@pfsense7515 Thank you everybody for your replies

@johnpoz haha yes I did use the wrong name I have a Netgear switch and a netgate router. Thanks for your suggestion. I will have to research some more ! I think my issue is my lack of research. I might have gotten into something that was beyond my understanding but I do think the pf software is quite a sophisticated piece to everything. Having a parameter firewall, VPN, Snort, Proxies etc it was definitely worth the purchase. I will have to learn more about networking haha. Cheers.

@chpalmer roger-roger

@polar_bear88 I have some small business cisco sg300s that are fanless etc. and use little power, a 28 and 10 port.. Pretty freaking close to cisco ios, but some differences.. But they are soon eol, and do have my eye on newer stuff - just wish multigig with vlan support wasn't so freaking expensive currently.. Save yourself some noise and power and money and just get something that more suites your current needs and budget.. You can find say 8 port get vlan gig switch for like $40.. Keep in mind your dumb switches can be leveraged off your vlan capable switch when you have devices you all want on the same vlan, etc.

@the-other Thanks for chiming in. Yes, it is working now. The Unifi AP WIFI setup was rather smooth. Not sure if everything in the switch ports setup correctly, but it's working for now. Still trying to figure out the difference between tag and untagged. I have GE1, GE2, GE9, and GE10 setup as trunk ports. GE1 and GE2 are reserved for Unifi APs, and GE9 and GE10 are uplinks to other switches. [image: 1674523132692-port_mem.png] This is a fantastic community. I was struggling for 10+ hours before I decided to post here, and I got the solution within minutes!

@core7 Maybe check your other post on the same thing?

@viragomann I have not been able to run the VLAN on the bridge

@urbaman75 So 10 port router, all have a separate subnet? If so, what I said previous still stands. Whatever vlan you use in the switch on any port that goes to a router port, that router port will use that vlan. So Router Port 1 is connected to switchport 1 with it set to vlan 10. The network on router port 1 will use vlan 10 on any other switchport that is set to vlan 10. If you set switchports 1-6 to vlan 10, 2-6 are available to use for devices to connect to the subnet on router port 1. Same with router port 2 and 3 and 4 and .... Whatever switchport you connect to a physical router interface determine the vlan it uses by the pvid of that switchport. If you had a trunk port from router to switch, that's different. You can set the switches management interface to whatever vlan you want. In your example, assign an IP for the switch in vlan 100 (or use dhcp) and it will use that vlan as management.

@opit-gmbh Well, I've now fallen down the rabbit hole of designen a way to overkill homelab. So it's gonna take a while for me to decide on the server hardware. After that is done, I'll look through the options for switches and such.. Things being what they are, this is probably gonna take months. But I'm in no hurry right now. But if I were to do it right now. I'd probably group the two 10Gbe ports, and combine them and have an affordable Mikrotik as downlink.

@cloudjockey said in Moving VLANS to ix1 interface: @rcoleman-netgate said in Moving VLANS to ix1 interface: Yes. But on the switch it is PVID on the port and thus goes out untagged (see the Switch Config VLANs tab) Is that always the rule? Would it be correct to say, if a packet going out of a switch port (away from the switch core) has the same VLAN as the port's PVID, the tag gets removed and it becomes untagged. Yes, that is the general behavior of switches.

@johnpoz Thank-you. Yes I just created a rule like the one you have. It worked flawlessly. Thanks again!

@bp81 So then the problem is the ubiquiti. Show pics of the config.

@nilocretep said in Devices on VLAN can't access the internet: all have a setup of /24. well why are you pinging 198.168.178.1 from 192.168.179.111 - why would you not ping the IP of pfsense on that interface? but yeah if that was another IP on pfsense rules allow it then sure you could ping it. Also you rules for security cameras never going to allow anything - you have the source as the securitycamera address not the net.

