@viragomann Hello, thats it. I had to enable the switch ports with tagged VLANs and enable the same on the Proxmox bridges. Now my VLANs are working properly and i can start over with the pfSense :-) Thank you Michael

@webdawg said in VLANS, Promiscuous Mode, and Mac Addresses: Just a bridge to a different network... Yeah there you go - that can cause all kinds of weirdness, especially with mac addresses that get seen with different IPs on them. Like with vlans on the same physical interface. Which should be isolated and devices in different vlans should really never know that interface with IP X on it has the same mac as IP Y. Glad you got it sorted.

@johnpoz said in VLAN confusion: unifi prob cheapest option - but I really don't think any of their stuff actually does L3, even though they have been talking about it for years. My sg300-28 does L3, and I got it new under 200, but it not any poe. yep, that has been my unfortunate experience with Ubi and L3. The "L3" 24 PoE I bought from Ubi was $800 so a Cisco for a bit more with better functionality will be worth it.

OK, so I used IX0 for VLAN10. [image: OPT7.png] [image: VLANS-NEW1.png] and here are the results: [image: SPEEDTEST22.png] and the CPU usage: [image: CPUUSAGE22.png] I'll update also the Netgate ticket

@bingo600 Yep... got it working. Thank you so much again.. :)

@jknott anything that hairpins could be considered on a stick. But the 6100 is not going to force that type of setup for anything, it has plenty of interfaces to work with. He could chose to setup vlans that hairpin when they talk to each other - or he could set it up so vlans that talk use different physical interfaces. He has plenty of interfaces to work with ;) But to me the whole router on a stick term came from being forced to run a router with only 1 actual physical interface. I would not consider a router 8 physical interfaces "on a stick" ;)

@ninthwave I have a pfSense with two LAN's : one for the company, with all the ethernet printers, and a second quest LAN (using the captive portal). I have a firewall rule on this second LAN that permits to contact user from the captive portal to contact the IP's of my printers. I've installed Avahi, so phones and devices can discover network services. This is what they see : [image: 1635149961861-313e6945-7183-4c6d-a15c-cfb7341607ad-image.png] btw : no need for 'cups' ....

@rafterx Your port on the switch should look something like GE2, GE1 is my router to switch interlink :- [image: 1635066837428-screenshot-2021-10-24-at-10.11.03.png] [image: 1635066846165-screenshot-2021-10-24-at-10.11.26.png] [image: 1635067180684-screenshot-2021-10-24-at-10.18.37.png] The only difference would be that I have my management network for my Aruba AP22 & switches on the untagged vlan 4903.

@johnpoz: I agree with you completely, and that’s exactly what I encountered. Once I had worked out the tagging on the various SG-1100 and switch ports, DHCP was working. It then required a better set of firewall rules to get out to the internet.

@johnpoz thank you and much obliged

UPDATE: Discovered that the upstream Cisco Switch connected to the Netgate 5100 had Cisco Port Security enabled, which was configured to only allow two MAC addresses for the port. Disabling that resolved the issue.

@prtonguy77 yes.. Any switch that can do vlans, and any AP that can do vlans can work together..

@rhvw said in Using only vlans no lan: is mixing tagged and untagged more susceptible to vlan hopping? No... But it could be more open to mistakes being made in the config I guess.. Tagged and Untagged traffic would only ever be on a port that is uplink to some device that would be handling the vlans. Another switch, another router, an AP.. Some VM host, etc. It what scenario would you have anything but 1 vlan untagged traffic going to an end use device? If you were doing that - then sure the end device could get on any vlan they wanted that was allowed on the port. The ability to hop vlans amost always comes down to a mis configuration.. If you setup your switch/AP correctly.. And there is no underlaying issue with the switch/ap - it not very likely to be able to hop vlans. In a correctly configured an functioning switch. If I put port X in vlan Y.. The user tagging traffic would not be allowed by the switch port, so it would/should not be possible for the user to hop to a different vlan.. Only untagged traffic should be allowed into that switch port, and it would be on vlan Y.