• How to start with VLANs

    0 Votes, 8 Posts, 663 Views
    @chris1284 said in How to start with VLANs: "where I also connect the modem link on a port with VLAN 7 (needed for T-Com)" Yes, it's nothing more than a tagged VLAN port, no PVID needed on this port.
  • LAGG MTU

    1
    0 Votes
    1 Posts
    204 Views
    No one has replied
  • Moving LAN port icg0 to another physical interface

    0 Votes, 6 Posts, 607 Views
    @rcoleman-netgate said in Moving LAN port icg0 to another physical interface: "@kiwinia I make a new interface that allows you to access the GUI. Then I change the interface. Always have a backup port." @rcoleman-netgate, thanks, yes, I just did that and confirmed I could get to the GUI from there; that makes me feel more comfortable. I need to get familiar with the console also, in case I need it in the future. Thanks to everyone who responded.
  • Help with routing problem on L3 switch

    0 Votes, 4 Posts, 470 Views
    johnpoz
    @gjaltemba said in Help with routing problem on L3 switch: "It was a static route that I needed" Yeah, you have to tell pfSense how to get to the downstream networks for sure ;)
  • Assigning Clients to VLANs

    Tags: vlan
    0 Votes, 12 Posts, 3k Views
    johnpoz
    @hudri said in Assigning Clients to VLANs: "where they just manually switched back and forth between the VLANs" You can, where you set the PC to understand the tag, but again that is not a VLAN... That is some user without a clue about networking thinking they have set up a VLAN, and all they did is run multiple IP schemes on the same network. There is no actual security there; anything can talk to anything, whether you set up a firewall rule or not. Broadcast and multicast traffic is going to be seen by every device. That is not a VLAN. A VLAN actually isolates traffic at layer 2.. You could move your PC into another VLAN that is on that port by changing the PVID on the trunk port so the untagged traffic is now in X vs Y, etc. But just changing the IP on the PC isn't going to work if you actually have VLANs set up.
  • NetGate SG1100

    0 Votes, 2 Posts, 328 Views
    @19taurus79 Typically the answer is no... but the 1100 is a switch already with the same MAC address on all three ports so it doesn't matter here.
  • VLAN0 why!? does feel as an "intendend"security leak!

    0 Votes, 3 Posts, 1k Views
    @awebster Thanks very much for the explanation. I think the situation is as follows:

    In the original layer-2 Ethernet specification there is no priority field; however, there is a need for priority packets. In a later version of the layer-2 spec there is the 802.1Q tag, which adds:
    - 3-bit Priority Code Point (PCP) / CoS
    - 1-bit Drop Eligible Indicator (DEI) / CFI
    - 12-bit VLAN Identifier (VID) / VLAN number

    To transport untagged frames with a priority mechanism they defined a trick, "VLAN 0". That trick, adding an 802.1Q tag to the original layer-2 frame, allows the addition of the PCP/CoS and the DEI/CFI. A managed switch receiving such an "updated layer-2 frame" can then process the frame with the correct priority. Of course the switch administrator can tell the switch that it should add "whatever VLAN tag / number" to that incoming untagged frame, where I assume that the DEI and PCP will be set accordingly in that 802.1Q VLAN field. And after transporting the frame to the other end of the network, another managed switch can output that frame to an untagged port, doing the inverse trick: changing the VID from whatever VID value ("50") to 0.

    One potential problem: assume we hand over that "modern semi-untagged" frame to an unmanaged switch or an end device like a PC. What will happen? Does the managed switch at the end have three options, forwarding the packet:
    - as a VLAN packet with a real VLAN number,
    - as a VLAN 0 packet, perhaps not understandable for the attached equipment, or
    - as a classical untagged packet?

    Below a picture I took from https://en.wikipedia.org/wiki/IEEE_802.1Q
    [image from Wikipedia's IEEE 802.1Q article]
    I hope I described it correctly this way.
    Louis
  • Help with VLANS in BRIDGE

    0 Votes, 23 Posts, 6k Views
    @broonu Hello, sorry if I'm replying to this old topic, but I'm experiencing the same problem trying to bridge the WAN interface with a VLAN created on a LAN interface. The behavior is almost the same: no reply to ARP requests from pfSense, and I can't ping the pfSense upstream gateway. Before giving up, I noticed that the WAN and LAN interfaces are E1000 (not VMXNET3). I would like to change the NIC type as a last attempt. Anyway, before doing that, I would like to know if there is a particular relation between bridge and vmxnet3. Could you please help me? Thanks, Mauro
  • How to connect pfSense to upstream redundant switches?

    0 Votes, 2 Posts, 545 Views
    NogBadTheBad
    @321liftoff Access switch 1 & 2 should be in a stack with a LACP link to each individual stack member, and the same for the pfSense connection to the access-switch stack.
  • Trouble with VLAN

    0 Votes, 31 Posts, 2k Views
    johnpoz
    @laplacian said in Trouble with VLAN: "Also, is there a better way to specify the internet other than !RFC1918?" Yeah, Any.. While ! (bang) rules can and do work, I would stay away from them.. You should be explicit in your rules. Less likely for errors and way easier to read at a glance. If you don't want stuff to go to RFC1918, then be explicit with that: either block, or locally reject (reject is sometimes better, because it will tell the client "hey, you're not getting there"). No reason to bang your head sending retrans and waiting for them to time out. There have been issues in the past when VIPs are used that can mess up ! rules; if you're going to use a ! rule then make sure you fully and comprehensively test that it is in fact working exactly how you want. You understand 1 rule vs 2 is not going to provide any less overhead or performance.. And is more likely to be written wrong or not work as intended, etc.
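    Added example (Python, not from this thread and not pfSense code): one way to follow the advice above and be explicit instead of writing a "! RFC1918" destination. It computes the complement of the three RFC 1918 ranges as a plain CIDR list, which can be pasted into a Firewall > Aliases entry of type Network(s) and used as the destination of the internet pass rule, with the explicit block or reject rules for RFC 1918 placed above it. The probe addresses and the alias layout are constructed for the example; the arithmetic is just the standard library's ipaddress module.

```python
import ipaddress
from typing import Iterable, List

# The three RFC 1918 ranges, as an "RFC1918" alias on pfSense would usually list them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def complement(excluded: Iterable[ipaddress.IPv4Network],
               universe: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Return the smallest CIDR list covering `universe` minus every network in `excluded`.

    Two CIDR blocks either nest or are disjoint, so each exclusion either carves a
    piece out of a remaining block, swallows it whole, or leaves it alone.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in excluded:
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))   # split net around ex
            elif net.subnet_of(ex):
                continue                                  # net lies entirely inside ex: drop it
            else:
                carved.append(net)                        # disjoint: untouched
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def covers(nets: Iterable[ipaddress.IPv4Network], addr: str) -> bool:
    """True if `addr` falls inside any network in `nets`."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def alias_text(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """One network per line, the form a Network(s) alias accepts when pasted in."""
    return "\n".join(str(n) for n in nets)


if __name__ == "__main__":
    internet = complement(RFC1918)
    print(alias_text(internet))
    # Constructed probe addresses: private ones must fall outside the explicit alias.
    for probe in ("10.1.2.3", "172.31.255.255", "192.168.1.1", "172.32.0.1", "8.8.8.8"):
        print(probe, "matches explicit internet alias:", covers(internet, probe))
```

    The same generator works for any other set of networks you want carved out of a pass rule (a management VLAN, the firewall's own VIPs), which is exactly the case where a negated rule has bitten people: the explicit list can be read and tested at a glance, and an address that is missing from it is simply not matched rather than silently inverted.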
  • Moving VLAN data to another interface at the pfSense host device.

    0 Votes, 6 Posts, 1k Views
    @jarhead So, I didn't get to that issue the next morning... life gets in the way sometimes. But I did finally get on it, and once I realized what you were saying, I felt like an idiot. Easy to do at the switch using the untag and PVID. Just wanted to say thanks for the help... albeit a bit late.
  • ISP requires vlan 101

    0 Votes, 2 Posts, 480 Views
    @jclausendk Follow these steps:
    1. Create a new interface VLAN
    2. Create the VLAN in the switch
    3. Tag ports 1 and 0 for the VLAN
    4. Assign WAN to the new interface VLAN you set up in step 1
  • Pass-through of VLAN for IPTV

    0 Votes, 6 Posts, 1k Views
    @xanthopteryx Glad to hear it works! Yeah, there's no need to do L3 when a simple L2 modification is needed :D
  • Can't get IP on VLAN

    0 Votes, 21 Posts, 2k Views
    @laplacian said in Can't get IP on VLAN: "If another device comes along and plugs into one of my dumb switches or connects to my guest WiFi, how can I automatically put that device into a Guest VLAN, subject to the pfSense firewall rules designed for the Guest VLAN?" By having all VLANs tagged and leaving the guest VLAN untagged on all the ports that might be exposed, additionally putting a lock on the door where the data cabinet is located. If you want something like AAAA or Cisco ISE you need different hardware. pfSense doesn't do AAAA on its own, and most systems like that (x501) need a third system to do management anyway, and those are done at the switch level. I did a little of that with Aruba in the last gig but not too much; we would find it easier to spin up an SSID in a part of a building for a single user most of the time.
  • Interfaces and VLAN ID

    0 Votes, 8 Posts, 738 Views
    johnpoz
    @ne_77 You can for sure spread your VLANs across multiple interfaces.. Be that manually with specific uplinks, or as a LAGG setup. But yes, VLANs on the same physical interface will share the bandwidth. This may or may not be an issue for you if there is not a lot of inter-VLAN traffic on the same physical.
  • Firewall rules not working for VLANs?

    0 Votes, 12 Posts, 887 Views
    johnpoz
    @creationguy I normally use reject for local stuff like this.. If you're not going to allow it, might as well tell the client "hey, you're not getting there", vs having it try with retrans and just bang its head against a wall. I wouldn't suggest you ever use reject externally, unless for a specific purpose; I reject on traceroute ports so that traceroute works.
  • Cant ping vlan on pf sense from any device?

    0 Votes, 39 Posts, 2k Views
    johnpoz
    @travelmore said in Cant ping vlan on pf sense from any device?: "Port 8 is just a PC for testing purposes and currently right now for connecting to the switch to view the settings. How would that work with vlan 20 tagged..." Did you tell the PC to look for a tag? Just at a loss as to what you're not getting.. What is confusing about this??

    pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- AP

    This shows you exactly what the ports on pfSense or the switch connected should be set for. pfSense LAN is native untagged.. this would be VLAN 1 on your switch... So the port connected to pfSense, port 4 on your Netgear, should be VLAN 1U, 20T and PVID should be 1 as well. The port on your Netgear that will end up on your Cisco, same way: 1U, 20 tagged.. The port that connects to your dumb switch on the Cisco, in Cisco world this would be a trunk, and you would allow the VLANs you want, 20.. PVID still 1.. nothing to change there. The port that connects to your AP on your Cisco, again same thing: VLAN 1 untagged, VLAN 20 tagged; this is a trunk on Cisco.. What are you not understanding, so I can come at it a different way.. This is pretty basic stuff here..

    If there is no tag, this is a native VLAN on a switch.. Normally 1, for example, is the default for switches. You can only have 1 untagged VLAN on a port. If you carry another network it has to be tagged. For VLAN 20 traffic to get from pfSense to your Cisco you have to have all the physical ports that connect the switches set to understand that 20 is tagged, not tagged is VLAN 1, etc.
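    Added example (Python, not from this thread and not Netgate or switch-vendor code): a small model of the port behaviour described in the reply above and in the "VLAN0" thread earlier on this page. It parses and builds 802.1Q-tagged frames, applies a port's PVID and tagged-member list on ingress and egress, treats a VLAN 0 priority tag as "no VLAN" (the frame lands in the PVID and its PCP is lost when it leaves an untagged port), and shows why changing an IP address on a PC cannot move its untagged frames out of the port's PVID, since the switch never looks past the tag. Port names, MAC addresses and the payload bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None = no tag; 0 = priority-tagged (tag carries PCP/DEI only)
    pcp: int
    dei: int
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet II frame with at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, None, 0, 0, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", raw[14:18])
    # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner, raw[18:])


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0) -> bytes:
    """Encode a frame; a tag is inserted only when vid is not None (0 = priority tag)."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


@dataclass(frozen=True)
class Port:
    """Switch port membership, e.g. '1U,20T' is Port('x', pvid=1, tagged=frozenset({20}))."""
    name: str
    pvid: int                          # the one untagged VLAN; untagged ingress lands here
    tagged: frozenset = frozenset()    # VLANs carried with a tag


def ingress(port: Port, raw: bytes) -> Optional[Tuple[int, Frame]]:
    """Classify a received frame into a VLAN, or return None when the switch drops it."""
    f = parse_frame(raw)
    if f.vid is None or f.vid == 0:
        return port.pvid, f      # no VLAN in the frame: PVID decides, the IP header never does
    if f.vid in port.tagged:
        return f.vid, f
    return None                  # tagged for a VLAN this port does not carry


def egress(port: Port, vlan: int, f: Frame) -> Optional[bytes]:
    """Re-encode for the outgoing port: strip the tag on the PVID, keep it on tagged VLANs."""
    if vlan == port.pvid:
        return build_frame(f.dst, f.src, f.ethertype, f.payload)   # PCP/DEI are lost here
    if vlan in port.tagged:
        return build_frame(f.dst, f.src, f.ethertype, f.payload, vid=vlan, pcp=f.pcp, dei=f.dei)
    return None                  # port is not a member of that VLAN


def forward(in_port: Port, out_port: Port, raw: bytes) -> Optional[bytes]:
    """One hop through the switch: ingress classification, then egress encoding."""
    hit = ingress(in_port, raw)
    if hit is None:
        return None
    vlan, f = hit
    return egress(out_port, vlan, f)


# Constructed sample data (not captured traffic): locally administered MACs, stub payload.
PC_MAC = bytes.fromhex("02000000000a")
GW_MAC = bytes.fromhex("020000000001")
ETH_IPV4 = 0x0800
PAYLOAD = b"\x45\x00\x00\x14"   # start of an IPv4 header; the switch never looks at it

UPLINK = Port("netgear-port4", pvid=1, tagged=frozenset({20}))   # '1U,20T' toward pfSense
AP_PORT = Port("cisco-to-ap", pvid=1, tagged=frozenset({20}))    # trunk to the AP, also '1U,20T'
GUEST_ACCESS = Port("guest-access", pvid=20)                      # access port in VLAN 20 only


if __name__ == "__main__":
    untagged = build_frame(GW_MAC, PC_MAC, ETH_IPV4, PAYLOAD)
    prio_only = build_frame(GW_MAC, PC_MAC, ETH_IPV4, PAYLOAD, vid=0, pcp=5)
    v20 = build_frame(GW_MAC, PC_MAC, ETH_IPV4, PAYLOAD, vid=20)
    v30 = build_frame(GW_MAC, PC_MAC, ETH_IPV4, PAYLOAD, vid=30)
    print("untagged on trunk lands in VLAN", ingress(UPLINK, untagged)[0])
    print("VLAN 0 priority tag on trunk lands in VLAN", ingress(UPLINK, prio_only)[0])
    print("VLAN 20 tag on trunk lands in VLAN", ingress(UPLINK, v20)[0])
    print("VLAN 30 tag on trunk is", ingress(UPLINK, v30))
    print("trunk -> guest access port strips the tag:", parse_frame(forward(UPLINK, GUEST_ACCESS, v20)).vid)
    print("untagged from the uplink cannot reach the guest port:", forward(UPLINK, GUEST_ACCESS, untagged))
```

    The two security points from the threads fall out of the model directly: a host that merely changes its IP address still sends untagged frames, so it stays in the PVID of the port it is plugged into, and a frame tagged for a VLAN the port does not carry is dropped rather than leaking across. If you want the model to behave like a switch that blocks tagged frames on access ports, leave the port's tagged set empty, as GUEST_ACCESS does.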
  • Tunable/sysctl for Mellanox mlx4 driver to disable flow control?

    0 Votes, 12 Posts, 2k Views
    stephenw10
    There might be. I did search some of the source files for something similar but only found the priority flow-control options.
  • PFsense with VLANs > Brocade switch > Devices and Unifi Controller/APs

    0 Votes, 26 Posts, 2k Views
    @dabdad Funny, I got you as being the negative one. Every reply I made never contradicted a thing. And if you had listened to my very first post, none of the others would have been needed. But glad you got it working.
  • VLAN tagging / Interface Config - Help

    0 Votes, 8 Posts, 1k Views
    @creationguy Never said to change VLAN 1; chances are you can't, but stop using it. VLAN 1 will always be in the switch. But it doesn't need to be used.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.