@madnet

As has been mentioned here many times, avoid TP-Link, if you want to use VLANs. There are plenty of other brands that work properly.

@marvosa Thank you! It took me some time and a little nudge from a friend to translate your sentence but eventually I figured it out.
I now have the gateway online and the interface up and learned some things in the process.

forgot to mention the VPN via IPsec which is the 5th net, but it probably does not make a difference here.

@hieroglyph Also, pfsense is not going to be able to move packets faster at layer3 than a switch can at layer2. If you want pfsense to be efficient, let the switches handle all inter-LAN traffic (i.e. LAN10 to LAN10. LAN20 to LAN20. Etc...). That way pfsense only needs to handle cross-LAN traffic (LAN10 to LAN20. LAN20 to LAN30, Etc...) and traffic headed out of WAN.

@pwang99
I'm starting to think you are a "Robot" , or totally miss the point here.
Always the same answer.

How much network/switch experience do you have ?

/Bingo

@janiboy

You will need firewall rules to allow the LAN and VLAN to communicate.

@nevar i was able to figure out the issue. it is noob mistake. i forgot that starting windows10, ping is disable by default argh. after realizing that, i install portable ftp server on my pc that is on vlan and then try connect to it from my lan. i was able to connect to it. i also do couple test with the rule set to disable/enable and it work as expected.

@cburbs , @johnpoz & @bingo600 for all the suggestions!

I ended up using LibreOffice Draw, the start was clunky but once I got the hang of its drawing toolbar it became a breeze. Also realized that by documenting details, it took that extra level of time and scrutiny made me think through the topology functionally and not use my standard "do first then think later" approach 😁

It is also easy to edit and make changes so for a free solution and a simple network like mine it worked out great, here is a blurred screenshot for your delight!!!

screen.png

@hieroglyph , @JKnott ,

FIXED!

TL;DR: Could not understand why pfsense was not passing and/or routing untagged traffic to switch UI's via tagged interfaces, but no problems with any untagged<-vlan->untagged device traffic. solution: my ID10T mistake: uncheck "Enable Static ARP entries" in DHCP on the interfaces of the devices, or add the static APR entries necessary for all devices (hosts and switches...) to talk. Look for states in state table.

Dumb*** move on my part. Posted for all to read and groan/laugh at the noob...as the saying goes "KISS"...but, it's as much about learning as doing. And, I now have SSH for all my devices installed, putty/mobaXterm/wireshark installed on all my machines, and also WSL with ubuntu to help me out in the future :)

Ok, after i tried a ton of reading, pinging, capturing, triple checking/disabling rules and trying the outbound NAT, and that didn't work either, in the process I noticed something else recently changed: whereas before I could ping "just fine" from any of my vlans, well, my primary vlan stopped seeing the switches also... I like these types of failures!

So, resetting my assumptions, after more google-fu, I looked at the state tables (recommended in other posts), and realized there were no states in pfsense for switch-1. Well, if pfsense can't see it, pfsense won't route to it, but the other devices were present.... hmmm....as if the switch(es) weren't allowed....

I thought I'd try to add a static ARP for switch-1 - and... that's when I noticed that at some point in my former brilliancy, I happened to check the "Enable Static ARP entries" in DHCP on the VLAN10 interfaces. Now that's all fine and good as it had the machines I wanted to connect with, BUT no entries for switch-1 (or 2)! Added them to the VLAN10 interface since that is what they communicate to, and EVERYTHING is groovy again! Now I can use the firewall rules to fine tune access, and avoid NAT for now, as future challenge will be VPN's....I may be back...

Anyhoo, thank you again @hieroglyph and @JKnott for your time and help giving me direction!

@marvosa said in Access point with VLAN - no LAN connection:

RxBadPkt's? Why would you do that??!?! Like I said... suspect... LoL!

Good question - like every tagged packet is marked as bad - I do recall that when was testing their - whats the right word?? Oh yeah JUNK!

Do yourself a favor and use something else other than tp-link for switches and AP.. As dumb products they might be fine - but if your wanting to do vlans. They don't understand them..

@hanalei_boy

You'd think so, but it's not hard to give it a try to see what happens. Put it first, so that nothing else can affect it.

That is what I do as well, some interfaces run multiple vlans. Others have only single interface. My high volume vlans have their own uplink. Other vlans like my wireless ones share an interface. Wireless clients not going to be able to use a full gig interface anyway - not a single device for sure.. Maybe as you move to AX.. But until that time with wifi 5, not really possible for a wireless client to use full gig. So yeah they can share an interface, and rare that any wifi vlan would ever talk to another wifi vlan, etc.

This is what is nice about having multiple interfaces on your router. One of the reasons went with the 4860... Lots of discrete interfaces, gives you more options. I don't really have any use for switch ports in my router ;) That is why I have switches... heheh

Now what I would love to see, would be a netgate box that has multigig interfaces - support for 802.3bz.. Love to have interfaces that can do 10/100/1000/2.5/5/10ge

Multigig switch ports be great.. This could allow for say future connection of AX APs that support say 2.5ge uplink into the router, when you don't actually have a muligig switch, etc.

All good now. Found out that its the client (Win 10) firewall

@JKnott Looks like you are mostly correct.
I factory defaulted all of my equipment and setup everything from scratch again.
Looks like I am able to issue DHCP to each VLAN correctly.

Thank you!

@jknott Thank you .... ill try to inspire from your hint. Thank you again.

@marvosa yea, unfortunately my switches are L2 only, so I don't think inter-vlan routing on the switch is going work for me. Interesting to note VLAN overhead. I didn't think it was that much, but frankly I don't have much experience with VLANs and this is my first attempt at VLANs on a network I control. Thanks for your feedback. Definitely helps me understand and have some base expectations with routing VLANs through pfSense :)