@worldhopp I believe you just solved my issue! I was just visualizing tagged and untagged backward. I'll let you know for sure how it turns out.

Thanks for the response on this old forum.

@dotdash said in Same Networks in different VLANs:

multiple routing tables is just that and not actually several routers

We could debate semantics I guess ;)

To "me" VRF is actual another router.. Since it is a whole set of new routing tables, and sure other interfaces.. Even if they are "virtual"

"Virtual routing and forwarding (VRF) is an IP-based computer network technology that enables the simultaneous co-existence of multiple virtual routers (VRs) as instances or virtual router instances (VRIs) within the same router."

think the OP should just use different networks for the vlans

We agree here ;)

Solved...
For some reason, "Firewall -> NAT -> Outbound" showed me an "Auto created rule for ISAKMP - ... to WAN" for one failing VLAN, but it did not add the "randomize Source port" entry automatically.

No clue why... I also seem to have had "Manual Outbound NAT rule generation." on, but then I wonder how I ended up with the above auto created rule.

In any case, I now added the needed NAT entries manuall and now finally it works :)

@johnpoz : Linksys EA7300 - You said it would work, but it doesn't!!! 😆 🤣

Not listed as supported on the DD-WRT web site. 😞

But it is supported on OpenWRT with vLan! Yay!

So, cool beans! I can (probably) take it from here.
Thanks for your, and everyone's, help!!!

@ossgeek said in Best Practices for VLANs with Multiple Interfaces:

it would be a few extra clicks to configure.

Either way adding more vlans to a physical interface is no big deal, be it you have untagged on the interface already or not. Sure you would have to change the config on your switch a bit.

But I run native (untagged) network on same interface I also have tagged vlans on.. There is nothing saying you can not do that - unless you had some limitation of your switch? Or again some company policy stated not to do that ;)

@viragomann Big thanks for this, man. One click fix after days of troubleshooting and even consulting with others.

@skippythemagnificent You shouldn't have it tagged if the only thing on it is untagged... but you do have to have the assignment made.

There's a lot of data in this ticket so if you said you have a 802.1Q switch on that interface or other tagged device then that would make sense.

@grovesjon

https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/router-on-a-stick.html

i dont have the screen in step 5

@steveits Hey,

Thanks for your response, sorry for the late reply.
I did follow Netgate's instructions, futhermore I've tried most of the configurations looking at the specific ports and if tagged or untagged traffic comes in.
Though the router is not implemented yet in the network. Its still on its test setup.
The DHCP server is enabled and configured the same as my other interfaces, wich do work.
The interface is has a /24 subnet.
I hope I am explaining it correct, I'm still a bit of a noob with networking.

@gertjan said

PS : It's not a Russian bank, right ? ;)

Not exactly but they have had other "problems"

@crucialguy - Thanks for the response. I took your suggestion and configured port on Zyxel to be tagged but still was not getting any IP from pfsense. Of course moving lan connection to another port I do get IP from native vlan. So I must have configure the VLAN on Zyxel switch incorrectly.

@johnpoz i think that is what i was suggesting in the 2nd setup.

e.g. wifi/guest vlans on the gs110 pass on the interface to the gs108 (netgear) which then pass on the single interface to pfsense. there won't be loops because they both support spanning tree. so in effect the vlans will be on cascaded switches.

Hi,
Did you manage to make a bridge work for LAN?

Thanks for that, changed now.

@pulsartiger In the Unifi Controller, for the network you set the subnet for the VLAN as follows
ec3a21b9-caed-4009-9f8b-ebfa971ba3d8-image.png

And the VLAN ID as follows
93e7c28d-65b5-4333-81de-41bf93ffb2e7-image.png

Then in pfSense you create a VLAN for the same ID
f2725e9c-4b97-4836-9247-2c344c04c4c0-image.png

And firewall rules as appropriate. For example I allow my phone/ipad access to certain applications on the LAN (through a HA proxy). Printers are also allowed. I block everything else on VLAN100 to LAN and VLAN200. The last rule is to allow everything, everywhere.
f16a2da8-876e-4ab7-858b-93753be316c2-image.png