@mcury Wow way too much time spent on this lately but finally getting it to where I want it to be. [image: 1609995306377-vlan.jpg] Vlan1: Management This is the Lan off the pfsense firewall. It has access to pfsense gui, all switches, ap, vlans. Vlan3: Server Unraid server running plex, LMS, a few other things Allowed: pfBLockerNG, DNS, Plex to HDHomeRun tuner on Vlan4, Internet Blocked: Firewall & Internal communication. Vlan4: Home Theater Denon Receiver, (3) piCorePlayers, (2) Nvidia Shields, Xbox, (2) HDHomeRun Tuners Allowed: pfBLockerNG, DNS, Plex players to Plex on unraid, piCorePlayer to LMS on unraid, Internet Blocked: Firewall & Internal communication. Vlan5: Work Work laptop, (2) VOIPs Allowed: pfBLockerNG, DNS, Internet Blocked: Firewall & Internal communication. Vlan8: Wireless (2) Iphones Allowed: pfBLockerNG, DNS, Internet Blocked: Firewall & Internal communication. Vlan9: Guest Wireless (2) Chrome books, (2) iphones, (2) kindles, PicorePlayer, roku, PC Allowed: pfBLockerNG, DNS, Internet Blocked: Firewall & Internal communication. Equipment: Pfsense box: HP Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz, 16 gigs of ram, HP 4 port ethernet card - Packages running: aprwatch, iperf, nmap, ntopng, pfBlockerNG, RRD_Summary, Status_Traffic_Totals, Telegraf Access Point: Netgear R7800 running Openwrt Switches: TP-Link TL-SG1024DE, (2) TP-Link TL-SG108PE Server: ASRock X99 Extreme3, CPU 2GHz 12 cores(24 HT), 32gigs ram Unraid Parity Drive: 4tb 15TB HD Space Cache Drive for Dockers Unassigned drive for VMs (Windows, Hassio, Linux) Things still testing: Iphone control while on Vlan8 to items in Vlan3(plex), Vlan4(Receiver, PiCorePlayers, Shields, Roku). Verify anything in Vlans 3+ can't get to pfsense box, switches, APs, Server. I am sure I am forgetting something.

Pfsense would not strip tags.. You can view tags in the capture by doing a sniff on the parent interface with tcpdump and using the -e flag You will then see this for something that has tag on it. ethertype 802.1Q (0x8100), length 58: vlan 4, p 0, ethertype IPv4

@jknott Yes typo, thank you. S/b: VLAN 1 untagged on ETH5-8. I have since added all the VLANs I need and VLAN1 works untagged and the rest are tagged and working on ETH5-8. [image: 1609790814484-pfsense_xg7100_switch_vlans.jpg]

@kiokoman said in VMware Vlans and PFSENSE: 0t thanks for replying, that was the issue once I tagged the 0 and 2 interfaces it worked like a charm

@johnpoz said in Need suggestions for home topology: Poor guy ... 10 100 days downtime/yr We both did typos ;) 365 - nice catch - doh! Well maybe i can get my tuition money back for calc ... Nice catch too

@bingo600 said in VLAN security question: As Mac should be unique. Well, any router that's connected to multiple VLANs will have the same MAC on those VLANs. On the other hand the IP addresses will be different, as they're on different subnets.

@bingo600 Yes all the management of the network is done from the 163 network. The only things connected to the 163 network is a Microsoft AD server and trusted computers in that AD domain. There is an additional physical 160 network set up just like the 163 network (physical ports on the switch and wifi) with the exception that it connects to pfSense on EM1 and it has port 13 assigned to it as a tagged port . There is an additional tagged SSID on the access point for devices to connect to the 160 network. This is also a dedicated interface with no other networks. It has various trusted devices, laptops, phones tablets etc that should not access the other networks. Those devices connect either by ethernet or wireless. Every network (physical or vlan) has firewall rules that reject access to RFC1918 networks with the exception of a few select devices on the 163 network that are used to manage the full network.

@sgw said in how to manage APs and various ESSIDs: What do you mean with "native LAN" ? The standard LAN on pfsense? "Native LAN" refers to the network without any VLANs. For example, with pfsense, you have an interface for your LAN. You can run all sorts of traffic over it, but there is no separation into virtual LANs. Anything beyond that basic network, is carried over VLANs on the same basic network. Of course, you could use a managed switch to remove the VLAN tag and place the packets on another physical network. Any traffic on that network would be "native", even though it would be VLAN elsewhere. On my system, I my native LAN interface is bge0. I also have bge0.3, which is VLAN3 on my native LAN. If you were to watch the traffic on that physical interface, you would see frames both with and without VLAN tags. While many devices can handle VLANs and work directly with tagged frames, others can't, which means they can only be on the native LAN or be behind a managed switch that has a port dedicated to that VLAN. My VLAN is used for my guest WiFi. So, I have pfsense, my AP and my switch configured for that VLAN. Both native LAN and VLAN 3 are on the switch ports connected to pfsense and the AP. All other ports are native LAN only.

@rostyslav-didus said in Trunk port beetwen Cisco 3750g & PfSense 2.4.2-RELEASE: @bingo600 Yes sir! My mistake-I didn't say that pfsense is on Esxi. We updated pfsense. Now it got last stable version. I am going to read how to make proper vlans on Esxi to allow vlan 5 flow. I'll show esxi config in 2 hours. Thanks. I have not tried a pfSense on ESXi , but have a small home ESXi , where i used vSwitch to make the trunk (& Vlan definitions). Someone else w. pfSense on a VM experience should chip in. Have a look in this section. https://forum.netgate.com/category/33/virtualization

Nevermind. I figured it out. It was something on my own computer blocking it. Thanks for the advice and the help anyway!

@johnpoz, thank you.

well Netgear vlan switch arrived,.. figured out how to configure it,.. and I now have 5 local VLANs enabled all working fine,.. There are just so many configurable things with this unit,.. BTW does anyone know how to save the config,.. without using the netgear cloud,. or is that the catch,. they want you to use their paid service... or am I just being a Scrooge...

I got his all working in my lab without issue, rolling into production will need planning as WAN will need re-configured and drop my remote connection.

@lugwitz said in phyiscal pfsense trunk to vSwitch esxi: I don't see that vlans are supported with it. it’s hard to imagine, as it is supported in principle by PHY ....( Intel 82571EB) [image: 1608715056514-10af4282-d773-4298-8181-24c31db957d7-image.png] but then I found this: https://social.technet.microsoft.com/Forums/ie/en-US/11584256-b924-4945-a2f4-aefca0c3a43a/intel-1000pro-vlan-not-working-any-idea?forum=winserverhyperv

Scratch the PPPoE bridge, let's say ANY subnet is available through two very different paths that can't be LACPed but they nevertheless access the exact same broadcast domains. Could a LAGGs be use to apply the same sets of rules on "paired" interfaces? Is don't suppose it can also constantly evaluate network conditions to choose the best performing path either, is it?

@jknott Thanks and think I understand. regards.

The 5 different Synology models I opened up all had Etron Tech nic's.