@mlradioguy firewall rules have nothing to do with, once you enable the dhcp server hidden rules are created that will allow dhcp.

Are you seeing dhcp discovery/requests on pfsense? What does the dhcp log say, sniff on pfsense different interfaces are you seeing the dhcp?

if you set static, can you ping pfsense IP, do you even see arp entry in your clients for pfsense IP..

Man that does sound like a pain. It also doesn't sound possible to really do per app tunneling like a dedicated VPN app can do particularly for things like web browsers whereas with something like Sweech that uses a narrow host address range plus a specific port number, it would be a piece of cake. I suppose I'd have to keep the desktop app for the PC, but the phone should be ok with it since it's just one app that needs to be configured.

@johnpoz

Currently they both carry different vlans via their uplinks to pfsense? Yep that was previous situation.

And yep I do have a limmited number of vlan's in a trunk between the two switches. But for the essential management vlan, I did not like that.

Note that the bridge I implemented does work as intended! I just do not understand the IMHO crazy way it is implemented !!

@codechurn
Yes, you need an outbound NAT rule for the respective subnet on the VPN interface.

To limit access to outside destinations only, best practice is to create an RFC 1918 alias, which includes all private IP ranges and use this one in the filter rule.
86600fa1-0b28-4483-813c-42d9d6d521b9-grafik.png

You can use this as destination with "invert match" checked in the policy routing (pass) rule. Or just insert a block rule above of it.

Used in a pass rule, it looks like this:
d1fd0a53-d658-4d4d-b99a-431dc1d40461-grafik.png

Also you should limit access in your first rule to services, which are needed like DNS.

If you also want to block access to HAproxy, which is listening on the WAN IP, you need an additional block rule for this.

@desquinn Port 4/WAN2 is a unique subnet?

The steps in https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html just isolate the port, it should not affect anything else.

Steps 21-22 remove 4 from VLAN group 0 but your text shows it in there.

If you configure WAN2 but unplug it what happens?

Can you ping from pfSense into each VLAN?

Check Diagnostics/Routes.

@cyb3rtr0nian Buying used on ebay might be a good idea, but if you are looking for new, perhaps TPLink could be an option. As @AndyRH mentioned there is Unifi which is a good option, but TPLink have pretty much copied their UI in their Omada series. I have Omada at home and run Unifi at our vacation house and my mom's place and I actually think Omada is a bit more "clean" and simple to navigate.

Retransmission might be cables, but it's perhaps more likely that it is due to your wifi network. What mesh system are you using today?
Some of them seem to reuse the same wifi channel on all AP's which is completely wrong from a radio standpoint.

Phones or other devices will change to the next cell based on radio conditions and don't need to be on the same channel to be able to roam in your home. And you can control their "behaviour" via the settings for the AP's. At what signal strength they should be "pushed off" an AP so they connect to the next etc. But I'd say that is not at all necessary to mess with in a normal home with just a few AP's.

Placement and channel selection is important however, and you will be trying to minimize interference. Having all AP's on the same channel creates tons of interference, from the AP's themselves as well as all the devices.
There are apps on Android you can use to check signal strength of wifi from you neighbours on each channel (Wifi analyzer and Ubiquitis WiFiman). Wifiman has a nice mapping feature that you can use to create a "heat map" showing the signal strength or expected speed in your own home as well.
On 2.4Ghz channels are much wider than the numbers suggest, already at 20 Mhz channel width. So channel 6 also covers channels 4, 5, 7 and 8, meaning that the only non overlapping channels are 1, 6, 11 and 14. And don't use more than 20 Mhz... in theory it should give you higher speeds but you will likely get more interference and lower speeds.

@socrateberserk said in Assistance with Multiple DHCP Servers on Netgate 6100:

I just changed the rules and it works

You corrected your overlapping networks as well as I assume, pfsense will not allow you to put an IP on an interface that overlaps with another interface

@cuteliquid11 said in Do you assign a dedicated interface to manage your Pfsense from the GUI?:

switch for speed and streamlined logic.

Yeah I sure wouldn't call that streamlined, and not sure what your using for pfsense but its more than capable of routing at speed.. Now if you wanted devices to talk at like 2.5ge or 5 or 10ge or something ok.. If pfsense couldn't do those speeds..

