@johnpoz Thanks

@jknott

Where did I do that?

When you suggested to look under Interfaces > Assignments > VLANs.

So, if you want a VLAN on your WAN interface, you have to create it and configure it as needed.

Absolutely agreed, that's what I've been trying to figure out how to do all along.

Solution:

For anyone else who's got this question, just go

Interfaces --> Switches --> VLANs

Edit the entry for the link you want (Click the pencil) <-- That was the part I missed until just now!

Change the VLAN ID from the default of 4090 to whatever matches your external link (eg 180), and click the box to tag the traffic for interface "3". Leave "0" ticked and don't mess with it.

Then you need to go to Interfaces -> Assignments -> VLANs as correctly observed by JKnott, create one in there with a matching number, then back to "Interface Assignments" and choose the new VLAN from the drop-down box for the WAN interface.

Now my pings work, and I'm happy. Hooray!

@g405tsh311 said in pfSense no reporting IPs behind Switch:

NetGear GS308 SW cost about $90 bucks

Not sure where your buying your switches?

This one is "smart" and can do vlans
switch.png

This one is dumb
dumb.png

Why would someone not get the "plus" or smart version? As to downgrading speed - it was an example.

Be it the hardware the same or not - if you can load 3rd party on it to enable vlans and give yourself a gui/cli to get access to "smart" features - than that is great. Get a dumb one and add the gui/cli

But when someone calls it a "dumb" switch - means to me it has no gui or cli, and has no way to glean info from it or set anything at all, lack of vlans being the big thing. its DUMB!!

I run a 28 port sg300 as my main switch, and then have a 10 port sg300 in my AV cab.. I do multicast acls on mine, so no these entry level "smart" switches don't have such features.

Its not excessive - and it wasn't all that expensive, under 200 new! And uses low amount of power.. I have way too many devices to use anything else than a 24 port switch anyway.. Good luck finding a dumb version of those anyway.. And it would be pointless, because the devices are not in the same vlans. Sure not going to isolate them all physical with different switches.

Nobody is saying he has to drop $$ on a switch, and hey if you have a way for him to save a few bucks and get "dumb" model and put 3rd party on it and get vlan support, etc. etc.. Then you should really link to those details..

What is the best way to determine that?
Here is something new. I am also unable to ping the VLAN interface when the vpn is connected. I started a continuous ping from the vlan to the vlan interface and to the device on the Lan. Both were returning time outs. I disabled the VPN and both pings started working. Once I re-enabled the VPN the pings started timing out again. Why would the ping return a timeout to its own interface?

@johnpoz That WAS all the problem.

Thank you so much.

I need to reconfigure all the environment and remove all those "general" VLANs I have created.

Thank for your time and kindly explanations.

This is my complete fault, not to check if THAT nic allow VLANs traffic.

Thanks again.

The version of their code is pretty universal... The latest I am running runs on..

UAP-AC-Lite/LR/Pro/M/M-PRO/IW | md5sum | sha256sum UAP-HD/SHD/XG/BaseStationXG | md5sum | sha256sum UAP-nanoHD/IW-HD/FlexHD/BeaconHD | md5sum | sha256sum U6-Lite | md5sum | sha256sum U6-LR | md5sum | sha256sum U6-Pro | md5sum | sha256sum U-LTE/U-LTE-Pro | md5sum | sha256sum US-8/16/24/48/###W | md5sum | sha256sum US-L2-POE | md5sum | sha256sum US-16-XG | md5sum | sha256sum US-XG-6POE/USW-Pro/USW-Pro-POE/USW-Enterprise-24-PoE | md5sum | sha256sum USW-Pro-Aggregation/USW-Enterprise-48-PoE/USW-EnterpriseXG-24 | md5sum | sha256sum USW-Aggregation | md5sum | sha256sum USW-Flex-XG | md5sum | sha256sum USW-Industrial/USC-8 | md5sum | sha256sum USW-Flex/USP-RPS | md5sum | sha256sum USP-PDU-Pro | md5sum | sha256sum USW-16/24/48-POE/USW-24-48/USW-Lite-8/16-POE/USW-Mission-Critical | md5sum | sha256sum USW-Multi | md5sum | sha256sum

That have some newer versions that just run on the new U6 AP, but its really still the same code but they released newer versions just for them., like I said they are pretty bad at release numbers.

. Now it's possible that the AP does just a relay to the controller,

Huh... Dude I think you really have some misconceptions about a lot stuff.. And I have no idea what AP your looking at but there is no dhcpd binary..

There are some config - because the AP can get its own IP via dhcp client

Hallway-BZ.5.63.0# find / -name dhcp /etc/hotplug.d/dhcp /etc/config/dhcp Hallway-BZ.5.63.0# find / -name dhcpd Hallway-BZ.5.63.0#

You can run the dhcpd on the same hardware you run your controller if you want.. Stuff like their USG or the UDM could provide..

The AP bridge all data from the wifi to the wire, be it dhcp or any other traffic..

As to the vlan tags, guess should of quote your whole statement

doesn't seem like. (Maybe if you're offloading to another switch?)

Is not a maybe.. If your going to carry more than 1 vlan over the same wire then they NEED to be tagged.. They would need to be tagged on the port going to your AP, if your going to run more than SSIDs with different vlans.. Because the traffic coming out of the AP to the wire would be tagged with the vlan that clients traffic is on based upon the SSID they joined.

