You don't really need vlans, just separate lans. :)
You already have 5 lan interfaces, and since one should be dedicated to the wan, you can have up to 4 segmented lans to play with, without any vlans.
If you need more that that, then the dlink switch in 802.1p mode can provide even more segmented lans.
But I think 4 is enough.
Lets say 4 zones, business, leisure, guest/wifi/printers/phones, and??
Of course things get complicated if for example you want wifi access to he business segment from wifi for some devices, but not for guests, or we don't want the missus to have fb access (god save us).
You should strive to have devices having common internet requirements on the same lan, so you can leverage pfblockerng et al better.

@mourad13 You're welcome, no problem!

@newberger said in HP switch and vlan:

Also, you might need to check your NAT rules? I had the po

change FW to allow all and still not getting IP. Prior to using wireshark, HP switch is configured to LAGG with Unifi switch, I had remove the LAGG to enable port mirroring.

Capture trace on the port connecting esxi box and vmnic. DHCP traffic vlan50 is captured on the switch port but not on vmnic.

I have pfblocker running and the NAT rules are for DNSBL.

@johnpoz

Yes, QNAP has similar functions, but that makes sense on the setup. I think I will stay with the simple (aka, "working") setup! ;) Thanks for all your help, as usual!

@netblues said in Can't Bridge WAN's Parent Interface [SOLVED]:

@m0j0 I'm glad it worked for you. If you have more than a few vlans, emulating a managed switch this way is quite impractical.
Do some stress testing though. I have no idea what kind of speeds you are expecting from fiber and it would be interesting how it fares.
On the other hand, if only voip will end up being bridged, then traffic will be minimal.
pppoe bound on a vlan tag is ok and with minimal overhead, since vlan tagging is handled at the hardware level of the physical interface.

Thank you for your message. I will keep in mind those points. Indeed you are right I am only using this "emulation" to get VoIP back. My internet package gives me 800Mbps down and 200Mbps up and so far both have been just fine even with fq_codel the Qotom (Celeron 3215U & 2GB RAM) box keeps up. I must admit that I really only monitor the pfsense dashboard and sometimes ssh in and check dmesg.

@Fmstrat So, create a separate dmz interface, with dhcp server and feed the isp router from there. This will assign whatever ip you wish to its wan interface, and also adjust routing.
Having said that, isp router have limited dhcp client capabilities and are often buggy.

@viktor_g Thank you a lot for confirming!

I would also verify what protocol these devices communicate on because you are only allowing TCP in both VLANs.

I think setting the interface 3/1 to Trunk under Switching > VLAN > Switch Port Summary may have resolved the issue. It allowed my DHCP from the firewall to traverse to the VLAN. I will further test this when I get more time.

This may have been a switch config issue and not the firewall. Apologies for posting this issue in the netgate forum.

@jst68

because I think we're over it....hahaha
that’s why you have to work (on pfSense config), when everyone is asleep 😉

@charles_moody said in Trunk/LAGG problem / pfSense UniFi 24-250W PoE Switch and VLANs:

Can anyone tell me how to get the switch to adopt

So this is crux of your issue?

That has nothing to do with pfsense.. Your controller and switch need to be on the same L2 network for adoption... Or you need to use L3 adoption.. This has everything to do with unifi, and not related to pfsense at all.

https://help.ui.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

behind that about 10 smart-managed Netgear switches

This seems nuts - are they all in closets somewhere.. How big is this house? If you were running cable - why would all your cables not just home run back to your core switching area? Curious where exactly all these switches are?

want LAN just for troubleshooting and because it’s often stated that LAN will strip of the VLAN tags from the traffic

Huh? You can run vlans on lan just like any other interface.. So not sure what your thinking with this statement... Sure you can use lan interface as your management interface.. But it can run vlans on it as well if you want.

@JKnott

I tend to heir on the side of caution when it comes to using terminology I'm not 100% familiar with, but I have the basics down that's for sure.

Regardless, after some extensive troubleshooting I got rid of the Aruba switch and swapped it out with a Ubiquiti.
Had my network infrastructure team troubleshoot the Aruba... nobody could get it working. They let me know about how others have not been able to use Aruba equipment in the past, so i chalked it up to the switch.

Get a third switch to use as your "core" and connect pfSense to that. Connect the other two switches to the "core" switch.

The switches in the SG-1100, SG-3100, or XG-7100 would be a good choice here. Any of those could handle the VLAN trunk links to the other two switches without any messiness like pfSense bridging.

@demitri said in Question about VLAN and VPN:

The problem I am having is that when I start a large data transfer from my Mac to the NAS, almost any internet access will disconnect the VPN.

