@nick-loenders Do a packet capture on the interface and look at the packet tags ?

@viragomann sure, yes, I should draw a map with some overview. Will do asap.

I am perfectly aware of the fact that the pfsense is my bottleneck right now.

The firewall rules are now working and matching.

The alias is still not listed, but it's working as expected. Thanks for your help

@cerberus2022 said in VLAN and DHCP for Phone VLAN:

Hello,
I am trying to create VLAN that will do DHCP for say VLAN 41 and network 192.168.76.0/24 . I assign the network and create the server.I also have my ports tagged on my ubiquiti switch. However my phone does not pull a dhcp despite being tagged that vlan. It also does not even work with a static ip plugged directly into the pfsense or switch. I used to do this on ubiquiti routers and i am wondering if i am missing something on this setup.

You say your phones are tagged on that vlan.
I know several phones that can run native .1q.
Do you use that feature ?

Are you running the phone switchports as "untagged" or tagged.

They have to match ...

/Bingo

@jt40 the default is drop, ie just block..

But internally it is sometime better to reject vs just drop. I want to let my internal client you can not go there right away - via a reject. Vs letting it bang its head with retrans trying to figure out why he is not getting an answer.

Externally no you would almost never want to send a reject to something out on the internet.. But internally - if your going to on purpose prevent something like vlan x from talking to vlan y.. its better to just let them know - hey stop trying to go there ;)

If the device asks for something else and the rule is not present, I expect the packets to be dropped automatically...

That is how it works.. If there is not allowed, then traffic dropped gone over this how many times already.. But yet to see a picture of your rules.. You have been told multiple times that pfsense will not route traffic unless there is an allow rule.

If the spam system is preventing you from uploading a picture - then link to it somewhere else, use something like my picture is here somewhere . domain . tld / whatever even if you have to but. But what I can tell you yet again yes default is deny. No rule to allow, traffic is dropped.

If you want to actually see it - then look at the full rule set. Since this default deny is not shown in the gui..

[21.05.2-RELEASE][admin@sg4860.local.lan]/root: pfctl -sr | grep "Default deny rule" block drop in inet all label "Default deny rule IPv4" block drop out inet all label "Default deny rule IPv4" block drop in inet6 all label "Default deny rule IPv6" block drop out inet6 all label "Default deny rule IPv6" [21.05.2-RELEASE][admin@sg4860.local.lan]/root:

@jknott all stuff pointing to returning of the switch if you ask me..

@karimwassim
Did you obey the pfSense VLAN Configuration section in the docs?

@dumdedumda said in [SOLVED] Large file transfers between interfaces dropping:

@netnewb2 said in [SOLVED] Large file transfers between interfaces dropping:

Problem solved by adding static routes to VLANs that weren't in the same network as FreeNAS. I assume it had something to do with asymmetric routing and with FreeNAS not setting gateways on VLAN.

Currently dealing with a similar scenario myself-- where transferring large files inter-VLAN between FreeNAS and a client crashes the network.

Can you explain the process of "adding static routes to VLANs that weren't in the same network as FreeNAS"? Thanks!

Well, it’s been a while since the initial post and right now even I don’t understand what I was trying to do. Looks needlessly complicated.

AFAIR, it has something to do with FreeNAS on multiple VLANs and asymmetric routing. Example:

PC on 192.168.1.5
FreeNAS on 192.168.1.100 and 192.168.100.100

PC tries to access FreeNAS on 192.168.100.100. Works initially but after a while FreeNAS will try to respond via 192.168.1.100, as in, from the same VLAN as the PC.

Or another issue when FReenas tries to answer back from 100.100 but doesn’t have a gateway set on that interface. The solution was to add a gateway on 192.168.100.0/24 but that wasn’t an option (in the freenas gui). So I had to set a static route from Freenas something like, 192.168.1.0/24 via 192.168.100.1 (router interface on that VLAN that can talk between VLANs).

Tbh I can’t remember details and since then, I’ve moved on from freenas and pfsense

If "My PC" is not tagged you may need to set the correct native VLAN on the switch. I had that problem.

@pzanga said in VLAN priority setting question:

Let me ask you this - are you using the VLAN priority set option in your traffic shaper rules? I am figuring I will end up using that option to tag the VLAN priority on the incoming SIP traffic, while the phones tag the outgoing traffic.

No I'm not using VLAN priority set option in our traffic shaper rules.

@johnpoz It's on my own hardware that is on the FreeBSD hcl. It's the default untagged VLAN that stops working. It's the physical network. ex. eth0 192.168.1.1 eth0.10 192.168.10.1 As soon as I add the eth0.10 and assign it to the parent eth0 it all stops working. luckily I can get in over WAN but not on the LAN at all from anywhere. So I'm not even sure the VLAN is working or not because nothing works. The switch has the VLANs assigned and tagged and the native vlan, VLAN(1) is untagged.

@viragomann Hello,

thats it.
I had to enable the switch ports with tagged VLANs and enable the same on the Proxmox bridges. Now my VLANs are working properly and i can start over with the pfSense :-)

Thank you
Michael

@webdawg said in VLANS, Promiscuous Mode, and Mac Addresses:

Just a bridge to a different network...

Yeah there you go - that can cause all kinds of weirdness, especially with mac addresses that get seen with different IPs on them. Like with vlans on the same physical interface. Which should be isolated and devices in different vlans should really never know that interface with IP X on it has the same mac as IP Y.

Glad you got it sorted.

@johnpoz said in VLAN confusion:

unifi prob cheapest option - but I really don't think any of their stuff actually does L3, even though they have been talking about it for years. My sg300-28 does L3, and I got it new under 200, but it not any poe.

yep, that has been my unfortunate experience with Ubi and L3.

The "L3" 24 PoE I bought from Ubi was $800 so a Cisco for a bit more with better functionality will be worth it.

OK, so I used IX0 for VLAN10.

alt text

alt text

and here are the results:

alt text

and the CPU usage:
alt text

I'll update also the Netgate ticket