@grimmsh0t Nice to hear it works. Unless you only tested DHCP on Lan interface It has to be the AgentID tickbox that worked. As you already had : allow ip any any on Vlan30 /Bingo Ps: Did you notice the "Thank you" button in the bottom of each post

You can run lan on a tag if you want.. But yeah during first install its just native.. During install it asks you right up front if you need any vlans set or not. https://docs.netgate.com/pfsense/en/latest/install/assign-interfaces.html [image: 1630332523088-setup.jpg]

@farmerb3d said in Does LAGG + Trunk add any overhead?: LACP works it would simply use the next best link. nope doesn't work that way ;) hehehe

@biggsy Perfect, thats what I needed! Thank you!

@marvosa Well I forgot to mention that my Pfsense is virtualized in Proxmox, but I use a dedicated two port Intel gigabit NIC for WAN and LAN. This problem appeared when I upgraded my whole network to gigabit. The WAN interface just drops for parts of the second and the connectivity just comes and goes during the file transfer. I tried today to tweek QoS on the switch and actualy managed to fix the problem for now, but the transfer speeds dropped significantly.

@bingo600 I have the latest version of Cloudkey Software and firmware (Gen 2 CK), APs and switches on the latest firmware. I received a fairly lukewarm reception on the Unifi support forums for the idea of putting each VLAN on a separate wire ... e.g. "VLANs on one interface are no more or less secure than a single LAN on separate interfaces. How much bandwidth are you passing?" There certainly seems to be a case for physically separating things like a DMZ to a different switch ... For a 6 port pfsense box, how about: Port 1: WAN Port 2: LAN Port 3: Wireless Network (VLAN a) Port 4: IoT (VLAN b). Guest (VLAN c) Port 5: Managment (VLAN d) Port 6: To a small switch for a DMZ (VLAN e) Thoughts ?

@ahmetakkaya Maybe this is the right place to looking for.

@icq9988 Yes, you will need an any/any (or defined alias/any) on the LAN interface assuming that's where 10.30.54.1 is addressed. If the other VLANs still aren't communicating once you've added the firewall rule(s) to the LAN, post the running-config, "sh ip route" from the switch, and the routing table from PFsense.

@ahmetakkaya Then assuming you configured and enabled the DHCP server on PFsense and have your access ports configured for the correct untagged vlan, it should be working. I'd start checking your DHCP logs and possibly start doing pcap's. Is the traffic making it to PFsense? If not, you'll need to double-check the switch config. The other question is... does vlan 10 have rules on it to allow outbound traffic?

@dosenk I have no other suggestions , sorry.

Well multicast discovery isn't going to work vlan to vlan either.. And no L2 discovery doesn't work over vpn either. I would check that you can talk to your device from lan to say opt 1 network locally, before you look to it working via a vpn.. I fired up the client on my phone.. On different wifi vlan then the vlan my camera is on... I then set it up to using IP.. [image: 1629482679687-works.png] There you go working just fine.. edit: I don't have wireguard installed, but just disconnected my phone from wifi, only on cell - connected to my vpn connection on pfsense openvpn... Bam - watching video stream from my phone. edit2: possible problem with some camera's is if they do not have gateway set, ie pointing of pfsense - then you can not view them from other networks, be it a vlan or vpn. Without doing source natting.

@hpsnt Assuming the interface is enabled with an any/any rule, whatever the issue is... I can't see it being PFsense. Post the running-config from your switch. What happens if you enable the DHCP server on the VLAN 10 interface and configure your laptop with DHCP? Does it get an address? Are you seeing anything in the firewall logs? If you pcap the VLAN 10 interface while you're testing, are you seeing any traffic?

@nornagest I would have just added another vSwitch for each new LAN. vSwitches don't need to be mapped to a physical NIC. From there, you add more NICs to your pfSense vm and map them to the new vSwitches.

Hello, thank you for your answers, it is very helpful. I was thinking it was possible, when you have multiple tags configured on a single physical port, to force the tag attribution for each client on the switch side. Now i understand that i need a managed switch with my Netgate to do what i want as my cameras is not managing vlan tag on their side. Have a good day.

@johnpoz The switch = Cisco WS-C3560E-48PD-SF. Also running a 2960-CG Re: There is really no reason for it I am well aware that what I'm doing falls in the realm of completely unnecessary for a home network. Just a learning exercise. I figured out the answer to my convoluted post from yesterday. You touched on it in your post but I'll type it out in my words... From what I can tell, the pfSense LAN is the only untagged network available on the router. Changing the native VLAN on a switch, for example, to VLAN 20, would require that the ip address assigned to that VLAN be in the address range of the LAN network on the pfSense box (because it also is untagged) to maintain web access to the switch. Key takeaway - the native VLAN on switch (untagged) should not be assigned to a VLAN network (tagged) on a pfSense box (else one loses web access to the switch). Also, the ip address assigned to native VLAN on switch must be in the same subnet as the router LAN. Thank you. -jeff

@marvosa said in VLAN Internet access help...: @live4soccer7 Please provide more insight into your design. Does that L3 Aruba switch have routing enabled and actually doing routing (i.e. is there a transit network between PFsense and the Aruba or is PFsense connected to a trunk port on the Aruba)? The vlans are defined/created on pfsense and pfsense is connected to a trunk port on the Aruba Switch. The native and access "vlans" are both set to vlan1 (native/original LAN on pfsense). I have been able to gain internet access, so my outbound is good. My current issue is inbound traffic now. I am unable to traceroute from the WAN or LAN interface on pfsense to the client on VLAN10. I am able to ping from the LAN to VLAN10 client though. My client can ping anything in the network (across subnets, i've allowed this just for setting up and troubleshooting). @marvosa you have helped me a few years ago get my current network configuration set up. I wanted to say thanks again and it is good to see you!