I also have sets of rules to block them on the interfaces themselves however do I need to add this tag anywhere else?

@fireix Just remember VLANs were designed to limit broadcast traffic. The next thing is switching is faster than routing. And last, layer 3 switches are faster than routers. I think of this when I design networks.

@diyfoolwall

The NIC of the server can / should only press the power-on button if it receives the secret magic wake up packet : the packet should have a data payload of exactly 3 times its own MAC address. Nothing more, nothing less.

To be able to receive this packet, the NIC itself should be powered on. Most ofthen, the NIC goes in low power mode, something like "10 Mbit half duplex' as this is the most economic mode.

If the NIC in front of the server doesn't support this mode : wake on lan won't work. This is what probable happened : pfSense sees the NIC (link) down, so it can't use the NIC to send the WOL packet.
That's why its best always to use a switch between any pfSense NIC's, and your LAN(s) devices, as switches accepts the full scale of 10 Mbits/half up to 1 Gbit/full as this is their job.

@JonathanLee Ah, yes, it surely looks more flexible with L3 switch in terms of security and how much you can do on port level. I will not be using normal VLANs in my case since I can't do subnetting-isolation (waste of IP-space and tons of config).

With regards to mesh, in my case, the two Uplink switches will be physically stacked. So the two switches will communicate as one and I would think that it would reduce the chances of broadcast storms. Or maybe not.. One reason for stacking and LACP is to simplify configuration and avoid relying on STP.

@tomic why you would of ever thought 192.168.2 would be an option is concerning..

Sniff on pfsense on the vlan 10 interface when you try and access the printer... Do you see pfsense send on the traffic, if so then its not a pfsense problem.

Also validate your printers mask is correct for your vlan 10 network, if its 192.168/16 and your trying to talk to it from say 192.168.2.x then the printer would think hey that is local and would never send the traffic back to pfsense to be routed back to your client trying to access the printer.

Your saying ping works - that points to maybe your using the wrong port to access the printer gui? Or it doesn't like remote access.. Can you access the printer gui from something on the vlan 10 network? To validate the gui is even working or enabled..

If that works, and you show sniffing pfsense sending the traffic - you could always source nat so printer thinks pfsense IP on its own network is talking to it.

@toskium yes running a pcap over the interface configured for LAG will show LACPDUs being sent by the switch and pfsense. Should be bidirectional. Assuming you see that your issue may be elsewhere.

@Antibiotic

Yes, you can have VLANs without a switch. Just connect the 2 devices with a cable and you can put what ever VLANs you want on it, though I'm not sure why you'd do that.

@rashadmahmood that is with only the 1 physical connection with your vlans running over it..

Just create a new uplink from your switch in say vlan 10, not tagged and connect to pfsense on another interface that you put your 10.0.0 network on..

@johnpoz Ha! Yeah, didn't think of that right. I was thinking setting static IP's and "on autopilot" setting .1 as gateway. DHCP would not have that problem.
But having .2 as a gateway address is still dumb to me. So he should still follow your advice in the way you meant it in my opinion.

@Skozzy said in Snort crashing and consistently high RAM consumption since creating new VLANs:

appliance, would i lose my current pfsense plus license? is there a way to transfer it since i still own the appliance?

As I am informed the license is bounded to the hardware that means to the device.
If you have 2 devices you own two licences and both will be able be upgraded
with no extra cost on top of it.

So if you are buying a appliance from negate you get the license on top of it
and if you run it let us say 5 years, you saved $129 each year that you would
pay if you go with your own hardware. So there should be nothing bad buying
after several years another appliance from Netgate the other one you could
try for testing out things or plain as a spare.

@coxhaus said in Can't get pfSense to communicate with Ubiquiti switch:

So, I would assume an Ubiquiti switch would cost around the same. You may be better off with Cisco.

Yeap, I'll definitely check those, I usually wait a lot, do a lot of research..

When I got the SG-4100, I was thinking about an upgrade of my entire network to 2.5Gbps, but since then, I couldn't find a managed 2.5Gbps switch that worth the price.

In this mean time, I got non managed switch, tp-link (TL-SH1005), it gets the job done.
Also got a 2.5Gbps ethernet adapter for my NAS, which is working perfectly.

So, for the time being, I can search for prices, no rush..

@Dobby_ I thought routes were automatically created for VLAN subnets?

@mhd353 Yeah you could do that. Or like I said earlier, just change the 3.1 to 30.1 and use it as the native on that port, you can then add vlans later if needed. I've done it where I name the physical port "Trunk" and had no native network on it. I've also read recently that the physical port doesn't even need to be enabled but I never did that and doesn't sound like something that would work to me. Maybe I'll try it sometime just to find out.

Hello,
I have successfully done that.

Multiple PLCs with same address static NAT.

I used a couple of Stratix 5700 switch, (which itself is a Cisco Router), One is NAT other routing.

I just want to know if there is a cheaper alternative, those switches don't come cheap.

AICV

@Antibiotic

With this install script, i can only see that "localhost" is doing the dns reqeusts. So there is no way anymore to block specific rules on specific users. 😕

@johnpoz Well, I have here a scenario in it's not possible for the packets to go through the local/internal network.
I have a pfSense with a /29 public IP (one address in the WAN and others as VIPs). In the LAN side, I have a PBX IP running in a VLAN1, and a STUN/TURN Server running on another VLAN2.
For the PBX I have a VIP with NAT Port Forward Rules, and NAT Outbound Rules;
For the STUN/TURN Server, I also have a VIP with NAT Port Forward Rules, and NAT Outbound Rules;
The IP Phones/Softphones located "in the world" can access the STUN/TURN Server via VIP address.
But the PBX, can't access the VIP address of STUN/TURN Server.
And why do I need this? Because the STUN/TURN Server needs to receive/recognize the Public IP address of the PBX and send back this information to the PBX put this on the SIP packets.
If the PBX reaches the STUN/TURN Server internally, the STUN will return the internal IP to PBX, and this info will be informed in the SIP packets, and then no one on the internet can find the RTP address of PBX.

But I didn't find how to make it work here. Any idea?

BR,