@marvosa said in Some VLANS Route and some don't: but the IP Range for the MGMT VLAN is incorrect. Yeah 10.0.12/22 or 255.255.252 would be 10.0.12.0 - 10.0.15.255 What are the rules you put on these vlans? And yes a drawing would be most helpful.. Your saying the devices pull the correct info via dhcp.. If so that would point to connectivity being good, so first thing that comes to mind is wrong rules or lack of rules on the vlan interfaces.

@jeffboyce glad you got it sorted..

Wow that grey is subtle, but I see it now. Looking at the wiki article again, I see the confusion: look how the first column has 0 and 1 reversed, unlike the second column. So what wiki refers to as "priority" (second column) is not what pfsense means by "priority". In fact, pfsense wants the raw PCP value, it seems. Thanks!

@kom Many kind thanks!

Thanks - I appreciate the extra info! It may be a couple weeks before I can get the new switches and run some test captures. I'll report back when I have more information - or when I get stuck.

Found the answer was in how the host was identified in Veyon. Instead of the hostname, I had to use its static IP address. Now all working. Thanks.

@johnpoz Thanks

@jknott Where did I do that? When you suggested to look under Interfaces > Assignments > VLANs. So, if you want a VLAN on your WAN interface, you have to create it and configure it as needed. Absolutely agreed, that's what I've been trying to figure out how to do all along. Solution: For anyone else who's got this question, just go Interfaces --> Switches --> VLANs Edit the entry for the link you want (Click the pencil) <-- That was the part I missed until just now! Change the VLAN ID from the default of 4090 to whatever matches your external link (eg 180), and click the box to tag the traffic for interface "3". Leave "0" ticked and don't mess with it. Then you need to go to Interfaces -> Assignments -> VLANs as correctly observed by JKnott, create one in there with a matching number, then back to "Interface Assignments" and choose the new VLAN from the drop-down box for the WAN interface. Now my pings work, and I'm happy. Hooray!

@g405tsh311 said in pfSense no reporting IPs behind Switch: NetGear GS308 SW cost about $90 bucks Not sure where your buying your switches? This one is "smart" and can do vlans [image: 1626379058150-switch.png] This one is dumb [image: 1626379402352-dumb.png] Why would someone not get the "plus" or smart version? As to downgrading speed - it was an example. Be it the hardware the same or not - if you can load 3rd party on it to enable vlans and give yourself a gui/cli to get access to "smart" features - than that is great. Get a dumb one and add the gui/cli But when someone calls it a "dumb" switch - means to me it has no gui or cli, and has no way to glean info from it or set anything at all, lack of vlans being the big thing. its DUMB!! I run a 28 port sg300 as my main switch, and then have a 10 port sg300 in my AV cab.. I do multicast acls on mine, so no these entry level "smart" switches don't have such features. Its not excessive - and it wasn't all that expensive, under 200 new! And uses low amount of power.. I have way too many devices to use anything else than a 24 port switch anyway.. Good luck finding a dumb version of those anyway.. And it would be pointless, because the devices are not in the same vlans. Sure not going to isolate them all physical with different switches. Nobody is saying he has to drop $$ on a switch, and hey if you have a way for him to save a few bucks and get "dumb" model and put 3rd party on it and get vlan support, etc. etc.. Then you should really link to those details..

What is the best way to determine that? Here is something new. I am also unable to ping the VLAN interface when the vpn is connected. I started a continuous ping from the vlan to the vlan interface and to the device on the Lan. Both were returning time outs. I disabled the VPN and both pings started working. Once I re-enabled the VPN the pings started timing out again. Why would the ping return a timeout to its own interface?

@johnpoz That WAS all the problem. Thank you so much. I need to reconfigure all the environment and remove all those "general" VLANs I have created. Thank for your time and kindly explanations. This is my complete fault, not to check if THAT nic allow VLANs traffic. Thanks again.

