@yuriewcli said in SMB | Two Vlans: For the sake of the discussion, i'll say IT dept network range is 10.0.12.0/24. Support Dept is 10.0.11.0/21 where the printer is also connected. Now, the thing is, printing is okay, we can print from IT dept. But we can't scan. First : 10.0.11.0/21 : are you sure about that /21 ? Without firing up my network calculator, this /21 might overlap your 10.0.12.0/24 .... introducing network issues. A device, lets imagine a Windows PC, living on 10.0.12.0/24 can connect to a device on 10.0.11.3/24 (the printer) : it can print. If SMB doesn't seem to work : use the printer IP, and your good. Or assign a local DNS host name to "10.0.11.3" and use that wherever possible. The other way around : the scanner : did you check that the destination of the scanner, as it is a device living outside of the local (printer's point of view) is reachable , Windows devices, afaik, only accept, by default SMB traffic from their own local network, like 10.0.12.0/24 only. You have to visit the Windows firewall on that PC, and add other networks like 10.0.11.0/24. Normally, you should have a shared directory on the PC so the scanner can access it and drop the image or PDF scanned files.

What do you see in the output of etherswitchcfg at the CLI?

@patient0 - I have larger problems (which I can handle). The SSD in the 5100 has crapped out. It started with lots of odd errors, which this appears to be one of. But config files started having errors. And then the 5100 would not boot. I have ordered a new SSD and will recover from there. Thanks for the help! You had me in the right direction!!

All upgraded to 24.11 yet issue remains unfortunately. Here's the output I am seeing on a reboot over serial. I think the key is this line: Warning: Configuration references interfaces that do not exist: mvneta1.99 I am not sure why this is the case exactly. Is there anything from the config Welcome to Netgate pfSense Plus 24.11-RELEASE... ...ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/perl5/5.36/mach/CORE 32-bit compatibility ldconfig path: done. 2880 >>> Removing vital flag from php83...done. External config loader 1.0 is now starting... Launching the init system... done. Initializing.................... done. Starting device manager (devd)...2025-03-22T21:35:48.582133+11:00 - php-fpm 465 - - /rc.linkup: Ignoring link event during boot sequence. 2025-03-22T21:35:48.591626+11:00 - php-fpm 466 - - /rc.linkup: Ignoring link event during boot sequence. 2025-03-22T21:35:48.708691+11:00 - php-fpm 465 - - /rc.linkup: Ignoring link event during boot sequence. 2025-03-22T21:35:48.758862+11:00 - php-fpm 1181 - - /rc.linkup: Ignoring link event during boot sequence. done. Loading configuration...2025-03-22T21:35:48.835769+11:00 - php-fpm 466 - - /rc.linkup: Ignoring link event during boot sequence. done. Updating configuration...done. Warning: Configuration references interfaces that do not exist: mvneta1.99 Network interface mismatch -- Running interface assignment option. mvneta0: link state changed to DOWN Valid interfaces are: mvneta0 90:ec:77:0d:c5:b0 (down) NETA controller mvneta1 90:ec:77:0d:c5:b1 (up) NETA controller Do VLANs need to be set up first? If VLANs will not be used, or only for optional interfaces, it is typical to say no here and use the webConfigurator to configure VLANs later, if required. Should VLANs be set up now [y|n]? 2025-03-22T21:35:50.446791+11:00 - php-fpm 466 - - /rc.linkup: Ignoring link event during boot sequence. n VLAN interfaces: mvneta1.99 VLAN tag 99, parent interface mvneta1 If the names of the interfaces are not known, auto-detection can be used instead. To use auto-detection, please disconnect all interfaces before pressing 'a' to begin the process. Enter the WAN interface name or 'a' for auto-detection (mvneta0 mvneta1 mvneta1.99 or a): mvneta0 Enter the LAN interface name or 'a' for auto-detection NOTE: this enables full Firewalling/NAT mode. (mvneta1 mvneta1.99 a or nothing if finished): mvneta1 Optional interface 1 description found: BACKUPWAN Enter the Optional 1 interface name or 'a' for auto-detection (mvneta1.99 a or nothing if finished): mvneta1.99 The interfaces will be assigned as follows: WAN -> mvneta0 LAN -> mvneta1 OPT1 -> mvneta1.99 Do you want to proceed [y|n]? y mvneta1: link state changed to DOWN Setting up gateway monitors...done. Setting up gateway monitors...done. Writing configuration...done. One moment while the settings are reloading... done!

