• Changing from managed switch to OpenWRT.

    0 Votes · 5 Posts · 518 Views

    Hmm. I was under the impression that WiFi 6 was 802.11ac. Apparently, it's 802.11ax. My bad!

  • Did not work for me

    0 Votes · 1 Posts · 229 Views · No one has replied
  • Devices on different VLANs do not seem to be able to talk across firewall

    0 Votes · 17 Posts · 1k Views

    I just wanted to follow up after having had some time to test and tinker.

    @johnpoz : Thanks for your help and patience! Your insight was invaluable.

    RECAP : Issue

    My original issue was identified by the supposed failure of pings to traverse through pfSense between two devices on different networks (ex. 192.168.11.xx and 192.168.12.xx).

    RECAP : Issue No.1 : Windows Firewall Behavior

    Important issue no.1 didn't have anything to do with pfSense or, for that matter, with the network in general. Windows firewall blocks ICMP Echo requests and this behavior seems to continue even with the firewall turned off in the Control Panel.

    The weird part with this issue is that both pfSense AND the managed switch could ping both computers. The issue was revealed when the computers could not ping each other (pings timed out).

    The simplest way to fix this behavior is to add an Allow Rule to Windows Firewall for ICMP behavior. Just... make sure to turn it off before using those test machines elsewhere.

    RECAP : Issue No.2 : pfSense DHCP

    Important issue no.2 had to do with weird behavior from the DHCP service on my pfSense machine. I cannot say if this is the result of a bug. I would have to do further testing (which I may follow up on later).

    This was described by johnpoz as : "if your device... doesn't have a gateway, then you would never be able to talk to it from some other network."

    Or even simpler : No door (gateway), no exit.

    This issue was revealed by the ping attempt on one of the computers throwing a "General Failure" error when trying to ping the other computer. Investigation of ipconfig results confirmed the issue (missing network gateway).

    The proposed solution that fixed the issue was simply to enter a value in the DHCP configuration screen : Other DHCP Options/Gateway. Adding a value here propagated to the two testing machines.

    The value I used was the IP address of the associated firewall interface (... the default value...).

    Fin

    That's it.

    Pings between the two computers work as expected, even when they are in different networks. The ping works in both directions.

    Thanks again!

  • Same VLANs on several SFP+ interfaces on pfSense 8300

    0 Votes · 4 Posts · 375 Views · keyser

    @MoonLight-0 only if your switches support stacking and can be stacked into one logical switch where you create an identical lagg of 4 ports (one from each switch).
    If they do not stack, you cannot use LAGG as an interface aggregation method across switches.

  • Switching from igc1 -> ic0 as physical interface starts well and then collapses

    0 Votes · 9 Posts · 662 Views · georgelza

    @Gblenn said in Switching from igc1 -> ic0 as physical interface starts well and then collapses:

    Use the topology mapping in Unifi Controller as support as well. It might give you some ideas of where things may be messed up..

    Issue: when the wheels come off, my Unifi manager is not reachable...

    The only switch that is internally static assigned is the ProMax... will remove that and do a static assignment on the pfSense... I was actually thinking the current config, where the switch is told you are 172.16.10.2, irrespective of which port is used for uplink... if anything... I would have expected more problems when the Cat6/2.5 GbE and fiber were both patched / active into the pfSense... as it would not have known who is the uplink...

    Will give all of this a try.

    G

  • Getting DHCP

    0 Votes · 2 Posts · 242 Views · johnpoz

    @mlradioguy firewall rules have nothing to do with it; once you enable the DHCP server, hidden rules are created that will allow DHCP.

    Are you seeing DHCP discovery/requests on pfSense? What does the DHCP log say? Sniff on the different pfSense interfaces: are you seeing the DHCP?

    If you set static, can you ping the pfSense IP? Do you even see an ARP entry in your clients for the pfSense IP?

