@aidanlw505 said in VLAN Interfaces not responding to arp who has traffic:

urrent workaround is just running it on the WAN interface since it doesn't have V

Are you on 22.05?

@jarhead Omg... Thanks sir 🙏 should've checked the IP table before.. It's working correctly on the correct subnet now! You made my day sir.

@tyler-0 said in Vlan not getting access to internet:

@the-other @rcoleman-netgate
Thank you both for the responses! I'm a noob when it comes to networking, more of a noob when it comes to firewalls and rules lol.

So heres what i've changed and decided I want to accomplish. Ultimately, I would like to do L3 on the switch, but after reading more on different posts, it seemed easiest just to let PFSense do DHCP Instead of the switch.

Instead of Vlan 10 being the lan IP, I changed it to vlan 50.

Heres ideally what I want to accomplish. This is what I had setup previously with my Cisco ASA. But I ditched the ASA, sort of, it's still in my rack, but I wanted to try PFSense lol.

What I had setup before and what I would like to do, just unsure how to achieve it properly.

ASA Config -
Inside Interface Vlan 50 192.168.50.1
Outside DHCP

Switch Config -
Switch Port 24 connected to the ASA (inside) tagged with Vlan 50. Vlan 50 IP On the switch was 192.168.50.2. I then had a static route 0.0.0.0 0.0.0.0 192.168.50.1 to the inside interface of the ASA.
My Cisco Switch was set to Layer 3 on all Vlans. Management 10, Wired Devices, 5, IoT 6, Guest 7.
I've since moved to meraki access points and am letting Meraki do DHCP for the guest network, so really I only need 3 vlan. 10 (mgt) 5 (wired) 6 (IoT).

I realized I had it all wrong when I set PFSense to be 192.168.10.10. I don't want PFsense to sit on the mgt Vlan, i feel like that's wrong..?

Let me know how I can best and easiest do this. If i need to scratch DHCP via L3 on the switch, I can set it up via PFSense. Would I then still need to put an IP on the vlan on the switch side if I choose for PFSense to do DHCP?

I believe we're good now actually.
I made PFSense Lan 192.168.50.1, my switch I created vlan 50 and gave it IP 50.2. I then fixed vlan 5 correctly to what was stated, I can now access the internet on the vlan 5 for wired devices. I've got ProxMox itself on vlan 10 for management. The only issue i'm having now is vlans seeing each other. For example my PC is sitting on vlan 5, but unable to ping the gateway 192.168.10.1 for vlan 10, therefore I cannot get to my proxmox server on that Vlan. It's going to take me a bit to tinker with the rules to figure it out. I also don't want my management vlan to have access to the Internet. I assume that's the point of the 'lan net' rule. I plan to create a DMZ Network for my VM's to sit on that need Internet access.

The Engenius is a Layer2 switch that will be not able to route the vlans. This must be done by the Cisco L3 switch and/or
by your pfSense firewall. Therefor @johnpoz were asking
you who is routing the vlans.

Trunk port is a term from Cisco itself, it is an uplink that
transfers all the vlans from switch to switch and or router.

You say uplink and now vlans are in "game", you say trunk
and there will be vlans in the "game".

If you want that the Cisco switch is routing the entire
vlans, as I am informed you must be setting them all
up on the EnGenius switch (1:1) as you have it done
on the Cisco one.

Very seldom you may getting in trouble, this is one or
the most and often known point why many network admins will be using switches from one vendor and
on opt often comes that you will in greater
installments stack them up (ring).

@massimomoretti yes

@prtonguy77 Just assign a vlan to that interface and give it the IP info you want. Leave the parent interface blank.
I've done this a few times before. I just name the parent interface "Trunk" and use the vlan as needed.
I never needed just one vlan on it but it'll still work.

@jarhead

short update as promised:

Changing the configuration of the switch and only allowing the VLANs that we actually use (in stead of "ALL") solved the problem!

@johnpoz I don't remember when I initially set it up if that was the default. I am assuming it is because until I added the VLAN everything just worked.

@dominikhoffmann said in Home automation on separate VLAN: How to control with apps?:

@netblues: Stuxnet used Siemens industrial controls to mess up Iranian uranium enrichment centrifuges.

Indeed.
Siemens is a German manufacturer, and there is strong speculation than stuxnet was made especially for that, by israeli spooks.

So I guess xmas lights are nuclear powered or something?

@jecker
After investigating the issue, Version 22.05 was causing 15% packet loss. After downgrading the device to 22.01 our packet loss dropped to 3%, better but not perfect.

@jknott yeah, that's what I'm doing, using ulas as well as gua...still would be nice.
And I agree with the opinion about ISPs breaking ipv6 with those dynamic prefix idea...
To get a fix prefix german telekom wants about 20 Euro a month more by providing half the bandwith. So...wonder ,why they implement it as they do...(not)
:)

@mystique_ said in bridge igc3 to ix1.172 network..:

I have a few vlans defined on ix1, one of them being 172 for management.
I am trying to have a local (igc3) be bridged to that ix1.172 for local management if/when onsite..

bridge0: > member: ix1.42 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 13 priority 128 path cost 2000

These are different VLANs. 🤔

@summer
solved with:
VLAN PFSENSE IP
1 192.168.1.1
10 192.168.10.1

SWITCH PORTS:
PFSENSE AS TRUNK
Device as Untagged 10

Then with firewall rules I can allow/disallow traffic.

Thanks, BR

@adminproconer And how about you remove the link aggregation..

If still slow then I would sniff - but if you have full speed, and ping is 1ms - your issue is not network related, but most likely server or performance related.

Sniff to see what is slow, nothing the network the router can do if server answers slowly.

@fireix said in VLAN on D-link:

This way, no overlapping

FWIW pf will not let you do overlapping subnets so that doesn't matter so much. You can migrate your networks over to a new /28 individually as long as it is contained in a different /24 than your other interfaces.

@adminproconer said in Firewall rule problems. (Client-to-client forward):

Where should I start troubleshooting the issue?

With the network settings and firewall config of the concerned device.

Ensure that all devices in both subnets use pfSense as gateway.

If you can access a device from within it's own subnet, but not from another network segment check its firewall and ensure that it allows access from outside.