Found the problem. I'd forgotten to enable the DHCP service on Office VLAN 61. The below is the correct configuration for adding multiple VLAN tags to a discrete interface [image: 1741759623930-screenshot-from-2025-03-12-10-22-04.png] Additional Information can be found on YouTube Link Here Jim Pingle Configuring Netgate Appliances Integrated Switches on pfSense 2.4.4. July 2018 Hangout (thank you Jim and @patient0 )

@viragomann I replied above but it might not have updated for you if you were typing. I enabled vlan awareness but didnt know i had to restart my proxmox host for it to work. I now am able to get IPs in the .99 subnet range

@Bob-Dig Thanks Bob. The extra rules explained in the video did the trick.

@dominikmorawietz Sounds like you want SDA or something with similar functionality. I don't think the functionality you're looking for is done at the firewall level. You'll likely need to implement something internally before it hits the firewall.

@Sergei_Shablovsky said in Mixed MTUs on different NIC's interfaces on same pfSense bare metal: How different MTUs on physically different interfaces (if NIC are 2- or 4- head model) impact on NIC's overall performance (overall throughput, numbers of IRQs, etc...) ? As mentioned before, there is no effect between different NICs. The only issue is there will be more work with smaller packets on the computer/switch/router. This is because those devices handle Ethernet frames as a whole. So, the smaller the MTU, the more frames that have to be handled and the more work for the CPU in those devices.

@algo7 said in Another vlan w/o network access issue: It's always Netgear. Their VLAN configuration is always a PITA. Ran into almost the exact issue today. What issue? There was nothing wrong with Netgear, just the port assignments...

@patient0 said in Beginner - N2000 how to set port 4 to it's own network?: That's very odd, it's a valid range and does have to work. If both the LAN1 and OPT1 are set to /24 they are not overlapping. And if neither the WAN nor the network being your parents AP are using the same IP range, then it should work. I agree that it's odd and now that it's working I'm hesitant to mess with it again. I guess I could always backup my configuration, break it and then put it back to what I know works.

@cesarin En esta parte del foro el idioma es el inglés. Hay una parte en español de este foro: https://forum.netgate.com/category/11/espa%C3%B1ol. O puedes escribir en inglés si eres capaz. If you like to go on in English: What is the pfSense version that is in use and what is the device you run pfSense on? Is the pfSense device connected to a network switch? From your description: there is a network named "LAN" on network interface igb1 (192.168.150.10/24) and a network named VOIP on VLAN 155 with parent interface igb1 (192.168.155.1/24). And you have to restart the VOIP interface to make it work again? How long does it work before you have to restart the interface?

I'm not sure where to post this, as there are dozens of threads out there on this subject. They all involve some combination of Avahi, IGMP Proxy, Firewall rule changing, jumping jacks, yak shaving, and singing ring-around-the-rosie. And they all seemed to work for whoever posted them, at the time they posted them. But they never work for me and I really have no idea how they actually worked for anyone else either. Maybe other factors were involved at the time, but I have no idea. This is probably because Sonos discovery works by making an SSDP broadcast to the local subnet, and doesn't really use any of that other stuff. (Its been a long time since I looked at Sonos behavior in a packet sniffer, so I'll admit its possible it may have involved packets for those other protocols too at various points.) But really, the only solution is to relay those broadcast packets. In any case, I finally found a solution last night that actually worked. It basically involved installing the "UDP Broadcast Relay" pfSense package, then configuring the two rules mentioned in this Reddit post: https://www.reddit.com/r/PFSENSE/comments/rfs99r/setting_up_sonos_speakers_with_vlans_how_i_got/ (At the time I had Avahi enabled, but didn't have IGMP Proxy enabled, and my firewall was already configured to allow packets to pass between the VLANs. So I make no promises as to whether other stuff is also necessary.) So I just want to drop this comment here, on the off chance it helps someone else in the future.

