@JKnott Thanks for the reply. I didn't provide much info in my original post. I have a couple of pics. The things is I expected that after creating these virtual interfaces and, associating them as in the tutorial, that the original LAN configuration would no longer be in play (which is what I want). It doesn't seem to be; I have a dhcp server on vlan1, port number 1, and it's successfully passing out addresses with the vlan1 network values. The original /24 network across all regular ports is no longer a factor, is it, or am I missing something.

ports.png
ports2.png

Sean

@johnpoz thanks for your help so far. It is fixed. this option was checked. Once I unchecked, I started getting internet. Didn't even know when it got clicked. Thanks.

https://imgur.com/ua2kuQe

hi,nevermind, its already fixed,
please delete post.

Opened up https://redmine.pfsense.org/issues/10890 for the Switch port issue.

@chibaba said in Virtual VLANS Query:

Can anyone think of anything obvious that I've missed or is the Realtek VLAN on the nic stopping things from working correctly?

Is there a special reason why you are using the internal VLAN for the uplinking of the switch chip of the XG7100 on your Cisco switch? Normally you don't and just setup the interface with the appropriate VLAN you want to use instead of jumping up and putting the whole upstream thing from the XG to your network. See no real sense in it perhaps you could elaborate what you're trying to do?

@Inxsible said in VLAN on LAN vs on separate physical port:

Advantage of using the Static ARP over DHCP IP reservation on the VLAN interface ?

The static ARP was used only to configure the IP address. The cameras did not support DHCP and they had no address out of the box. So I would manually create an ARP entry with an IP address, so that I could use a browser to configure the address. After that was done, it was ready for service and the NVR configured for all the cameras. As I mentioned, there was also an app to configure the cameras, but I found it wasn't always reliable, whereas the static ARP method always worked.

@demoso

????

Client separation is a AP issue, not pfsense.

@jthombenj

Well, VLAN 10 implies tagged frames, when you want untagged for your main LAN. For example, today, I am trying some stuff with multiple SSID on my LAN. My 2nd SSID connects to VLAN 3 and I have added VLAN 3 to my LAN interface. So, frames for the LAN and main SSID will not have a VLAN tag, but those for the 2nd SSID will have a tag for VLAN 3. Desktop computers generally can be configured to work with VLAN tags, but many other devices can't. So, if your main LAN is tagged, then those other devices wouldn't be able to connect. However, if you have a managed switch, then it could take those VLAN 10 tagged frames and strip the tags off, before sending the frames out to the LAN. Of course the reverse happens for frames going the other way.

@dma_pf This was the spot that was in error, but I assumed it was a typing mistake...

DMAVoip_vl166
Enabled: Checked
Deny Unknown Clients: Checked
Range: 192.168.166.10 - 102.168.167.20

The range on that one is incorrect.

Jeff

@rterren On your OPT port, you have to first enable it, give it a static IP address with a /24 subnet mask. Don't assign a gateway.

Screen Shot 2020-08-22 at 10.13.46 AM.png

Then, under Services -> DHCP Server, find that interface, and turn on the DHCP server function. You need to specify a range, a start address and an end address in other words, but that's pretty easy.

That's all there is to it. If you plug say, a laptop, into the LAN port, you should get an IP address from that range. Then, if you plug the same laptop into the OPT port, you should get an address in the other range. 2 different IP ranges on the same pfsense box. You don't want to use the "additional pool" thing on your LAN network, that's not correct for this scenario.

No offense, but I wouldn't be too tempted to use the SG-1000 just because it's sitting on your desk. I found myself doing/thinking the exact same thing, but I ended up selling my SG-1000, because I couldn't come up with a good enough reason to keep it. Anything I could think of, I could easily do with the other boxes I've already got, the ones with all the extra network ports.

Jeff

If i understand correctly, LACP is preferable over static Load Balancing?

@johnpoz
I'm beginning to confuse myself so I want to be sure I'm going the right direction before I screw up my network. I especially want to get the VLANs right before I re-introduce pfSense back into the configuration.

Does this make sense for configuring the Edge Router X as an L2 switch with VLANs for your 2nd diagram above:
-leave switch0 connecting ports eth1 through eth4 as it currently is set up
-eth0 is connected to the LiteBeam (WAN) and continues to have the IP address it gets from the LiteBeam; untagged for VLAN10
-eth1 is connected to the ethernet cable going back to the switch in the house and serves as the trunk VLAN; untagged for VLAN10, tagged for VLAN2
-eth2 and eth3 are currently unused
-eth4 is connected to the outdoor mesh AP; untagged for VLAN2

managed LAN switch in the house:
-all ports get untagged for VLAN2

This was also useful:
https://help.ui.com/hc/en-us/articles/115012700967

@sho1sho1sho1 said in Vlan in different subnets cannot connect...:

but can you tell me the /24 and /16 should not be the issue?

No that is not an issue as long as the networks don't overlap.. and since one is 10.x and the others 192. there is no way they could.

There is a whole section about policy routing, which is what your doing when you set a gateway on a rule. And you have to allow intervlan traffic that you want to allow above where you force the traffic out a gateway. Pretty sure its in the multiwan parts of the doc.

But if you say what you want to allow and what you want to block - and post your rules happy to validate them for you.

And don't forget host firewalls, they don't like other non local vlans normally.. There be a flood of those threads as of late.

Ok got it! Thank you. This is now a great reason to take the time and set up the VPN on pfsense.

I think I've solved both problems.

The first problem with the second port of the LACP not working is resolved by removing and then readding the specific interface to the LACP group. After I did that the port started working immediately.

After that, there were still messages of "Interface stopped DISTRIBUTING, possible flapping" but now on both interfaces of the LACP group. To resolve this I added the system tunable I already mentioned in my first post ("net.link.lagg.lacp.default_strict_mode" with value 0) and restarted the firewall. Since that moment (last Saturday evening) until this moment I'm writing this, there are zero log entries with that error and the link hasn't gone down either since that.

Hi,

I don't see any issue with the intended setup. But, is this switch being shared with internal LAN? If so, triple review VLAN config to avoid security issues.

Regarding overhead/hardware load between vlan or multiple NICs, I see no issues. Probably the amount of traffic passing through Pfsense will have hight impact than VLAN tagging.

BR,
Benito