@Stp well if you can ping 8.8.8.8 then internet is working.. Your problem is prob dns related.

@stampeder Not sure what your going on to be honest.. You have gone down some rabbit hole of your own making... I have told you multiple times now how to configure your ports.. you need to set 100 as native vlans on those ports.

I even linked to the cisco docs that show you how to set it as native.

@johnpoz
Thanks, John! Appreciate your example!

@johnpoz
Hi,
There was no any problem in Subnetmasks or IPs.
I found the rootcasue, the servers in vlan35 were configured with dockers and the same vlan1 subnet was occupied by dockers inside the server, thats why we were not able to reach them.
thanks

@moji said in Question about inter-Vlan traffic and interface Concept:

1- I suspect this is an issue with tagged and untagged traffic

or its just that AP doesn't have a gateway.. To access a device on another network, that device has to know how to talk back to the source network.

Validate your AP gateway set to pfsense on the network its on. If you can not do that in this AP, then you could aways source nat your traffic so it looks like pfsense IP on that network is talking to it, and not the remote IP of your client your wanting to use to access the AP gui.

soho wifi router are known for this problem, where the native firmware doesn't allow you to set a gateway on the lan interface

@Gblenn wow now this is why I love this forum....
You guys are amasing....
Thank you so much for all your help...
I will run with the setup as is for now and look into changing things later...

bookie56

@User6buinf43
You can use any free IP for masquerading in fact, but you have to assign it to the respective pfSense interface. Otherwise ARP will not work for it.

I advised you to select VLAN 8 address before, however. There is no plausible reason to use any other.

@4RR3N said in How to easily block access between multiple VLANs ?:

ncluding grabbing IP via DHCP for my client

You can not place a rule that blocks dhcp - because when you enable dhcp hidden rules are created that allow for dhcp before rules you place on the interface or even the floating tab are evaluated.

Vs having rules block vlan x, y and z on your vlan a interface.. As mentioned yes just create an alias that contains all your networks, or for that matter just all of rfc1918 space so you can just use one rule.

Keep in mind you would need to make sure you allow what you want before this rule - say dns, or ntp or icmp to pfsense IP on that interface, etc.

@pfsense555 The easy way to find out is to do packetcapture on pfsense, and see what happens to LACP control frames when you remove power from one switch.

@viragomann
I have DHCP server enabled on IoT
Screenshot from 2024-08-18 20-47-50.png

I tried the Packet Capture and it capture traffic only when I select LAN interface and it even capture traffic when I connect to IoT WLAN and on the IoT interface it does not capture anything

I got it figured out. I don't recall setting up traffic shaper, but somehow they were limited to be pretty low. Maybe I set it up previously when I had a 100/10 speed. I may just turn it off entirely and see how it goes.

Thank you both for your help! I'm glad I asked before diving into setting up the second interface.

@hardingd
FIXED:
It turned out to be the <pvid>1</pvid> on the <swports>. Removed that and VMs started getting DHCP from the VLAN 10 interfaces.

Maybe this helps.

@ff101

Thanks! It's working now which means the issue was in the switch configuration, I'll check that up next.

Hmm, something must have changed. If nothing changed in the firewall/switch it must have been in a client somehow.