Hi @rooticle, the XQ-7100 is set by default to use the switch without vlans. What was described here in the topic is a way to bypass the switch as far as possible. Switch Ports Overview Or have I misunderstood you?

@mol Thank you!

@nomis-home43 You can leave it as layer3. Config one port on the switch as a trunk. Tag all 3 vlans on that port. Untag the vlans on any switchports you need for the networks, I think you said you only need 1 port per network so just do that. In pfSense, go to interfaces/vlans. Add the 3 vlans to the LAN port, This is the equivalent of making that port a trunk, so remove any config you have on it. Then go to Interfaces/assignments. On the bottom there's "available network ports". In the drop down, all 3 vlans will be there. Assign each vlan, one at a time, and they will be assigned an OPTx name. Click each OPTx, enable it, rename it, assign ip's as needed. Go to Services/DHCP server. You will see all 3 vlans at the top, click one, enable dhcp server and set range. Repeat for the other two. Then set firewall rules on the new ports. Should be good from there.

akuma1x, I'm starting to understand. I need to read the post and digest it. I'm not sure how to configure the X, Y, Z ports between the switches. I never thought about doing that.

@johnpoz Since both my phone and desktop are on LAN and the phone can see the chromecast and cast to it and the desktop cannot. doesn't that mean something is wrong somewhere?

@stephenw10 said in Single NIC Setup Not Working as It Should: mixed mode' of some type in order to carry both tagged and untagged traffic on one port. Not really a "mixed" mode.. But the untagged traffic would need to be set as the native vlan.. Wouldn't show it in the gui.. Here would be a port config of doing tagged with an untagged vlan. interface gigabitethernet5 description "sg4860 WLan and vlans" switchport trunk allowed vlan add 4,6 switchport trunk native vlan 2 here is how it looks in the gui of my sg300 [image: 1652878246452-switch.jpg] On this port vlan 2 is untagged, while vlans 4 and 6 are tagged.

@aaronssh It was confusing as hell to me too until someone explained in a way that my primitive brain could process. It's opposite how you intuitively want to think about it. I still get it backwards sometimes. The house analogy is actually a fantastic way of keeping it straight in my head.

@amc_oldsarge Any new vlans creatred will need outbound rules adding, if you want an internet only rule do something like this:- [image: 1652729794177-screenshot-2022-05-16-at-20.36.06.png] Where n_ip_local contain all the local subnets.

@prtonguy77 said in Block clients on same VLAN from seeing eachother?: Any ideas? get a switch that does, or create vlans to isolate the devices you don't want talking to each other.

Thanks to all for explaining doh. I changed my SecureLANs alias to not include the 192.168.20.0/24 network. So now, all PCs on 20.0 seem to get DNS, etc. I added a rule to block source from 20.0 network and destination to This Firewall/443. I think I'm good, unless I missed something else.

@dansci Yes, you're making the same mistake I thought you were making. You want static IPv4 on both interfaces. By not enabling IPv4, you are disabling that interface.

@johnpoz said in How to keep networks separated: Seems odd to me that your saying pfsense is getting a public IP - but other devices are getting 192 - this isn't normally how a gateway in bridge mode works. That's how the att garbage works. Their gateways have what's called passthrough mode. Via dhcp it assigned the public ip to a single device on the lan side. However, the public ip still remains assigned to the gateway's wan as well. It's a pseudo passthrough mode of sorts, fake bridge. The end result, customer's device (router, pfsense, etc) has what appears to be a public ip as well as the gateway. As such, the gateway can assign various private ip's to other devices (wired and wireless) connected its ethernet ports and/or wifi ssid. A traceroute behind the customer's router (pfsense or other), will show the gateway ip as the first hop (192.168.1.254) rather than the real wan gateway. For those of us on fiber in areas not get upgraded to xg-pon, several bypass methods exist which eliminate the isp gateway box entirely. The best is extracting (or buying) the 802.1x certs then implementing them in software using wpa_supplicant. This gives customer full access and control of the network, no double nat, etc. Also a /60 PD for ipv6 vs /64 from the gateway box. The other methods still rely on the gateway box in one manner or another.

What IP range is used in the router before pfSense? I think pfSense is looking ok, don't know about that switch.

@derek_nos said in Netgate 2100 Vlans With Aruba 1930 Switch And AP15: so the following should be fine for native vlan1 and vlan30 Yep!

Okay so I indirectly "fixed" my problem. All it took was installing Debian as I couldn't install proxmox directly via serial console, then modded Debian into proxmox, virtualised pfsense with virtio networks cards.