@Jarhead Thank you man! I wasted a lot of time without trying the most banal thing. Thank you again!

@BigA said in VLAN/Firewall Access for Admin Only on any of the firewalled Vlans: to access Pfsense from another area that only has access to the internet (PrivateIP Block rule) Rules are evaluated top down, first rule wins, no other rules are evaluated. If what your asking is how to allow some device or network that is limited to talking to other rfc1918 address (ie your other networks).. Just create a rule that allows who (what IP or network) to talk to your pfsense gui.. Be it the pfsense address on this network, or another pfsense IP, the built in alias "this firewall" could be used to be any IP address. So for example here is example locked down rule that prevents access to pfsense IPs other than specific (dns, icmp, ntp) etc.. And blocks all other access to any other rfc1918 address space. [image: 1705679940752-rules.jpg] So while these rules only allow this network "test subnets" which is 192.168.200/24 in my case.. To access icmp, dns and ntp on pfsense IP address in this network 192.168.200.253 for me. It blocks access to any other pfsense IP and rfc1918... I could if I wanted create say a rule that allows access to the pfsense IP on this network "test address" on the port my webgui listens on 8443 [image: 1705680344453-allowrule.jpg] This rule could be adjusted for your needs, only say a specific IP on this network, say 192.168.200.x for my network. if you want multiple ports say 80,443,22 etc.. you could create an alias that contains these ports. Or just create multiple rules. As long as the rule(s) are above where you block rfc1918 you would be able to access the web gui. Rules are evaluated in order, so if you don't hit a rule that matches be it allow or deny then you fall all the way through to the bottom and are denied by the default deny rule (that isn't shown in the gui).

@ChrisJenk What he meant was of course it's tagged. The parent (or trunk port if you're more familiar) will carry the untagged traffic. Any vlan on it will have to be tagged.

@jahnieboi after restart switch, it will work. :)

@viragomann You are correct, the solution was to create a outbound nat. I had tried this before but I made a mistake for the interface I selected VLAN30, but this was not the correct interface. The interface should have been LAN. Your solution pointed out that mistake. Thank you.

@Jarhead Color me confused. Before doing the screen shots, I rebooted the 2100 and plugged a device into Port 2 (which) is where I had set up the VLAN. Still no DHCP, then, set a Static address on the device in the range and it worked! I could get to the 2100 on the primary IP for that VLAN. Switched the device BACK to DHCP and, then, DID get an IP. When in doubt, reboot, eh? Thanks for your responses, they did help my thinking process and confirmed I was not completely crazy.

Are you switches the same brand/model? Depending on the switch, you might be able to "stack" the switches together which physically connects them and provides a single point of management for both switches. Not all switches offer this functionality however.

@jamcallis well your not going to be able to get to them are you, so guess it could cause some delay in connecting as it tries all the ones that wont work..

@caramel_juni also noticed that your using a LAGG network make sure your unifi supports it (sure it does) and I think aggregation is the unifi setting- I also assign all my unifi devices a static IP address- otherwise I have seen my cloudkey list my trunk port gateway address as on of the vlans rather than the parent interface address-

All sorted, can you believe a simple reboot fixed it. Thanks all for you input

@JonathanLee Ok, Already tried to change the MTU from the single interface. Thing is: my interfaces, apart from vtnet0 (wan) are all vlans on the same trunk interface (vtnet0). Now, I only assiged the vlans, not the base interface, so I couldn't go to the interface from the gui. Solution: I assigned momentarily the base interface (vtnet1), changed the MTU -> automatically changed in all of the vlans, then deleted the assignment (as I only actually need the vlans on that one). Thank you very much.

@Aved590 What happens if you do a traceoute out from one of the devices on that vlan to a public address. I normally use Hybrid NAT to have more granular control over scenarios like this.

I would definitely use a static IP address (or at least reserve a static IP address in the DCHP service if you still want to set you equipment up for DHCP connections) for any network hardware (switches, APs, etc). Does the AP support VLAN tagging? (Usually it does if the AP supports transmitting several different networks/SSIDs). If it does, I don't think it really matters what subnet the device falls on because it will use VLAN tagging in conjunction with your VLAN aware switch to break up the different segments. In that case I would probably have it assigned to the same subnet as all of my other network gear (switches etc) to keep the management of those devices all on the same network subnet. If the AP doesn't support VLAN tagging, then you want to make sure the hardware as an IP address in the VLAN you expect it's traffic to use.

@Viper_Rus said ...As they already wrote to you, using bridges to connect different segments of the same VLAN is not very good, because The processor's performance is wasted, but if there is no other option (buying a smart switch), I don't see anything very bad about it. Thank you, that is what i needed to know. @johnpoz sometimes money is not the only factor for deciding whether you should buy another piece of gear or not. Adding a switch is simple and inexpensive but it involves finding a spot for it, finding a receptacle for it, finding/making patch cables, labeling, documenting, etc... In this case, i wanted to explore if i could make use of the unpopulated ports in my firewall to connect my VLAN compatible AP without having to make physical changes to the network infrastructure. Based on your response, and the opinion of some others i have talked to, this might be possible but is not recommended in the long run if you want a stable network. So, we have determined that a managed switch is the recommended way to go forward. This has created a snowball effect in me since a single 16-port managed switch could replace my other 2 dumb switches (making my network infrastructure simpler). ...and, if its provided with POE it could power AP and IP-Phones? ...and, if i buy a switch form the same manufacturer as the AP i might as well use their central managing controller software. So, in order to setup VLANS on my single AP I ended up buying a software managed, 16-port, POE switch. I should get it by the end of this week. This is very far from the original idea of just changing some settings in PFsense. But, all in all I'm happy that you guys guided me on how to do it properly as this network is extremely important for my business operations.

@eykalzz said in how to make multiple ip: I want protect from ddos attack Firewalls are not much use against a volumetric ddos attack.. Use a host only VM network and put it attached to your pfsense lan you create on the VM host.. Are you just making up IP ranges here, and trying to express a public IP range?

Ok I seemed to have solved the problem, tho i dont understand exactly why it was an issue. In my pfSense i had created a WAN failover group, that basically in the event igc0 WAN goes down, it will automatically fail over to igc2 (4G router). In the firewall rules for the Server, i had set the gateway from "Default" to this gateway group. However, for some reason this wouldnt allow the server to ping anything on the LAN, except the 192.168.1.1 gateway So i changed the server firewall rule back to default gateway, but under System/Routing/Gateways i already had the failover gateway group set as the default. Now with the appropriate firewall rule allowing IMCP with default gateway set, i can ping from Server to LAN PCs. And with another rule, i have managed to get the service on my LAN (wazuh), to communicate with the server.

@gwaitsi you're consulting L2 specs to assess L3 throughput performance? apples to oranges. My question is; 6ms does that seem long for a switch and/or lagg interface? short answer: no.