I've done some more reading since my first post and I had mistakenly thought that they need to match or "bad things would happen". Thanks for clarifying.

This was because of Hyper - V Not sure how to get Hyper V working with all this, but I set it up on bare metal and it seems to work fine

@steveits oh really I'm going to investigate :)

@swemattias You don't configure VLANs on a VPN. VLANs are configured on Ethernet ports and VLANs are carried on IP. You normally just route the subnets and recreate the VLAN at the other end. OpenVPN supports TAP mode, which might be able to do what you want, but I don't now about Wireguard.

@keyser very true ! That's the solution. I appreciate !

@jknott and @johnpoz Thank you so much for your insights! Aside from a few Ubiquity APs and switches, my network is fairly simple in terms of devices (few laptops, a couple of smart tvs, nest and a few cell phones. Getting ready to dive into installing the new Netgate 6100 and have been thinking about creating VLANs and how to organize all of my devices there including my Ubiquity devices. Have been thinking about sitting down one of these days and determining what goes where before deciding how many VLANs to create. At the same time I have also been wondering if the VLANs and rules I create will be able to accommodate any new devices I get in the future. That is why I was wondering if there is a general rule to organize current and new devices without having to create new VLANs or having to redo everything on the network. In my current pfSense setup I don’t have any VLANs - currently using the LAN interface for most devices and another OPT at a different subnet connected to a Cisco 8 port switch with a few devices attached to it via Ethernet (smart TV, Blu-ray and DVR). Recently I also ran new cat6a cabling everywhere in my house so I am in the process of determining how everything will connect to the new Ubiquity switches/AP and Netgate 6100. Thanks again! Really appreciate your assistance!

@johnpoz I was just being a little suspicious. :-)

@justsumdad said in DHCP on VLAN: I am running the pfSense virtualized. And are you passing the tags to pfsense via 4095 set on your vswitch..You say your running vmware (esxi?)

@furom Lacking privleges to delete this myself. I have rephrased my question in another post, tho I did try to edit, but wasn't allowed either. Please delete this.

This might help:- https://www.netgate.com/resources/videos-configuring-netgate-appliance-integrated-switches-on-pfsense-244

@19taurus79 said in Block answer on ping from Vlan: now a beer:) hehee - which is always to the correct response ;)

Thanks to you both for responding. After looking at this some more last night, i went back to the windows box and re-read windows firewall re: pinging It seems i did not read correctly the 1st time, and (now) have made the correct changes to allow pings. Now with my rule on the .20 inteface, i can ping correctly! And all is working as it should!! Thank again

@frayper what is the point of the RB, you want to use that as a downstream router?? But you want pfsense to be your router for the vlans? I don't get trying to setup a local interface as dhcp client.. Why would you do that? Here https://forum.netgate.com/post/393642 Set LAN IP via DHCP You could always run into the dhcp handing out a gateway, so pfsense would think its a wan. If you want pfsense to be the gateway for your lan side networks, where your RB downstream is just L2 then set them as static IPs. But that RB is normally used as a router (L3).. So not sure what your thinking is going be setup here. If you want pfsense to be the gateway for those 2 networks, then you just need a L2 switch.

@johnpoz The forum is flagging this for spam so I can't edit the post I just did to get the quotes right.

@sven72 said in IOT VLAN not reaching internet: well I disabled the logging but indee I never said turn off all logging, rules you create by default do not log. Only stuff that falls through to the default deny would be logged by default. So just create a rule that blocks that host from going to 8.8.8.8 and don't log it in the rule. Example my work laptop generates lots of noise trying to get to stuff it can't get to when on home network.. I have no desire to see that, so there is a rule no logging for my work laptop trying to go to any private IPs that is not logged. [image: 1641669708901-notlog.jpg] You can see the specific rules above and blow it are set to log [image: 1641669829070-logrules.jpg]

@kuro68k I haven't been following that thread - sorry. I don't have a i225, so no idea.