@sarxworks There's all kinds of problems. First, no IP on the vlan, it'll never talk to anything. Second, the 172.16 network didn't exist, you kinda just threw IP's on the 2 devices and left it at that. As I said, the host and VM aren't connected correctly. I'd have to go through the setup again to say more but the whole thing was wrong. Just to add, if you do default the pfSense install, you'll need to change the LAN network. Can't have the same subnet on the WAN and the LAN.

@eroji glad you found your solution..

@evilecho For a vpn-killswitch you only tag the rule with the VPN-gateway set, if you use PBR.

@viragomann Thank you for your advice. This is in line with what I found out so far. In more general terms, here is what I found: 1: It is possible to create a bridge between a tagged VLAN interface and an untagged LAN interface just like between two untagged interfaces, except if the tagged VLAN's parent interface is also a member of a bridge. See here for more: https://redmine.pfsense.org/issues/11139. For example, if LAN on ix0, VLAN10 on ix0.10 and LAN2 on ix1, then I can create a bridge between VLAN10 and LAN2 if, and only if, LAN is not a member of a bridge. 2: This bridging works well between a WAN interface and a VLAN, which itself is bound to a LAN parent interface. To use the example above, this would be between the WAN interface and LAN10. In my case, where the WAN is a "private WAN" behind an Internet facing gateway (ISP-GW), the Netgate's WAN interface (like any other member interface) can be configured to receive an IP address via DHCP (but not have a DHCP server) from the ISP-GW (192.168.192.0/24). All other devices connected to this bridge will also be able to receive an IP address from ISP-GW. Note that all addresses on member interfaces and all connected devices are (must be) in the same subnet. Also note that, generally, this does not work without the double NAT/gateway setup, because it would need multiple IP addresses from the ISP. 3: For DHCP address assignment to work, a firewall rule may be required on all bridge member interfaces (except probably the one where the DHCP server resides): source 0.0.0.0, source port 68, destination address 255.255.255.255 and destination port 67. This message is the first to be sent in the DHCP protocol. There are two aspects to this that I don't fully understand yet: 3.1: The rule may not be required if one of the bridge member interfaces receives a DHCP address. It seems that pfSense automatically adds a hidden rule to that effect. What is not clear to me is whether this hidden rule applies only to the bridge member that receives a DHCP address, or whether it applies to all bridge members. 3.2: I don't understand the role of the system tunables net.link.bridge.pfil_bridge and net.link.bridge.pfil_member. It is easy to find a variety of explanations for these, but none of these is complete. There are two aspects of firewall rules in brides and bridge members: a) govern the traffic between the bridge interface or a member interface entering/exiting the firewall/routing engine, and b) filtering the traffic between the member interfaces without it entering the firewall. I suspect the system tunables apply to the first aspect, but not to the second. 3.3: Testing of this is complicated by the facts that a) devices cache their IP address and use the last address when trying to renew an address lease, and b) the bridge caches the MAC addresses on each bridged segment. When changing the firewall rule mentioned above and the system tunable settings, all the caches need to be flushed to determine the impact of the change. 4: Concerning the propagation of the traffic on the Unifi switches (and I assume this is similar to other managed switches): to make this work the only thing required is to declare the VLAN, without specifying DHCP/seubnet/gateway parameters. This makes the switch aware that the VLAN exists. The VLAN can then be added to trunk profiles (as tagged traffic) and to port profiles for VLAN-unaware end nodes' access to the untagged data stream. I will further update this when I have gained a better understanding for 3.2. Any further comments are welcome. Peter

@jarhead Yeah, there's link. I've just realized that the original router, apart from VLAN and fixed MAC address, it has a hostname configured. So, I decided to add the same hostname in pfSense WAN interface and the spoofed MAC has disappeared (greyed xx in GUI and no spoofed MAC at CLI). I guess I have to repeat the process of unlink WAN physical interface from VLAN and start again, but it does not give much confidence... I know how to check packet counters with "ip address" in Linux, but not in FreeBSD... xD pfSense DHCP Logs are showing dhclient process sending DHCPDISCOVER over igb1.1074, but no answer apparently.