@jarhead Yeah, there's link. I've just realized that the original router, apart from VLAN and fixed MAC address, it has a hostname configured. So, I decided to add the same hostname in pfSense WAN interface and the spoofed MAC has disappeared (greyed xx in GUI and no spoofed MAC at CLI). I guess I have to repeat the process of unlink WAN physical interface from VLAN and start again, but it does not give much confidence... I know how to check packet counters with "ip address" in Linux, but not in FreeBSD... xD pfSense DHCP Logs are showing dhclient process sending DHCPDISCOVER over igb1.1074, but no answer apparently.

@rcoleman-netgate i think via LDAP group membership is possible but the pfsense UI has only user options...

@johnpoz Ahh ok. Geez this is overly complicated but i understand a bit more. When you have no choice this is the solution :) Thanks for clarifying.

@chpalmer I know this is a really old one but it's one of the top results while looking around for a solution to the problem being described here... You provided the hint about how to fix it, at least in my circumstance - I had to REMOVE the MAC address from the WAN interface, I don't know what was going on there but I had a value previously assigned there and once I removed it everything started working fine. I probably had the MAC Address value set previously from a long time ago and it caused some issue when getting everything assigned to the new LAGG interface. I don't really know for sure but removing the value from MAC Address fixed the issue for me. Thank you.

@jbarbanera You can remove the nat 1:1 rule. That is not the use case, it is meant for. Check if the network settings are correct on both machines. Is pfSense the default gateway on both. I assume it isn't at least on the WAN computer. If it isn't add a static route to it for the other network behind pfSense and point it to pfSense IP.

Yeah, that could be the issue. I have heard from users to stay away from Realtek NICs. I made sure that I got a used 4-port Intel NIC, less than $20 from eBay, which has been working flawlessly under pfSense when I built my pfSense box two years ago.

@johnpoz said in allowing roku discovery across VLANs: full byte HA! @jaaasshh Did you ever figure this out? I know this breaks @johnpoz's heart but I'm trying to do the same.

@jarhead And when you do there's no need to redact interface names or internal MAC addresses... public IPs, FQDNs, usernames? Sure.

@uquevedo Groovy. Glad it worked

I should also mention, the DMZ network we are trying to setup is a routed network. The ISP has a static route pointed at our firewall with this particular network.

@wifi-will I'm not certain how your hotels would be much different than that seniors residence I mentioned. It had a router and 4 24 port switches, with the switches spread among 3 towers and the office. It also had a lot of WiFi and ADSL to the rooms. Each room also had it's own router.

That's the thing. I've had suricata running on the system with just the three physical interfaces for a while now with no problems, but once I got around to moving the tunnel so I could make use of suricata, things started getting weird. Right now, I'm suspecting that it's going to come down more to a combo of pfsense/suricata not liking the use of tagged vlans with my particular configuration (I did see netmap_ring_reinit igb3, which happens to be the parent for the vlan at one point, causing traffic to stop flowing until the system was restarted, with a full reset to POST at the worst case). This was partially me derping any not expecting inline mode to inspect the tagged packets, which I should have, and partially it apparently blocking the neighbor solicitation packets, which was totally unexpected, and resolved by disabling it on the parent interface. I'm not totally adverse to moving the parent interfaces around, or moving the tagged vlan to something port based on the switch, which may also lead to cleaning up some, ahem, 'technical debt' in the layout of the local network space. Regardless, I reserve the right to change my opinion as I look into this more. At this time, things are stable and the public facing server IP's are receiving traffic as expected.

@ydyw8rdm8i7dfd Just note that when you set switchport mode trunk , it will "default" allow all Vlans on the trunk. If you feel for it you could do a further restriction : switchport trunk allowed vlan 868-870,872-876,897,898 Remember the "add" on allow , else you will be sorry /Bingo

@dominikhoffmann There is a lot of nonsense on the internet - that video seems like one of those.. No you would not bridge 2 interfaces on the router and plug them into the same switch.. You just created a LOOP.. You can somewhat try to simulate a switch port with 2 interfaces and creating a bridge that you would connect devices into, or 2 dfifferent switches.. But a bridge is not the same as a switch port - if you want/need more ports than use a switch..

@treefrog Assign the vlan to an interface, create your firewall rules. Then you can move lan to the interface. But yeah @viragomann is correct if you plugged the pc directly into the pfsense interface you would had to set the PC to do tagging? Out of curiosity why do you want your lan tagged?

@natethegreat21 you can for sure block specific as you have done. But as mentioned its easier to just create an alias that either contains your specific networks, or just all the rfc1918 networks. You could create an alias with your full prefix for your IPv6 space. Problem with dynamic ipv6 is that could change - which is one of the reasons I prefer tunnel from HE, I get a /48 to do with what I will and it doesn't change.