It works just fine.
I spent 4 hours scratching my head and troubleshooting almost everything technical about this and not seeing the VLAN tagging packets coming from What I thought was the otehr end of a cable on the LAN interface.
This because I was trusting which very obvious and only cable of its color was feeding the uplink port on the main switch.
I even drove a couple hours and back to go grab another server (different hardware) that I knew was working.
Just as I went to rack and connect the different server, I could see that we had been on the wrong cable all along SMH.
Heat and dehydration were factors and just trying stuff trying to figure it out totally trusting the information I was given about the cable feeding the switch.
Which is usually a solid accurate and trusted source on a normal day :)
Sorry for the false alarm.
I really need to kick myself harder this time.
No excuse for this crap. I'm usually better than that.

@tigerT well I checked what happens when you don't have a specific host override set for one pfsense vlan interfaces..

> server 192.168.3.253 Default Server: [192.168.3.253] Address: 192.168.3.253

Which makes sense when you think about it. I prob going to start changing my stuff to reflect new home.arpa domain.

> server 192.168.3.253 Default Server: sg4860.dmz.home.arpa Address: 192.168.3.253

Hi,

I have had another look at this but am getting nowhere, probably my lack of knowledge.

Did find this post which seems similar and have tried to follow the suggested resolution but dont think I have got that right:

https://forum.netgate.com/topic/152523/pfsense-and-ubiquiti-usg-working-together

The suggested resolution was:

***stephenw10 Netgate Administrator
Aug 11, 2020, 1:13 AM

You don't. You need a route from pfSense to the USG LAN. Otherwise pfSense has no idea how to reach it and traffic that it gets for a client in the USG LAN will not be routed correctly. If you don't have a statuc route back to the USG LAN the NAT allows it work by translating all the traffic to the USG WAN address which pfSense does know how to reach.

1x NAT is better so add the static route to pfSense. Disable NAT on the USG.

Steve

stephenw10 Netgate Administrator
Aug 11, 2020, 1:41 AM

The static route has to be on pfSense itself. You have to add a static route via a gateway so first go to System > Routing > Gateways and add a new gateway.

Set the USG WAN IP as a gateway and on the pfSense LAN interface which will be in the same subnet.
Now go to the static routes tab. Add a new static route to the USG LAN subnet via the new gateway you just added.

With that in place pfSense can reach the clients without the USG having to NAT.

Steve***

So the IP's I have are:
pfSense 192.168.2.1
USG WAN from pfSense 192.168.2.10
USG LAN 192.168.1.1 Providing DHCP to LAN Clients

This is what I have tried:
Screenshot 2023-08-03 161807.png

Screenshot 2023-08-03 161933.png

Screenshot 2023-08-03 162031.png

Any help wpuld be really appreciated.

@orangehand Without more info the best I can do is suggest that you watch this video. https://youtu.be/WMyz7SVlrgc

I followed this to setup VLANs on my pfsense and unifi equipment. Note that is you have a SG-1100 or SG-2100 there are extra steps.

After some research, I found out about arpwatch.

Sorry.

@Austin-0

Ah ok. My first time playing with vlans so I thought that as long as a vlan capable switch was in the middle I could still feed multiple vlans down one cable.

I’m currently setting up another client with windows. Once done I’ll change a port to each individual vlan only, assign it an IP from the respective pool and test then feed back. Would be great if this is working and it was just my understanding of it being lacking as I can then start asking my next questions in the appropriate threads.

Looks like its more complicated, something in my configuration is causing other issues. I have another unit to test with but if I change the lan interface to get its address from dhcp then it exhibits the same issue, interface goes off and online over and over and never stops unless I reboot. Reboot and all id fine unless I unplug and then the issue repeats. So something is going on with that interface, if I change it back to static then all is well, so I know track interface causes issues even with a static IP, never comes back unless I reboot and if you unplug it never comes back online. I get the same results when I remove the track interface and select DHCP to configure the interface.

