@ccgc said in Netgate to Netgear config - VLANs cannot get DHCP or connect to the internet:

When the ports added to the VLAN are removed from the default VLAN (vlan 1)

can you post your pfsense switch config - it can be a bit tricky for users. Where exactly are you removing vlan 1?

Your netgear sounds corrected with the port on it connected to the pfsense having your tagged vlans, and the ports your going to connect your devices to on the netgear in that vlan untagged.

@keyser - I totally forgot about port5 as Lan Uplink, saw it as another port. Thank you!

Another check:

I can ping the interface (OPT7 on ix3) if given an IP, so it's working?

What else can I do to try using it in the LACP instead of ix0?

Thank you very much

@randydeb as @Tzvia mentions switch or switches how you do this.

And using switches does not make your other ports on you router useless.. You could use them as other network interfaces.. But trying to make a switch out of discrete interfaces waste good interfaces and makes for a horrible switch!

Not sure I would use those vlan IDs - those are quite often reserved or special in the cisco world.. You could use lagg if you want for more bandwidth and redundancy. You could put your other vlans/networks on their own interfaces connected to your switch so your not hairpinning traffic.. I for sure would put your IP cameras on their own interface.. Normally cameras are always streaming data.. While it not normally a huge amount.. I wouldn't share this on same physical interface with other networks/vlans if I had the interfaces to use.

1002-1005 Cisco defaults for FDDI and Token Ring. You cannot delete VLANs 1002-1005.

I like to use a vlan ID that matches up with the network, so for example 192.168.9.0/24 the ID is 9, my 192.168.3.0/24 the ID is 3, 192.168.7.0/24 is ID 7, etc..

If you have network/vlans that will do a lot of talking between them - its normally good to put them on their own physical interfaces vs all on the same interface where the traffic will hairpin.

@Stp well if you can ping 8.8.8.8 then internet is working.. Your problem is prob dns related.

@stampeder Not sure what your going on to be honest.. You have gone down some rabbit hole of your own making... I have told you multiple times now how to configure your ports.. you need to set 100 as native vlans on those ports.

I even linked to the cisco docs that show you how to set it as native.

@johnpoz
Thanks, John! Appreciate your example!

@johnpoz
Hi,
There was no any problem in Subnetmasks or IPs.
I found the rootcasue, the servers in vlan35 were configured with dockers and the same vlan1 subnet was occupied by dockers inside the server, thats why we were not able to reach them.
thanks

@moji said in Question about inter-Vlan traffic and interface Concept:

1- I suspect this is an issue with tagged and untagged traffic

or its just that AP doesn't have a gateway.. To access a device on another network, that device has to know how to talk back to the source network.

Validate your AP gateway set to pfsense on the network its on. If you can not do that in this AP, then you could aways source nat your traffic so it looks like pfsense IP on that network is talking to it, and not the remote IP of your client your wanting to use to access the AP gui.

soho wifi router are known for this problem, where the native firmware doesn't allow you to set a gateway on the lan interface

@Gblenn wow now this is why I love this forum....
You guys are amasing....
Thank you so much for all your help...
I will run with the setup as is for now and look into changing things later...

bookie56

@User6buinf43
You can use any free IP for masquerading in fact, but you have to assign it to the respective pfSense interface. Otherwise ARP will not work for it.

I advised you to select VLAN 8 address before, however. There is no plausible reason to use any other.

@4RR3N said in How to easily block access between multiple VLANs ?:

ncluding grabbing IP via DHCP for my client

You can not place a rule that blocks dhcp - because when you enable dhcp hidden rules are created that allow for dhcp before rules you place on the interface or even the floating tab are evaluated.

Vs having rules block vlan x, y and z on your vlan a interface.. As mentioned yes just create an alias that contains all your networks, or for that matter just all of rfc1918 space so you can just use one rule.

Keep in mind you would need to make sure you allow what you want before this rule - say dns, or ntp or icmp to pfsense IP on that interface, etc.

@pfsense555 The easy way to find out is to do packetcapture on pfsense, and see what happens to LACP control frames when you remove power from one switch.

@viragomann
I have DHCP server enabled on IoT
Screenshot from 2024-08-18 20-47-50.png

I tried the Packet Capture and it capture traffic only when I select LAN interface and it even capture traffic when I connect to IoT WLAN and on the IoT interface it does not capture anything

I got it figured out. I don't recall setting up traffic shaper, but somehow they were limited to be pretty low. Maybe I set it up previously when I had a 100/10 speed. I may just turn it off entirely and see how it goes.

Thank you both for your help! I'm glad I asked before diving into setting up the second interface.