That is what I do as well, some interfaces run multiple vlans. Others have only single interface. My high volume vlans have their own uplink. Other vlans like my wireless ones share an interface. Wireless clients not going to be able to use a full gig interface anyway - not a single device for sure.. Maybe as you move to AX.. But until that time with wifi 5, not really possible for a wireless client to use full gig. So yeah they can share an interface, and rare that any wifi vlan would ever talk to another wifi vlan, etc. This is what is nice about having multiple interfaces on your router. One of the reasons went with the 4860... Lots of discrete interfaces, gives you more options. I don't really have any use for switch ports in my router ;) That is why I have switches... heheh Now what I would love to see, would be a netgate box that has multigig interfaces - support for 802.3bz.. Love to have interfaces that can do 10/100/1000/2.5/5/10ge Multigig switch ports be great.. This could allow for say future connection of AX APs that support say 2.5ge uplink into the router, when you don't actually have a muligig switch, etc.

All good now. Found out that its the client (Win 10) firewall

@JKnott Looks like you are mostly correct. I factory defaulted all of my equipment and setup everything from scratch again. Looks like I am able to issue DHCP to each VLAN correctly. Thank you!

@jknott Thank you .... ill try to inspire from your hint. Thank you again.

@marvosa yea, unfortunately my switches are L2 only, so I don't think inter-vlan routing on the switch is going work for me. Interesting to note VLAN overhead. I didn't think it was that much, but frankly I don't have much experience with VLANs and this is my first attempt at VLANs on a network I control. Thanks for your feedback. Definitely helps me understand and have some base expectations with routing VLANs through pfSense :)

@nerlins said in Am I thinking this topology through correctly?: I did this, but couldn't see Unifi devices in the network controller. Well your only going to see unifi devices when they are in the same L2 network, unless you did L3 adoption.. I even brought up putting wireless and wired in the same vlan, etc. Which is why you would want a switch.. Bridging interfaces is NOT a switch.. As I suggested from the get go - get a switch to put in front of pfsense so you can do whatever you want with putting anything you want in any specific vlan.. If your going to connect a AP that has multiple vlans on it directly into a port on pfsense, you would have no way to add wired devices to any of these vlans.. Without the nonsense that is bridging.. Spend the $40 and get a vlan capable switch to connect all your different devices together.. Then either use multiple uplinks or setup lacp into pfsense so it can route between the networks at L3.. Or get an appliance that has actual switch ports on it, like a 2100 or 3100

@ziarmal What you are referring to is called QinQ, as described in 802.1ad. It's common in the telecom industry, where it's typically used to provide Ethernet over fibre, but I haven't heard of it beyond that. Also, this is strictly a layer 2 issue and so beyond what pfsense can do.

I found the issue is with the Orbis using STP by reading Flash008's post in the link below. https://community.netgear.com/t5/Orbi/Orbi-RBK53-ethernet-backhaul-issue/td-p/1505888 I had a couple of options to address this. Either keep the switches STP off and Enable BPDU, or turn on basic STP on the switches with the ports used by the Orbis using the default priority of 32768. I went with turning on STP and setting the ports to use the default 32768 priority which seemed to have worked. Network did go down for about 30 seconds, but then it recovered without isues since. It's definitely not the pfSense box. On another note, I will most likely tackle some Traffic Limiters next to see if I can't get an A or A+ on dslreports for bufferbloat. Thanks again for everyone's help. I think I'm good. :)

@dennypage To be clear, mDNS traffic WILL still move across the network and is still accessible if you are connected to the 2.4GHz side of your SSID. The problem was actually pretty hard to trace out due to the sporadic nature and the fact that the traffic was present on the network. It's just that the WAPs drop it over the 5GHz side if the meshing is enabled.

@r801248 any update on this?

Well power MAX can for sure be misleading.. Great device to add to your tool belt, if you have any care to what devices draw.. Is a kill-a-watt meter.. Or a smart plug with power reading.. So you can plug a device in, and see what it actually draws.. Say leave it on the plug for 24 hours min.. And try and atleast use it a bit like you think you normally would.. Cost of elect can vary quite a bit.. But at the national average of like 12cents per kwh.. A 100W will cost you 100 Bucks a year. Not counting delivery cost of the elect as well, and taxes on that etc.. so going to be 100+ a year to run something that sucks 100w if left on 24/7/365 I have gotten pretty into how much something draws, even before I went solar.. So Im the blue line - guess when I went solar ;) [image: 1611361470268-electric.png] I always use to be above even my non efficient neighbors (all the networking/computer toys) ;) The part I like the most is where I am under the 0... This is where I produced more than I used.. Which is the goal..

@rmfooty I dont know if it can help you... it was difficult to find on internet cause everybody say just set VLANS on pfsense after set on Switch... but nobody told us to set Hyper V when we are talking about VLANs on Hyper V https://blog.workinghardinit.work/2015/10/13/trunking-with-hyper-v-networking/

Well.... Made a backup of the settings in 2.2.6 and restored them into 2.4.5p1. Had to reinstall packages but everything is working like a charm. Exactly the same settings in interfaces... but now its working.

@cool_corona Yes I understand that, but pfsense is still involved correct? - when I change system -> advanced -> networking performance varies Thanks

@ncat I understand the convenience factor, however, instead of adding complexity, you could also address those issues by adding the appropriate routes as needed. I have yet to hear anything that couldn't be addressed with a routed solution.

Problem is solved, it looks like suricata was blocking my machine somehow.