Hello,

note, if the NAS and MAC are on the same subnet then what are we talking about - not pfSense affected

bottleneck - is formed due to the following

if all your traffic (LAN / WAN) passes through the same VLAN (you know the wrong eth. port)

you reduce the throughput of the 1Gig interface

ergo, you solved the problem with VLAN, but now everything goes through a real interface (1 pcs - VLAN) (maybe 1Gig)

+++++edit:

the lesson is that:

VLAN is good, but you can't break down a physical interface - to hundreds of millions of VLANs without a drop in speed

pls. think, only of the uplink ports of switches with many VLANs and they are usually squeezed into a LAG together with LACP (2 - 4 ports) or we choose a switch that has 2 x 10Gig uplink ports, for example

Ok... Here is 2 tests.. 1 where the networks are on their own physical interfaces

layout..
iperf server 192.168.9.10
iperf client 192.168.200.10

twophysicalnics.jpg

$ iperf3.exe -c 192.168.9.10 -B 192.168.200.10 warning: Ignoring nonsense TCP MSS 466688 Connecting to host 192.168.9.10, port 5201 [ 5] local 192.168.200.10 port 50165 connected to 192.168.9.10 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 108 MBytes 903 Mbits/sec [ 5] 1.00-2.00 sec 113 MBytes 949 Mbits/sec [ 5] 2.00-3.00 sec 114 MBytes 954 Mbits/sec [ 5] 3.00-4.00 sec 113 MBytes 949 Mbits/sec [ 5] 4.00-5.00 sec 114 MBytes 957 Mbits/sec [ 5] 5.00-6.00 sec 113 MBytes 950 Mbits/sec [ 5] 6.00-7.00 sec 113 MBytes 949 Mbits/sec [ 5] 7.00-8.00 sec 113 MBytes 949 Mbits/sec [ 5] 8.00-9.00 sec 113 MBytes 948 Mbits/sec [ 5] 9.00-10.00 sec 113 MBytes 950 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate [ 5] 0.00-10.00 sec 1.10 GBytes 946 Mbits/sec sender [ 5] 0.00-10.01 sec 1.10 GBytes 944 Mbits/sec receiver iperf Done.

So that is maxing out gig.. Couldn't ask for anything more on gig wire..

Now here pfsense is routing between the networks over the same wire.. Same client and server machines - Just changed the switch config to put the client interface on different vlan. And put this vlan on the same physical interface used for vlan 9 (lan on pfsense) igb0

vlans-samephysical.jpg

$ iperf3.exe -c 192.168.9.10 -B 192.168.66.10 warning: Ignoring nonsense TCP MSS 466688 Connecting to host 192.168.9.10, port 5201 [ 5] local 192.168.66.10 port 50367 connected to 192.168.9.10 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 107 MBytes 895 Mbits/sec [ 5] 1.00-2.00 sec 111 MBytes 933 Mbits/sec [ 5] 2.00-3.00 sec 112 MBytes 940 Mbits/sec [ 5] 3.00-4.00 sec 112 MBytes 939 Mbits/sec [ 5] 4.00-5.00 sec 112 MBytes 941 Mbits/sec [ 5] 5.00-6.00 sec 111 MBytes 930 Mbits/sec [ 5] 6.00-7.00 sec 112 MBytes 940 Mbits/sec [ 5] 7.00-8.00 sec 110 MBytes 925 Mbits/sec [ 5] 8.00-9.00 sec 111 MBytes 934 Mbits/sec [ 5] 9.00-10.00 sec 111 MBytes 931 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate [ 5] 0.00-10.00 sec 1.08 GBytes 931 Mbits/sec sender [ 5] 0.00-10.00 sec 1.08 GBytes 930 Mbits/sec receiver

So not much difference because its duplex and no other traffic on the wire.. Bit of traffic maybe, the overhead of the vlan tags mentioned, etc..

But now sending traffic to the internet through pfsense through that same igb0 interface via speed test from client on that same vlan 9 network.. 500Mbps..

Now look at my iperf test..

$ iperf3.exe -c 192.168.9.10 -B 192.168.66.10 warning: Ignoring nonsense TCP MSS 466688 Connecting to host 192.168.9.10, port 5201 [ 5] local 192.168.66.10 port 50444 connected to 192.168.9.10 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 38.6 MBytes 324 Mbits/sec [ 5] 1.00-2.00 sec 37.1 MBytes 311 Mbits/sec [ 5] 2.00-3.00 sec 26.2 MBytes 220 Mbits/sec [ 5] 3.00-4.00 sec 49.0 MBytes 411 Mbits/sec [ 5] 4.00-5.00 sec 51.0 MBytes 428 Mbits/sec [ 5] 5.00-6.00 sec 52.0 MBytes 436 Mbits/sec [ 5] 6.00-7.00 sec 51.8 MBytes 434 Mbits/sec [ 5] 7.00-8.00 sec 52.4 MBytes 439 Mbits/sec [ 5] 8.00-9.00 sec 51.1 MBytes 429 Mbits/sec [ 5] 9.00-10.00 sec 51.1 MBytes 429 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate [ 5] 0.00-10.00 sec 460 MBytes 386 Mbits/sec sender [ 5] 0.00-10.01 sec 460 MBytes 386 Mbits/sec receiver iperf Done.

So there will be a performance hit when you share bandwidth of physical connection with vlans - because your sharing the capabilities of the interface... But without understanding your traffic flows, and amount of traffic that will be routed intervlan or using that interface going somewhere else, it hard to say if you will notice it or not..

Here is what I would suggest.. If you have the physical ports available on your switch and your router.. Then leverage them for your different networks so that vlans do not share physical ports..

If you do not have enough ports... Then put the vlans that do not talk to each other or use lower amounts of bandwidth on the same physical interface.. Example I put my wireless vlans on the same physical interface of pfsense... Since they would never be able to use full gig anyway, and they don't talk to each other..

If you go for max fault tolerance, use Ports 1/g45-46 and 2/g45-46.

@trent6gol Thats fine, also has lots of bandwidth.
What I described also works well. Tested in practice by many, in demanding environments.

There isn't a way to do that in the GUI or config at this time.