@mmarco

Again, you don't have to pass VLANs through the tunnel. Just create the VLANs at each end and route the subnets appropriately.

@uns3en said in Unable to address WAN addresses from VLANs:

and I use an reverse proxy to serve them over 443.

Ok - why is that a problem then? Your reverse proxy works just fine like that be it you nat reflect or hit it directly locally. Or if you ran your reverse proxy on pfsense, no need for nat reflection or host override, etc.

@jknott
Yes okay though is it then possible to still say to the mobile branche office (vlan)subnet, if only this specific subnet wants to go to the outside world (to contact the extern hosted ip-phone-provider), it needs to make use of the ipsec ?. (while the other subnet traffic who want to surf the internet go straight from 4G to its 4G-internet service provider).

Meanwhile i'm testing out also :
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-route-internet-traffic.html
Though its just my guts feeling saying it seams overkill for what i want to achieve here, as there already is an ipsec tunnel. It make me more woried to alter the main HQ office to such an extend.

@pfsenseuser2020

Did you ever figure out why it wasn't working?

I have the same issue not being able to create a working bridge in vmware.

@jacy

There is no such rule. VLANs are at L2 and the filters work at L3. What you do is configure the interfaces with VLANs when you need them. For example I have VLAN3 enabled on my LAN interface to support my guest WiFi. Also, my understanding is the Netgate gear does something different with VLANs. I haven't worked with Netgate equipment, so I can't help with that.

Finally figured it out. The internal ports 9 and 10 had to be added as members of VLAN 216 in order for the internal routing to occur. Hope this post helps someone else with the same issue!

Well, I'm no expert but I got it working on my end, esxi 6.7, but using layer 2 'lite' layer 3 switches from Netgear though. I kept the management network on my default LAN, thinking that if there were issues with the VLAN, I want to be able to reach the management network without a fuss. I put two nics on that original vswitch, for the management network, and put the rest on a new port group on a second vswitch that I created for the VLAN. Put it in VLAN 4095 (will probably move it to the right VLAN at some point- 4095 means all VLANS). I then set the Netgear switch ports that came from the VMs in ESXI to the correct VLAN and it's working.

I don't know why it drops, maybe more information as to how it is set? One vswitch with everything in it (management/vlans all in the same vlan) or multiple vswitches..., plus I don't know how your physical switch handles the vlans, I never tried TP Link with vlans before.

Happy to help, I ran pfsense on esxi for many years.. I currently do not have esxi setup here, or any access where I could post screenshots on how it can be done, etc.

But happy to answer questions..

The biggest issues I see new users with multiple routers having is not understanding why they run into problems when they try and have hosts on what ends up being their transit network.

And new users to esxi not understanding how it works with tags, or doesn't work ;)

But when it comes down to it - tag is a tag is a tag.. But tags are only need when you want to carry more than 1 vlan over the same wire.

@tkyead bump. Also, can't edit post, but re-written to shorten and for clarity:

Hi folks,

Having some issues getting VLANs set up. My end goal is to have internet routed through my PFSense box and a Unifi AP and 3 SSIDs connected to different VLANs.

Setup

- WAN -> PF -> Unmanaged switch -> to: - Wired clients - PiHole on the default LAN, for local DNS - WAN -> PF -> Unmanaged switch -> Link port of managed switch - Unmanaged switch -> Unifi AP w/3 SSIDs: - SSID 1 - VLAN 10: trusted (192.168.20.0/24) - SSID 2 - VLAN 30: untrusted smart home network (192.168.100.0/24) - SSID 3 - VLAN 35: untrusted guest network (192.168.200.0/24) - PFSense LAN default network - 192.168.10.0/24

In PFSense, I have all 3 VLANs defined & enabled with DHCP turned on. DHCP is working as when I connect to SSID 1 (trusted network) I'll get e.g. 192.168.20.5. I can also ping the PiHole from all wireless clients. Here's where it gets interesting - nslookups from wireless clients to the PiHole do not work (trusted & untrusted both), nor do I have internet connectivity. I do have port 53 allowed from any internal networks -> PiHole, and I'm not currently seeing any blocked firewall entries that would provide any clues either.

Troubleshooting steps taken

I thought the Unifi AP might be messing things up so I connected managed switch -> an old wireless router's LAN port and set all managed switch ports to VLAN 10 (so all wireless clients on the old router's network would get a 192.168.20.x). This surprisingly also does not work in the same way as above -- I can ping PiHole, I can somehow supposedly ping internet addresses (e.g. 1.1.1.1) but I do not have internet connectivity via e.g. web browser.

I'm not sure what else I can try here. Any help would be greatly, greatly appreciated!

Edited to shorten length & for clarity

I was finally able to get Century Link to come on-site. As it turns out, the PON tap is doing this to my entire neighborhood -- so thankfully this has nothing to do with pfsense. Though, Century Link has no idea what's happening, so I'm not sure If I should be relieved?

The NSA wiretap is probably just malfunctioning and instead of sending copies of our packets back to Fort Meade, they are being sent back down the line to the ONT. Nothing to see here.

Yep. dhcp.png

@sshami I can't ping backup Sync intrerface IP from Master node.

@sokolum said in Isolated VLAN / Private VLAN:

Netgear GS108TV3.

You might want to check the manual to see if that function is supported. You may have to check carefully, as it might not be obvious. For example, with my crappy TP-Link switch, it's called "Multi-Tenant Unit VLAN".

Thanks so much to everybody involved here. I was entirely wrong in my initial suspicion, but the analysis helped me better understand how networks work, so I do not consider this as lost time.

Some revelations:

for incoming traffic, wireshark, tcpdump and packet capture (pfsense) are king for outgoing traffic, ip route get [host ip] helps to see in which direction traffic leaves (or doesn't leave) the host

@derelict Thanks. You made my day. I will try that