• VLAN configuration broken after update to 2.5.2

    1
    0 Votes
    1 Posts
    252 Views
    No one has replied
  • Banging my head on this one

    2
    0 Votes
    2 Posts
    465 Views
    M

    @hpsnt
    Assuming the interface is enabled with an any/any rule, whatever the issue is... I can't see it being PFsense.

    Post the running-config from your switch.

    What happens if you enable the DHCP server on the VLAN 10 interface and configure your laptop with DHCP? Does it get an address?

    Are you seeing anything in the firewall logs? If you pcap the VLAN 10 interface while you're testing, are you seeing any traffic?

  • Multiple LAN with 1 WAN (in virtual environment)

    2
    0 Votes
    2 Posts
    437 Views
    KOMK

    @nornagest I would have just added another vSwitch for each new LAN. vSwitches don't need to be mapped to a physical NIC. From there, you add more NICs to your pfSense vm and map them to the new vSwitches.

  • Basic VLAN configuration

    5
    0 Votes
    5 Posts
    783 Views
    B

    Hello,

    thank you for your answers, it is very helpful.

    I was thinking it was possible, when you have multiple tags configured on a single physical port, to force the tag attribution for each client on the switch side.

    Now I understand that I need a managed switch with my Netgate to do what I want, as my cameras are not managing VLAN tags on their side.

    Have a good day.

  • 0 Votes
    4 Posts
    1k Views
    M

    @johnpoz

    The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG

    Re: There is really no reason for it
    I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise.

    I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words...

    From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch.

    Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN.

    Thank you. -jeff

  • Traffic graph bug?

    1
    0 Votes
    1 Posts
    290 Views
    No one has replied
  • VLAN Internet access help...

    5
    0 Votes
    5 Posts
    731 Views
    L

    @marvosa said in VLAN Internet access help...:

    @live4soccer7
    Please provide more insight into your design. Does that L3 Aruba switch have routing enabled and actually doing routing (i.e. is there a transit network between PFsense and the Aruba or is PFsense connected to a trunk port on the Aruba)?

    The vlans are defined/created on pfsense and pfsense is connected to a trunk port on the Aruba Switch. The native and access "vlans" are both set to vlan1 (native/original LAN on pfsense).

    I have been able to gain internet access, so my outbound is good. My current issue is inbound traffic now. I am unable to traceroute from the WAN or LAN interface on pfsense to the client on VLAN10. I am able to ping from the LAN to VLAN10 client though. My client can ping anything in the network (across subnets, I've allowed this just for setting up and troubleshooting).

    @marvosa you have helped me a few years ago get my current network configuration set up. I wanted to say thanks again and it is good to see you!

  • Some VLANS Route and some don't

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ

    @marvosa said in Some VLANS Route and some don't:

    but the IP Range for the MGMT VLAN is incorrect.

    Yeah 10.0.12/22 or 255.255.252 would be 10.0.12.0 - 10.0.15.255

    What are the rules you put on these vlans?

    And yes a drawing would be most helpful.. You're saying the devices pull the correct info via dhcp.. If so that would point to connectivity being good, so first thing that comes to mind is wrong rules or lack of rules on the vlan interfaces.

  • Can't print from wireless VLAN to printer on LAN

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ

    @jeffboyce glad you got it sorted..

  • When creating a VLAN, what does the priority setting actually do?

    9
    0 Votes
    9 Posts
    19k Views
    S

    Wow that grey is subtle, but I see it now.

    Looking at the wiki article again, I see the confusion: look how the first column has 0 and 1 reversed, unlike the second column.

    So what wiki refers to as "priority" (second column) is not what pfsense means by "priority". In fact, pfsense wants the raw PCP value, it seems.

    Thanks!

  • Is there a trick to SG-1100 LAN/OPT bridge?

    6
    0 Votes
    6 Posts
    801 Views
    K

    @kom Many kind thanks!

  • VLANs stopped working?

    14
    0 Votes
    14 Posts
    1k Views
    N

    Thanks - I appreciate the extra info! It may be a couple weeks before I can get the new switches and run some test captures. I'll report back when I have more information - or when I get stuck. 😬

  • Route TCP/IP from Admin VLAN10 to VLAN20

    5
    0 Votes
    5 Posts
    583 Views
    P

    Found the answer was in how the host was identified in Veyon. Instead of the hostname, I had to use its static IP address. Now all working. Thanks.

  • Same VLAN on Multiple Interfaces?

    6
    0 Votes
    6 Posts
    3k Views
    DIYsenseD

    @johnpoz Thanks

  • AWS DC Tags the traffic to my WAN port

    7
    0 Votes
    7 Posts
    741 Views
    F

    @jknott

    Where did I do that?

    When you suggested to look under Interfaces > Assignments > VLANs.

    So, if you want a VLAN on your WAN interface, you have to create it and configure it as needed.

    Absolutely agreed, that's what I've been trying to figure out how to do all along.

    Solution:

    For anyone else who's got this question, just go

    Interfaces --> Switches --> VLANs

    Edit the entry for the link you want (Click the pencil) <-- That was the part I missed until just now!

    Change the VLAN ID from the default of 4090 to whatever matches your external link (eg 180), and click the box to tag the traffic for interface "3". Leave "0" ticked and don't mess with it.

    Then you need to go to Interfaces -> Assignments -> VLANs as correctly observed by JKnott, create one in there with a matching number, then back to "Interface Assignments" and choose the new VLAN from the drop-down box for the WAN interface.

