I would like to install xcp-ng as hypervisor and also have redundancy in case one of the nodes or one of the switches fails. I haven't done this before. css326 should serve mainly for making the connections with the patch panel and as failover if the crs326 switch would fail.
Is the following plausible to setup or what would you recommended ?

3.png

Well, no exactly, I already got noisy stuff under one subnet. I'm just curious if it can be achieved by merely using a transparent firewall technique while keeping the rest of the L2s separated. This is the first time I've thought about pfSense filtering below L3 I believe.

The switches I have, come with lots of stuff for multicast, fancy is actually a fitting word for it's a lot, from multicast filtering to routing to something in the middle (MVR) Plenty more features than for the other L2/L3 areas. But playing with these can easily lead to trouble, nothing too serious yet not far off--I traced a painfully slow network to the Avahi plugin when 2.4.5p1 was first released. It's been switched off since then.

There is one multicast feature that I though seemed like a good compromise, in Ubiquiti-branded stuff it's called MVR, everywhere else is just Multicast VLAN, in Cisco it's probably named by its RFC # and then their licensed next to it. 😆 MVR is supposed to drop all multicast traffic regardless of source VLAN into a dedicated VLAN so traffic traffic won't bother other operations, setting up the ports' mode for it is contradictory in all documentation even it's got not router/source/whatever port designations. I tried so hard to make it work but I kept missing the almost-never-mentioned point: it only goes one-way, same as all other multicast protocols, they're designed to work in this waterfall-like fashion, as if source always were an IPTV operator for instances; remote from the Internet, doesn't care what you have to say. It's never a mesh or at least one-ways-for-all situation. The naming doesn't make it easier either, I know VLANs inside and out now, but when I go through these docs that aren't even for VLANs it makes me question how much do I really know about VLANs, ADHD kicks in and I've lost all day when I eventually l land in the document that triggered the spiral.

Not that useful for something like a remote app, or Spotify Connect/AirPlay, all relying heavily on multicast, treated like broadcast but even less smart. Some just assume your wireless network is the same as the wired one or the most infuriating are those incompatible Enterprise WPAs that expects the other device setting it up to connect to the same SSID otherwise it won't take it. It drives me insane this Harmony Hub I use for domo losses connectivity I have to go get a step ladder to pair it over Bluetooth, to then failing its "tests" to give you an IP input field only at the very end while you wait balancing on the ladder. 🤬

Got sidetracked there, sorry. Avahi and mDNS Repeater seem to be the only tools available for this but they're not really protocols, are they? They're included everywhere, well, Avahi is, but it's banned from switches it seems. They only router appliance I've seen that dealt with this type is in the Ubiquiti USG line, Ubiquiti as a brand sort of constantly readjusts its priorities (or has no direction), so it doesn't really count. So I'm exploring option to see what could be done if I didn't have or didn't know how to setup a RADIUS server (and pfSense didn't have one right in there). There's a lot more happening at L2 beyond ethenet so I'm curious.

I'd love to get my hands on one of those old ATM cards though I woulnd't know what to do with it 5 seconds later. I think my ISP is still using ATM despite delivering fiber I have this hunch. All of their naming still hints to ATM stuff. :)

I don't think you know how much I appreciate those little bits about Plex and preemptive filtering 'cause it's the first kind of thing that pops in my mind when I run into trouble. Thanks for the help!

I'm seeing the same behavior on my network for both wired and wireless clients.
https://forum.netgate.com/topic/157090/periodic-drops/4

Thank you for this post, it let me isolate the cause of the network disruption. I'm still not sure what the root cause is, but at least I have a starting point.

SOLVED it myself in the end!!!
For anyone else out there with the same problem.......
It was Enable 802.1q VLAN mode in the Switch Settings on the SG-3100.

I unchecked this so it was using Port Mode, left it at the default, and I can now connect.

@Inxsible said in Unable to connect to wireless SSID with VLAN:

However, I am no longer getting access to the internet when I am connected to the SSIDs with VLAN ids.... Do you see anything wrong with my Firewall rules in the above post?

I had to add Outbound NAT rules because I have mine set up as Manual. Once I added those and the allow rule to access the firewall for DNS, I was able to access the internet from the devices connected to the VLANed SSIDs

@JKnott OK, thanks I understand that now. I do not have any media to change so 'Switch port' can be left alone.
As for the section below, and looking at the pfSense Book, I don't think I need to add a gateway.
Thanks very much for your input.

