@jthombenj Well, VLAN 10 implies tagged frames, when you want untagged for your main LAN. For example, today, I am trying some stuff with multiple SSID on my LAN. My 2nd SSID connects to VLAN 3 and I have added VLAN 3 to my LAN interface. So, frames for the LAN and main SSID will not have a VLAN tag, but those for the 2nd SSID will have a tag for VLAN 3. Desktop computers generally can be configured to work with VLAN tags, but many other devices can't. So, if your main LAN is tagged, then those other devices wouldn't be able to connect. However, if you have a managed switch, then it could take those VLAN 10 tagged frames and strip the tags off, before sending the frames out to the LAN. Of course the reverse happens for frames going the other way.

@dma_pf This was the spot that was in error, but I assumed it was a typing mistake... DMAVoip_vl166 Enabled: Checked Deny Unknown Clients: Checked Range: 192.168.166.10 - 102.168.167.20 The range on that one is incorrect. Jeff

@rterren On your OPT port, you have to first enable it, give it a static IP address with a /24 subnet mask. Don't assign a gateway. [image: 1598109253456-screen-shot-2020-08-22-at-10.13.46-am.png] Then, under Services -> DHCP Server, find that interface, and turn on the DHCP server function. You need to specify a range, a start address and an end address in other words, but that's pretty easy. That's all there is to it. If you plug say, a laptop, into the LAN port, you should get an IP address from that range. Then, if you plug the same laptop into the OPT port, you should get an address in the other range. 2 different IP ranges on the same pfsense box. You don't want to use the "additional pool" thing on your LAN network, that's not correct for this scenario. No offense, but I wouldn't be too tempted to use the SG-1000 just because it's sitting on your desk. I found myself doing/thinking the exact same thing, but I ended up selling my SG-1000, because I couldn't come up with a good enough reason to keep it. Anything I could think of, I could easily do with the other boxes I've already got, the ones with all the extra network ports. Jeff

If i understand correctly, LACP is preferable over static Load Balancing?

@johnpoz I'm beginning to confuse myself so I want to be sure I'm going the right direction before I screw up my network. I especially want to get the VLANs right before I re-introduce pfSense back into the configuration. Does this make sense for configuring the Edge Router X as an L2 switch with VLANs for your 2nd diagram above: -leave switch0 connecting ports eth1 through eth4 as it currently is set up -eth0 is connected to the LiteBeam (WAN) and continues to have the IP address it gets from the LiteBeam; untagged for VLAN10 -eth1 is connected to the ethernet cable going back to the switch in the house and serves as the trunk VLAN; untagged for VLAN10, tagged for VLAN2 -eth2 and eth3 are currently unused -eth4 is connected to the outdoor mesh AP; untagged for VLAN2 managed LAN switch in the house: -all ports get untagged for VLAN2 This was also useful: https://help.ui.com/hc/en-us/articles/115012700967

@sho1sho1sho1 said in Vlan in different subnets cannot connect...: but can you tell me the /24 and /16 should not be the issue? No that is not an issue as long as the networks don't overlap.. and since one is 10.x and the others 192. there is no way they could. There is a whole section about policy routing, which is what your doing when you set a gateway on a rule. And you have to allow intervlan traffic that you want to allow above where you force the traffic out a gateway. Pretty sure its in the multiwan parts of the doc. But if you say what you want to allow and what you want to block - and post your rules happy to validate them for you. And don't forget host firewalls, they don't like other non local vlans normally.. There be a flood of those threads as of late.

Ok got it! Thank you. This is now a great reason to take the time and set up the VPN on pfsense.

I think I've solved both problems. The first problem with the second port of the LACP not working is resolved by removing and then readding the specific interface to the LACP group. After I did that the port started working immediately. After that, there were still messages of "Interface stopped DISTRIBUTING, possible flapping" but now on both interfaces of the LACP group. To resolve this I added the system tunable I already mentioned in my first post ("net.link.lagg.lacp.default_strict_mode" with value 0) and restarted the firewall. Since that moment (last Saturday evening) until this moment I'm writing this, there are zero log entries with that error and the link hasn't gone down either since that.

Hi, I don't see any issue with the intended setup. But, is this switch being shared with internal LAN? If so, triple review VLAN config to avoid security issues. Regarding overhead/hardware load between vlan or multiple NICs, I see no issues. Probably the amount of traffic passing through Pfsense will have hight impact than VLAN tagging. BR, Benito

After lots of debug and hours lost, that turned out to be some incompatibility between the NIC card on the computer I was running those tests, and the NIC on PfSense box (Intel). Probably defective card but only failing when talking to Intel Nic on PfSense (weird). Changed NIC to a new one and problem is gone.

Hello, Sorry to answer that now. With ACLs, cala works. I don't know HaProxy well yet (I was doing this with Nginx), I thought we had to do this with PfSense rules. Thank you so much.

Aha! You are a lifesaver. I feel like an idiot. Thank you so much!

@Raffi_ said in Youtube cast across VLANs: UPNP as you mention if I do decide to put all my devices on the same layer 2. UPnP is always dangerous... @Raffi_ (an enemy of any firewall and/or router) but if handled well, it is indispensable for the game my son is an active PS4 player... (only when he study, he don't....) his buddies taught he to speak english (very well) in the PS4 community (game world), ergo on PS4 is the best and cheapest English teacher... I only tolerate it, in our home network, because the teach.....