How is lack of any firewall rules between segments on your switch vs easy clickly clicky easy firewall rules on pfsense streamlined? You creating firewall rules via ACLs? Not sure what switch your using, but those are not anything close to ease rules can be done on pfsense.

If your not firewalling between the segments on your switch, why even segment them? Just put them all on the same vlan, etc.

But you still haven't said what your route conflict is??

Lets take a look at your drawing.. But routing to your downsteam router(L3 switch doing routing) wouldn't cause route conflict..

Here is example of how you would setup downstream router

pfsense-layer-3-switch.png

@johnpoz Thank you, that really cleared things up.

@netguy Ahh, good I did the followup. I noted that your original question could mean you were talking about pfsense Interfaces rather than switch interfaces.

No, adding the same VLAN on more than one Interface on pfSense is a really bad idea. You can theoretically create a bridge containing several interfaces, but it causes a lot of issues and strange/unpredictable behaviour, so definitely something I would recommend you stay away from. Get yourself a managed switch - they are dirt cheap, especially used. You’ll end up doing it anyways even if you choose not to follow my advise now.

@ccgc I also notice now that on this view, you have all the ports 1-8 Tagged instead of Untagged?

3c37ad16-951e-4fda-a3c6-77b63306ab1f-image.png

Did you follow this guide?

https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch

And you really don't have to do anything with VLAN 1, except remove it from the ports you want to have as access ports for VLAN 20 (VIDEO).

And of course, VIDEO has to have a different subnet range than LAN. So if VIDEO has 192.168.0.1/24 you have to use something other than 192.168.0.

@Frosch1482 the rfc1918 is just that, an alias that contains all the rfc1918 networks.. Are you other vlans not rfc1918?

Why would you need to create several to block rfc1918? You can have lots and lots of aliases if that is what makes sense for what your wanting to do.. Which you have not actually expressed in any sort of detail that would be helpful for someone wanting to help you.

I gave you an example of simple set of rules that would allow a "guest" sort of network to access the internet - but not any of your other network (if they are rfc1918) nor any pfsense gui IPs, even if the wan is public and changes.. That is the "this firewall" alias.

Those rules I gave as example could be adjusted to whatever your needs are.

Maybe you want to allow any dns? Maybe you don't want to allow ntp access or ping of pfsense IP on your guest network, etc.

@Bly On a 3100 the LAN ports are a switch so all the same port from what pfSense sees. You will need to isolate the ports in order to use separate firewall rules. But once you do that, then yes, they are just like separate ports.

@ccgc said in Netgate to Netgear config - VLANs cannot get DHCP or connect to the internet:

When the ports added to the VLAN are removed from the default VLAN (vlan 1)

can you post your pfsense switch config - it can be a bit tricky for users. Where exactly are you removing vlan 1?

Your netgear sounds corrected with the port on it connected to the pfsense having your tagged vlans, and the ports your going to connect your devices to on the netgear in that vlan untagged.

@keyser - I totally forgot about port5 as Lan Uplink, saw it as another port. Thank you!

Another check:

I can ping the interface (OPT7 on ix3) if given an IP, so it's working?

What else can I do to try using it in the LACP instead of ix0?

Thank you very much

@randydeb as @Tzvia mentions switch or switches how you do this.

And using switches does not make your other ports on you router useless.. You could use them as other network interfaces.. But trying to make a switch out of discrete interfaces waste good interfaces and makes for a horrible switch!

Not sure I would use those vlan IDs - those are quite often reserved or special in the cisco world.. You could use lagg if you want for more bandwidth and redundancy. You could put your other vlans/networks on their own interfaces connected to your switch so your not hairpinning traffic.. I for sure would put your IP cameras on their own interface.. Normally cameras are always streaming data.. While it not normally a huge amount.. I wouldn't share this on same physical interface with other networks/vlans if I had the interfaces to use.

1002-1005 Cisco defaults for FDDI and Token Ring. You cannot delete VLANs 1002-1005.

I like to use a vlan ID that matches up with the network, so for example 192.168.9.0/24 the ID is 9, my 192.168.3.0/24 the ID is 3, 192.168.7.0/24 is ID 7, etc..

If you have network/vlans that will do a lot of talking between them - its normally good to put them on their own physical interfaces vs all on the same interface where the traffic will hairpin.