@creationguy Never said to change vlan1, chances are you can't, but stop using it. Vlan1 will always be in the switch. But it doesn't need to be used.

@j24 A bit late to this party, can are you able to share a screenshot of the Switching > VLAN > Advanced > VLAN Membership, for one of your static VLAN groups? I'm trying to see where I'm going wrong with the tagged/untagged options.

@johnpoz What if @samleemc's location is ISS, or on some base camp in Antarctica ? Or, more serious, he rented a "housing" in some data centre with very limited "Watts" available. For any other situation, yeah, life should be kept simple : get a switch.

@jarhead Hi, thanks for following up. I appreciate it. I contacted the switch manufacturer for a 3rd time and finally figured it out. lol. there was a few things i was doing wrong, plus the support tech kind of led me in the wrong direction. Thanks again!!

@creationguy If your running tagged only on the port.. Then yeah it would be best to set the pvid to the vlan you want any for whatever reason untagged traffic that might hit that interface to be in. Might be best to use some black hole vlan ID there, other than the default vlan 1. For example you create a vlan 666 for example. Add ports that are disabled, or ports that should never see untagged traffic set the pvid to that.. This goes nowhere only to other disabled ports, etc. if your not using vlan 1 actually for anything, that could be your "blackhole" or disabled vlan ID sure.. If you are actually using vlan 1 for other untagged traffic, ie an interface on pfsense has an IP directly on its interface, then your other interfaces that only have tagged traffic should not be in that same vlan for any untagged traffic, whatever the ID is your using on the switch.

Yeah true. Be sure that you use "Protocol > Any" (for testing)

@northernsky the specs on the page clearly call out discrete ports, states unswitched.. You can use them for whatever sort of connection you want lan or wan, but they are not switch ports. While you can somewhat simulate what a switch does with a bridge, its still not switching and horrible solution and really should only be used while you wait for a switch ;) If your switch supports vlans, then sure you could use the different interfaces on pfsense as uplinks from the different vlans, so your not hairpinning intervlan traffic over the same physical interface, etc. Did you just get the 6100? Maybe you can return it and get a 7100 or a 2100 which do include switch ports.. But they are not 2.5ge ports like on the 6100..

@jknott Perfect, I have made some similar rules and implemented a speed limiting rule now and it works a dream, thanks!

You should start your own thread with the details then. Steve

@juniper said in VLAN over VPN: i need to use addresses of the same subnet (for example 8x.xx.xx.128/25) on both pfsense box linked by a VPN, is there a way to do? You'd need a TAP VPN, not TUN.

@natharas You're probably in the wrong forum. Should rather be asked in the Proxmox forum. I can't see, what this has to do with pfSense. But maybe you can give a bit more details.

That should work. You should be able to use the parent interface separately to the tagged VLAN interface. Steve

@priext What does a traceroute out from OPT show? The 1100 is one switch with three ports. Very wild guess but the last paragraph of that doc caught my eye: "With both the LAN and OPT switch ports using the same VLAN on the switch (4091), the firewall will receive traffic from either port on its mvneta0.4091 interface, which is assigned as LAN by default." It sounds like LAN is detected as down and that prevents access from OPT. What happens if you swap them and put your PC on OPT?

@publictoiletbowl You can make it whatever you want. I have some VLANs on the LAGG set to dedicated untagged ports on the switch, and some as tagged trunks.

@johnpoz Thanks again for your help and input! Wanted to give an update: I did receive my 16-port Unifi Switch Lite 16, swapped it in and moved some switches around. Doing so, I was able to take out two Ubiquiti Edge Router X's (in VLAN Switch mode) and a simply unmanaged switch. Now the only brand of switch I am using is Unifi switches. After taking out the Edgerouters, things started to work as expected. I'm very familiar with the Unifi switches, but a little less so with the Edgerouters. Despite my best attempts to set them up properly with the correct VID's and PVID's for my different VLANS, ports, and trunks downstream from my primary switch, I must have still gotten something wrong and been creating some sort of STP issue. As I said, now that I am using only Unifi switches, things are working as expected, so we seem to be all clear! Thanks again for all of your help and input!

@jarhead appreciate the quick reply. I’ll check that out. Thanks again

@creationguy You don't typically untag more than one vlan on a port. While vlan 20 'should' work on that port, the others definitely won't as the device plugged in wouldn't be tagged so all egress traffic would go out on vlan 20 (pvid). Just think it through, Trunk ports carry vlans to where you need them. Access Ports let you use those vlans. Have to assume port 24 goes to pfSense, then just untag the ports as you need them with just the vlan needed. If you need to carry the vlans to another device, use a trunk and tag the vlans needed on it, then untag ports that will use each specific vlan.

@jarhead said in TP-Link VLAN assistance: @natharas Switchports that connect to a device should be untagged. Tag the interface in switch one going to pfSense. make sure both vlans in pfSense are on the same interface. Then tag port one in both switches with both vlans. all other ports are untagged. pfSense to switch one, tagged with both vlans. sw1 port1, tagged with both vlans. sw2 port 1, tagged with both vlans. All others untagged with appropriate vlans as needed. Thank you so much that has work, I really appreciate your advise and taking the time to help me. What is the best way to move Proxmox to VLAN 50, it is still on my existing DHCP range of 192.168.1.x? Would it be best to VLAN aware linux bridge VMBR0 or should it be done via Shell?