I would definitely use a static IP address (or at least reserve a static IP address in the DCHP service if you still want to set you equipment up for DHCP connections) for any network hardware (switches, APs, etc).

Does the AP support VLAN tagging? (Usually it does if the AP supports transmitting several different networks/SSIDs).

If it does, I don't think it really matters what subnet the device falls on because it will use VLAN tagging in conjunction with your VLAN aware switch to break up the different segments. In that case I would probably have it assigned to the same subnet as all of my other network gear (switches etc) to keep the management of those devices all on the same network subnet.

If the AP doesn't support VLAN tagging, then you want to make sure the hardware as an IP address in the VLAN you expect it's traffic to use.

@Viper_Rus said

...As they already wrote to you, using bridges to connect different segments of the same VLAN is not very good, because The processor's performance is wasted, but if there is no other option (buying a smart switch), I don't see anything very bad about it.

Thank you, that is what i needed to know.

@johnpoz sometimes money is not the only factor for deciding whether you should buy another piece of gear or not.

Adding a switch is simple and inexpensive but it involves finding a spot for it, finding a receptacle for it, finding/making patch cables, labeling, documenting, etc...

In this case, i wanted to explore if i could make use of the unpopulated ports in my firewall to connect my VLAN compatible AP without having to make physical changes to the network infrastructure.

Based on your response, and the opinion of some others i have talked to, this might be possible but is not recommended in the long run if you want a stable network.

So, we have determined that a managed switch is the recommended way to go forward.

This has created a snowball effect in me since a single 16-port managed switch could replace my other 2 dumb switches (making my network infrastructure simpler).
...and, if its provided with POE it could power AP and IP-Phones?
...and, if i buy a switch form the same manufacturer as the AP i might as well use their central managing controller software.

So, in order to setup VLANS on my single AP I ended up buying a software managed, 16-port, POE switch. I should get it by the end of this week.

This is very far from the original idea of just changing some settings in PFsense. But, all in all I'm happy that you guys guided me on how to do it properly as this network is extremely important for my business operations.

@eykalzz said in how to make multiple ip:

I want protect from ddos attack

Firewalls are not much use against a volumetric ddos attack..

Use a host only VM network and put it attached to your pfsense lan you create on the VM host..

Are you just making up IP ranges here, and trying to express a public IP range?

Ok I seemed to have solved the problem, tho i dont understand exactly why it was an issue.

In my pfSense i had created a WAN failover group, that basically in the event igc0 WAN goes down, it will automatically fail over to igc2 (4G router). In the firewall rules for the Server, i had set the gateway from "Default" to this gateway group. However, for some reason this wouldnt allow the server to ping anything on the LAN, except the 192.168.1.1 gateway 🤷

So i changed the server firewall rule back to default gateway, but under System/Routing/Gateways i already had the failover gateway group set as the default.

Now with the appropriate firewall rule allowing IMCP with default gateway set, i can ping from Server to LAN PCs. And with another rule, i have managed to get the service on my LAN (wazuh), to communicate with the server.

@gwaitsi you're consulting L2 specs to assess L3 throughput performance? apples to oranges.

My question is;
6ms does that seem long for a switch and/or lagg interface?

short answer: no.

@getcom i have 7 vlans over lagg since 2.6x

@Jarhead exactly - an IP is always 32 bits in length, it can be nothing other than that.. if wouldn't be a IP if wasn't - that you would have to call out that hey this IP is 32 bits makes zero sense..

In 30 some years working in IT, even before there was IPs.. Have never seen anything that would require you to call out that your IP address you is 32 bits, because well its a given that it is.. When you set the mask your setting what network this IP is on.

While that switch is not layer3, it does seem to support VLAN tagging. This means that you can use VLANs with this switch. However the VLAN management (rules, routing, etc) will be handled on the firewall.

For anyone that needs it, I was finally able to get this working again by loading a new firmware image to pfsense and reloading the config. Once it was all back up again, the interfaces were working. No idea what caused it or why, I was never able to track that down, but at least it's functioning properly.

@viragomann said in first VLAN setup - need help:

@stimpe
Looks well to me so far, but I don't know this switch.
However, for clear segmentation I'd recommend to run all SSIDs on the AP over VLANs.

To verify if the switch is configured properly, connect a VLAN capable computer to port 7 instead of the AP, configure its interface for VLAN3 and set an IP outside of the DHCP range.
On pfSense add a rule to OPT1 to allow access and try to ping its interface IP then from the computer.

Thanks for your input. I will definitely try swapping the AP for a computer on port 7 to see if VLAN3 works there.

@sysadminfromhell I suppose it's possible it could have been a cheap/fake x710 giving you the problems. I'd have probably looked at the firewall rules or checked if there was any rate limiting in place but it sounds like the replacement nic has put you right.

Hello all!

For anyone who finds this thread in the future, I figured it out and wrote up a guide on how to do it with a UniFi USW switch here.

A similar process applies when using UniFi WAPs, and i've done as such, and may write a future guide on that if desired/needed. But the aforementioned article should give you enough to apply it to a UniFi WAP :3

have a lovely day! <3

@bfostyvr

You have to look at the protocol stack. Ethernet is layer 2 and IP is layer 3. VLANs are often called layer 2.5, as they are applied to an Ethernet interface. VPNs are layer 3. You cannot add layer 2.5 to layer 3.

Again, you have to route the subnets over the VPN and recreate the VLAN at the other end.

@keyser connect the 2.5Gbit switch to a 1Gbit port is only to pass trough tagging...
On the 2.Gbit switch it would have one port to de 1GB VLAN Switch, one to the EAP670 (2.5GB) and the other ports to others 2.5Gb devices.. NAS, Proxmox server, etc...
And the LAG upgrade to 3 ports would be to increase troughput to PFSense <-> WAN.

Thank you both