Finally figured it out. The internal ports 9 and 10 had to be added as members of VLAN 216 in order for the internal routing to occur. Hope this post helps someone else with the same issue!

Well, I'm no expert but I got it working on my end, esxi 6.7, but using layer 2 'lite' layer 3 switches from Netgear though. I kept the management network on my default LAN, thinking that if there were issues with the VLAN, I want to be able to reach the management network without a fuss. I put two nics on that original vswitch, for the management network, and put the rest on a new port group on a second vswitch that I created for the VLAN. Put it in VLAN 4095 (will probably move it to the right VLAN at some point- 4095 means all VLANS). I then set the Netgear switch ports that came from the VMs in ESXI to the correct VLAN and it's working. I don't know why it drops, maybe more information as to how it is set? One vswitch with everything in it (management/vlans all in the same vlan) or multiple vswitches..., plus I don't know how your physical switch handles the vlans, I never tried TP Link with vlans before.

Happy to help, I ran pfsense on esxi for many years.. I currently do not have esxi setup here, or any access where I could post screenshots on how it can be done, etc. But happy to answer questions.. The biggest issues I see new users with multiple routers having is not understanding why they run into problems when they try and have hosts on what ends up being their transit network. And new users to esxi not understanding how it works with tags, or doesn't work ;) But when it comes down to it - tag is a tag is a tag.. But tags are only need when you want to carry more than 1 vlan over the same wire.

@tkyead bump. Also, can't edit post, but re-written to shorten and for clarity: Hi folks, Having some issues getting VLANs set up. My end goal is to have internet routed through my PFSense box and a Unifi AP and 3 SSIDs connected to different VLANs. Setup - WAN -> PF -> Unmanaged switch -> to: - Wired clients - PiHole on the default LAN, for local DNS - WAN -> PF -> Unmanaged switch -> Link port of managed switch - Unmanaged switch -> Unifi AP w/3 SSIDs: - SSID 1 - VLAN 10: trusted (192.168.20.0/24) - SSID 2 - VLAN 30: untrusted smart home network (192.168.100.0/24) - SSID 3 - VLAN 35: untrusted guest network (192.168.200.0/24) - PFSense LAN default network - 192.168.10.0/24 In PFSense, I have all 3 VLANs defined & enabled with DHCP turned on. DHCP is working as when I connect to SSID 1 (trusted network) I'll get e.g. 192.168.20.5. I can also ping the PiHole from all wireless clients. Here's where it gets interesting - nslookups from wireless clients to the PiHole do not work (trusted & untrusted both), nor do I have internet connectivity. I do have port 53 allowed from any internal networks -> PiHole, and I'm not currently seeing any blocked firewall entries that would provide any clues either. Troubleshooting steps taken I thought the Unifi AP might be messing things up so I connected managed switch -> an old wireless router's LAN port and set all managed switch ports to VLAN 10 (so all wireless clients on the old router's network would get a 192.168.20.x). This surprisingly also does not work in the same way as above -- I can ping PiHole, I can somehow supposedly ping internet addresses (e.g. 1.1.1.1) but I do not have internet connectivity via e.g. web browser. I'm not sure what else I can try here. Any help would be greatly, greatly appreciated! Edited to shorten length & for clarity

I was finally able to get Century Link to come on-site. As it turns out, the PON tap is doing this to my entire neighborhood -- so thankfully this has nothing to do with pfsense. Though, Century Link has no idea what's happening, so I'm not sure If I should be relieved? The NSA wiretap is probably just malfunctioning and instead of sending copies of our packets back to Fort Meade, they are being sent back down the line to the ONT. Nothing to see here.

Yep. [image: 1619562318879-dhcp.png]

@sshami I can't ping backup Sync intrerface IP from Master node.

@sokolum said in Isolated VLAN / Private VLAN: Netgear GS108TV3. You might want to check the manual to see if that function is supported. You may have to check carefully, as it might not be obvious. For example, with my crappy TP-Link switch, it's called "Multi-Tenant Unit VLAN".

Thanks so much to everybody involved here. I was entirely wrong in my initial suspicion, but the analysis helped me better understand how networks work, so I do not consider this as lost time. Some revelations: for incoming traffic, wireshark, tcpdump and packet capture (pfsense) are king for outgoing traffic, ip route get [host ip] helps to see in which direction traffic leaves (or doesn't leave) the host

@derelict Thanks. You made my day. I will try that

@SteveITS After isolating the vlan on the switch, I had to configure a static IP, and now must configure for the WAN access. Would you know anything about this?

I ended up just plugging a Raspberry PI into a port on the N3K-C3172 TOR, and configured the network stack to implement the L2TP pseudowire, so it ends up being the same number of hops, but it would have been nice to implement it either in the switch or the firewall and not have to live with a single function appendage... but that's life in technology.

@johnpoz Then I was just discussing it. I hadn't actually tried it on pfsense. Today, I thought I would, given I have so much time on my hands with the pandemic. I run openSUSE Linux on my network and it supports VLAN 0. In fact, it's what pops up when you create a VLAN. In my previous experiment with VLANs, I was using VLAN 5, which pfsense supports. I also have VLAN 3 for my guest WiFi. BTW, I just came across this. In reading it, I get the impression someone doesn't understand what VLAN 0 is for. The "reserved" purpose is for putting the CoS bits on a frame, without having a separate VLAN. That is a VLAN 0 frame should be treated identically to a native frame, other than CoS.

@duvel If you have 4 NICs, there's likely not much use with using VLANs. If you want to learn about VLANs, you have to actually set them up and have something at the other end of the wire that can handle them. A managed switch will do that. You can create multiple subnets and put them on individual VLANs. Then use the managed switch to sort them out, so that when you plug a computer into the different ports, it will be on the different subnets. Depending on your WiFi situation, you might get a proper AP and use a VLAN to provide a guest WiFi. One other thing you can do with a managed switch is create a data tap, so you can monitor a connection with Wireshark. This is very handy when learning about networks. Again, small managed switches are cheap. Just avoid TP-Link.