• setting up VLAN issues, what am I doing wrong

    5
    0 Votes
    5 Posts
    607 Views
    P
    @viragomann Thank you so much, that is what I was doing wrong: So it should be:
    using SSH: login, reset to factory defaults, reboot and login on webinterface enabling SSH
    Interfaces -> Assignments -> VLANs / Add
    VLAN tag = 112
    Description = "GUESTVLAN"
    Save
    Interfaces -> Interface Assignments -> Available ports: Select "VLAN 112 on mvneta0" / Add -> OPT2
    Thanks again.
    @KaschiFL: Yes solved
  • multicast between VLANs

    igmp vlan multicast
    5
    0 Votes
    5 Posts
    2k Views
    D
    So I installed the pimd package
    Added the two VLANs to the PIMD interfaces list and enabled them
    Add one pfsense interface as RP address for PIMd (192.168.12.1)
    left all other pimd configuration options at defaults

    In addition, I add on each of the interfaces a firewall rule to pass everything, also checked the "Allow IP options" on those rules. Logging enabled. In addition, I add on each interface at the very end a "catch all" blocking rule, also with logging enabled. This is so that I can see if my "pass" rule misses anything.

    Then I started VLC multicast streaming server on 192.168.12.101 (vlan12):

        cvlc BigBuckBunny_320x180.mp4 --sout "#rtp{dst=239.255.1.2,port=5004,ttl=10,mux=ts,sap,name=Bunny}" --no-sout-all --sout-keep --loop

    PIMD status shows the server in its routing table:

        Virtual Interface Table ======================================================
        Vif  Local Address    Subnet              Thresh  Flags      Neighbors
        ---  ---------------  ------------------  ------  ---------  -----------------
          0  192.168.1.1      192.168.1                1  DR NO-NBR
          1  192.168.2.1      192.168.2                1  DR NO-NBR
          2  192.168.10.1     192.168.10               1  DISABLED
          3  192.168.12.1     192.168.12               1  DR NO-NBR
          4  79.239.182.225   79.239.182.225/32        1  DISABLED
          5  192.168.1.1      register_vif0            1

        Vif  SSM Group        Sources

        Multicast Routing Table ======================================================
        ----------------------------------- (S,G) ------------------------------------
        Source           Group            RP Address       Flags
        ---------------  ---------------  ---------------  ---------------------------
        192.168.12.101   239.255.1.2      192.168.12.1     CACHE SG
        Joined   oifs: .....j
        Pruned   oifs: ......
        Leaves   oifs: ......
        Asserted oifs: ......
        Outgoing oifs: .....o
        Incoming     : ...I..

        TIMERS:  Entry    JP    RS  Assert VIFS:  0  1  2  3  4  5
                   205    60     0       0        0  0  0  0  0  0
        ----------------------------------- (S,G) ------------------------------------
        Source           Group            RP Address       Flags
        ---------------  ---------------  ---------------  ---------------------------
        192.168.12.101   239.255.255.255  192.168.12.1     CACHE SG
        Joined   oifs: .....j
        Pruned   oifs: ......
        Leaves   oifs: ......
        Asserted oifs: ......
        Outgoing oifs: .....o
        Incoming     : ...I..

        TIMERS:  Entry    JP    RS  Assert VIFS:  0  1  2  3  4  5
                   205    60     0       0        0  0  0  0  0  0
        --------------------------------- (*,*,G) ------------------------------------
        Number of Groups: 4
        Number of Cache MIRRORs: 8
        ------------------------------------------------------------------------------

    Then I start client on 192.168.1.196 (vlan1):

        vlc rtp://239.255.1.2:5004

    but don't get a video. This works fine, if client and server are on the same VLAN.

    Packet capture on pfsense vlan1 interface shows that the client is trying to join the group:

        22:31:55.963481 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
            192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_in { }]
        22:31:56.735594 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
            192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_in { }]
        22:31:57.327523 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
            192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_ex { }]
        22:31:57.827784 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 48, options (RA))
            192.168.1.196 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 239.255.1.2 is_ex { }] [gaddr 224.0.0.251 is_ex { }]
        22:31:57.955683 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
            192.168.1.196 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.1.2 to_ex { }]
        22:32:11.647572 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 48, options (RA))
            192.168.1.196 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 239.255.1.2 is_ex { }] [gaddr 224.0.0.251 is_ex { }]

    But I can't see anything in the firewall logs, though logging is enabled (see above).

