@janiboy

You will need firewall rules to allow the LAN and VLAN to communicate.

@nevar i was able to figure out the issue. it is noob mistake. i forgot that starting windows10, ping is disable by default argh. after realizing that, i install portable ftp server on my pc that is on vlan and then try connect to it from my lan. i was able to connect to it. i also do couple test with the rule set to disable/enable and it work as expected.

@cburbs , @johnpoz & @bingo600 for all the suggestions!

I ended up using LibreOffice Draw, the start was clunky but once I got the hang of its drawing toolbar it became a breeze. Also realized that by documenting details, it took that extra level of time and scrutiny made me think through the topology functionally and not use my standard "do first then think later" approach 😁

It is also easy to edit and make changes so for a free solution and a simple network like mine it worked out great, here is a blurred screenshot for your delight!!!

screen.png

@hieroglyph , @JKnott ,

FIXED!

TL;DR: Could not understand why pfsense was not passing and/or routing untagged traffic to switch UI's via tagged interfaces, but no problems with any untagged<-vlan->untagged device traffic. solution: my ID10T mistake: uncheck "Enable Static ARP entries" in DHCP on the interfaces of the devices, or add the static APR entries necessary for all devices (hosts and switches...) to talk. Look for states in state table.

Dumb*** move on my part. Posted for all to read and groan/laugh at the noob...as the saying goes "KISS"...but, it's as much about learning as doing. And, I now have SSH for all my devices installed, putty/mobaXterm/wireshark installed on all my machines, and also WSL with ubuntu to help me out in the future :)

Ok, after i tried a ton of reading, pinging, capturing, triple checking/disabling rules and trying the outbound NAT, and that didn't work either, in the process I noticed something else recently changed: whereas before I could ping "just fine" from any of my vlans, well, my primary vlan stopped seeing the switches also... I like these types of failures!

So, resetting my assumptions, after more google-fu, I looked at the state tables (recommended in other posts), and realized there were no states in pfsense for switch-1. Well, if pfsense can't see it, pfsense won't route to it, but the other devices were present.... hmmm....as if the switch(es) weren't allowed....

I thought I'd try to add a static ARP for switch-1 - and... that's when I noticed that at some point in my former brilliancy, I happened to check the "Enable Static ARP entries" in DHCP on the VLAN10 interfaces. Now that's all fine and good as it had the machines I wanted to connect with, BUT no entries for switch-1 (or 2)! Added them to the VLAN10 interface since that is what they communicate to, and EVERYTHING is groovy again! Now I can use the firewall rules to fine tune access, and avoid NAT for now, as future challenge will be VPN's....I may be back...

Anyhoo, thank you again @hieroglyph and @JKnott for your time and help giving me direction!

@marvosa said in Access point with VLAN - no LAN connection:

RxBadPkt's? Why would you do that??!?! Like I said... suspect... LoL!

Good question - like every tagged packet is marked as bad - I do recall that when was testing their - whats the right word?? Oh yeah JUNK!

Do yourself a favor and use something else other than tp-link for switches and AP.. As dumb products they might be fine - but if your wanting to do vlans. They don't understand them..

@hanalei_boy

You'd think so, but it's not hard to give it a try to see what happens. Put it first, so that nothing else can affect it.

That is what I do as well, some interfaces run multiple vlans. Others have only single interface. My high volume vlans have their own uplink. Other vlans like my wireless ones share an interface. Wireless clients not going to be able to use a full gig interface anyway - not a single device for sure.. Maybe as you move to AX.. But until that time with wifi 5, not really possible for a wireless client to use full gig. So yeah they can share an interface, and rare that any wifi vlan would ever talk to another wifi vlan, etc.

This is what is nice about having multiple interfaces on your router. One of the reasons went with the 4860... Lots of discrete interfaces, gives you more options. I don't really have any use for switch ports in my router ;) That is why I have switches... heheh

Now what I would love to see, would be a netgate box that has multigig interfaces - support for 802.3bz.. Love to have interfaces that can do 10/100/1000/2.5/5/10ge

Multigig switch ports be great.. This could allow for say future connection of AX APs that support say 2.5ge uplink into the router, when you don't actually have a muligig switch, etc.

All good now. Found out that its the client (Win 10) firewall

@JKnott Looks like you are mostly correct.
I factory defaulted all of my equipment and setup everything from scratch again.
Looks like I am able to issue DHCP to each VLAN correctly.

Thank you!

@jknott Thank you .... ill try to inspire from your hint. Thank you again.

@marvosa yea, unfortunately my switches are L2 only, so I don't think inter-vlan routing on the switch is going work for me. Interesting to note VLAN overhead. I didn't think it was that much, but frankly I don't have much experience with VLANs and this is my first attempt at VLANs on a network I control. Thanks for your feedback. Definitely helps me understand and have some base expectations with routing VLANs through pfSense :)

@nerlins said in Am I thinking this topology through correctly?:

I did this, but couldn't see Unifi devices in the network controller.

Well your only going to see unifi devices when they are in the same L2 network, unless you did L3 adoption..

I even brought up putting wireless and wired in the same vlan, etc. Which is why you would want a switch.. Bridging interfaces is NOT a switch..

As I suggested from the get go - get a switch to put in front of pfsense so you can do whatever you want with putting anything you want in any specific vlan.. If your going to connect a AP that has multiple vlans on it directly into a port on pfsense, you would have no way to add wired devices to any of these vlans.. Without the nonsense that is bridging..

Spend the $40 and get a vlan capable switch to connect all your different devices together.. Then either use multiple uplinks or setup lacp into pfsense so it can route between the networks at L3..

Or get an appliance that has actual switch ports on it, like a 2100 or 3100

@ziarmal

What you are referring to is called QinQ, as described in 802.1ad. It's common in the telecom industry, where it's typically used to provide Ethernet over fibre, but I haven't heard of it beyond that. Also, this is strictly a layer 2 issue and so beyond what pfsense can do.

I found the issue is with the Orbis using STP by reading Flash008's post in the link below.

https://community.netgear.com/t5/Orbi/Orbi-RBK53-ethernet-backhaul-issue/td-p/1505888

I had a couple of options to address this. Either keep the switches STP off and Enable BPDU, or turn on basic STP on the switches with the ports used by the Orbis using the default priority of 32768. I went with turning on STP and setting the ports to use the default 32768 priority which seemed to have worked. Network did go down for about 30 seconds, but then it recovered without isues since.

It's definitely not the pfSense box. On another note, I will most likely tackle some Traffic Limiters next to see if I can't get an A or A+ on dslreports for bufferbloat.

Thanks again for everyone's help. I think I'm good. :)

@dennypage

To be clear, mDNS traffic WILL still move across the network and is still accessible if you are connected to the 2.4GHz side of your SSID. The problem was actually pretty hard to trace out due to the sporadic nature and the fact that the traffic was present on the network. It's just that the WAPs drop it over the 5GHz side if the meshing is enabled.

@r801248 any update on this?