  • Layer 2 connection issue with Android to PC app

    0 Votes · 33 Posts · 3k Views

    Man that does sound like a pain. It also doesn't sound possible to really do per app tunneling like a dedicated VPN app can do particularly for things like web browsers whereas with something like Sweech that uses a narrow host address range plus a specific port number, it would be a piece of cake. I suppose I'd have to keep the desktop app for the PC, but the phone should be ok with it since it's just one app that needs to be configured.

  • Bridge Setup is IMHO weird! Seems too complex!

    0 Votes · 7 Posts · 459 Views

    @johnpoz

    Currently they both carry different VLANs via their uplinks to pfSense? Yep, that was the previous situation.

    And yep, I do have a limited number of VLANs in a trunk between the two switches. But for the essential management VLAN, I did not like that.

    Note that the bridge I implemented does work as intended! I just do not understand the IMHO crazy way it is implemented!!

  • Help with VLAN configuration

    0 Votes · 8 Posts · 607 Views

    @codechurn
    Yes, you need an outbound NAT rule for the respective subnet on the VPN interface.

    To limit access to outside destinations only, best practice is to create an RFC 1918 alias which includes all private IP ranges, and use this one in the filter rule.
    [screenshot of the RFC 1918 alias]

    You can use this as destination with "invert match" checked in the policy routing (pass) rule. Or just insert a block rule above it.

    Used in a pass rule, it looks like this:
    [screenshot of the pass rule]

    Also, you should limit access in your first rule to services which are needed, like DNS.

    If you also want to block access to HAProxy, which is listening on the WAN IP, you need an additional block rule for this.

  • Adding existing LAN to LAGG

    0 Votes · 1 Posts · 155 Views · No one has replied
  • Stuck while restoring VLANs to new hardware

    1 Votes · 1 Posts · 162 Views · No one has replied
  • Cannot ping across VLANs on a 2100 when we add WAN2

    0 Votes · 2 Posts · 163 Views

    @desquinn Port 4/WAN2 is a unique subnet?

    The steps in https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html just isolate the port; it should not affect anything else.

    Steps 21-22 remove 4 from VLAN group 0 but your text shows it in there.

    If you configure WAN2 but unplug it what happens?

    Can you ping from pfSense into each VLAN?

    Check Diagnostics/Routes.

  • 3x small switch+2x Mesh Wi-Fi recommendation

    0 Votes · 3 Posts · 273 Views

    @cyb3rtr0nian Buying used on eBay might be a good idea, but if you are looking for new, perhaps TP-Link could be an option. As @AndyRH mentioned there is Unifi, which is a good option, but TP-Link have pretty much copied their UI in their Omada series. I have Omada at home and run Unifi at our vacation house and my mom's place, and I actually think Omada is a bit more "clean" and simple to navigate.

    Retransmission might be cables, but it's perhaps more likely that it is due to your wifi network. What mesh system are you using today?
    Some of them seem to reuse the same wifi channel on all APs, which is completely wrong from a radio standpoint.

    Phones or other devices will change to the next cell based on radio conditions and don't need to be on the same channel to be able to roam in your home. And you can control their "behaviour" via the settings for the APs: at what signal strength they should be "pushed off" an AP so they connect to the next, etc. But I'd say that is not at all necessary to mess with in a normal home with just a few APs.

    Placement and channel selection is important however, and you will be trying to minimize interference. Having all APs on the same channel creates tons of interference, from the APs themselves as well as all the devices.
    There are apps on Android you can use to check the signal strength of wifi from your neighbours on each channel (Wifi Analyzer and Ubiquiti's WiFiman). WiFiman has a nice mapping feature that you can use to create a "heat map" showing the signal strength or expected speed in your own home as well.
    On 2.4 GHz, channels are much wider than the numbers suggest, already at 20 MHz channel width. So channel 6 also covers channels 4, 5, 7 and 8, meaning that the only non-overlapping channels are 1, 6, 11 and 14. And don't use more than 20 MHz... in theory it should give you higher speeds, but you will likely get more interference and lower speeds.