    Any ideas how to further debug this problem?
  • 'pooling' port and vLANs

    10
    0 Votes
    10 Posts
    853 Views
    bearhntr
    @stephenw10 Thanks very much for the confirmation and guidance. I have changed the Proxmox bridge for 40 to include port 0, 2 and 3 and plugged a computer into port 2 - and it is acting like it would if it were plugged into the hub it was in (that was plugged into port 0 (LAN)). Now to do some more reading on vLAN setup.
  • Unable to access anything (?) by hostname

    9
    0 Votes
    9 Posts
    830 Views
    johnpoz
    @Octopuss it is quite possible that kea disabled them.. Pretty sure the dhcp register is enabled out of the box. If I recall correctly dhcp reservation or static dhcp as sometimes called is not enabled out of the box. But since kea doesn't currently do either of those, it's quite possible when moving to kea those get disabled.. It is often recommended to disable dhcp registration, because it causes a restart of unbound on every dhcp thing.. If you have a lot of devices and short lease time, etc.. it's possible that the constant restart of unbound can cause problems. It is hoped that the move to kea will once and for all remove the restarting of unbound on dhcp changes.
  • Multiple devices with the same IP

    2
    0 Votes
    2 Posts
    364 Views
    johnpoz
    @chrisd you would need nat between each of those devices with the same IP.. But pfsense is not going to let you create multiple vlans with the same IP range. What devices are these that don't allow you to change its IP? That seems insane.. You could do what you're asking with Virtual Routers on host.. Or you could use something like raspberry pi with dual nics, or https://www.gl-inet.com makes some cheap wifi router, you could always turn off the wifi if you don't need it, they are small, and like $30 I think..
  • This topic is deleted!

    Moved
    3
    0 Votes
    3 Posts
    28 Views
  • Access server VLAN from different client VLAN

    2
    0 Votes
    2 Posts
    288 Views
    D
    Never mind. My issue was the built-in firewall on my server.
  • Proxmox, can't get VLAN to work

    3
    0 Votes
    3 Posts
    472 Views
    CreationGuy
    @viragomann Thank you, that did it. I really thought that I had tried that last night... :)
  • VLAN can not ping gateway

    8
    0 Votes
    8 Posts
    938 Views
    J
    @jebzit Did you find a solution to this issue? I'm having the exact same issue with my pfSense box and Cisco 2960x Switch.
  • VLAN subnet can't access pfSense

    sriov vlan virtualization proxmox
    3
    0 Votes
    3 Posts
    742 Views
    L
    go to the proxmox forum
  • VLAN Assistance

    6
    0 Votes
    6 Posts
    519 Views
    V
    @John-Willard The switch cannot know, which VLAN to assign to the Windows PC. You have to configure it accordingly. On pfSense you add a VLAN to the network port, which the switch is connected to. Then add an interface and configure it. On the switch you have to configure the port, which is connected to pfSense as tagged for the respective VLAN. The port, which the PC is connected to, has to be added to the VLAN as untagged and also set the proper PVID.
  • Question about static IP address config on VLANs

    2
    0 Votes
    2 Posts
    329 Views
    F
    Updates: If I enable SSH and type ifconfig interface >ip< netmask >mask< it works as expected, so it looks like it's working but it's not applying the configuration from the web or something. Resetting states does not change anything. Using ifconfig interface down/up does not change anything. I will continue looking for logs to try to see something
  • SG-2100, VLAN set up on LAN Port 4 can't reach internet

