@ashtonianagain said in Nested Pfsense over vlan - design and sanity check:

Which I think would make that a transit network?

Just because you tag it on the switch as 999 on 1 interface, but not another, but its still 192.168.1.. And you have hosts on this network.

Which means to stop something on your 10.42 network from talking to something your 192.168.1 network you have to block it there. Now since your natting and and if you don't do any port forwards 192.168.1. couldn't talk to 10.42 unless you did a port forward, and you would be asymmetrical if you didn't do host routing on the 192.168.1.x device. And the downstream router would also be blocking source traffic from rfc1918 anyway.

Its a convoluted setup to be sure.. Just create a transit network on your edge pfsense, say 172.16.0.0/30 and put your downstream router wan on this network..

Here this is how you setup downstream routers.

pfsense-layer-3-switch.png

@johnpoz NAT reflection is set on Pure NAT. But i am guessing i have to do more than that?

If using port-based VLANs, you can only use 16 VLANs (VID 1-16). - Page 31
If using 802.1Q-Based VLANs, then you can use 128 VLANs from the range of 1–4093. - Page 33

That's how I understand from the manual.
So I'd say you should disable the port-based VLAN (basic&advanced) and enable 802.1Q VLAN and configure from there...

@viragomann said in VLAN not working in simple test.:

Not clear, why you've added port 2 to the VLAN

So that I could see if maybe I could let the tagging of the vlan happen on another device.
eg. on my client/switch I could set a vlan 10 for my device, the pfsense should see this, and since port 2 tagged in vlan 10, I should be able to access vlan 10 also.
Either way, neither way work, lol.

@viragomann said in VLAN not working in simple test.:

but you will have to add port 5 as tagged, since this is the uplink to the kernel.

This is the way!

I realize now it was right in my face all along...
But I guess after staring yourself blind on a problem you start missing things...

So I'd like to thank you all for the help!
Consider this one solved guys!

Just need to add port 5! For some reason my mind did not register the fact this was not a physical port...
e71075db-b524-4e71-85f5-bad077c99253-image.png

why on WAN? uh... no reason. :) somewhere i obviously got confused.

changed to LAN interface and all appears to working correctly!

Thanks for the input and quick response.

SOLVED

All my port have to work with all the VLAN, because I use the VLAN with VOIP and the phone (configured with VLAN 792) can be everywhere, out port of the phone can be also connected to a PC.

After those settings:

GE1 e GE2 trunk
Accepted Frame Type ALL
ingress filtering Enable
uplink disable
TPID 0x8100 Others port "Hybrid"
Accepted Frame Type ALL
ingress filtering Disable
uplink disable
TPID 0x8100

Port to VLAN

1 all Untagged (all PVID checked) 792 all Tagged

Everything start to work after this setting on DoS Global Setting:
UDP Blat --> Disable

This was insane, I think has to do with VOIP provisioning/authentication.
Ciao

@jarhead I agree, a WAN issue shouldn't affect the LAN side. When connections to the LAN side worked from a system on the same subnet, and connections from systems on different subnets didn't work, I assumed something on pfsense itself was dropping or blocking traffic from other subnets. But the default any/any rules are still active so I couldn't think of a reason why it would be doing that. But it's certainly odd that it seemingly broke for 12+ hours and then randomly started working again.

So far, the network engineer hasn't found any issues on his end. Doesn't mean there aren't any, he's just not finding them. For now, all I can do is sit and wait to see if it breaks again.

Assuming pfsense is fine, which it very well could be, my best guess is that one of the switches/routers isn't syncing the config properly with its HA partner and when it switches over the route breaks. But since I don't have access I can't go through all of them and check.

@pfsense7515

Thank you everybody for your replies

@johnpoz haha yes I did use the wrong name I have a Netgear switch and a netgate router. Thanks for your suggestion. I will have to research some more ! I think my issue is my lack of research. I might have gotten into something that was beyond my understanding but I do think the pf software is quite a sophisticated piece to everything. Having a parameter firewall, VPN, Snort, Proxies etc it was definitely worth the purchase. I will have to learn more about networking haha. Cheers.

@chpalmer roger-roger 😄

@polar_bear88 I have some small business cisco sg300s that are fanless etc. and use little power, a 28 and 10 port.. Pretty freaking close to cisco ios, but some differences..

But they are soon eol, and do have my eye on newer stuff - just wish multigig with vlan support wasn't so freaking expensive currently..

Save yourself some noise and power and money and just get something that more suites your current needs and budget.. You can find say 8 port get vlan gig switch for like $40.. Keep in mind your dumb switches can be leveraged off your vlan capable switch when you have devices you all want on the same vlan, etc.

@the-other Thanks for chiming in. Yes, it is working now. The Unifi AP WIFI setup was rather smooth. Not sure if everything in the switch ports setup correctly, but it's working for now. Still trying to figure out the difference between tag and untagged. I have GE1, GE2, GE9, and GE10 setup as trunk ports. GE1 and GE2 are reserved for Unifi APs, and GE9 and GE10 are uplinks to other switches.

port_mem.png

This is a fantastic community. I was struggling for 10+ hours before I decided to post here, and I got the solution within minutes!

@core7 Maybe check your other post on the same thing?

@viragomann I have not been able to run the VLAN on the bridge

@urbaman75
So 10 port router, all have a separate subnet?
If so, what I said previous still stands.
Whatever vlan you use in the switch on any port that goes to a router port, that router port will use that vlan.
So Router Port 1 is connected to switchport 1 with it set to vlan 10. The network on router port 1 will use vlan 10 on any other switchport that is set to vlan 10. If you set switchports 1-6 to vlan 10, 2-6 are available to use for devices to connect to the subnet on router port 1. Same with router port 2 and 3 and 4 and ....

Whatever switchport you connect to a physical router interface determine the vlan it uses by the pvid of that switchport.
If you had a trunk port from router to switch, that's different.
You can set the switches management interface to whatever vlan you want. In your example, assign an IP for the switch in vlan 100 (or use dhcp) and it will use that vlan as management.

@opit-gmbh Well, I've now fallen down the rabbit hole of designen a way to overkill homelab. So it's gonna take a while for me to decide on the server hardware. After that is done, I'll look through the options for switches and such.. Things being what they are, this is probably gonna take months. But I'm in no hurry right now.

But if I were to do it right now. I'd probably group the two 10Gbe ports, and combine them and have an affordable Mikrotik as downlink.

@cloudjockey said in Moving VLANS to ix1 interface:

@rcoleman-netgate said in Moving VLANS to ix1 interface:

Yes. But on the switch it is PVID on the port and thus goes out untagged (see the Switch Config VLANs tab)

Is that always the rule? Would it be correct to say, if a packet going out of a switch port (away from the switch core) has the same VLAN as the port's PVID, the tag gets removed and it becomes untagged.

Yes, that is the general behavior of switches.

@johnpoz
Thank-you.
Yes I just created a rule like the one you have. It worked flawlessly.
Thanks again!