@DaveinTN Without knowing how you setup the VLANS (at the console after installing PFSense fresh or from the web interface after completing a basic install and then running the first time wizard from the web interface and configuring a basic working LAN/WAN) it's hard to say what is happening. It sounds like it didn't finish the basic setup after install and is doing that over and over, or not saving changes... What I prefer to do is install PFSense, just the standard setup through the install wizard. Then in the console, I make sure that the correct network ports are selected for LAN/WAN and set the proper network for LAN. I then go into the web interface and complete the first time wizard (verify interfaces, change admin password...). With that complete, I verify I have internet connectivity. Then I reboot and configure any other packages such as SNORT or PFBlocker. Once I have those basics UP I then go into INTERFACES/ASSIGNMENTS to create my VLANS on the VLAN tab, then assign them to the correct ports on the INTERFACES ASSIGNMENTS tab. If you have a working PFSense already and are adding VLANS as a new feature- are you logged into the web interface, INTERFACES/ASSIGNMENTS, and does it appear to be saving the changes when you SAVE?

@soultwist Nevermind. I solved it myself. This is what happens when you don't take a break. I was making it overcomplicated. When I thought about after my break I realized I need to skip all the bullshit with bridges and laggs and just give the free 10G port on pfsense a separate interface and put the Truenas on it's own vlan there and just give all other subnets access to it thru the rules instead. Just a smidge simpler and it works. :) Thanks anyway.

Same here, did it once to just learn a bit. To my knowledge bridging is the only way, but smarter people may point out some other way.

ok, so spotted the issue... the 5G router is setting the netmask to /31 and then providing a gateway in the next /31 so obviously that won't work (I'm assuming here it is the router and not actually the ISP APN). Seems pfSense has actually fixed some issues in the last two versions to correct that behaviour as the IP assignment has been the same throughout. The 5G router has 2 options for the interface subnet selection in passthrough/bridge mode - PTP (/31) which I imagine would work if the IP and gateway were on appropriate subnet boundaries or auto which in my case uses /30 so that now works. Oddly though I now don't receive the public static IP via dhcp if I also have an alias IP in the dhcp interface config on pfSense (can add an IP alias instead - need this to be able to actually connect to the 5G router locally if required on it's rfc1918 address) but removing that then all works again. Will keep investigating

@yfreiberger said in Configuring PFsense as transparent firewall over multiple interfaces between access points and vlan edge router subnets, With different filtering rules for each Existing interface: in the sense that it effectively blocks traffic originating from the internet. That is really any home, even a 20$ wifi router would do that.. if your current device does not have the ability to filter between vlans the way you want, then replace it with pfsense. Putting in a in between your edge router and your devices is way more complex then just using pfsense as your router that is for sure. But you can can create multiple bridges on pfsense, one for each vlan on your network. Most smart or managed switches, other then the cheap entry level ones would allow for ACLs to filter traffic on vlans/ports as well. There would be no need for pfsense.. I filter traffic at my switch, mostly just for broadcast and multicast - but depending on your switch you could do your "filtering" there. But the simple solution is just use pfsense as your router..

This shouldn't involve your firewall at all. Create the vlans on the switches, set the DHCP helper/relay on the switches to point to your DHCP server, and create the scopes on your dhcp server.

@hkjarral Hey Thank you for your fast answer. I'm probably dumb, didn't see this thread is about PFsense... I tried to create the bridge via GUI, but of course it is different. Anyways, thank you.

Fixed by applying patches via system patches.

@auraz said in Netgate 6100 vlan trunking: Is it possible to trunk these VLAN to the switch on the same port? See https://docs.netgate.com/pfsense/en/latest/vlan/index.html

@Nath2125 I believe that 192.168.*.0/20 is a by design network - I think it tries to use networks that are not in use and then creates a network.. So I would guess for whatever reason, it didn't detect this network and picked 192.168.20/20 which causes your problem. Simple fix is what you did and just use a different network outside that /20 Or you could dig into docker and have it use a different range that won't conflict with the other networks you want to use.

@viragomann Thanks for the suggestion. I will certainly try it, because I want to add another VLAN to the network. I appreciate the help

@JKnott with a tplink have no idea sure isn’t going to hurt turning it off I mean 1518 isn’t even a valid jumbo anything 1518 is frame if you include 14 bytes of header and 4 for crc Wouldn’t be surprise at any nonsense tplink might be doing to be honest

@RickyBaker said in Can't pass traffic from Cam VLAN to a single Client on the LAN: is it still irresponsible to simply disable the Windows firewall Your device firewall is part of your Anti Virus protection. People have different ideas on the value of AV. I do no disable the AV on my computers

@wintok what specific brother do you have? I have brother on a different vlan and have no issues printing to it. The specific rule is not needed that is for sure.. What is the full order of you rules? Do you have any rules in floating? If you can access the web gui, but not print - that pretty much points to those ports not involved? Or are you trying to find the printer via airprint or some discovery that doesn't work across vlans? If you know the IP of the printer, just setup your print driver to directly point to that IP. [image: 1686625683101-printer.jpg]

I disabled the ipv6 rules below and I was still able to connect online. Enabled vlan on my APs and was able to connect online. At first while wired, I couldn't ping www.google.com while connected to vlan, but I could ping it when connected wifi on the vlan. After connecting back to wired and on vlan, I can now ping www.google.com. Wierd but I'm not complaining, it is working. Not sure what happened but something happened. Again I want to say thanks for the help Steve

Solved it No fw rules/nat needed it seems. I pulled out the connecting ports in 10.10.0.3 switch from the bridge interface in DC2 and created a private 192.168.4.10/192.168.4.20 router-to-router(switch) on each side. And added route from each oposite sides network to eachothers gw. Can't find any issues so far :)