    8
    0 Votes
    8 Posts
    604 Views
    S
    @wayneflittner You're welcome. Presumably it had not seen/attached to the new interface. Run "nslookup netgate.com" at a command line to do a DNS lookup.
  • 0 Votes
    31 Posts
    3k Views
    C
    @johnpoz Yes, I managed a larger Cisco network many years ago when I worked. I run the same setup basically. We all called it L3 switching back then. You are moving traffic from port to port in a switch. It just happens to be network to network. Routing does not fit. We used eigrp routing from routers and L3 switches. L3 switching seems to fit vs just routing because it is happening at line speed not like regular slow routing. What would you call it to signify line speed routing? I think L3 switching works. Yes, you get a lot of users thinking they are doing L3 but really, they are doing L2 switching. Most people don't understand L3 switching. You need to be more a Cisco person. And now with 10gig and greater NICs needing L3 switching is getting farther out than it was 20 years ago. But when you push the edge a router and a L2 switch will break down compared to using a L3 switch.

    Oh, about your drawing mine is a little different my connecting L3 switch network is a VLAN port 192.168.0.2, not real IP address, but close which plugs into a NIC in Pfsense 192.168.0.1, VLAN not defined. So, both ports are defined in the same network 192.168.0.0/24. All network ports are defined as a VLAN but not the NIC which is not defined as a VLAN just regular IP address. Gateway for NIC IP address 192.168.0.1 is WAN. This I think is the default gateway on Pfsense but I am not sure as we are into the GUI and I am no expert on Pfsense. Gateway for VLAN on switch is the VLAN gateway on the L3 switch. All local traffic is routed by my L3 switch. Unknown traffic is routed to Pfsense NIC 192.168.0.1 my default route on my L3 switch. There are Pfsense firewall rules that allow networks on my L3 switch to pass.

    I don't use a network to pass traffic on. I did on an older Pfsense setup but I decided it was not needed for me and my home. My way is easier to setup. You just add the L3 switch to the network and whatever DHCP IP address is assigned is used. So, when I got a new Cisco L3 switch I went this way. It is easier to change switches for me. The best DHCP server I have used is Microsoft's DHCP server. We used it at work and I used it at home before I turned off my rack. I thought it worked well.
  • May be a silly question on vLANs and physical interfaces

    3
    0 Votes
    3 Posts
    404 Views
    M
    @Nismos4Life87 I have a very similar setup - my ix1 (10Gb fiber) has all my internal VLANs, and is native VLAN 1 for LAN. This works just fine. The only oddity I've found is mentioned in https://forum.netgate.com/topic/185889/vlan-traffic-showing-up-on-the-wrong-vlan, but is really cosmetic. Basically, LAN is ix1. All VLANs are defined with ix1 (lan) as the parent interface. No problems at all. My switch has the default (PVID) of 1 for the port attached to ix1, and all other internal VLANs are passed tagged to the same port.
  • VLAN traffic showing up on the wrong VLAN

    3
    0 Votes
    3 Posts
    466 Views
    M
    I believe, dup of https://redmine.pfsense.org/issues/12401
  • Need help passing a public IP address to a Unifi Phone on a Netgate 4100

    7
    0 Votes
    7 Posts
    621 Views
    S
    @sic0048 Skimmed it out of curiosity. It says "In particular, Unify Phone signaling, and media connections are always established in the outbound direction from the corporate network to the cloud." Don't see anything about a public IP...? The only firewall rules mentioned are outgoing. I think this is that case of "say thank you, hang up, and call back to get another tech." FWIW we're 3CX partners. They have a concept of an SBC or router phone that tunnels/proxies connections out to a remote 3CX server.
  • VLAN Wi-Fi AP not getting DHCP addresses

    12
    0 Votes
    12 Posts
    991 Views
    D
    @Jarhead: See my last post in a thread specifically about the firewall rules from this interface. The problem had been in the DNS rules for this interface’s firewall.
  • New VLANs not communicating

    1
    0 Votes
    1 Posts
    156 Views
    No one has replied
  • 7100 VLAN port issue

    2
    0 Votes
    2 Posts
    249 Views
    F
    I have figured out the issue. I am going to leave the solution here if someone is facing a similar issue. You have to change the VLAN id under the switch ports. The numbers look like they cannot be edited. But if you click on them, they become a text box. I figured it out from this video. https://www.youtube.com/watch?v=NgRy14rYhV8
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.