• How should I understand about switch port5? What is port#5?

    7
    0 Votes
    7 Posts
    1k Views
    E
    @rcoleman-netgate Thank you very much. I realized that all I need to do is add a LAN (in my case, LAN port#1) and uplink port (LAN port#5) to have a correct VLAN (VLAN4052). All my LAN ports are able to communicate with PC-A.
  • IoT - Thermostat communication

    7
    0 Votes
    7 Posts
    704 Views
    DigiguyD
    @johnpoz Kinda what I was thinking in regards to the dumb switch and the age of the wifi. Didn't break the bank ($7) so I could play around with it or just throw it away even. Again I appreciate the advice/suggestions!
  • PFSENSE Cluster add new vlan on existing used physical interface

    6
    0 Votes
    6 Posts
    673 Views
    P
    @jknott said in PFSENSE Cluster add new vlan on existing used physical interface: I wouldn't expect an outage to be very long, if at all. Of course, you also have to configure the switches to pass the VLANs. You might want to schedule a maintenance window to do this, or at least let the users know. Of course, TCP is designed to survive brief interruptions. Hello, OK, thank you for your answer @JKnott. Yes, of course, we have already configured the switches to pass the VLANs. To understand the steps, please: if we add a new VLAN on an existing used network card on the pfsense master, does the primary pfsense switch automatically from master to backup and the secondary pfsense switch automatically from backup to master? Would there be a micro network cut during the time of the switchover? Thank you very much for your time.
  • Disable filtering on LAN bridge

    1
    0 Votes
    1 Posts
    265 Views
    No one has replied
  • Can't access Site-to-Site network from VLAN

    3
    0 Votes
    3 Posts
    310 Views
    Z
    Thanks! You were right on both problems! I was pulling my hair out :)
  • VLAN cannot access private network behind another router

    3
    0 Votes
    3 Posts
    350 Views
    johnpozJ
    @sho1sho1sho1 said in VLAN cannot access private network behind another router: -router WAN IP is 192.168.20.11 dynamically assigned by pfsense VLAN 20 dhcp server -router LAN IP is 10.0.0.1 So if your wan of pfsense is rfc1918 this 192.168.20 address. And you want to get to 10.0.0.x on pfsense lan, if pfsense is doing nat.. Yes you would have to set up a port forward. Also you would have to disable the block rfc1918 rule on pfsense wan. This rule blocks source IPs of rfc1918, which I would assume your client you're trying to ssh to this 10.box is on..
  • VLAN computer not pulling correct ip address

    11
    0 Votes
    11 Posts
    2k Views
    T
    @johnpoz said in VLAN computer not pulling correct ip address: @thewaterbug not sure what to tell you - but it's not possible.. You have no layer 2 connection to the dhcp server running on lan - so there is no way it could have pulled an IP from that dhcp server. And you're saying it never had a 0.138 address... I just don't see how it was possible without a layer 2 connection. You're saying you saw in the logs dhcp? Is that not a different physical interface? You show it on the drawing as a different interface - you don't have them bridged? It's not a vlan, where maybe the switch didn't tag something? Ah, shoot. I didn't think to check the logs on the DHCP server, and now it's been overwritten. I saw it on the client. Correct, it was on a different physical interface (OPT1), with no bridging in place, and the problem fixed itself just by my power-cycling the unmanaged switch. I don't know what to say, either, other than that stranger things have happened.
  • ixl - VLAN tagging does not work

    1
    0 Votes
    1 Posts
    344 Views
    No one has replied
  • VLANS and Ports

    3
    0 Votes
    3 Posts
    574 Views
    R
    @jasonreg said in VLANS and Ports: I would like to set up the 10GB ports to feed my switches on ix0 (Needs all VLANs) and ix1 (only needs a single VLAN) respectively. My question is, do I need to add the VLAN interfaces to those ports as well assuming I am using them as trunk ports or does it all feed through the LAN interface? If the VLAN is controlled by pfSense and it has to pass the port, it must be tagged on the interface it is going out. And your destination switch must be trunked or otherwise configured to handle each tagged VLAN -- note that the term "trunk" is one specific to a limited set of platforms, most notably Cisco. Most other platforms just deal with tagged and untagged VLANs by name.
  • VLAN on Cisco SG 200+ PFsense

    5
    0 Votes
    5 Posts
    651 Views
    johnpozJ
    @harjpanesar great, glad you got it sorted..
  • Access the same VLAN on two physical interfaces?

    10
    0 Votes
    10 Posts
    1k Views
    NightlySharkN
    @jblackburn A bridge is a medium that allows two different types of networking protocols to communicate (ether and virtual, WiFi ether switch and router... etc) at the layer 2 level. The intended use of a bridge is: 1. Physical iface (Ether, WiFi, DSL...) <-> 2. Specific VLAN tag traffic iface (on the physical NIC) <-> 3. Switch <-> 4. Bridge <-> 5. Other iface. A switch is different in that it is an actual electronic switching circuit. A bridge doesn't switch anything by itself, it needs software to forward packets.
  • Best practice for controlling VLAN traffic?