  • Assistance with Multiple DHCP Servers on Netgate 6100

    0 Votes · 6 Posts · 550 Views · johnpoz

    @socrateberserk said in Assistance with Multiple DHCP Servers on Netgate 6100:

    I just changed the rules and it works

    You corrected your overlapping networks as well, I assume; pfSense will not allow you to put an IP on an interface that overlaps with another interface.

  • Do you assign a dedicated interface to manage your Pfsense from the GUI?

    0 Votes · 4 Posts · 542 Views · johnpoz

    @cuteliquid11 said in Do you assign a dedicated interface to manage your Pfsense from the GUI?:

    switch for speed and streamlined logic.

    Yeah, I sure wouldn't call that streamlined, and not sure what you're using for pfSense, but it's more than capable of routing at speed.. Now if you wanted devices to talk at like 2.5GbE or 5 or 10GbE or something, ok.. If pfSense couldn't do those speeds..

    How is the lack of any firewall rules between segments on your switch vs easy clickly clicky firewall rules on pfSense streamlined? You creating firewall rules via ACLs? Not sure what switch you're using, but those are not anything close to the ease with which rules can be done on pfSense.

    If you're not firewalling between the segments on your switch, why even segment them? Just put them all on the same VLAN, etc.

    But you still haven't said what your route conflict is??

    Let's take a look at your drawing.. But routing to your downstream router (L3 switch doing routing) wouldn't cause a route conflict..

    Here is an example of how you would set up a downstream router:

    [diagram: pfSense with a downstream layer 3 switch]

  • Ethernet rules L2 capable interface

    0 Votes · 3 Posts · 394 Views

    @johnpoz Thank you, that really cleared things up.

  • A quick question about VLANs

    0 Votes · 5 Posts · 543 Views · keyser

    @netguy Ahh, good thing I did the follow-up. I noted that your original question could mean you were talking about pfSense interfaces rather than switch interfaces.

    No, adding the same VLAN on more than one interface on pfSense is a really bad idea. You can theoretically create a bridge containing several interfaces, but it causes a lot of issues and strange/unpredictable behaviour, so it is definitely something I would recommend you stay away from. Get yourself a managed switch - they are dirt cheap, especially used. You'll end up doing it anyway even if you choose not to follow my advice now.

  • My config info to help ID the reason for DHCP not working

    0 Votes · 4 Posts · 402 Views

    @ccgc I also notice now that on this view, you have all the ports 1-8 Tagged instead of Untagged?

    [screenshot of the switch VLAN membership view]

    Did you follow this guide?

    https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch

    And you really don't have to do anything with VLAN 1, except remove it from the ports you want to have as access ports for VLAN 20 (VIDEO).

    And of course, VIDEO has to have a different subnet range than LAN. So if VIDEO has 192.168.0.1/24 you have to use something other than 192.168.0.

  • 0 Votes · 10 Posts · 879 Views · johnpoz

    @Frosch1482 the rfc1918 alias is just that, an alias that contains all the RFC 1918 networks.. Are your other VLANs not RFC 1918?

    Why would you need to create several to block RFC 1918? You can have lots and lots of aliases if that is what makes sense for what you're wanting to do.. Which you have not actually expressed in any sort of detail that would be helpful for someone wanting to help you.

    I gave you an example of a simple set of rules that would allow a "guest" sort of network to access the internet - but not any of your other networks (if they are RFC 1918) nor any pfSense GUI IPs, even if the WAN is public and changes.. That is the "this firewall" alias.

    Those rules I gave as an example could be adjusted to whatever your needs are.

    Maybe you want to allow any DNS? Maybe you don't want to allow NTP access or ping of the pfSense IP on your guest network, etc.

  • Keep subnets running on LAN1 and LAN4 separated using VLAN

    0 Votes · 4 Posts · 387 Views

    @Bly On a 3100 the LAN ports are a switch, so they are all the same port from what pfSense sees. You will need to isolate the ports in order to use separate firewall rules. But once you do that, then yes, they are just like separate ports.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.