@bingo600
I have the latest version of Cloudkey Software and firmware (Gen 2 CK), APs and switches on the latest firmware.

I received a fairly lukewarm reception on the Unifi support forums for the idea of putting each VLAN on a separate wire ... 😓
e.g. "VLANs on one interface are no more or less secure than a single LAN on separate interfaces. How much bandwidth are you passing?"

There certainly seems to be a case for physically separating things like a DMZ to a different switch ...

For a 6 port pfsense box, how about:
Port 1: WAN
Port 2: LAN
Port 3: Wireless Network (VLAN a)
Port 4: IoT (VLAN b). Guest (VLAN c)
Port 5: Managment (VLAN d)
Port 6: To a small switch for a DMZ (VLAN e)

Thoughts ?

@ahmetakkaya
Maybe this is the right place to looking for.

@icq9988 Yes, you will need an any/any (or defined alias/any) on the LAN interface assuming that's where 10.30.54.1 is addressed.

If the other VLANs still aren't communicating once you've added the firewall rule(s) to the LAN, post the running-config, "sh ip route" from the switch, and the routing table from PFsense.

@ahmetakkaya Then assuming you configured and enabled the DHCP server on PFsense and have your access ports configured for the correct untagged vlan, it should be working.

I'd start checking your DHCP logs and possibly start doing pcap's. Is the traffic making it to PFsense? If not, you'll need to double-check the switch config. The other question is... does vlan 10 have rules on it to allow outbound traffic?

@dosenk
I have no other suggestions , sorry.

Well multicast discovery isn't going to work vlan to vlan either.. And no L2 discovery doesn't work over vpn either.

I would check that you can talk to your device from lan to say opt 1 network locally, before you look to it working via a vpn..

I fired up the client on my phone.. On different wifi vlan then the vlan my camera is on... I then set it up to using IP..

works.png

There you go working just fine..

edit: I don't have wireguard installed, but just disconnected my phone from wifi, only on cell - connected to my vpn connection on pfsense openvpn... Bam - watching video stream from my phone.

edit2: possible problem with some camera's is if they do not have gateway set, ie pointing of pfsense - then you can not view them from other networks, be it a vlan or vpn. Without doing source natting.

@hpsnt
Assuming the interface is enabled with an any/any rule, whatever the issue is... I can't see it being PFsense.

Post the running-config from your switch.

What happens if you enable the DHCP server on the VLAN 10 interface and configure your laptop with DHCP? Does it get an address?

Are you seeing anything in the firewall logs? If you pcap the VLAN 10 interface while you're testing, are you seeing any traffic?

@nornagest I would have just added another vSwitch for each new LAN. vSwitches don't need to be mapped to a physical NIC. From there, you add more NICs to your pfSense vm and map them to the new vSwitches.

Hello,

thank you for your answers, it is very helpful.

I was thinking it was possible, when you have multiple tags configured on a single physical port, to force the tag attribution for each client on the switch side.

Now i understand that i need a managed switch with my Netgate to do what i want as my cameras is not managing vlan tag on their side.

Have a good day.

@johnpoz

The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG

Re: There is really no reason for it
I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise.

I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words...

From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch.

Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN.

Thank you. -jeff

@marvosa said in VLAN Internet access help...:

@live4soccer7
Please provide more insight into your design. Does that L3 Aruba switch have routing enabled and actually doing routing (i.e. is there a transit network between PFsense and the Aruba or is PFsense connected to a trunk port on the Aruba)?

The vlans are defined/created on pfsense and pfsense is connected to a trunk port on the Aruba Switch. The native and access "vlans" are both set to vlan1 (native/original LAN on pfsense).

I have been able to gain internet access, so my outbound is good. My current issue is inbound traffic now. I am unable to traceroute from the WAN or LAN interface on pfsense to the client on VLAN10. I am able to ping from the LAN to VLAN10 client though. My client can ping anything in the network (across subnets, i've allowed this just for setting up and troubleshooting).

@marvosa you have helped me a few years ago get my current network configuration set up. I wanted to say thanks again and it is good to see you!

@marvosa said in Some VLANS Route and some don't:

but the IP Range for the MGMT VLAN is incorrect.

Yeah 10.0.12/22 or 255.255.252 would be 10.0.12.0 - 10.0.15.255

What are the rules you put on these vlans?

And yes a drawing would be most helpful.. Your saying the devices pull the correct info via dhcp.. If so that would point to connectivity being good, so first thing that comes to mind is wrong rules or lack of rules on the vlan interfaces.

@jeffboyce glad you got it sorted..

Wow that grey is subtle, but I see it now.

Looking at the wiki article again, I see the confusion: look how the first column has 0 and 1 reversed, unlike the second column.

So what wiki refers to as "priority" (second column) is not what pfsense means by "priority". In fact, pfsense wants the raw PCP value, it seems.

Thanks!

@kom Many kind thanks!

Thanks - I appreciate the extra info! It may be a couple weeks before I can get the new switches and run some test captures. I'll report back when I have more information - or when I get stuck. 😬

Found the answer was in how the host was identified in Veyon. Instead of the hostname, I had to use its static IP address. Now all working. Thanks.