The version of their code is pretty universal... The latest I am running runs on.. UAP-AC-Lite/LR/Pro/M/M-PRO/IW | md5sum | sha256sum UAP-HD/SHD/XG/BaseStationXG | md5sum | sha256sum UAP-nanoHD/IW-HD/FlexHD/BeaconHD | md5sum | sha256sum U6-Lite | md5sum | sha256sum U6-LR | md5sum | sha256sum U6-Pro | md5sum | sha256sum U-LTE/U-LTE-Pro | md5sum | sha256sum US-8/16/24/48/###W | md5sum | sha256sum US-L2-POE | md5sum | sha256sum US-16-XG | md5sum | sha256sum US-XG-6POE/USW-Pro/USW-Pro-POE/USW-Enterprise-24-PoE | md5sum | sha256sum USW-Pro-Aggregation/USW-Enterprise-48-PoE/USW-EnterpriseXG-24 | md5sum | sha256sum USW-Aggregation | md5sum | sha256sum USW-Flex-XG | md5sum | sha256sum USW-Industrial/USC-8 | md5sum | sha256sum USW-Flex/USP-RPS | md5sum | sha256sum USP-PDU-Pro | md5sum | sha256sum USW-16/24/48-POE/USW-24-48/USW-Lite-8/16-POE/USW-Mission-Critical | md5sum | sha256sum USW-Multi | md5sum | sha256sum That have some newer versions that just run on the new U6 AP, but its really still the same code but they released newer versions just for them., like I said they are pretty bad at release numbers. . Now it's possible that the AP does just a relay to the controller, Huh... Dude I think you really have some misconceptions about a lot stuff.. And I have no idea what AP your looking at but there is no dhcpd binary.. There are some config - because the AP can get its own IP via dhcp client Hallway-BZ.5.63.0# find / -name dhcp /etc/hotplug.d/dhcp /etc/config/dhcp Hallway-BZ.5.63.0# find / -name dhcpd Hallway-BZ.5.63.0# You can run the dhcpd on the same hardware you run your controller if you want.. Stuff like their USG or the UDM could provide.. The AP bridge all data from the wifi to the wire, be it dhcp or any other traffic.. As to the vlan tags, guess should of quote your whole statement doesn't seem like. (Maybe if you're offloading to another switch?) Is not a maybe.. If your going to carry more than 1 vlan over the same wire then they NEED to be tagged.. They would need to be tagged on the port going to your AP, if your going to run more than SSIDs with different vlans.. Because the traffic coming out of the AP to the wire would be tagged with the vlan that clients traffic is on based upon the SSID they joined.

@johnpoz I think I do have the VLANs setup and traffic working between them. I can ping back and forth etc. Workstations can access the internet. Workstations can print to the printer (although they can't auto discover it). Things are failing when I want to cast from a phone to a smart tv. Right now we have to use the "enter a code" method to connect to the TV instead of being able to discover it and connect to it more easily. I'm specifically looking for the YouTube app to work for device discovery when casting. I'm using a Pixel 5 and my wife is using an iPhone XR. The TV in question is a Sony Bravia running Android OS. From the videos and reading i've found, Avahi is supposed to help enable this (unless i'm misunderstanding something).

@stephenw10 I am going to call D-Link biz support at my leisure to ask them about this. If untagged is ok on a trunk port, then why doesn't it save? If untagged isn't ok, then why does it allow the setting (and work as expected)? My guess is it is a GUI/Save bug. If it was not allowed, then it is unlikely it would have worked, saved or otherwise. As for changing the tagged ports to untagged -- yeah, I'll try to remember to mention that too.

@pzanga Yes, you'd use tagged VLANs. Just think of the VLAN as being a different network that just happens to run over the same cables. The details vary with switch make, but the ports have to be configured to pass both the native LAN and the VLAN. Just make sure you use the same VLAN ID everywhere.

@althemal I know this is not exactly the same. But it sound like Google is still involved via YouTube so it may be helpful. I fought this for a while with trying to cast from my phone on one VLAN to the chromecast on different VLAN. Eventually I came across a post suggesting to do a NAT redirect on pings to Google's DNS addresses. Firewall > NAT > Port Forward > Create A New Rule [image: 1624722486083-screenshot-2021-06-26-at-11-41-02-firewall-nat-port-forward-edit-alphatrion-tld.png] My Aliases: All_Admin_VLAN_VPN_Networks = My VLAN IP ranges (i.e. 192.168.1.0/24, 10.20.30.0/24, etc...) 3_Device_DNS_Google = dns.google (For this, I only care about IPv4 so this is basically 8.8.8.8 and 8.8.4.4) This will create a Port Forwarding rule on the NAT > Port Forward tab. AND... It will create a firewall rule called "NAT Redirect Pings To Google DNS Back To Router" on the interface tab selected in the image above. You will want to go to that firewall tab and drag the new rule to the correct place. After you have saved the rule. Now when you ping 8.8.8.8 or 8.8.4.4 pfsense should respond back and not Google's servers. For good measure I also made sure to allow access to the chomecast discovery ports (8008, 8009, and 8443). FireTV may have different ports. Restarted my phone and chromecast; then things started working.

@jknott Thanks for all the posts. I may give it another try in the home lab next week. I'm starting a 72-hour work shift this morning. I'll be home Tuesday!

@johnpoz OK, thanks I will give a try