    7
    0 Votes
    7 Posts
    495 Views
    J
    @viragomann Got it, thank you very much for your help.
  • Nested Pfsense over vlan - design and sanity check

    4
    0 Votes
    4 Posts
    537 Views
    johnpozJ
    @ashtonianagain said in Nested Pfsense over vlan - design and sanity check: Which I think would make that a transit network? Just because you tag it on the switch as 999 on 1 interface, but not another, but it's still 192.168.1.. And you have hosts on this network. Which means to stop something on your 10.42 network from talking to something on your 192.168.1 network you have to block it there. Now since you're natting and if you don't do any port forwards 192.168.1. couldn't talk to 10.42 unless you did a port forward, and you would be asymmetrical if you didn't do host routing on the 192.168.1.x device. And the downstream router would also be blocking source traffic from rfc1918 anyway. It's a convoluted setup to be sure.. Just create a transit network on your edge pfsense, say 172.16.0.0/30 and put your downstream router wan on this network.. Here this is how you set up downstream routers. [image: 1677151907972-pfsense-layer-3-switch.png]
  • Synology reverse proxy internal not working

    3
    0 Votes
    3 Posts
    620 Views
    O
    @johnpoz NAT reflection is set on Pure NAT. But I am guessing I have to do more than that?
  • VLAN Tags

    3
    0 Votes
    3 Posts
    274 Views
    M
    If using port-based VLANs, you can only use 16 VLANs (VID 1-16). - Page 31 If using 802.1Q-Based VLANs, then you can use 128 VLANs from the range of 1–4093. - Page 33 That's how I understand from the manual. So I'd say you should disable the port-based VLAN (basic&advanced) and enable 802.1Q VLAN and configure from there...
  • VLAN not working in simple test.

    10
    0 Votes
    10 Posts
    2k Views
    A
    @viragomann said in VLAN not working in simple test.: Not clear, why you've added port 2 to the VLAN So that I could see if maybe I could let the tagging of the vlan happen on another device. e.g. on my client/switch I could set a vlan 10 for my device, the pfsense should see this, and since port 2 is tagged in vlan 10, I should be able to access vlan 10 also. Either way, neither way works, lol. @viragomann said in VLAN not working in simple test.: but you will have to add port 5 as tagged, since this is the uplink to the kernel. This is the way! I realize now it was right in my face all along... But I guess after staring yourself blind on a problem you start missing things... So I'd like to thank you all for the help! Consider this one solved guys! Just need to add port 5! For some reason my mind did not register the fact this was not a physical port... [image: 1676838530130-e71075db-b524-4e71-85f5-bad077c99253-image.png]
  • Assign VLAN on LAGG from Console

    1
    0 Votes
    1 Posts
    256 Views
    No one has replied
  • PFSense VLAN configuration & troubleshooting

    5
    0 Votes
    5 Posts
    820 Views
    T
    why on WAN? uh... no reason. :) somewhere i obviously got confused. changed to LAN interface and all appears to be working correctly! Thanks for the input and quick response. SOLVED
  • Planet switch - tag LAN as vlan 1

    8
    0 Votes
    8 Posts
    4k Views
    M
    All my ports have to work with all the VLANs, because I use the VLAN with VOIP and the phone (configured with VLAN 792) can be anywhere; the out port of the phone can also be connected to a PC. After these settings: GE1 and GE2: trunk, Accepted Frame Type ALL, ingress filtering Enable, uplink disable, TPID 0x8100. Other ports: "Hybrid", Accepted Frame Type ALL, ingress filtering Disable, uplink disable, TPID 0x8100. Port to VLAN: 1 all Untagged (all PVID checked), 792 all Tagged. Everything started to work after this setting on DoS Global Setting: UDP Blat --> Disable. This was insane, I think it has to do with VOIP provisioning/authentication. Ciao
  • Issues with multiple vlans on LAN network

    5
    0 Votes
    5 Posts
    392 Views
    B
    @jarhead I agree, a WAN issue shouldn't affect the LAN side. When connections to the LAN side worked from a system on the same subnet, and connections from systems on different subnets didn't work, I assumed something on pfsense itself was dropping or blocking traffic from other subnets. But the default any/any rules are still active so I couldn't think of a reason why it would be doing that. But it's certainly odd that it seemingly broke for 12+ hours and then randomly started working again. So far, the network engineer hasn't found any issues on his end. Doesn't mean there aren't any, he's just not finding them. For now, all I can do is sit and wait to see if it breaks again. Assuming pfsense is fine, which it very well could be, my best guess is that one of the switches/routers isn't syncing the config properly with its HA partner and when it switches over the route breaks. But since I don't have access I can't go through all of them and check.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.