@xanthopteryx Glad to hear it works! Yeah there's no need to do L3 when a simple L2 modification is needed :D

@laplacian said in Can't get IP on VLAN:

If another device comes along and plugs into one of my dumb switches or connects to my guest WiFi, how can automatically put that device into a Guest VLAN, subject to the pfsense firewall rules designed for Guest VLAN?

By having all VLANs as tagged and leaving the guest VLAN untagged on all the ports that might be exposed, additionally putting a lock on the door where the data cabinet is located.

If you want something like AAAA or Cisco ISE you need different hardware. pfSense doesn't do AAAA on its own and most systems like that (x501) need a third system to do management anyway and those are done on the switch level. I did a little of that with Aruba in the last gig but not too much - we would find it easier to spin up an SSID in a part of a building for a single user most of the time.

@ne_77 you can for sure spread your vlans across multiple interface.. Be that manually with specific uplinks, or as a lagg setup.

But yes vlans on the same physical interface will share the bandwidth. This may or may not be an issue for you if there is not a lot of intervlan traffic on the same physical

@creationguy I normally use reject for local stuff like this.. If your not going to allow it, might as well tell the client - hey your not getting there, vs having it try with retrans and just bang its head against a wall.

I wouldn't suggest you ever use reject externally, unless for a specific purpose - I reject on traceroute ports so that traceroute works.

@travelmore said in Cant ping vlan on pf sense from any device?:

Port 8 is just a PC for testing purposes and currently right now for connecting to the switch to view the settings.

How would that work with vlan 20 tagged... Did you tell the pc to look for a tag?

Just at a loss to what your not getting.. What what is confusing about this??

pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- AP

This shows you exactly what the ports on pfsense or switch connected should be set for.

Pfsense lan is native untagged.. this would be vlan 1 on your switch... So the port connected pfsense, port 4 on your netgear should be vlan 1U, 20T and pvid should be 1 as well.

POrt on your netgear that will end up on your cisco same way 1U, 20 tagged..

Port that connects to your dumb switch on cisco, in cisco world this would be a trunk, and you would allow the vlans you want 20..l pvid still 1.. nothing to change there.

Port that connects to your AP on your cisco, again same thing vlan 1 Untagged, vlan 20 tagged this is a trunk on cisco..

What are you not understanding - so I can come at it a different way.. This is pretty basic stuff here.. If there is no tag, this is a native vlan on a switch.. Normally 1 for example is the default for switches. You can only have 1 untagged vlan on a port. If you carry another network it has to be tagged.

For vlan 20 traffic to get from pfsense to your cisco you have to have all the physical ports that connect the switches set to understand that 20 is tagged, not tagged is vlan 1, etc.

There might be. I did search some of the source files for something similar but only found the priority flow-control options.

@dabdad Funny, I got you as being the negative one.
Every reply I made never contradicted a thing.
And if you had listened to my very first post, none of the others would have been needed.
But glad you got it working.

@creationguy Never said to change vlan1, chances are you can't, but stop using it.
Vlan1 will always be in the switch. But it doesn't need to be used.

@j24 A bit late to this party, can are you able to share a screenshot of the Switching > VLAN > Advanced > VLAN Membership, for one of your static VLAN groups? I'm trying to see where I'm going wrong with the tagged/untagged options.

@johnpoz
What if @samleemc's location is ISS, or on some base camp in Antarctica ? 😊

Or, more serious, he rented a "housing" in some data centre with very limited "Watts" available.

For any other situation, yeah, life should be kept simple : get a switch.

@jarhead Hi, thanks for following up. I appreciate it. I contacted the switch manufacturer for a 3rd time and finally figured it out. lol. there was a few things i was doing wrong, plus the support tech kind of led me in the wrong direction.

Thanks again!!

@creationguy If your running tagged only on the port.. Then yeah it would be best to set the pvid to the vlan you want any for whatever reason untagged traffic that might hit that interface to be in.

Might be best to use some black hole vlan ID there, other than the default vlan 1. For example you create a vlan 666 for example. Add ports that are disabled, or ports that should never see untagged traffic set the pvid to that.. This goes nowhere only to other disabled ports, etc.

if your not using vlan 1 actually for anything, that could be your "blackhole" or disabled vlan ID sure..

If you are actually using vlan 1 for other untagged traffic, ie an interface on pfsense has an IP directly on its interface, then your other interfaces that only have tagged traffic should not be in that same vlan for any untagged traffic, whatever the ID is your using on the switch.

Yeah true. Be sure that you use "Protocol > Any" (for testing)

@northernsky the specs on the page clearly call out discrete ports, states unswitched..

You can use them for whatever sort of connection you want lan or wan, but they are not switch ports.

While you can somewhat simulate what a switch does with a bridge, its still not switching and horrible solution and really should only be used while you wait for a switch ;)

If your switch supports vlans, then sure you could use the different interfaces on pfsense as uplinks from the different vlans, so your not hairpinning intervlan traffic over the same physical interface, etc.

Did you just get the 6100? Maybe you can return it and get a 7100 or a 2100 which do include switch ports.. But they are not 2.5ge ports like on the 6100..

@jknott Perfect, I have made some similar rules and implemented a speed limiting rule now and it works a dream, thanks!

You should start your own thread with the details then.

Steve

@juniper said in VLAN over VPN:

i need to use addresses of the same subnet (for example 8x.xx.xx.128/25) on both pfsense box linked by a VPN, is there a way to do?

You'd need a TAP VPN, not TUN.

@natharas
You're probably in the wrong forum. Should rather be asked in the Proxmox forum.
I can't see, what this has to do with pfSense. But maybe you can give a bit more details.

That should work. You should be able to use the parent interface separately to the tagged VLAN interface.

Steve