I do know that in a default configuration I do not see the issue so it's something else going on with my configuration but not sure where or how to look, anyone have any suggestions let me know, thanks.

Thats a web browser issue. I had the same problem with "Apply Changes" button missing. Resolved with cache cleaning.

@johnpoz

Thanks for that info! I'll put in a managed switch in between the 4100 and the 2 other managed switches, then.

@CyberTend Looks like you hit a bug or have a partially installed driver.

If you're running ZFS I'd roll back to 23.05 or 23.01, if you're not go to https://go.netgate.com to open a ticket to get the 23.05.1 release image and reinstall.

@Bruce74 My pleasure!

Looks like I was missing something: no client on these VLANs were getting DHCP (IPv4) assignments. They did, however, have active IPv6 addresses. Apparently, DHCP snooping was enabled on all the switches, and disabling it solved the problem. I noticed this shortly after posting.

@DaveinTN
Without knowing how you setup the VLANS (at the console after installing PFSense fresh or from the web interface after completing a basic install and then running the first time wizard from the web interface and configuring a basic working LAN/WAN) it's hard to say what is happening.

It sounds like it didn't finish the basic setup after install and is doing that over and over, or not saving changes... What I prefer to do is install PFSense, just the standard setup through the install wizard. Then in the console, I make sure that the correct network ports are selected for LAN/WAN and set the proper network for LAN. I then go into the web interface and complete the first time wizard (verify interfaces, change admin password...). With that complete, I verify I have internet connectivity. Then I reboot and configure any other packages such as SNORT or PFBlocker. Once I have those basics UP I then go into INTERFACES/ASSIGNMENTS to create my VLANS on the VLAN tab, then assign them to the correct ports on the INTERFACES ASSIGNMENTS tab.

If you have a working PFSense already and are adding VLANS as a new feature- are you logged into the web interface, INTERFACES/ASSIGNMENTS, and does it appear to be saving the changes when you SAVE?

@soultwist Nevermind. I solved it myself. This is what happens when you don't take a break. I was making it overcomplicated. When I thought about after my break I realized I need to skip all the bullshit with bridges and laggs and just give the free 10G port on pfsense a separate interface and put the Truenas on it's own vlan there and just give all other subnets access to it thru the rules instead.
Just a smidge simpler and it works. :)

Thanks anyway.

Same here, did it once to just learn a bit.
To my knowledge bridging is the only way, but smarter people may point out some other way.

ok, so spotted the issue... the 5G router is setting the netmask to /31 and then providing a gateway in the next /31 so obviously that won't work (I'm assuming here it is the router and not actually the ISP APN). Seems pfSense has actually fixed some issues in the last two versions to correct that behaviour as the IP assignment has been the same throughout. The 5G router has 2 options for the interface subnet selection in passthrough/bridge mode - PTP (/31) which I imagine would work if the IP and gateway were on appropriate subnet boundaries or auto which in my case uses /30 so that now works. Oddly though I now don't receive the public static IP via dhcp if I also have an alias IP in the dhcp interface config on pfSense (can add an IP alias instead - need this to be able to actually connect to the 5G router locally if required on it's rfc1918 address) but removing that then all works again. Will keep investigating

@yfreiberger said in Configuring PFsense as transparent firewall over multiple interfaces between access points and vlan edge router subnets, With different filtering rules for each Existing interface:

in the sense that it effectively blocks traffic originating from the internet.

That is really any home, even a 20$ wifi router would do that..

if your current device does not have the ability to filter between vlans the way you want, then replace it with pfsense. Putting in a in between your edge router and your devices is way more complex then just using pfsense as your router that is for sure.

But you can can create multiple bridges on pfsense, one for each vlan on your network.

Most smart or managed switches, other then the cheap entry level ones would allow for ACLs to filter traffic on vlans/ports as well. There would be no need for pfsense.. I filter traffic at my switch, mostly just for broadcast and multicast - but depending on your switch you could do your "filtering" there.

But the simple solution is just use pfsense as your router..