@NGUSER6947 TL DR - Don't use VLANs when a firewall alias is the more appropriate solution. You don't want to get too granular with your VLANs IMHO. I think most home networks only need 3 VLANs. 1 - a "Secure" VLAN for the router/firewall device itself and other network equipment, as well as all of your personal data. This likely includes most of your personal computers/laptops, network storage devices, etc, but it does NOT include personal mobile devices like phones and tablets. Devices on this VLAN should be able to access any other VLAN. 2 - a "No Internet" VLAN for any device that doesn't need internet access. This might include a lot of the automation devices in your network, CCTV cameras, any network printers, etc etc. Of course the VLAN not having internet doesn't mean you won't be able to access these devices either locally or remotely (over a VPN connection), because you will still be able to do that if setup that way. Devices on this VLAN shouldn't have access to any other VLAN. 3 - an "Everything else" VLAN for........ you guessed it......... everything else (ie your media servers, smart TVs, mobile devices, etc.) Basically anything that needs an internet connection but isn't "secure" enough, or has no reason to be accessing your personal data (which resides on the "Secure" VLAN) needs to go on this VLAN. Not only do your personal mobile devices need to be on this VLAN for security reasons, it's also easier to cast/stream to the media servers when everything is on the same VLAN. Honestly the vast majority of your devices will likely fall onto this VLAN. Devices on this VLAN would have access to the "No Internet" VLAN only. When you have just a small number of devices that you want to handle differently, this is when you can/should create firewall "aliases" and control groups of devices this way. Most of the time an alias is a better way to manage the devices than a full blown VLAN IMHO. So no, I would not create an "Entertainment VLAN" because that is getting too granular with your VLANs, but I probably would create an "entertainment" firewall alias if I wanted to handle those devices differently when it comes to ad blocking, rules, or other typical firewall activities. PS - I know a lot of people want to have a "Guest" wireless network/vlan but that isn't actually needed most of the time now that your guests are generally going to have a mobile phone and mobile internet service that works well. Perhaps if your home is located in a cellular "dead spot" this would be helpful to your guests, otherwise it really isn't needed. I know that I initially created a guest network and it was only used perhaps twice over about a 5 year period, so I eventually did away with it. Having a guest network that isn't actually used/needed is nothing but a security risk that should be eliminated.

@patient0 said in Creating VLANs with 802.1q VLAN Mode and Network Port Lagg0: https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/configuring-the-switch-ports.html Awesome. I did not pick this up. Total legend !! I added ports 9 and 10 which has resolved the issue. [image: 1737908034410-b745177b-2681-4ef0-b993-48f4e7ebe815-image.png]

@nmpuk where are the corrections - that diagram makes no sense.. DMZFW—intLan2 / 10.0.13.1/24 (Vlan3) — AppServ intLan3 / 10.0.12.1/24 (Vlan4) | IntLan4 / 10.0.12.2/24 (Vlan5) InnerFW And here you have the same network in 2 different vlans? and then also ' Assigning vlans works just fine during first setup.. But it's never going to work like you have it drawn. If you can't take the time to actually draw up correctly what you want - how is anyone going to help you. So your going to have 3 firewalls running on a VM.. Why would you need to setup vlans in the first place in pfsense? Vlans are when traffic is tagged.. Just put your different interfaces in different port groups.. No real reason to tag anything on pfsense. Only place you would might need to tag is when leaving the vm host, and again no reason to tag that in pfsense. You could but then the port group on your vm host would need to be set to pass the tags.