@prx said in Speed Interface error in QinQ interface:

In the GUI under Assignments -> Interfaces I can only select "autoselect"

Due to the nature of "LAG", both sides require the same - next:

-Be of the same speed
-Have the same Duplex settings

When negotiating the LAG speed (merged), only "auto" can be considered, because of the above.

Just think along, two parent interface, which is 1Gig
in LAG (with LACP) 2 Gig

if one of the parent interfaces becomes detached, the combined speed will again be only 1 Gig, so the speed of the LAG interface cannot be predefined, but depends on the group members (from their number / speed)

@JKnott Thanks for the reply. I didn't provide much info in my original post. I have a couple of pics. The things is I expected that after creating these virtual interfaces and, associating them as in the tutorial, that the original LAN configuration would no longer be in play (which is what I want). It doesn't seem to be; I have a dhcp server on vlan1, port number 1, and it's successfully passing out addresses with the vlan1 network values. The original /24 network across all regular ports is no longer a factor, is it, or am I missing something.

ports.png
ports2.png

Sean

@johnpoz thanks for your help so far. It is fixed. this option was checked. Once I unchecked, I started getting internet. Didn't even know when it got clicked. Thanks.

https://imgur.com/ua2kuQe

hi,nevermind, its already fixed,
please delete post.

Opened up https://redmine.pfsense.org/issues/10890 for the Switch port issue.

@chibaba said in Virtual VLANS Query:

Can anyone think of anything obvious that I've missed or is the Realtek VLAN on the nic stopping things from working correctly?

Is there a special reason why you are using the internal VLAN for the uplinking of the switch chip of the XG7100 on your Cisco switch? Normally you don't and just setup the interface with the appropriate VLAN you want to use instead of jumping up and putting the whole upstream thing from the XG to your network. See no real sense in it perhaps you could elaborate what you're trying to do?

@Inxsible said in VLAN on LAN vs on separate physical port:

Advantage of using the Static ARP over DHCP IP reservation on the VLAN interface ?

The static ARP was used only to configure the IP address. The cameras did not support DHCP and they had no address out of the box. So I would manually create an ARP entry with an IP address, so that I could use a browser to configure the address. After that was done, it was ready for service and the NVR configured for all the cameras. As I mentioned, there was also an app to configure the cameras, but I found it wasn't always reliable, whereas the static ARP method always worked.

@demoso

????

Client separation is a AP issue, not pfsense.

@jthombenj

Well, VLAN 10 implies tagged frames, when you want untagged for your main LAN. For example, today, I am trying some stuff with multiple SSID on my LAN. My 2nd SSID connects to VLAN 3 and I have added VLAN 3 to my LAN interface. So, frames for the LAN and main SSID will not have a VLAN tag, but those for the 2nd SSID will have a tag for VLAN 3. Desktop computers generally can be configured to work with VLAN tags, but many other devices can't. So, if your main LAN is tagged, then those other devices wouldn't be able to connect. However, if you have a managed switch, then it could take those VLAN 10 tagged frames and strip the tags off, before sending the frames out to the LAN. Of course the reverse happens for frames going the other way.

@dma_pf This was the spot that was in error, but I assumed it was a typing mistake...

DMAVoip_vl166
Enabled: Checked
Deny Unknown Clients: Checked
Range: 192.168.166.10 - 102.168.167.20

The range on that one is incorrect.

Jeff

@rterren On your OPT port, you have to first enable it, give it a static IP address with a /24 subnet mask. Don't assign a gateway.

Screen Shot 2020-08-22 at 10.13.46 AM.png

Then, under Services -> DHCP Server, find that interface, and turn on the DHCP server function. You need to specify a range, a start address and an end address in other words, but that's pretty easy.

That's all there is to it. If you plug say, a laptop, into the LAN port, you should get an IP address from that range. Then, if you plug the same laptop into the OPT port, you should get an address in the other range. 2 different IP ranges on the same pfsense box. You don't want to use the "additional pool" thing on your LAN network, that's not correct for this scenario.

No offense, but I wouldn't be too tempted to use the SG-1000 just because it's sitting on your desk. I found myself doing/thinking the exact same thing, but I ended up selling my SG-1000, because I couldn't come up with a good enough reason to keep it. Anything I could think of, I could easily do with the other boxes I've already got, the ones with all the extra network ports.

Jeff