This might help:-

https://www.netgate.com/resources/videos-configuring-netgate-appliance-integrated-switches-on-pfsense-244

@19taurus79 said in Block answer on ping from Vlan:

now a beer:)

hehee - which is always to the correct response ;)

Thanks to you both for responding.
After looking at this some more last night, i went back to the windows box and re-read windows firewall re: pinging
It seems i did not read correctly the 1st time, and (now) have made the correct changes to allow pings.

Now with my rule on the .20 inteface, i can ping correctly! And all is working as it should!!

Thank again

@frayper what is the point of the RB, you want to use that as a downstream router?? But you want pfsense to be your router for the vlans?

I don't get trying to setup a local interface as dhcp client.. Why would you do that? Here

https://forum.netgate.com/post/393642
Set LAN IP via DHCP

You could always run into the dhcp handing out a gateway, so pfsense would think its a wan.

If you want pfsense to be the gateway for your lan side networks, where your RB downstream is just L2 then set them as static IPs. But that RB is normally used as a router (L3).. So not sure what your thinking is going be setup here.

If you want pfsense to be the gateway for those 2 networks, then you just need a L2 switch.

@johnpoz
The forum is flagging this for spam so I can't edit the post I just did to get the quotes right.

@sven72 said in IOT VLAN not reaching internet:

well I disabled the logging but indee

I never said turn off all logging, rules you create by default do not log. Only stuff that falls through to the default deny would be logged by default.

So just create a rule that blocks that host from going to 8.8.8.8 and don't log it in the rule.

Example my work laptop generates lots of noise trying to get to stuff it can't get to when on home network.. I have no desire to see that, so there is a rule no logging for my work laptop trying to go to any private IPs that is not logged.

notlog.jpg

You can see the specific rules above and blow it are set to log

logrules.jpg

@kuro68k I haven't been following that thread - sorry. I don't have a i225, so no idea.

@snr
You have to enable the bridges. On the interfaces assignments tab hit the Add (Hinzufügen) button for both, edit the settings then and enable them.

Then enable the DHCP relay on both bridges.

@giyahban said in Multi-LAN Multi-VLAN access problem:

vlan500 on both 2.0/30 and 3.0/30 but they are on different interfaces

If they are different networks I wouldn't be using the same vlan ID on them, especially if they share any infrastructure.. Not an issue if you use vlan ID X on switch A, and also use ID X on switch B, etc. if there is no communication ever between these switches..

But I wouldn't bridge 2 different L3 networks together using the same vlan ID..

If these are 2 different networks, why wouldn't use use different vlan IDs

@JT40 is there a reason you are unwilling to post the following information?

@patch said in Interface range setup:

So specifically please post all of these screen shots

Switch showing VLAN setting pages
pfsense -> Interfaces -> Interface assignments
pfsense -> Interfaces -> VLANs
Pfsense -> Firewall -> Rules -> Floating, WAN, all LAN, all VLAN

Perhaps if we better understood that we could better help you.

@bingo600 said in Tagged VLAN Setup on Single Switch:

i find it hard to beleive that it can't do basic tagging correct

Same here, I have used netgear now and then over the years, and have never seen any problems with tagging. I don't have any experience with that specific model. But it sure isn't an entry level model ;) Not at 48 ports..

@autourdupc said in VLAN to LAN ping always possible despite rules:

Next time, i will ask community before spending soo much time !

What we are here for.. If there is some issue you have question on - or not sure if your understanding something correctly.. Yup just stop on by, here to help.

@nick-loenders Do a packet capture on the interface and look at the packet tags ?

@viragomann sure, yes, I should draw a map with some overview. Will do asap.

I am perfectly aware of the fact that the pfsense is my bottleneck right now.

The firewall rules are now working and matching.

The alias is still not listed, but it's working as expected. Thanks for your help

@cerberus2022 said in VLAN and DHCP for Phone VLAN:

Hello,
I am trying to create VLAN that will do DHCP for say VLAN 41 and network 192.168.76.0/24 . I assign the network and create the server.I also have my ports tagged on my ubiquiti switch. However my phone does not pull a dhcp despite being tagged that vlan. It also does not even work with a static ip plugged directly into the pfsense or switch. I used to do this on ubiquiti routers and i am wondering if i am missing something on this setup.

You say your phones are tagged on that vlan.
I know several phones that can run native .1q.
Do you use that feature ?

Are you running the phone switchports as "untagged" or tagged.

They have to match ...

/Bingo

@jt40 the default is drop, ie just block..

But internally it is sometime better to reject vs just drop. I want to let my internal client you can not go there right away - via a reject. Vs letting it bang its head with retrans trying to figure out why he is not getting an answer.

Externally no you would almost never want to send a reject to something out on the internet.. But internally - if your going to on purpose prevent something like vlan x from talking to vlan y.. its better to just let them know - hey stop trying to go there ;)

If the device asks for something else and the rule is not present, I expect the packets to be dropped automatically...

That is how it works.. If there is not allowed, then traffic dropped gone over this how many times already.. But yet to see a picture of your rules.. You have been told multiple times that pfsense will not route traffic unless there is an allow rule.

If the spam system is preventing you from uploading a picture - then link to it somewhere else, use something like my picture is here somewhere . domain . tld / whatever even if you have to but. But what I can tell you yet again yes default is deny. No rule to allow, traffic is dropped.

If you want to actually see it - then look at the full rule set. Since this default deny is not shown in the gui..

[21.05.2-RELEASE][admin@sg4860.local.lan]/root: pfctl -sr | grep "Default deny rule" block drop in inet all label "Default deny rule IPv4" block drop out inet all label "Default deny rule IPv4" block drop in inet6 all label "Default deny rule IPv6" block drop out inet6 all label "Default deny rule IPv6" [21.05.2-RELEASE][admin@sg4860.local.lan]/root:

@jknott all stuff pointing to returning of the switch if you ask me..

@karimwassim
Did you obey the pfSense VLAN Configuration section in the docs?