It was an IPsec VPN!
If the near and far networks overlap then traffic heading for the firewall IP needs to bypass the VPN.
That's normally sorted out by the 'Enable bypass for LAN interface IP' setting with is on by default.
However, that only handles the lan interface and not any other lan-type interfaces which get created.
The fix was to add an 'Additional IPsec bypass' rule.
I'm not sure if this is a bug or not.
Should there be a list of interfaces to bypass rather than just the lan interface being special?

Cheers,
Scott

Will attempt to revive this old thread by giving it a different direction if ok with moderators. Has any of you been able to get the Signal mapper to work on the iOS app? Did you have to open any ports in pfSense? It looks like Wifiman uses port 8900.

I have read through Unifi forums as well and it appears that it is a majority of iPhone users struggling with this feature and also the recommendation is that this shouldn’t be an issue for those who have an UDM/UDMSE as their gateway/firewall. I am using a cloud key 2+ connected in pfSense LAN. I posted this question in Reddit as well.

Appreciate any assistance with this! Thank you!

@highc
We need to see screenshots to see how your VPN is set up. I know with OpenVPN, you must specify each network segment that the VPN will have access to - so 192.168.1.0/24, 192.168.3.0/24, 192.168.5.0/24, 192.158.7.0/24, etc. It sounds like this isn't set correctly.

@fhegedus said in What is the best approach to have the same iprange on different interfaces including LAGG:

why it needs to have legs in every vlan

Defeats the whole purpose segmentation to be honest.. Why do you think it needs a leg in every network? If your going to put devices in all networks - just run 1 flat network.

@oren1031 might be good to show screenshots of 'everything'

on the switch you also need to tag port 3 and also tag it to 3 on 802.1Q VLAN PVID Setting

@johnpoz said in Need help to configure pfsense + Cisco switch + vlans:

@dvb for one you have the pvid on port 8 as 1, that should be 10.. Or no nothing is ever going to work.. laptop sends traffic and port puts it on vlan 1..

Also your firewall rules - you don't need that rule from address to net.. Rules are only evaluated as traffic enters the internet from the network..

I tried one untagged vlan per port, all is working perfect :

text alternatif

Thank you very much for your support and advice !

@viragomann said in Multiple PPPoE WAN over vlans:

ly get equal IPs on both, this will never work, even not on

pfsense.PNG

@rcoleman-netgate Thank you very much. I realized that all I need to do is adding a LAN (in my case, LAN port#1) and uplink port (LAN port#5) to have a correct VLAN (VLAN4052). All my LAN ports are able to communicate with PC-A.

@johnpoz Kinda what I was thinking in regards to the dumb switch and the age of the wifi. Didn't break the bank ($7) so I could play around with it or just throw it away even. Again I appreciate the advice/suggestions!

@jknott said in PFSENSE Cluster add new vlan on existing used physical interface:

I wouldn't expect an outage to be very long, if at all. Of course, you also have to configure the switches to pass the VLANs. You might want to schedule a maintenance window to do this, or at least let the users know. Of course, TCP is designed to survive brief interruptions.

Hello ok thank you for your answer @JKnott. Yes of course, we have already configure the switches to pass the vlans. To understand steps please, if we add new vlan on existing used network card on pfsense master, primary pfsense switch automatically from master to backup and secondary pfsense switch automatically from backup to master ? would there be a micro network cut during the time of the switchover ?

Thank you very much for your time

Thanks! You where right on both problems! I was pulling my hair out :)

@sho1sho1sho1 said in VLAN cannot access private network behind another router:

-router WAN IP is 192.168.20.11 dynamically assigned by pfsense VLAN 20 dhcp server
-router LAN IP is 10.0.0.1

So if your wan of pfsense is rfc1918 this 192.168.20 address. And you want to get to 10.0.0.x on pfsense lan, if pfsense is doing nat.. Yes you would have to setup a port forward.

Also you would have to disable the block rfc1918 rule on pfsense wan. This rule blocks source IPs of rfc1918, which I would assume your client your trying to ssh to this 10.box is on..

@johnpoz said in VLAN computer not pulling correct ip address:

@thewaterbug not sure what to tell you - but its not possible.. You have no layer 2 connection to the dhcp server running on lan - so there is no way it could of pulled an IP from that dhcp server.

And your saying it never had a 0.138 address... I just don't see how it was possible without a layer 2 connection. Your saying you saw in the logs dhcp? Is that not a different physical interface? You show it on the drawing as a different interface - you don't have them bridged? Its not a vlan, where maybe the switch didn't tag something?

Ah, shoot. I didn't think to check the logs on the DHCP server, and now it's been over-written.

I saw it on the client.

Correct, it was on a different physical interface (OPT1), with no bridging in place, and the problem fixed itself just by my power-cycling the unmanaged switch.

I don't know what to say, either, other than that stranger things have happened.