@steveits Thanks for the help Steve! Bridge worked :)

I've finally managed to get this fixed, thanks to a kind soul found on the Internet. I basically got schooled(again!) on layer 2 traffic and having an extra pair of eyes go through the firewall config, I found out what the problem was. I was basically trying to shoehorn VLAN traffic through the switch and causing a loop(even with loop prevention turned off). However, this was not affecting my regular traffic which made me continue to troubleshoot and assume that my configuration was correct.

Considering my requirement has been that VMs talk to each and gets update over the internet and nothing outside of these VLANs, I added another interface to pfsense(trunk port) and in pfsense, changed the VLANs to be going through the new interface, rather than still pushing it through the physical LAN which I was trying to do. I now get DHCP AND the machines are able to reach out to the internet.

Once I added the trunk network interface as an additional NIC, it showed up as a 3rd interface on pfsense which showed as vmx2

ef00ec88-22ea-4b6e-a5cb-a5cd24c95b2e-image.png

I used the third NIC to pass my VLAN traffic
97e9f5c0-4b2a-4482-8320-999d1e4bbdaf-image.png

Earlier, I had configured VLAN to be going vmx1, by letting the traffic go out through the LAN/Trust interface and then trying to get it back through the same port (since I didn't have another NIC free on ESXi). Now, all my VMs are getting the correct IP address range

Well I would have preferred not to go in the « advanced user only » box on my first day but sometimes you gotta run before you can walk:

ifconfig bridge0 addr

@fgervais Thanks! Than my problem is probably related to the Hyper-V vSwitch I was using.

@jarhead Are you actually seeing a problem or just a few counters and only when you reboot? Lots of things happen when a system is rebooted and not just on the pfSense side. Assuming you're connected to a switch which also will run through some link up/link down procedures. If I was only seeing a few error counters on reboot and then no further incrementing or problems, I would personally move on to something else.

You'll likely need to send screen shots of the interface assignment page and detail exactly what you are doing to attempt to reassign the VLAN to the physical if.

@martywise have you tried to reconfigure the native lan for the port connected to your pfsense box. You could make the native lan of the switch trunk port different than the rest of the switch so it doesn't pass data other ports having same native vlan

@bigups43 Yes.

The big advantage of stackable switches that that you have redundancy as you can run a single LAGG over multiple switches.

@soheil-amiri

Max throughput can be reached on a bare bone system. A VM will always add overhead.

What has been done with pfSense : see one of the many Youtube videos.
I guess it can't up-scale forever, and thats why TNSR was created.

Now it works, solutions were as you wrote not to use vlan but lan on j4125 firewall.

Thanks @bingo600 and the rest of you for the help.

@rcoleman-netgate As I said, I had not assigned VLAN 128 to any interface, but thanks for the advice. Getting 504 would still be a pretty bugged out way in that case though.

The issue is gone for me now. I tried rebooting before posting here, and it didn't help. But now I rebooted again and it seems to have gone away. ¯\_(ツ)_/¯

I've just done a write up about the challenges of debugging these scenarios for reference: https://www.contradodigital.com/2022/07/25/how-to-troubleshoot-ping-icmp-not-working/

@mc-amz "switches" only shows up on Netgate hardware that has a switch built in... such as the 1100, 2100, 3100 and 7100 systems.

My 7100:
a2df6481-6062-4d6c-9b55-1659260d39ea-image.png

@johnpoz 🤣 🤣 🤣 🤣

@aidanlw505 said in VLAN Interfaces not responding to arp who has traffic:

urrent workaround is just running it on the WAN interface since it doesn't have V

Are you on 22.05?

@jarhead Omg... Thanks sir 🙏 should've checked the IP table before.. It's working correctly on the correct subnet now! You made my day sir.

@tyler-0 said in Vlan not getting access to internet:

@the-other @rcoleman-netgate
Thank you both for the responses! I'm a noob when it comes to networking, more of a noob when it comes to firewalls and rules lol.

So heres what i've changed and decided I want to accomplish. Ultimately, I would like to do L3 on the switch, but after reading more on different posts, it seemed easiest just to let PFSense do DHCP Instead of the switch.

Instead of Vlan 10 being the lan IP, I changed it to vlan 50.

Heres ideally what I want to accomplish. This is what I had setup previously with my Cisco ASA. But I ditched the ASA, sort of, it's still in my rack, but I wanted to try PFSense lol.

What I had setup before and what I would like to do, just unsure how to achieve it properly.

ASA Config -
Inside Interface Vlan 50 192.168.50.1
Outside DHCP

Switch Config -
Switch Port 24 connected to the ASA (inside) tagged with Vlan 50. Vlan 50 IP On the switch was 192.168.50.2. I then had a static route 0.0.0.0 0.0.0.0 192.168.50.1 to the inside interface of the ASA.
My Cisco Switch was set to Layer 3 on all Vlans. Management 10, Wired Devices, 5, IoT 6, Guest 7.
I've since moved to meraki access points and am letting Meraki do DHCP for the guest network, so really I only need 3 vlan. 10 (mgt) 5 (wired) 6 (IoT).

I realized I had it all wrong when I set PFSense to be 192.168.10.10. I don't want PFsense to sit on the mgt Vlan, i feel like that's wrong..?

Let me know how I can best and easiest do this. If i need to scratch DHCP via L3 on the switch, I can set it up via PFSense. Would I then still need to put an IP on the vlan on the switch side if I choose for PFSense to do DHCP?

I believe we're good now actually.
I made PFSense Lan 192.168.50.1, my switch I created vlan 50 and gave it IP 50.2. I then fixed vlan 5 correctly to what was stated, I can now access the internet on the vlan 5 for wired devices. I've got ProxMox itself on vlan 10 for management. The only issue i'm having now is vlans seeing each other. For example my PC is sitting on vlan 5, but unable to ping the gateway 192.168.10.1 for vlan 10, therefore I cannot get to my proxmox server on that Vlan. It's going to take me a bit to tinker with the rules to figure it out. I also don't want my management vlan to have access to the Internet. I assume that's the point of the 'lan net' rule. I plan to create a DMZ Network for my VM's to sit on that need Internet access.

The Engenius is a Layer2 switch that will be not able to route the vlans. This must be done by the Cisco L3 switch and/or
by your pfSense firewall. Therefor @johnpoz were asking
you who is routing the vlans.

Trunk port is a term from Cisco itself, it is an uplink that
transfers all the vlans from switch to switch and or router.

You say uplink and now vlans are in "game", you say trunk
and there will be vlans in the "game".

If you want that the Cisco switch is routing the entire
vlans, as I am informed you must be setting them all
up on the EnGenius switch (1:1) as you have it done
on the Cisco one.

Very seldom you may getting in trouble, this is one or
the most and often known point why many network admins will be using switches from one vendor and
on opt often comes that you will in greater
installments stack them up (ring).

@massimomoretti yes

@prtonguy77 Just assign a vlan to that interface and give it the IP info you want. Leave the parent interface blank.
I've done this a few times before. I just name the parent interface "Trunk" and use the vlan as needed.
I never needed just one vlan on it but it'll still work.