@johnpoz I think I do have the VLANs setup and traffic working between them. I can ping back and forth etc. Workstations can access the internet. Workstations can print to the printer (although they can't auto discover it). Things are failing when I want to cast from a phone to a smart tv. Right now we have to use the "enter a code" method to connect to the TV instead of being able to discover it and connect to it more easily.

I'm specifically looking for the YouTube app to work for device discovery when casting.

I'm using a Pixel 5 and my wife is using an iPhone XR. The TV in question is a Sony Bravia running Android OS.

From the videos and reading i've found, Avahi is supposed to help enable this (unless i'm misunderstanding something).

@stephenw10 I am going to call D-Link biz support at my leisure to ask them about this. If untagged is ok on a trunk port, then why doesn't it save? If untagged isn't ok, then why does it allow the setting (and work as expected)? My guess is it is a GUI/Save bug. If it was not allowed, then it is unlikely it would have worked, saved or otherwise.

As for changing the tagged ports to untagged -- yeah, I'll try to remember to mention that too.

@pzanga

Yes, you'd use tagged VLANs. Just think of the VLAN as being a different network that just happens to run over the same cables.

The details vary with switch make, but the ports have to be configured to pass both the native LAN and the VLAN. Just make sure you use the same VLAN ID everywhere.

@althemal
I know this is not exactly the same. But it sound like Google is still involved via YouTube so it may be helpful. I fought this for a while with trying to cast from my phone on one VLAN to the chromecast on different VLAN. Eventually I came across a post suggesting to do a NAT redirect on pings to Google's DNS addresses.

Firewall > NAT > Port Forward > Create A New Rule
Screenshot 2021-06-26 at 11-41-02 Firewall NAT Port Forward Edit - AlphaTrion tld.png

My Aliases:

All_Admin_VLAN_VPN_Networks = My VLAN IP ranges (i.e. 192.168.1.0/24, 10.20.30.0/24, etc...) 3_Device_DNS_Google = dns.google (For this, I only care about IPv4 so this is basically 8.8.8.8 and 8.8.4.4)

This will create a Port Forwarding rule on the NAT > Port Forward tab. AND...
It will create a firewall rule called "NAT Redirect Pings To Google DNS Back To Router" on the interface tab selected in the image above.

You will want to go to that firewall tab and drag the new rule to the correct place.
After you have saved the rule.
Now when you ping 8.8.8.8 or 8.8.4.4 pfsense should respond back and not Google's servers.

For good measure I also made sure to allow access to the chomecast discovery ports (8008, 8009, and 8443). FireTV may have different ports.

Restarted my phone and chromecast; then things started working.

@jknott Thanks for all the posts. I may give it another try in the home lab next week. I'm starting a 72-hour work shift this morning. I'll be home Tuesday!

@johnpoz OK, thanks I will give a try

@emcstravick The vSwitch is not trunked, the vNIC in pfSense is, at least this is how I understand it.

Take a look here, it has worked for me without any problems (I use NativeVlanId 0).

@jimp said in No VLAN tags on em0 interface, works with igb0:

VLANs on em(4) work fine in general, I'm using them on both real hardware and VMs in my lab.

Odds are that it's something with either that specific variant/chipset or that hardware implementation. Not saying it's this, but we've seen similar things in the past when the driver detected that the hardware is advertising a capability the OEM didn't implement or enable. Sometimes doing a BIOS or firmware update from the OEM can help.

There may be some ways to fiddle with the interface flags for things like VLAN checksums or hardware filtering but I wouldn't trust those long-term. You're better off replacing the hardware with something much more recent.

Thank you for the explanation. I just did not expect such an odd behaviour. I have two other pfSense boxes that use the em driver, but neither of them deals with VLAN tags.

Replacement hardware is on its way ☺

@JKnott thx i found the solution.

The solution is to lower the mtu on all partitipants of the vlan. Not on the Switches or the physical network adaper of the pfsense. I lower client1 client2 an vlan interface on pfsense on MTU 8800. With that i have no broken packats.

I transmit 8772 Data Bytes + 28Bytes header = MTU 8800. If i send one over it it gets fragmentet.

The Problem is that the switch added the 4byte VLAN header. So the packag was greater then 9000 (9004). The physical network adapter on the PFsense throw the package away and it gets lost in the VLAN.

by the way you can set this on windows also with the folowing command:

netsh interface ipv4 set subinterface "interface name" mtu=8800 store=persistent

@rafm782

I'm still trying with no success

@gabacho4 anyone (users or Netgate team members)? I got a response on Reddit indicating that this is a problem on 2.5.2 as well and that the only way to change things is via the console/ssh. Sure enough, it works if I do interface assignments there. However, even after going that route, I have weird vlan 4, 6, and 8 that show up on the GUI now on the available interfaces drop down. They have no MAC addresses or interfaces associated with them. I’ve never used vlans 4,6, or 8 so no idea where those came from. When I exported my config and searched for them, they are nowhere to be found. Not sure what more to do to troubleshoot. I’m happy to file a bug report but was hoping for someone else to validate my findings.

Here’s a link to the Reddit thread:

https://www.reddit.com/r/PFSENSE/comments/o35k79/unable_to_reassign_vlan_or_port_interfaces/?utm_source=share&utm_medium=ios_app&utm_name=iossmf