@swgarland said in VLAN Setup question:

It currently tags all traffic as vlan10 unless it is changed on the switchport.

Well change it if you don't want what you want.. If you want to use just native lan as vlan 10 - then just set the port to connected to lan port of pfsense to not tag vlan 10. So your saying if you put some pc connected to port X, that you have to set the PC to understand the vlan, ie the tag.. PCs sure do not do that out of the box.

@nickh-0 said in Home IP range overlap with Work VPN:

@jknott
Thanks for the reply. usually i would, but being a consultant and working with various clients and projects the risk of running into an overlapping IP is high and need a permanent solution to allow me to "adapt" and was thinking i could have a vlan that i can change as needed rather than continuously changing my home subnet - if that makes sense.

Use 172.31.255.0/24, most of your customers if they have their heads screwed on won't allow split tunnels.

@gwaitsi


the client on vlan20 can ping all switches, routers and the firewall on vlan1 - but not the ipmi port

the routers and the switches can ping all devices including the ipmi port

pfsense can ping all routers, switches and clients - but not the ipmi port

there is no inter-vlan routing on the switches, everything must go through pfsense.

rule specifically allows all protocols / addresses from vlan20 to vlan1 and rule for vlan1 to vlan20 (for eliminating rules as a source)

the test results are also the same if i put the IPMI port into the openwrt with untagged vlan1 port instead of the managed switch

i don't understand why pfsense can't talk to this one device, when it can to all the others on the same network.

** to eliminate all possibilities, i put the ipmi port on the same vlan as the client on a openwrt port set to untagged. It was then able to get a dhcp from the client vlan

@roney-s-mathews

How are you determining that? If you want VLANs, you configure them wherever you need them and you won't be able to see if you get the addresses, without something to connect to the VLAN. Also, did you configure a DHCP server on the VLAN?

@vtglockster

The issue was the OpenVPN client. I needed to add some rules for Outbound NAT.

Once I added the rules the VLANs started working properly.

Yes, adding a new IP range to the port connected to the switch will separate the devices. Then if you want you can do interesting things with rules to isolate or not isolate devices.

Port 1 might have the IP 10.10.220.0/24 and port 2 might be 192.168.100.0/24. The only way they talk is if you allow (the default is to allow) them to talk.

@gertjan

i found it. after days. works now.
this here https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html
is not suitable for my config, because i need the 210 VLAN to terminate, so i dont need a dedicated Switch port, just a VLAN interface.

this is the right tutorial: https://mitky.com/pfsense-virtual-lan-setup-vlans/

there it works.

now the other VLANs should be working as well like this one.

@wc2l

Those are aliases. Private is an alias for all RFC1918 IPv4 addresses and IPv6 ULA. Prefix is an alias for my /56 IPv6 prefix.

Under diagnostic menu.. Packet Capture. This allows you to see like the raw data that interface sees..

Here this might help in what packet capture (sniff) is.

https://en.wikipedia.org/wiki/Packet_analyzer

edit: example

Here is a sniff (packet capture) on my dmz interface (192.168.3.253) while pinging an IP in my dmz network, from my lan network 192.168.1000

sniff.png

Now you can view more info by changing the verbosity level in that screen. Or you could just download the capture into your own software.. Wireshark for example (free)..

And get all kinds of great info on what is actually going on.. For troubleshooting stuff

info.png

In your specific scenario - you would of been able to see if pfsense was actually sending on the ping request, but not getting an answer, etc.

@cheezyadmin LLDP is a discovery protocol. My guess is their phones use LLDP to discover the voice VLAN. You will need to enable LLDP (and possibly LLDP-MED) on your switch.

adding a pass rule from(opt1) to source/dest/port(any) in the firewall on the opt1 interface solved the problem.

@madnet

As has been mentioned here many times, avoid TP-Link, if you want to use VLANs. There are plenty of other brands that work properly.

@marvosa Thank you! It took me some time and a little nudge from a friend to translate your sentence but eventually I figured it out.
I now have the gateway online and the interface up and learned some things in the process.

forgot to mention the VPN via IPsec which is the 5th net, but it probably does not make a difference here.

@hieroglyph Also, pfsense is not going to be able to move packets faster at layer3 than a switch can at layer2. If you want pfsense to be efficient, let the switches handle all inter-LAN traffic (i.e. LAN10 to LAN10. LAN20 to LAN20. Etc...). That way pfsense only needs to handle cross-LAN traffic (LAN10 to LAN20. LAN20 to LAN30, Etc...) and traffic headed out of WAN.

@pwang99
I'm starting to think you are a "Robot" , or totally miss the point here.
Always the same answer.

How much network/switch experience do you have ?

/Bingo