann
Thank you so much, that is what I was doing wrong:
So it should be:
using SSH: login, reset to factory defaults, reboot and login on webinterface enabling SSH
Interfaces -> Assignments -> VLANs / Add
VLAN tag = 112
Description = "GUESTVLAN"
Save
Interfaces -> Interface Assignments -> Available ports: Select "VLAN 112 on mvneta0" / Add -> OPT2

Thanks again.
@KaschiFL: Yes solved

So I installed the pimd package

Added the two VLANs to the PIMD interfaces list and enabled them Add one pfsense interface as RP address for PIMd (192.168.12.1) left all other pimd configuration options at defaults

In addition, I add on each of the interfaces a firewall rule to pass everything, also checked the "Allow IP options" on those rules. Logging enabled.
In addition, I add on each interface at the very end a "catch all" blocking rule, also with logging enabled. This is so that I can see if my "pass" rule misses anything.

Then I started VLC multicast streaming server on 192.168.12.101 (vlan12):

cvlc BigBuckBunny_320x180.mp4 --sout "#rtp{dst=239.255.1.2,port=5004,ttl=10,mux=ts,sap,name=Bunny}" --no-sout-all --sout-keep --loop

PIMD status shows the server in its routing table:

Virtual Interface Table ====================================================== Vif Local Address Subnet Thresh Flags Neighbors --- --------------- ------------------ ------ --------- ----------------- 0 192.168.1.1 192.168.1 1 DR NO-NBR 1 192.168.2.1 192.168.2 1 DR NO-NBR 2 192.168.10.1 192.168.10 1 DISABLED 3 192.168.12.1 192.168.12 1 DR NO-NBR 4 79.239.182.225 79.239.182.225/32 1 DISABLED 5 192.168.1.1 register_vif0 1 Vif SSM Group Sources Multicast Routing Table ====================================================== ----------------------------------- (S,G) ------------------------------------ Source Group RP Address Flags --------------- --------------- --------------- --------------------------- 192.168.12.101 239.255.1.2 192.168.12.1 CACHE SG Joined oifs: .....j Pruned oifs: ...... Leaves oifs: ...... Asserted oifs: ...... Outgoing oifs: .....o Incoming : ...I.. TIMERS: Entry JP RS Assert VIFS: 0 1 2 3 4 5 205 60 0 0 0 0 0 0 0 0 ----------------------------------- (S,G) ------------------------------------ Source Group RP Address Flags --------------- --------------- --------------- --------------------------- 192.168.12.101 239.255.255.255 192.168.12.1 CACHE SG Joined oifs: .....j Pruned oifs: ...... Leaves oifs: ...... Asserted oifs: ...... Outgoing oifs: .....o Incoming : ...I.. TIMERS: Entry JP RS Assert VIFS: 0 1 2 3 4 5 205 60 0 0 0 0 0 0 0 0 --------------------------------- (*,*,G) ------------------------------------ Number of Groups: 4 Number of Cache MIRRORs: 8 ------------------------------------------------------------------------------

Then I start client on 192.168.1.196 (vlan1):

vlc rtp://239.255.1.2:5004

but dont get a video. This works fine, if client and server are on the same VLAN.

Packet capture on pfsense vlan1 interface shows that the client is trying to join the group:

22:31:55.963481 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_in { }] 22:31:56.735594 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_in { }] 22:31:57.327523 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_ex { }] 22:31:57.827784 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 48, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 239.255.1.2 is_ex { }] [gaddr 224.0.0.251 is_ex { }] 22:31:57.955683 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_ex { }] 22:32:11.647572 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 48, options (RA)) 192.168.1.196 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 239.255.1.2 is_ex { }] [gaddr 224.0.0.251 is_ex { }]

But I can't see anything in the firewall logs, though logging is enabled (see above).

Any ideas how to further debug this problem?

@stephenw10

Thanks very much for the confirmation and guidance.

I have changed the Proxmox bridge for 40 to include port 0, 2 and 3 and plugged a computer into port 2 - and it is acting like it would if it were plugged into the hub it was in (that as plugged into port 0 (LAN)).

Now to do some more reading on vLAN setup.

@Octopuss it is quite possible that kea disabled them.. Pretty sure the dhcp register is enalbed out of the box. If I recall correctly dhcp reservation or static dhcp as sometimes called is not enabled out of the box.

But since kea doesn't currently do either of those, its quite possible when moving to key those get disabled..

it is often recommended to disable dhcp registration, because it causes a restart of unbound on every dhcp thing.. If you have a lot of devices and short lease time, etc.. its possible that the constant restart of unbound can cause problems.

It is hoped that the move to kea will once and for all remove the restarting of unbound on dhcp changes.

@chrisd you would need nat between each of those devices with the same IP.. But pfsense is not going to let you create multiple vlans with the same IP range.

What devices are these that don't allow you to change its IP? That seems insane.. You could do what your asking with Virtual Routers on host.. Or you could use something like raspberry pi with dual nics, or https://www.gl-inet.com makes some cheap wifi router, you could always turn off the wifi if you don't need it, they are small, and like $30 I think..

Nevermind. My issue was the built in firewall on my server.

@viragomann Thank you, that did it. I really thought that I had tried that last night... :)

@jebzit Did you find a solution to this issue? I'm having the exact same issue with my pfSense box and Cisco 2960x Switch.

go to the proxmox forum

@John-Willard
The switch cannot know, which VLAN to assign to the Windows PC. You have to configure it accordingly.

On pfSense you add a VLAN to the network port, which the switch is connected to. Then add an interface and configure it.

On the switch you have to configure the port, which is connected to pfSense as tagged for the respective VLAN.
The port, which the PC is connected to, has to be added to the VLAN as untagged and also set the proper PVID.

Updates:

If I enable SSH and type ifconfig interface >ip< netmask >mask< it works as expected, so it looks like it's working but it's not applying the configuration from the web or something.
Resetting states does not change anything.
Using ifconfig interface down/up does not change anything.
I will continue looking for logs to try to see something