@bingo600 said in VLAN security question:

As Mac should be unique.

Well, any router that's connected to multiple VLANs will have the same MAC on those VLANs. On the other hand the IP addresses will be different, as they're on different subnets.

@bingo600 Yes all the management of the network is done from the 163 network. The only things connected to the 163 network is a Microsoft AD server and trusted computers in that AD domain. There is an additional physical 160 network set up just like the 163 network (physical ports on the switch and wifi) with the exception that it connects to pfSense on EM1 and it has port 13 assigned to it as a tagged port . There is an additional tagged SSID on the access point for devices to connect to the 160 network. This is also a dedicated interface with no other networks. It has various trusted devices, laptops, phones tablets etc that should not access the other networks. Those devices connect either by ethernet or wireless.

Every network (physical or vlan) has firewall rules that reject access to RFC1918 networks with the exception of a few select devices on the 163 network that are used to manage the full network.

@sgw said in how to manage APs and various ESSIDs:

What do you mean with "native LAN" ? The standard LAN on pfsense?

"Native LAN" refers to the network without any VLANs. For example, with pfsense, you have an interface for your LAN. You can run all sorts of traffic over it, but there is no separation into virtual LANs. Anything beyond that basic network, is carried over VLANs on the same basic network. Of course, you could use a managed switch to remove the VLAN tag and place the packets on another physical network. Any traffic on that network would be "native", even though it would be VLAN elsewhere. On my system, I my native LAN interface is bge0. I also have bge0.3, which is VLAN3 on my native LAN. If you were to watch the traffic on that physical interface, you would see frames both with and without VLAN tags.

While many devices can handle VLANs and work directly with tagged frames, others can't, which means they can only be on the native LAN or be behind a managed switch that has a port dedicated to that VLAN.

My VLAN is used for my guest WiFi. So, I have pfsense, my AP and my switch configured for that VLAN. Both native LAN and VLAN 3 are on the switch ports connected to pfsense and the AP. All other ports are native LAN only.

@rostyslav-didus said in Trunk port beetwen Cisco 3750g & PfSense 2.4.2-RELEASE:

@bingo600
Yes sir!
My mistake-I didn't say that pfsense is on Esxi.
We updated pfsense. Now it got last stable version.
I am going to read how to make proper vlans on Esxi to allow vlan 5 flow.
I'll show esxi config in 2 hours.
Thanks.

I have not tried a pfSense on ESXi , but have a small home ESXi , where i used vSwitch to make the trunk (& Vlan definitions).

Someone else w. pfSense on a VM experience should chip in.
Have a look in this section.
https://forum.netgate.com/category/33/virtualization

Nevermind. I figured it out. It was something on my own computer blocking it. Thanks for the advice and the help anyway!

@johnpoz, thank you.

well Netgear vlan switch arrived,.. figured out how to configure it,.. and I now have 5 local VLANs enabled all working fine,..
There are just so many configurable things with this unit,..
BTW does anyone know how to save the config,.. without using the netgear cloud,. or is that the catch,. they want you to use their paid service... or am I just being a Scrooge...

I got his all working in my lab without issue, rolling into production will need planning as WAN will need re-configured and drop my remote connection.

@lugwitz said in phyiscal pfsense trunk to vSwitch esxi:

I don't see that vlans are supported with it.

it’s hard to imagine, as it is supported in principle by PHY ....(
Intel® 82571EB)

10af4282-d773-4298-8181-24c31db957d7-image.png

but then I found this:

https://social.technet.microsoft.com/Forums/ie/en-US/11584256-b924-4945-a2f4-aefca0c3a43a/intel-1000pro-vlan-not-working-any-idea?forum=winserverhyperv

Scratch the PPPoE bridge, let's say ANY subnet is available through two very different paths that can't be LACPed but they nevertheless access the exact same broadcast domains. Could a LAGGs be use to apply the same sets of rules on "paired" interfaces? Is don't suppose it can also constantly evaluate network conditions to choose the best performing path either, is it? 🤓

@jknott Thanks and think I understand.
regards.

The 5 different Synology models I opened up all had Etron Tech nic's.

@jknott Got it, thanks! I learned a lot, the most bizarre thing is that on VMware switches the MTU is 20bytes less than the one set. Just for VLAN trunking nothing fancy like VXLAN or anything like that.

I also got some super weird results on FreeBSD (not pfSense, or firewall distribution at all) where using this hot new command I learned it'd go until certain MTU and pass the traffic, 9000, for instance, but wehn it's "sweeping" (increasing) but starting an echo request right at the same 9000 would say it's too big. …and if you add LACP to the mix things go cray, Britney-Spears-umbrella-meldown-cray. 😂

e.g;
ping -D -g 8940 -G 9100 -h 1 -i .2 x.x.x.x
OK ...blahblah millisec
OK ...blahblah millisec
…
ping -D -s 9000 x.x.x.x
Too heavy, this ain't UPS grrl. …timeout
Too heavy, this ain't UPS grrl. …timeout
…

@marvosa said in Convert from extending L2 (VLANS) to L3 routing:

was usually helpful that printers were always in a particular range.

The issue with printers on a different subnet is browsing no longer works. You have do specifically configure each printer, rather than just selecting one from one that's available.

you need to add tagged members (port) to each vlan (vlan tag) .

for example :

Vlan tag memebers

201 2, 3t,4t,9t,10t

301 3t,4t,9t,10t

401 3t,4t,9t,10t

Vlan 201 untagged on port 2 and tagged on port 3,4
vlan 301,401 are tagged on port 3,4

port3 and port4 carry vlan 201,301,401 as tagged VLAN

Forget about the built-in switch and just trunk ix0 to your external switch. The only other method is to bridge ix0 with lagg0 and that is not going to get you to where you want to be (a software bridge is not a switch).

@JKnott said in Port tagging on APU2?:

@bingo600

No, just making sure he's not missing anything.

@JKnott
You're right.
Sorry about the "rant" ..

@imark77 Have you checked that there is an outbound nat rule for that vlan? I just solved my problem by manually adding it. See the post above