I got his all working in my lab without issue, rolling into production will need planning as WAN will need re-configured and drop my remote connection.

@lugwitz said in phyiscal pfsense trunk to vSwitch esxi:

I don't see that vlans are supported with it.

it’s hard to imagine, as it is supported in principle by PHY ....(
Intel® 82571EB)

10af4282-d773-4298-8181-24c31db957d7-image.png

but then I found this:

https://social.technet.microsoft.com/Forums/ie/en-US/11584256-b924-4945-a2f4-aefca0c3a43a/intel-1000pro-vlan-not-working-any-idea?forum=winserverhyperv

Scratch the PPPoE bridge, let's say ANY subnet is available through two very different paths that can't be LACPed but they nevertheless access the exact same broadcast domains. Could a LAGGs be use to apply the same sets of rules on "paired" interfaces? Is don't suppose it can also constantly evaluate network conditions to choose the best performing path either, is it? 🤓

@jknott Thanks and think I understand.
regards.

The 5 different Synology models I opened up all had Etron Tech nic's.

@jknott Got it, thanks! I learned a lot, the most bizarre thing is that on VMware switches the MTU is 20bytes less than the one set. Just for VLAN trunking nothing fancy like VXLAN or anything like that.

I also got some super weird results on FreeBSD (not pfSense, or firewall distribution at all) where using this hot new command I learned it'd go until certain MTU and pass the traffic, 9000, for instance, but wehn it's "sweeping" (increasing) but starting an echo request right at the same 9000 would say it's too big. …and if you add LACP to the mix things go cray, Britney-Spears-umbrella-meldown-cray. 😂

e.g;
ping -D -g 8940 -G 9100 -h 1 -i .2 x.x.x.x
OK ...blahblah millisec
OK ...blahblah millisec
…
ping -D -s 9000 x.x.x.x
Too heavy, this ain't UPS grrl. …timeout
Too heavy, this ain't UPS grrl. …timeout
…

@marvosa said in Convert from extending L2 (VLANS) to L3 routing:

was usually helpful that printers were always in a particular range.

The issue with printers on a different subnet is browsing no longer works. You have do specifically configure each printer, rather than just selecting one from one that's available.

you need to add tagged members (port) to each vlan (vlan tag) .

for example :

Vlan tag memebers

201 2, 3t,4t,9t,10t

301 3t,4t,9t,10t

401 3t,4t,9t,10t

Vlan 201 untagged on port 2 and tagged on port 3,4
vlan 301,401 are tagged on port 3,4

port3 and port4 carry vlan 201,301,401 as tagged VLAN

Forget about the built-in switch and just trunk ix0 to your external switch. The only other method is to bridge ix0 with lagg0 and that is not going to get you to where you want to be (a software bridge is not a switch).

@JKnott said in Port tagging on APU2?:

@bingo600

No, just making sure he's not missing anything.

@JKnott
You're right.
Sorry about the "rant" ..

@imark77 Have you checked that there is an outbound nat rule for that vlan? I just solved my problem by manually adding it. See the post above

@Derelict - It worked as expected on the Macbook (must be config issue on my Linux laptop). Thanks.

our lead mentioned that it's a layer 2 switch and that vlan doesn't reside on that layer 2 network

This means the switch is implemented at layer 2 only... i.e. either routing is disabled or the functionality doesn't exist on that particular switch. Without knowing more about the design, we can only offer generalities, but most likely your layer 2 switch has an uplink that is trunked to either a distribution stack or a router. There are various solutions, but what your lead most likely meant was since the VLAN doesn't exist on the switch, it will need to be built out from the distribution out to the access layer.

In other words, the VLAN needed to be added to the layer 2 switch and then allowed over the trunk (on both sides).

edit:
on the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any vlans and after that it gave me DHCP on the lan ports and vlans. however I am still with the issue of some devices getting IP's and some not, on the same laptop over Wi-Fi nothing wired something. My travel AP does not support vlans so it has to be on the base level. and none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 manageed switches so I could break out all of my VLANs to test, and it was the only ez way to solve ingesting my multiple travel WAN VLANS ( local lan, Wi-Fi, Wi-Fi hotspot, wired LTE modem).

I found a workaround and I don't need to do this anymore, I'm still doing a link/trunkofsorts between two devices but now it's a transit network, not a dozen bridged broadcast domains..in software! Can you imagine the CPU from that--gawdd.

Still, if you're feeling charitable and could confirm if a parent can be bridged without filtering its children just for my curiosity, that'd be awesome.

No keyboard necessary, I'll help you help me, copy/paste checkmark [ ✔︎ ] for "yes they can be bridged alright, shut up already." Cross. ..mark? [ ✘ ] for no, it's per 1 bridge per VLAN (or mixed VLANs in 1 collision domain)

🤓 🔪 The Emoji panel should have network equipment like Visio. Maybe if I say it enough it happens--anybody know blackmagic, not the brand. 😂

Some extra info:
I am running 2.4.5-RELEASE-p1 (amd64)

If I move the vlan interfaces away from the 10G copper (ix0) onto the built-in 1G lagg0 (the internal switch), then connectivity is stable
I followed advises here https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#intel-ix-4-cards so my /boot/loader.conf.local currently looks like:

hw.intr_storm_threshold=10000 hw.ix.flow_control=0

The below is advised in the doc but was already in /boot/loader.conf:

kern.ipc.nmbclusters="1000000" kern.ipc.nmbjumbop="524288"

TSO/LRO and hardware checksum are all disabled from the GUI.

On latency: even though my WAN connection (pppoe) is on another NIC (ix5), it has increased latency beyond the avg for this link (rtt around 40ms, rttsd about 80ms).
The latency goes away if I stop using the 10G port and move my server on a 1G port of the built-in switch of the XG-7100 (connected via LAGG0).

When the physical interface ix0 is going down, other physical interfaces are still online and the pfsense box is still reachable via other logical interface (ie via some vlan interface over the lagg0 built-in switch).

@johnpoz said in DNS Resolution/Routing Issue on VLAN:

Oh good catch ;)

Yeah client will say that is BAD.. Are you doing some sort of source nat?

I suspected the reply from the resolver's other IP was problematic and thought I had indicated that in my original post. My apologies for wasting cycles having been unclear on that. Additionally, I am not doing any source or outbound NAT anywhere.

@viragomann said in DNS Resolution/Routing Issue on VLAN:

So the client is requesting the LAN IP, but pfSense is sending responses from the VLAN IP. Hence the client won't accept the response and the DNS request is failing.

That's not the default behavior, even in a setup like yours. But I have no idea, what could be the reason for this.
Possibly you have something miss-configurated with the VLAN or do a kind of outbound NAT?

However, as I suggested above, simply use the VLAN IP as DNS on the clients and your headache will be gone.

The VLAN is pretty simply configured on pfSense and both downstream switches. I've pored over each config for hours now. I can't find anything in them that leads me back to this issue. Why is pfSense/unbound coming back to that network through the other interface? Ugh.

I suppose I'll acquiesce to changing the DNS configs on that VLAN to query unbound on the VLAN200 interface rather than LAN. That won't bode well for my curiosity, but sometimes you have to admit defeat.

It started working even though I haven't changed anything in my config.

🤷