@getcom i have 7 vlans over lagg since 2.6x

@Jarhead exactly - an IP is always 32 bits in length, it can be nothing other than that.. if wouldn't be a IP if wasn't - that you would have to call out that hey this IP is 32 bits makes zero sense.. In 30 some years working in IT, even before there was IPs.. Have never seen anything that would require you to call out that your IP address you is 32 bits, because well its a given that it is.. When you set the mask your setting what network this IP is on.

While that switch is not layer3, it does seem to support VLAN tagging. This means that you can use VLANs with this switch. However the VLAN management (rules, routing, etc) will be handled on the firewall.

For anyone that needs it, I was finally able to get this working again by loading a new firmware image to pfsense and reloading the config. Once it was all back up again, the interfaces were working. No idea what caused it or why, I was never able to track that down, but at least it's functioning properly.

@viragomann said in first VLAN setup - need help: @stimpe Looks well to me so far, but I don't know this switch. However, for clear segmentation I'd recommend to run all SSIDs on the AP over VLANs. To verify if the switch is configured properly, connect a VLAN capable computer to port 7 instead of the AP, configure its interface for VLAN3 and set an IP outside of the DHCP range. On pfSense add a rule to OPT1 to allow access and try to ping its interface IP then from the computer. Thanks for your input. I will definitely try swapping the AP for a computer on port 7 to see if VLAN3 works there.

@sysadminfromhell I suppose it's possible it could have been a cheap/fake x710 giving you the problems. I'd have probably looked at the firewall rules or checked if there was any rate limiting in place but it sounds like the replacement nic has put you right.

Hello all! For anyone who finds this thread in the future, I figured it out and wrote up a guide on how to do it with a UniFi USW switch here. A similar process applies when using UniFi WAPs, and i've done as such, and may write a future guide on that if desired/needed. But the aforementioned article should give you enough to apply it to a UniFi WAP :3 have a lovely day! <3

@bfostyvr You have to look at the protocol stack. Ethernet is layer 2 and IP is layer 3. VLANs are often called layer 2.5, as they are applied to an Ethernet interface. VPNs are layer 3. You cannot add layer 2.5 to layer 3. Again, you have to route the subnets over the VPN and recreate the VLAN at the other end.

@keyser connect the 2.5Gbit switch to a 1Gbit port is only to pass trough tagging... On the 2.Gbit switch it would have one port to de 1GB VLAN Switch, one to the EAP670 (2.5GB) and the other ports to others 2.5Gb devices.. NAS, Proxmox server, etc... And the LAG upgrade to 3 ports would be to increase troughput to PFSense <-> WAN.

Thank you both

Hi SteveITS, I have turned off FW in windows and no other FW in the VLAN. I have managed to resolve the issue by enabling "Asymmetric VLAN" on DLINK switch. Now I can ping between VLAN and also access the resource.

@Octopuss Don't put any devices on that network other than your Admin PC or laptop or phone, etc.. Ie that is say the network you could talk to the pfsense web gui from.. My 192.168.9.0/24 which is the default vlan on the switch, I just changed it from ID 1 to 9.. is my management/trust network.. My box is on it, an my nas.. This is the network my 3 switches management IPs are on, via their default vlan.. All my other devices - lets call them "users" on on other vlans - which are not the default vlan of the switches, etc. Tvs, printer, iot stuff like all my lightbulbs, my garage door opener, my thermostat, etc.. all on different vlans.. Not even the same vlan.. I have a roku vlan - which is TVs, rokus, directTV box, etc. Then there is an iot vlans where like my lightbulbs and thermostat and alexas are on, etc. Trusted wifi devices, are on a different vlan all together. Then there is a "guest" wifi, etc again a different vlan.. None of those vlans are the default vlan of the switches.. The default vlan of the switch is what I call my management/trust/infrastructure vlan, etc. If you really wanted to get paranoid - you don't have to put anything on it.. Other than the switches management IPs, which you could allow other devices from other vlans to get to.. A layer 2 switch is normally not going to let you put an IP on another vlan (SVI) that you could access its management functions from. None of the entry level switches for sure would even allow you to change the ID of the default vlan, or create a svi on another vlan, etc. So if you want to "manage" that switch your going to need to be able to get to that vlan, even if you don't have any other devices on it other than that switch or other switches, etc.

@skullnobrains , its possible share your script in github? Thanks!!!

@Bob-Dig Yeah silly me. Removing the VLAN and put the OPT3 port directly into an interface solved the DHCP problem. A big thank you for your advice. :)