@wc2l Those are aliases. Private is an alias for all RFC1918 IPv4 addresses and IPv6 ULA. Prefix is an alias for my /56 IPv6 prefix.

Under diagnostic menu.. Packet Capture. This allows you to see like the raw data that interface sees.. Here this might help in what packet capture (sniff) is. https://en.wikipedia.org/wiki/Packet_analyzer edit: example Here is a sniff (packet capture) on my dmz interface (192.168.3.253) while pinging an IP in my dmz network, from my lan network 192.168.1000 [image: 1614355630380-sniff.png] Now you can view more info by changing the verbosity level in that screen. Or you could just download the capture into your own software.. Wireshark for example (free).. And get all kinds of great info on what is actually going on.. For troubleshooting stuff [image: 1614355766223-info.png] In your specific scenario - you would of been able to see if pfsense was actually sending on the ping request, but not getting an answer, etc.

@cheezyadmin LLDP is a discovery protocol. My guess is their phones use LLDP to discover the voice VLAN. You will need to enable LLDP (and possibly LLDP-MED) on your switch.

adding a pass rule from(opt1) to source/dest/port(any) in the firewall on the opt1 interface solved the problem.

@madnet As has been mentioned here many times, avoid TP-Link, if you want to use VLANs. There are plenty of other brands that work properly.

@marvosa Thank you! It took me some time and a little nudge from a friend to translate your sentence but eventually I figured it out. I now have the gateway online and the interface up and learned some things in the process.

forgot to mention the VPN via IPsec which is the 5th net, but it probably does not make a difference here.

@hieroglyph Also, pfsense is not going to be able to move packets faster at layer3 than a switch can at layer2. If you want pfsense to be efficient, let the switches handle all inter-LAN traffic (i.e. LAN10 to LAN10. LAN20 to LAN20. Etc...). That way pfsense only needs to handle cross-LAN traffic (LAN10 to LAN20. LAN20 to LAN30, Etc...) and traffic headed out of WAN.

@pwang99 I'm starting to think you are a "Robot" , or totally miss the point here. Always the same answer. How much network/switch experience do you have ? /Bingo

@janiboy You will need firewall rules to allow the LAN and VLAN to communicate.

@nevar i was able to figure out the issue. it is noob mistake. i forgot that starting windows10, ping is disable by default argh. after realizing that, i install portable ftp server on my pc that is on vlan and then try connect to it from my lan. i was able to connect to it. i also do couple test with the rule set to disable/enable and it work as expected.

@cburbs , @johnpoz & @bingo600 for all the suggestions! I ended up using LibreOffice Draw, the start was clunky but once I got the hang of its drawing toolbar it became a breeze. Also realized that by documenting details, it took that extra level of time and scrutiny made me think through the topology functionally and not use my standard "do first then think later" approach It is also easy to edit and make changes so for a free solution and a simple network like mine it worked out great, here is a blurred screenshot for your delight!!! [image: 1613527913361-screen.png]

@hieroglyph , @JKnott , FIXED! TL;DR: Could not understand why pfsense was not passing and/or routing untagged traffic to switch UI's via tagged interfaces, but no problems with any untagged<-vlan->untagged device traffic. solution: my ID10T mistake: uncheck "Enable Static ARP entries" in DHCP on the interfaces of the devices, or add the static APR entries necessary for all devices (hosts and switches...) to talk. Look for states in state table. Dumb*** move on my part. Posted for all to read and groan/laugh at the noob...as the saying goes "KISS"...but, it's as much about learning as doing. And, I now have SSH for all my devices installed, putty/mobaXterm/wireshark installed on all my machines, and also WSL with ubuntu to help me out in the future :) Ok, after i tried a ton of reading, pinging, capturing, triple checking/disabling rules and trying the outbound NAT, and that didn't work either, in the process I noticed something else recently changed: whereas before I could ping "just fine" from any of my vlans, well, my primary vlan stopped seeing the switches also... I like these types of failures! So, resetting my assumptions, after more google-fu, I looked at the state tables (recommended in other posts), and realized there were no states in pfsense for switch-1. Well, if pfsense can't see it, pfsense won't route to it, but the other devices were present.... hmmm....as if the switch(es) weren't allowed.... I thought I'd try to add a static ARP for switch-1 - and... that's when I noticed that at some point in my former brilliancy, I happened to check the "Enable Static ARP entries" in DHCP on the VLAN10 interfaces. Now that's all fine and good as it had the machines I wanted to connect with, BUT no entries for switch-1 (or 2)! Added them to the VLAN10 interface since that is what they communicate to, and EVERYTHING is groovy again! Now I can use the firewall rules to fine tune access, and avoid NAT for now, as future challenge will be VPN's....I may be back... Anyhoo, thank you again @hieroglyph and @JKnott for your time and help giving me direction!

@marvosa said in Access point with VLAN - no LAN connection: RxBadPkt's? Why would you do that??!?! Like I said... suspect... LoL! Good question - like every tagged packet is marked as bad - I do recall that when was testing their - whats the right word?? Oh yeah JUNK! Do yourself a favor and use something else other than tp-link for switches and AP.. As dumb products they might be fine - but if your wanting to do vlans. They don't understand them..

@hanalei_boy You'd think so, but it's not hard to give it a try to see what happens. Put it first, so that nothing else can affect it.