Yeah that is great.. but if your in vlan X, you can't arp for something in vlan Y.. Doesn't work that way.. So its working as it should.

Probably too late on the party for this one, and seems like you got a solution anyways- but more than anything else I am a noob and wanting to learn, so this is as much for me as it is for you- but I digress. In the unifi controller, there is a built in option to allow passthrough of a VLAN for the specific purpose of a voip phone. In switch profiles, you can indicate a voice network (which can be a real network, or in this case, a VLAN that is configured as a network in the unifi controller). I think this is a relatively newer feature? But I may be wrong on that. Lawrence Systems on YouTube has a good video on this. Like I said, this may be a solution looking for a problem but thought I'd put it out there.

@Derelict Thank you. Changing the parent interface to lagg0 worked. Now, I'm going to see if I can make it work on the expansion card.

@pi said in Help Config Aruba IAP VLANs: I will configure the OPT1 port this is fine in itself, but I will also follow the Aruba VLAN, when I will have time to read through it

Looks like my onboard NIC doesn't support VLAN tagging. I set up LAN and opt3 identically:[image: 1595787320627-vlan.png] [image: 1595787844589-intelvlan.png] When I have my desktop directly plugged into em1, I don't get an IP from pfsense. When I have the desktop plugged directly into igb1, or igb1 through the switch, I am able to get an IP from the VLAN. I still haven't figured out the TomatoRouter part, but atleast I know now it's not a pfsense issue. My motherboard: https://www.supermicro.com/products/motherboard/Xeon/C216/X9SPU-F.cfm Network Controllers Intel 82574L Dual Port Gigabit Ethernet Virtual Machine Device Queues reduce I/O overhead Supports 10BASE-T, 100BASE-TX, and 1000BASE-T, RJ45 output

You don't really need vlans, just separate lans. :) You already have 5 lan interfaces, and since one should be dedicated to the wan, you can have up to 4 segmented lans to play with, without any vlans. If you need more that that, then the dlink switch in 802.1p mode can provide even more segmented lans. But I think 4 is enough. Lets say 4 zones, business, leisure, guest/wifi/printers/phones, and?? Of course things get complicated if for example you want wifi access to he business segment from wifi for some devices, but not for guests, or we don't want the missus to have fb access (god save us). You should strive to have devices having common internet requirements on the same lan, so you can leverage pfblockerng et al better.

@mourad13 You're welcome, no problem!

@newberger said in HP switch and vlan: Also, you might need to check your NAT rules? I had the po change FW to allow all and still not getting IP. Prior to using wireshark, HP switch is configured to LAGG with Unifi switch, I had remove the LAGG to enable port mirroring. Capture trace on the port connecting esxi box and vmnic. DHCP traffic vlan50 is captured on the switch port but not on vmnic. I have pfblocker running and the NAT rules are for DNSBL.

@johnpoz Yes, QNAP has similar functions, but that makes sense on the setup. I think I will stay with the simple (aka, "working") setup! ;) Thanks for all your help, as usual!

@netblues said in Can't Bridge WAN's Parent Interface [SOLVED]: @m0j0 I'm glad it worked for you. If you have more than a few vlans, emulating a managed switch this way is quite impractical. Do some stress testing though. I have no idea what kind of speeds you are expecting from fiber and it would be interesting how it fares. On the other hand, if only voip will end up being bridged, then traffic will be minimal. pppoe bound on a vlan tag is ok and with minimal overhead, since vlan tagging is handled at the hardware level of the physical interface. Thank you for your message. I will keep in mind those points. Indeed you are right I am only using this "emulation" to get VoIP back. My internet package gives me 800Mbps down and 200Mbps up and so far both have been just fine even with fq_codel the Qotom (Celeron 3215U & 2GB RAM) box keeps up. I must admit that I really only monitor the pfsense dashboard and sometimes ssh in and check dmesg.

@Fmstrat So, create a separate dmz interface, with dhcp server and feed the isp router from there. This will assign whatever ip you wish to its wan interface, and also adjust routing. Having said that, isp router have limited dhcp client capabilities and are often buggy.

@viktor_g Thank you a lot for confirming!

I would also verify what protocol these devices communicate on because you are only allowing TCP in both VLANs.

I think setting the interface 3/1 to Trunk under Switching > VLAN > Switch Port Summary may have resolved the issue. It allowed my DHCP from the firewall to traverse to the VLAN. I will further test this when I get more time. This may have been a switch config issue and not the firewall. Apologies for posting this issue in the netgate forum.

@jst68 because I think we're over it....hahaha that’s why you have to work (on pfSense config), when everyone is asleep

@charles_moody said in Trunk/LAGG problem / pfSense UniFi 24-250W PoE Switch and VLANs: Can anyone tell me how to get the switch to adopt So this is crux of your issue? That has nothing to do with pfsense.. Your controller and switch need to be on the same L2 network for adoption... Or you need to use L3 adoption.. This has everything to do with unifi, and not related to pfsense at all. https://help.ui.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers behind that about 10 smart-managed Netgear switches This seems nuts - are they all in closets somewhere.. How big is this house? If you were running cable - why would all your cables not just home run back to your core switching area? Curious where exactly all these switches are? want LAN just for troubleshooting and because it’s often stated that LAN will strip of the VLAN tags from the traffic Huh? You can run vlans on lan just like any other interface.. So not sure what your thinking with this statement... Sure you can use lan interface as your management interface.. But it can run vlans on it as well if you want.

@JKnott I tend to heir on the side of caution when it comes to using terminology I'm not 100% familiar with, but I have the basics down that's for sure. Regardless, after some extensive troubleshooting I got rid of the Aruba switch and swapped it out with a Ubiquiti. Had my network infrastructure team troubleshoot the Aruba... nobody could get it working. They let me know about how others have not been able to use Aruba equipment in the past, so i chalked it up to the switch.

Get a third switch to use as your "core" and connect pfSense to that. Connect the other two switches to the "core" switch. The switches in the SG-1100, SG-3100, or XG-7100 would be a good choice here. Any of those could handle the VLAN trunk links to the other two switches without any messiness like pfSense bridging.