If i understand correctly, LACP is preferable over static Load Balancing?

@johnpoz
I'm beginning to confuse myself so I want to be sure I'm going the right direction before I screw up my network. I especially want to get the VLANs right before I re-introduce pfSense back into the configuration.

Does this make sense for configuring the Edge Router X as an L2 switch with VLANs for your 2nd diagram above:
-leave switch0 connecting ports eth1 through eth4 as it currently is set up
-eth0 is connected to the LiteBeam (WAN) and continues to have the IP address it gets from the LiteBeam; untagged for VLAN10
-eth1 is connected to the ethernet cable going back to the switch in the house and serves as the trunk VLAN; untagged for VLAN10, tagged for VLAN2
-eth2 and eth3 are currently unused
-eth4 is connected to the outdoor mesh AP; untagged for VLAN2

managed LAN switch in the house:
-all ports get untagged for VLAN2

This was also useful:
https://help.ui.com/hc/en-us/articles/115012700967

@sho1sho1sho1 said in Vlan in different subnets cannot connect...:

but can you tell me the /24 and /16 should not be the issue?

No that is not an issue as long as the networks don't overlap.. and since one is 10.x and the others 192. there is no way they could.

There is a whole section about policy routing, which is what your doing when you set a gateway on a rule. And you have to allow intervlan traffic that you want to allow above where you force the traffic out a gateway. Pretty sure its in the multiwan parts of the doc.

But if you say what you want to allow and what you want to block - and post your rules happy to validate them for you.

And don't forget host firewalls, they don't like other non local vlans normally.. There be a flood of those threads as of late.

Ok got it! Thank you. This is now a great reason to take the time and set up the VPN on pfsense.

I think I've solved both problems.

The first problem with the second port of the LACP not working is resolved by removing and then readding the specific interface to the LACP group. After I did that the port started working immediately.

After that, there were still messages of "Interface stopped DISTRIBUTING, possible flapping" but now on both interfaces of the LACP group. To resolve this I added the system tunable I already mentioned in my first post ("net.link.lagg.lacp.default_strict_mode" with value 0) and restarted the firewall. Since that moment (last Saturday evening) until this moment I'm writing this, there are zero log entries with that error and the link hasn't gone down either since that.

Hi,

I don't see any issue with the intended setup. But, is this switch being shared with internal LAN? If so, triple review VLAN config to avoid security issues.

Regarding overhead/hardware load between vlan or multiple NICs, I see no issues. Probably the amount of traffic passing through Pfsense will have hight impact than VLAN tagging.

BR,
Benito

After lots of debug and hours lost, that turned out to be some incompatibility between the NIC card on the computer I was running those tests, and the NIC on PfSense box (Intel). Probably defective card but only failing when talking to Intel Nic on PfSense (weird).

Changed NIC to a new one and problem is gone.

Hello,

Sorry to answer that now.
With ACLs, cala works. I don't know HaProxy well yet (I was doing this with Nginx), I thought we had to do this with PfSense rules.

Thank you so much.

Aha! You are a lifesaver. I feel like an idiot. Thank you so much!

@Raffi_ said in Youtube cast across VLANs:

UPNP as you mention if I do decide to put all my devices on the same layer 2.

UPnP is always dangerous... @Raffi_
(an enemy of any firewall and/or router)
but if handled well, it is indispensable for the game

my son is an active PS4 player...
(only when he study, he don't....)

his buddies taught he to speak english (very well) in the PS4 community (game world), ergo on PS4 is the best and cheapest English teacher...😉

I only tolerate it, in our home network, because the teach.....

Yeah that is great.. but if your in vlan X, you can't arp for something in vlan Y.. Doesn't work that way.. So its working as it should.

Probably too late on the party for this one, and seems like you got a solution anyways- but more than anything else I am a noob and wanting to learn, so this is as much for me as it is for you- but I digress.

In the unifi controller, there is a built in option to allow passthrough of a VLAN for the specific purpose of a voip phone. In switch profiles, you can indicate a voice network (which can be a real network, or in this case, a VLAN that is configured as a network in the unifi controller). I think this is a relatively newer feature? But I may be wrong on that. Lawrence Systems on YouTube has a good video on this.

Like I said, this may be a solution looking for a problem but thought I'd put it out there.

@Derelict Thank you. Changing the parent interface to lagg0 worked.

Now, I'm going to see if I can make it work on the expansion card.

@pi said in Help Config Aruba IAP VLANs:

I will configure the OPT1 port

this is fine in itself, but I will also follow the Aruba VLAN, when I will have time to read through it 😉

Looks like my onboard NIC doesn't support VLAN tagging.
I set up LAN and opt3 identically:vlan.png

intelvlan.png

When I have my desktop directly plugged into em1, I don't get an IP from pfsense.

When I have the desktop plugged directly into igb1, or igb1 through the switch, I am able to get an IP from the VLAN.

I still haven't figured out the TomatoRouter part, but atleast I know now it's not a pfsense issue.

My motherboard: https://www.supermicro.com/products/motherboard/Xeon/C216/X9SPU-F.cfm
Network Controllers
Intel® 82574L Dual Port Gigabit Ethernet
Virtual Machine Device Queues reduce I/O overhead
Supports 10BASE-T, 100BASE-TX, and 1000BASE-T, RJ45 output