@jamesdav It's just a switch. If you must use the switch built into the SG-1100 for this and not an actual external outside switch, you can modify this procedure: https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html That puts two ports on the same LAN broadcast domain but it will work equally well for VLAN 4090 (WAN).

@derelict & All Thanks for your help. The issue is resolved. The problem was the Netgear switch port was being blocked because of STP rules. Issue Resolved!

I came up with this topology: [image: 1616531784069-210322-network-diagram.jpg]  I also set took these configuration steps: set up a bridge between the interfaces corresponding to the LAN and OPT ports in Interfaces→Bridges, set the OPT port to have the IP address 192.168.4.1, set up a DHCP server for the entire 192.168.4.0/24 subnet on the interface corresponding to OPT, with 192.168.4.1 as the gateway address, turned on the Avahi package to route mDNS traffic between the 192.168.4.1/24 and 192.168.1.1/24 subnets, turned off the Velops’ DHCP server, and set the LAN base address to 192.168.4.2, so as to not create a conflict with the OPT port. The second Ethernet connection on the master Velop node is purely for remote administration purposes. That’s how it communicates to the LinkSys configuration servers.

@Derelict & @teamits : you were both right. Sorry, my bad: it was bad Ubiquity configuration. If anyone falls in the same trap, the solution is to set "Corporate" + "VLAN". Not "VLAN Only" + "VLAN": [image: 1616462963822-98a25145-0f81-4440-85e0-ab5af871da71-image.png] Thank you both very much!

@mcury Perfect, got it working as expected. Still curious about what causes the underlying issue wrt routing from the gateway but it's less of a concern since I can address the symptom.

I eventually solved it by using the ISP modem/router for IPTV and but pfSense behind it. It's double NAT but that's ok for now.

I solved the issue a while ago and forgot to answer here. After entering the IP in Captive Portal / Allowed IP Addresses, everything was perfect. As my CP is authenticated, so I believe that the question was precisely at that point. The other end had no way to authenticate itself to be able to pass and from the moment I released the IP there, he started to communicate. I even thought about doing a test of this type, taking the CP's authentication to see if it worked directly, but I ended up not having time. Anyway ... it's resolved. Thanks to everyone who was willing to try to help.

@rnelsen Did you configure the VLAN through the switch? I use VLAN 3 for my guest WiFi. I configured VLAN 3 on pfsense, my Unifi AP and the Cisco switch ports that connect to pfsense and the AP.

@adamsolar The SG-2100 only has two built-in NIC’s Mvneta0 = WAN Mvneta1 = LAN (Which is connected to the Built-in switch) So the 4 “LAN” ports are actually switch ports that switches traffic to/from the 2.5Gbit LAN NIC If you want VLAN capability on those ports (different VLANs on ports), you need to set up 802.1q mode on the switch: https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html

@lillianroot Getting Deja Vu, I feel like I've seen this question posted a while back. (my assumption is that they plugged into the layer 3 switch instead) I doubt it. They most likely did one of two things... they either spanned the appropriate VLAN out to that switch or put the end-users on a different VLAN and forced them to re-address their equipment. Are the layer 3 switches allows the VLANS to pass traffic across a trunk through routing but the layer 2 switch can't do that feature? A layer 3 switch is a switch that also has routing functionality. However, it would need to be configured and implemented properly to actually route traffic. The fact that the switch has layer 3 functionality doesn't necessarily mean it's routing traffic. So, the short answer to your question is no. A layer 3 switch will pass the same VLANs over a trunk that a layer 2 switch will. The difference is layer 3 switches can also do static routing, dynamic routing, etc. Best practice is for every closet to have unique VLANs. So, if the VLAN you're looking for isn't on the switch, it was probably left off by design. So, someone had to make a decision whether to span that VLAN out to that switch or force the end-users to re-address their equipment on a subnet that exists in that closet.

@swgarland said in VLAN Setup question: It currently tags all traffic as vlan10 unless it is changed on the switchport. Well change it if you don't want what you want.. If you want to use just native lan as vlan 10 - then just set the port to connected to lan port of pfsense to not tag vlan 10. So your saying if you put some pc connected to port X, that you have to set the PC to understand the vlan, ie the tag.. PCs sure do not do that out of the box.

@nickh-0 said in Home IP range overlap with Work VPN: @jknott Thanks for the reply. usually i would, but being a consultant and working with various clients and projects the risk of running into an overlapping IP is high and need a permanent solution to allow me to "adapt" and was thinking i could have a vlan that i can change as needed rather than continuously changing my home subnet - if that makes sense. Use 172.31.255.0/24, most of your customers if they have their heads screwed on won't allow split tunnels.

@gwaitsi  the client on vlan20 can ping all switches, routers and the firewall on vlan1 - but not the ipmi port the routers and the switches can ping all devices including the ipmi port pfsense can ping all routers, switches and clients - but not the ipmi port there is no inter-vlan routing on the switches, everything must go through pfsense. rule specifically allows all protocols / addresses from vlan20 to vlan1 and rule for vlan1 to vlan20 (for eliminating rules as a source) the test results are also the same if i put the IPMI port into the openwrt with untagged vlan1 port instead of the managed switch i don't understand why pfsense can't talk to this one device, when it can to all the others on the same network. ** to eliminate all possibilities, i put the ipmi port on the same vlan as the client on a openwrt port set to untagged. It was then able to get a dhcp from the client vlan

@roney-s-mathews How are you determining that? If you want VLANs, you configure them wherever you need them and you won't be able to see if you get the addresses, without something to connect to the VLAN. Also, did you configure a DHCP server on the VLAN?

@vtglockster The issue was the OpenVPN client. I needed to add some rules for Outbound NAT. Once I added the rules the VLANs started working properly.

Yes, adding a new IP range to the port connected to the switch will separate the devices. Then if you want you can do interesting things with rules to isolate or not isolate devices. Port 1 might have the IP 10.10.220.0/24 and port 2 might be 192.168.100.0/24. The only way they talk is if you allow (the default is to allow) them to talk.

@gertjan i found it. after days. works now. this here https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html is not suitable for my config, because i need the 210 VLAN to terminate, so i dont need a dedicated Switch port, just a VLAN interface. this is the right tutorial: https://mitky.com/pfsense-virtual-lan-setup-vlans/ there it works. now the other VLANs should be working as well like this one.