@Austin-0

Ah ok. My first time playing with vlans so I thought that as long as a vlan capable switch was in the middle I could still feed multiple vlans down one cable.

I’m currently setting up another client with windows. Once done I’ll change a port to each individual vlan only, assign it an IP from the respective pool and test then feed back. Would be great if this is working and it was just my understanding of it being lacking as I can then start asking my next questions in the appropriate threads.

Looks like its more complicated, something in my configuration is causing other issues. I have another unit to test with but if I change the lan interface to get its address from dhcp then it exhibits the same issue, interface goes off and online over and over and never stops unless I reboot. Reboot and all id fine unless I unplug and then the issue repeats. So something is going on with that interface, if I change it back to static then all is well, so I know track interface causes issues even with a static IP, never comes back unless I reboot and if you unplug it never comes back online. I get the same results when I remove the track interface and select DHCP to configure the interface.

I do know that in a default configuration I do not see the issue so it's something else going on with my configuration but not sure where or how to look, anyone have any suggestions let me know, thanks.

Thats a web browser issue. I had the same problem with "Apply Changes" button missing. Resolved with cache cleaning.

@johnpoz

Thanks for that info! I'll put in a managed switch in between the 4100 and the 2 other managed switches, then.

@CyberTend Looks like you hit a bug or have a partially installed driver.

If you're running ZFS I'd roll back to 23.05 or 23.01, if you're not go to https://go.netgate.com to open a ticket to get the 23.05.1 release image and reinstall.

@Bruce74 My pleasure!

Looks like I was missing something: no client on these VLANs were getting DHCP (IPv4) assignments. They did, however, have active IPv6 addresses. Apparently, DHCP snooping was enabled on all the switches, and disabling it solved the problem. I noticed this shortly after posting.

@DaveinTN
Without knowing how you setup the VLANS (at the console after installing PFSense fresh or from the web interface after completing a basic install and then running the first time wizard from the web interface and configuring a basic working LAN/WAN) it's hard to say what is happening.

It sounds like it didn't finish the basic setup after install and is doing that over and over, or not saving changes... What I prefer to do is install PFSense, just the standard setup through the install wizard. Then in the console, I make sure that the correct network ports are selected for LAN/WAN and set the proper network for LAN. I then go into the web interface and complete the first time wizard (verify interfaces, change admin password...). With that complete, I verify I have internet connectivity. Then I reboot and configure any other packages such as SNORT or PFBlocker. Once I have those basics UP I then go into INTERFACES/ASSIGNMENTS to create my VLANS on the VLAN tab, then assign them to the correct ports on the INTERFACES ASSIGNMENTS tab.

If you have a working PFSense already and are adding VLANS as a new feature- are you logged into the web interface, INTERFACES/ASSIGNMENTS, and does it appear to be saving the changes when you SAVE?

@soultwist Nevermind. I solved it myself. This is what happens when you don't take a break. I was making it overcomplicated. When I thought about after my break I realized I need to skip all the bullshit with bridges and laggs and just give the free 10G port on pfsense a separate interface and put the Truenas on it's own vlan there and just give all other subnets access to it thru the rules instead.
Just a smidge simpler and it works. :)

Thanks anyway.

Same here, did it once to just learn a bit.
To my knowledge bridging is the only way, but smarter people may point out some other way.

ok, so spotted the issue... the 5G router is setting the netmask to /31 and then providing a gateway in the next /31 so obviously that won't work (I'm assuming here it is the router and not actually the ISP APN). Seems pfSense has actually fixed some issues in the last two versions to correct that behaviour as the IP assignment has been the same throughout. The 5G router has 2 options for the interface subnet selection in passthrough/bridge mode - PTP (/31) which I imagine would work if the IP and gateway were on appropriate subnet boundaries or auto which in my case uses /30 so that now works. Oddly though I now don't receive the public static IP via dhcp if I also have an alias IP in the dhcp interface config on pfSense (can add an IP alias instead - need this to be able to actually connect to the 5G router locally if required on it's rfc1918 address) but removing that then all works again. Will keep investigating

@yfreiberger said in Configuring PFsense as transparent firewall over multiple interfaces between access points and vlan edge router subnets, With different filtering rules for each Existing interface:

in the sense that it effectively blocks traffic originating from the internet.

That is really any home, even a 20$ wifi router would do that..

if your current device does not have the ability to filter between vlans the way you want, then replace it with pfsense. Putting in a in between your edge router and your devices is way more complex then just using pfsense as your router that is for sure.

But you can can create multiple bridges on pfsense, one for each vlan on your network.

Most smart or managed switches, other then the cheap entry level ones would allow for ACLs to filter traffic on vlans/ports as well. There would be no need for pfsense.. I filter traffic at my switch, mostly just for broadcast and multicast - but depending on your switch you could do your "filtering" there.

But the simple solution is just use pfsense as your router..

This shouldn't involve your firewall at all. Create the vlans on the switches, set the DHCP helper/relay on the switches to point to your DHCP server, and create the scopes on your dhcp server.

@hkjarral Hey
Thank you for your fast answer.
I'm probably dumb, didn't see this thread is about PFsense...
I tried to create the bridge via GUI, but of course it is different.
Anyways, thank you.

Fixed by applying patches via system patches.