Hello all!

For anyone who finds this thread in the future, I figured it out and wrote up a guide on how to do it with a UniFi USW switch here.

A similar process applies when using UniFi WAPs, and i've done as such, and may write a future guide on that if desired/needed. But the aforementioned article should give you enough to apply it to a UniFi WAP :3

have a lovely day! <3

@bfostyvr

You have to look at the protocol stack. Ethernet is layer 2 and IP is layer 3. VLANs are often called layer 2.5, as they are applied to an Ethernet interface. VPNs are layer 3. You cannot add layer 2.5 to layer 3.

Again, you have to route the subnets over the VPN and recreate the VLAN at the other end.

@keyser connect the 2.5Gbit switch to a 1Gbit port is only to pass trough tagging...
On the 2.Gbit switch it would have one port to de 1GB VLAN Switch, one to the EAP670 (2.5GB) and the other ports to others 2.5Gb devices.. NAS, Proxmox server, etc...
And the LAG upgrade to 3 ports would be to increase troughput to PFSense <-> WAN.

Thank you both

Hi SteveITS,
I have turned off FW in windows and no other FW in the VLAN.
I have managed to resolve the issue by enabling "Asymmetric VLAN" on DLINK switch.
Now I can ping between VLAN and also access the resource.

@Octopuss Don't put any devices on that network other than your Admin PC or laptop or phone, etc.. Ie that is say the network you could talk to the pfsense web gui from..

My 192.168.9.0/24 which is the default vlan on the switch, I just changed it from ID 1 to 9.. is my management/trust network.. My box is on it, an my nas.. This is the network my 3 switches management IPs are on, via their default vlan..

All my other devices - lets call them "users" on on other vlans - which are not the default vlan of the switches, etc. Tvs, printer, iot stuff like all my lightbulbs, my garage door opener, my thermostat, etc.. all on different vlans.. Not even the same vlan.. I have a roku vlan - which is TVs, rokus, directTV box, etc. Then there is an iot vlans where like my lightbulbs and thermostat and alexas are on, etc.

Trusted wifi devices, are on a different vlan all together. Then there is a "guest" wifi, etc again a different vlan.. None of those vlans are the default vlan of the switches..

The default vlan of the switch is what I call my management/trust/infrastructure vlan, etc. If you really wanted to get paranoid - you don't have to put anything on it.. Other than the switches management IPs, which you could allow other devices from other vlans to get to..

A layer 2 switch is normally not going to let you put an IP on another vlan (SVI) that you could access its management functions from. None of the entry level switches for sure would even allow you to change the ID of the default vlan, or create a svi on another vlan, etc. So if you want to "manage" that switch your going to need to be able to get to that vlan, even if you don't have any other devices on it other than that switch or other switches, etc.

@skullnobrains , its possible share your script in github? Thanks!!!

@Bob-Dig Yeah silly me. Removing the VLAN and put the OPT3 port directly into an interface solved the DHCP problem.
A big thank you for your advice. :)

@johnpoz So I checked the settings and the following are how the switch is set up and the packet capture I did when trying to connect to vlan 10 on port 5 of the switch while it was looking for an address assignment:
![alt text]3da348ce-18db-464a-8c78-8d961cd08423-image.png

0f152dc9-ff6b-4451-8eb6-e16b8de65cfe-image.png

4971b310-2b0e-414a-bb4c-f0ed8e08c7c7-image.png

It still isn't working.

@Bob-Dig I configured mine to look like yours and it worked like before. However I managed to fix the issue by not using VID 20 and instead used VID 30. I ended up creating a new VLAN in pfSense while doing this, so maybe something was broken in the settings of VLAN with the 20 tag or some other device messed with VID 20.

Nonetheless my config now works but it still leaves me confused because I went through the same process creating the VLAN with tag 20 and tag 30. And I double checked every setting and rule.

In pfSense

Created the VLAN with the LAN-port as the parent interface and assigned it as an interface Setup firewall rules for DNS and blocking local IPs Enabled the DHCP server for the VLAN interface and assigned the IP address range.

Then on my smart switch I configured it like in my pictures in my first post.

And in FreshTomato I configured it exactly the same as in the pictures of the first post with the exception of my LAN setup which looks like this instead:

alt text

Hope my confusion can help someone else setting up VLANs atleast, thanks for the response @Bob-Dig

@ntgteuser1 The 8200 doesn’t have a switch. If you open a free ticket with Netgate they will convert your config for you, just explain what you want where.

@eeebbune
VRRP requires that the interfaces of both nodes are connected via layer 2. But pfSense works on layer 3.
So get a small dumb layer 2 switch and put it in between the ISP boxes and pfSense. On pfSense you have to configure only one WAN Interface.

@rajukarthik said in Internet is not working if i change LAN IP:

I am not able to ping pfsense IP

Are your lan rules set to lan net, or had you manually adjusted the rules to be specific IP range. out of the box the rule on lan is any any, with source of "lan net" so if you change the lan IP.. This rule would be adjusted to your new network.

If you can not ping the new pfsense lan IP, then your firewall rules have been adjusted from the default? your client didn't get new IP from dhcp or maybe you didn't adjust the dhcp when you change the IP.

For example I just changed one of my interfaces IP, and since I had set specific dhcp range - it now invalid.

dhcp.jpg

So while changing the lan IP should be straight forward, there are things that could bite you. Mask wrong? pfsense likes to default to /32 when you set an IP, which isn't going to work ;)

So what we need to do is figure out what is going wrong in your change..