    Now my pings work, and I'm happy. Hooray!

  • pfSense no reporting IPs behind Switch

    18
    0 Votes
    18 Posts
    2k Views
    johnpozJ

    @g405tsh311 said in pfSense no reporting IPs behind Switch:

    NetGear GS308 SW cost about $90 bucks

    Not sure where you're buying your switches?

    This one is "smart" and can do vlans
    switch.png

    This one is dumb
    dumb.png

    Why would someone not get the "plus" or smart version? As to downgrading speed - it was an example.

    Be it the hardware the same or not - if you can load 3rd party on it to enable vlans and give yourself a gui/cli to get access to "smart" features - then that is great. Get a dumb one and add the gui/cli

    But when someone calls it a "dumb" switch - means to me it has no gui or cli, and has no way to glean info from it or set anything at all, lack of vlans being the big thing. It's DUMB!!

    I run a 28 port sg300 as my main switch, and then have a 10 port sg300 in my AV cab.. I do multicast acls on mine, so no these entry level "smart" switches don't have such features.

    It's not excessive - and it wasn't all that expensive, under 200 new! And uses low amount of power.. I have way too many devices to use anything else than a 24 port switch anyway.. Good luck finding a dumb version of those anyway.. And it would be pointless, because the devices are not in the same vlans. Sure not going to isolate them all physically with different switches.

    Nobody is saying he has to drop $$ on a switch, and hey if you have a way for him to save a few bucks and get "dumb" model and put 3rd party on it and get vlan support, etc. etc.. Then you should really link to those details..

  • VPN Breaks Vlan to Lan

    10
    0 Votes
    10 Posts
    904 Views
    K

    What is the best way to determine that?
    Here is something new. I am also unable to ping the VLAN interface when the vpn is connected. I started a continuous ping from the vlan to the vlan interface and to the device on the Lan. Both were returning time outs. I disabled the VPN and both pings started working. Once I re-enabled the VPN the pings started timing out again. Why would the ping return a timeout to its own interface?

  • VLAN can't ping pfSense address

    32
    0 Votes
    32 Posts
    4k Views
    D

    @johnpoz That WAS all the problem.

    Thank you so much.

    I need to reconfigure all the environment and remove all those "general" VLANs I have created.

    Thank you for your time and kind explanations.

    This is completely my fault, for not checking if THAT NIC allows VLAN traffic.

    Thanks again.

  • Cannot get Wifi/DHCP on VLAN

    31
    0 Votes
    31 Posts
    4k Views
    johnpozJ

    The version of their code is pretty universal... The latest I am running runs on..

    UAP-AC-Lite/LR/Pro/M/M-PRO/IW | md5sum | sha256sum
    UAP-HD/SHD/XG/BaseStationXG | md5sum | sha256sum
    UAP-nanoHD/IW-HD/FlexHD/BeaconHD | md5sum | sha256sum
    U6-Lite | md5sum | sha256sum
    U6-LR | md5sum | sha256sum
    U6-Pro | md5sum | sha256sum
    U-LTE/U-LTE-Pro | md5sum | sha256sum
    US-8/16/24/48/###W | md5sum | sha256sum
    US-L2-POE | md5sum | sha256sum
    US-16-XG | md5sum | sha256sum
    US-XG-6POE/USW-Pro/USW-Pro-POE/USW-Enterprise-24-PoE | md5sum | sha256sum
    USW-Pro-Aggregation/USW-Enterprise-48-PoE/USW-EnterpriseXG-24 | md5sum | sha256sum
    USW-Aggregation | md5sum | sha256sum
    USW-Flex-XG | md5sum | sha256sum
    USW-Industrial/USC-8 | md5sum | sha256sum
    USW-Flex/USP-RPS | md5sum | sha256sum
    USP-PDU-Pro | md5sum | sha256sum
    USW-16/24/48-POE/USW-24-48/USW-Lite-8/16-POE/USW-Mission-Critical | md5sum | sha256sum
    USW-Multi | md5sum | sha256sum

    They have some newer versions that just run on the new U6 AP, but it's really still the same code but they released newer versions just for them. Like I said, they are pretty bad at release numbers.

    . Now it's possible that the AP does just a relay to the controller,

    Huh... Dude I think you really have some misconceptions about a lot of stuff.. And I have no idea what AP you're looking at but there is no dhcpd binary..

    There is some config - because the AP can get its own IP via dhcp client

    Hallway-BZ.5.63.0# find / -name dhcp
    /etc/hotplug.d/dhcp
    /etc/config/dhcp
    Hallway-BZ.5.63.0# find / -name dhcpd
    Hallway-BZ.5.63.0#

    You can run the dhcpd on the same hardware you run your controller if you want.. Stuff like their USG or the UDM could provide..

    The AP bridges all data from the wifi to the wire, be it dhcp or any other traffic..

    As to the vlan tags, guess I should have quoted your whole statement

    doesn't seem like. (Maybe if you're offloading to another switch?)

    Is not a maybe.. If you're going to carry more than 1 vlan over the same wire then they NEED to be tagged.. They would need to be tagged on the port going to your AP, if you're going to run more than SSIDs with different vlans.. Because the traffic coming out of the AP to the wire would be tagged with the vlan that client's traffic is on based upon the SSID they joined.

  • 0 Votes
    1 Posts
    208 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.