• Netgate 6100 vlan trunking

    0 Votes
    4 Posts
    432 Views

    @auraz said in Netgate 6100 vlan trunking:

    Is it possible to trunk these VLAN to the switch on the same port?

    See https://docs.netgate.com/pfsense/en/latest/vlan/index.html

  • Can access plex via my IOT vlan but not my inhouse vlan.

    0 Votes
    27 Posts
    2k Views
    johnpoz

    @Nath2125 I believe that 192.168.*.0/20 is a by design network - I think it tries to use networks that are not in use and then creates a network.. So I would guess for whatever reason, it didn't detect this network and picked 192.168.20/20 which causes your problem.

    Simple fix is what you did and just use a different network outside that /20

    Or you could dig into docker and have it use a different range that won't conflict with the other networks you want to use.

  • Cannot ping new vlan interface

    0 Votes
    21 Posts
    1k Views

    @viragomann
    Thanks for the suggestion. I will certainly try it, because I want to add another VLAN to the network.
    I appreciate the help

  • Adjust MSS calculation to account for VLANs

    0 Votes
    55 Posts
    4k Views
    johnpoz

    @JKnott with a tplink, have no idea. Sure isn’t going to hurt turning it off. I mean, 1518 isn’t even a valid jumbo anything; 1518 is a frame if you include 14 bytes of header and 4 for CRC.

    Wouldn’t be surprised at any nonsense tplink might be doing, to be honest.

  • Can't pass traffic from Cam VLAN to a single Client on the LAN

    0 Votes
    17 Posts
    775 Views

    @RickyBaker said in Can't pass traffic from Cam VLAN to a single Client on the LAN:

    is it still irresponsible to simply disable the Windows firewall

    Your device firewall is part of your Anti Virus protection. People have different ideas on the value of AV. I do not disable the AV on my computers.

  • Intervlan routing failed on printing

    0 Votes
    2 Posts
    196 Views
    johnpoz

    @wintok what specific brother do you have? I have brother on a different vlan and have no issues printing to it.

    The specific rule is not needed, that is for sure. What is the full order of your rules? Do you have any rules in floating? If you can access the web gui, but not print - that pretty much points to those ports not involved?

    Or are you trying to find the printer via airprint or some discovery that doesn't work across vlans?

    If you know the IP of the printer, just setup your print driver to directly point to that IP.

    printer.jpg

  • Can't access internet on vlan connection (Think its a dns issue)

    0 Votes
    6 Posts
    754 Views

    I disabled the ipv6 rules below and I was still able to connect online. Enabled vlan on my APs and was able to connect online. At first while wired, I couldn't ping www.google.com while connected to vlan, but I could ping it when connected to wifi on the vlan. After connecting back to wired and on vlan, I can now ping www.google.com. Weird, but I'm not complaining, it is working. Not sure what happened but something happened.

    Again I want to say thanks for the help Steve

  • Very simple vlan tip

    0 Votes
    7 Posts
    604 Views

    Solved it 😊 😊 😊

    No fw rules/nat needed it seems. I pulled out the connecting ports in 10.10.0.3 switch from the bridge interface in DC2 and created a private 192.168.4.10/192.168.4.20 router-to-router(switch) on each side. And added route from each opposite side's network to each other's gw.

    Can't find any issues so far :)

  • Server gets DHCP IP not from the VLAN it should

    0 Votes
    2 Posts
    221 Views

    Update: This may not be a misconfiguration on pfSense side. I connected the isolated server directly to the pfSense port and created a VLAN2 on the server. It successfully got IP from VLAN2 DHCP server.

    So maybe the problem is how I configured the managed switch? Completely no clue😂

    Update 2: Solved! I forgot to set the PVID. It should match the VLAN ID on the port. Explained by ChatGPT:

    When a frame comes into a port without a VLAN tag, the switch needs to know what VLAN that traffic should belong to. The PVID is the mechanism that does this. When the switch receives untagged traffic on a port, it assumes that the traffic belongs to the VLAN specified by the PVID for that port.

  • Camera not detected by BI on VLAN

    0 Votes
    7 Posts
    499 Views

    @Jarhead that would be my next step. For now, I moved that one camera to VLAN1 and it's working. I think I'll worry about it down the road.

  • No DHCP on pfSense VLAN with Cisco Smart Switch

    0 Votes
    147 Posts
    101k Views

    @Cannondale Yeah, you're right the other one is an ET card. It adds support for SR-IOV and IPSec offload over VT card.

  • Pfsense 3100 and multiple ddwrt access points

    0 Votes
    2 Posts
    205 Views
    JKnott

    @Tommyboy

    You will have to use a VLAN for the guest WiFi. You set up a VLAN on pfSense, but I can't help with the ddwrt, as I've never used it.

    Here are my rules, which allow access only to the Internet and pinging the VLAN interface.


  • Suddenly Loss Routing Between L2 Segments

    0 Votes
    6 Posts
    786 Views

    @jlw52761 I solved my problem. I had my L3 switch gateway defined with lower case letters. I blew away my static maps, deleted the gateway and set it all up using all upper case letters. I set my default gateway on the WAN interface. It all works now. I have turned off IPv6 on the WAN gateway.

    I am now on 23.05.

  • vLan for IoT stuff(s) - no DHCP

    0 Votes
    2 Posts
    383 Views

    @SkippyTheMagnificent

    My apologies... disregard this entire thread... I'm such a dumbass!!! I had a typo in my PSK that was preventing anything from associating with the APs!

    🤦 🤦 🤦 🤦 🤦

  • 0 Votes
    1 Posts
    240 Views
    No one has replied
  • Unifi AP-AC lite clients getting wrong VLAN IP

    0 Votes
    12 Posts
    2k Views
    RobbieTT

    @johanl79 Ok, you have a UniFi set-up issue and we probably should have had this conversation on their forum. UniFi has no issues running with pfSense and some make this their default business model (see Tom Lawrence as an example). What you originally enquired about was your VLANs, something easily managed with pfSense and your UniFi equipment.

    It's taken a while to even understand your equipment and network topology but I think we all understand that now. You have set your mind on purchasing different equipment rather than adjusting your current settings on your new VM-based controller in order to fix your original stated issue.

    ☕️

  • Access Point doesn't like to be managed from outside subnet/VLAN

    0 Votes
    9 Posts
    603 Views
    GPinzone

    @johnpoz Yes. it's in AP mode. That option shuts off a lot of the typical router functions and requires the pfsense DHCP server to give it an IP.

    I think the device has some kind of hardcoded security "feature" or the web server code is just buggy. Knowing Netgear, it's probably the latter, but it could be some kind of ham-handed way to add some friction to hackers or nosy users. I have no idea.

    It's not a routing issue since the problem is only with the web-based administrator interface. I can telnet and ping the device without the NAT translation.

  • What should I do?

    0 Votes
    7 Posts
    502 Views
    johnpoz

    @sysadminfromhell yeah - the only time pfsense needs to know about a "vlan" is if it needs to understand tagging.

    If you just set up native networks on your interfaces, you can isolate them on your switch by just putting them in different vlans on the switch.

    To pfsense it's no different than if the ports were connected to 2 different physical switches. You're just creating 2 "virtual" switches by putting specific ports into different vlans on the switch.

    This is the whole point of vlan capable switch.. Traffic being tagged is only used when you need to carry more than 1 vlan over the same physical wire. The tag allows either the router or AP or other switch to know this traffic is network X, this other traffic is network Y.. If you don't plan on running more than one "vlan" over the same physical wire you can still put different ports on your switch into different "vlans" and isolate them from other vlans on the switch, etc.

  • 0 Votes
    5 Posts
    800 Views

    If it'll help, some further details about my setup, everything is connected by Unifi switches that are vlan capable, but not all of the ports are specifically configured to be on a vlan.

    I've been doing fping tests just to see what can be seen through a few different systems, and below are my findings.

    From a system that is connected to a port designated with vlan 3220 [10.32.2.0 network]:

    uquevedo@ubence-air-wired ~ % fping -ga 10.32.40.1 10.32.40.254
    10.32.40.1
    10.32.40.10

    From the VM itself that is configured with the bridge interface to vlan 3240:

    uquevedo@kea-testing:~$ fping -qga 10.32.40.1 10.32.40.254
    10.32.40.1
    10.32.40.10

    From a system that is connected to a port designated with vlan 3230 [10.32.3.0 network]:

    [uquevedo@fedora-system ~]$ fping -ga 10.32.40.1 10.32.40.254
    10.32.40.1
    10.32.40.10

    From the actual RHEL9.2 host system, which of course can ping the IP address:

    [uquevedo@rh-vm01 ~]$ fping -ga 10.32.40.1 10.32.40.254
    10.32.40.1
    10.32.40.9
    10.32.40.10

    There are many bridged interfaces on the host system connecting to various vlan tagged interfaces:
    Screenshot 2023-05-17 at 7.13.36 AM.png

    The bridge0 interface is a non-vlan tagged interface [vlan1?] and is accessible to all systems on the network.

    I was under the assumption that if a network interface was tagged with vlan information that it would be accessible to other systems that are part of that same vlan?

    Another thing about my setup is that these vlans are configured on a pfSense box for lab purposes, they are not configured on my main pfSense box [which I don't think matters]. So even though the opt ports of this system are technically on their own network, they are connecting to my main network.

  • Bridging 4095

    0 Votes
    2 Posts
    207 Views
    JKnott

    @senseivita

    You're not supposed to use 4095. It's reserved.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.