@viktor_g Thank you a lot for confirming!

I would also verify what protocol these devices communicate on because you are only allowing TCP in both VLANs.

I think setting the interface 3/1 to Trunk under Switching > VLAN > Switch Port Summary may have resolved the issue. It allowed my DHCP from the firewall to traverse to the VLAN. I will further test this when I get more time.

This may have been a switch config issue and not the firewall. Apologies for posting this issue in the netgate forum.

@jst68

because I think we're over it....hahaha
that’s why you have to work (on pfSense config), when everyone is asleep 😉

@charles_moody said in Trunk/LAGG problem / pfSense UniFi 24-250W PoE Switch and VLANs:

Can anyone tell me how to get the switch to adopt

So this is crux of your issue?

That has nothing to do with pfsense.. Your controller and switch need to be on the same L2 network for adoption... Or you need to use L3 adoption.. This has everything to do with unifi, and not related to pfsense at all.

https://help.ui.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

behind that about 10 smart-managed Netgear switches

This seems nuts - are they all in closets somewhere.. How big is this house? If you were running cable - why would all your cables not just home run back to your core switching area? Curious where exactly all these switches are?

want LAN just for troubleshooting and because it’s often stated that LAN will strip of the VLAN tags from the traffic

Huh? You can run vlans on lan just like any other interface.. So not sure what your thinking with this statement... Sure you can use lan interface as your management interface.. But it can run vlans on it as well if you want.

@JKnott

I tend to heir on the side of caution when it comes to using terminology I'm not 100% familiar with, but I have the basics down that's for sure.

Regardless, after some extensive troubleshooting I got rid of the Aruba switch and swapped it out with a Ubiquiti.
Had my network infrastructure team troubleshoot the Aruba... nobody could get it working. They let me know about how others have not been able to use Aruba equipment in the past, so i chalked it up to the switch.

Get a third switch to use as your "core" and connect pfSense to that. Connect the other two switches to the "core" switch.

The switches in the SG-1100, SG-3100, or XG-7100 would be a good choice here. Any of those could handle the VLAN trunk links to the other two switches without any messiness like pfSense bridging.

@demitri said in Question about VLAN and VPN:

The problem I am having is that when I start a large data transfer from my Mac to the NAS, almost any internet access will disconnect the VPN.

Hello,

note, if the NAS and MAC are on the same subnet then what are we talking about - not pfSense affected

bottleneck - is formed due to the following

if all your traffic (LAN / WAN) passes through the same VLAN (you know the wrong eth. port)

you reduce the throughput of the 1Gig interface

ergo, you solved the problem with VLAN, but now everything goes through a real interface (1 pcs - VLAN) (maybe 1Gig)

+++++edit:

the lesson is that:

VLAN is good, but you can't break down a physical interface - to hundreds of millions of VLANs without a drop in speed

pls. think, only of the uplink ports of switches with many VLANs and they are usually squeezed into a LAG together with LACP (2 - 4 ports) or we choose a switch that has 2 x 10Gig uplink ports, for example

Ok... Here is 2 tests.. 1 where the networks are on their own physical interfaces

layout..
iperf server 192.168.9.10
iperf client 192.168.200.10

twophysicalnics.jpg

$ iperf3.exe -c 192.168.9.10 -B 192.168.200.10 warning: Ignoring nonsense TCP MSS 466688 Connecting to host 192.168.9.10, port 5201 [ 5] local 192.168.200.10 port 50165 connected to 192.168.9.10 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 108 MBytes 903 Mbits/sec [ 5] 1.00-2.00 sec 113 MBytes 949 Mbits/sec [ 5] 2.00-3.00 sec 114 MBytes 954 Mbits/sec [ 5] 3.00-4.00 sec 113 MBytes 949 Mbits/sec [ 5] 4.00-5.00 sec 114 MBytes 957 Mbits/sec [ 5] 5.00-6.00 sec 113 MBytes 950 Mbits/sec [ 5] 6.00-7.00 sec 113 MBytes 949 Mbits/sec [ 5] 7.00-8.00 sec 113 MBytes 949 Mbits/sec [ 5] 8.00-9.00 sec 113 MBytes 948 Mbits/sec [ 5] 9.00-10.00 sec 113 MBytes 950 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate [ 5] 0.00-10.00 sec 1.10 GBytes 946 Mbits/sec sender [ 5] 0.00-10.01 sec 1.10 GBytes 944 Mbits/sec receiver iperf Done.

So that is maxing out gig.. Couldn't ask for anything more on gig wire..

Now here pfsense is routing between the networks over the same wire.. Same client and server machines - Just changed the switch config to put the client interface on different vlan. And put this vlan on the same physical interface used for vlan 9 (lan on pfsense) igb0

vlans-samephysical.jpg

$ iperf3.exe -c 192.168.9.10 -B 192.168.66.10 warning: Ignoring nonsense TCP MSS 466688 Connecting to host 192.168.9.10, port 5201 [ 5] local 192.168.66.10 port 50367 connected to 192.168.9.10 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 107 MBytes 895 Mbits/sec [ 5] 1.00-2.00 sec 111 MBytes 933 Mbits/sec [ 5] 2.00-3.00 sec 112 MBytes 940 Mbits/sec [ 5] 3.00-4.00 sec 112 MBytes 939 Mbits/sec [ 5] 4.00-5.00 sec 112 MBytes 941 Mbits/sec [ 5] 5.00-6.00 sec 111 MBytes 930 Mbits/sec [ 5] 6.00-7.00 sec 112 MBytes 940 Mbits/sec [ 5] 7.00-8.00 sec 110 MBytes 925 Mbits/sec [ 5] 8.00-9.00 sec 111 MBytes 934 Mbits/sec [ 5] 9.00-10.00 sec 111 MBytes 931 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate [ 5] 0.00-10.00 sec 1.08 GBytes 931 Mbits/sec sender [ 5] 0.00-10.00 sec 1.08 GBytes 930 Mbits/sec receiver

So not much difference because its duplex and no other traffic on the wire.. Bit of traffic maybe, the overhead of the vlan tags mentioned, etc..

But now sending traffic to the internet through pfsense through that same igb0 interface via speed test from client on that same vlan 9 network.. 500Mbps..

Now look at my iperf test..

$ iperf3.exe -c 192.168.9.10 -B 192.168.66.10 warning: Ignoring nonsense TCP MSS 466688 Connecting to host 192.168.9.10, port 5201 [ 5] local 192.168.66.10 port 50444 connected to 192.168.9.10 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 38.6 MBytes 324 Mbits/sec [ 5] 1.00-2.00 sec 37.1 MBytes 311 Mbits/sec [ 5] 2.00-3.00 sec 26.2 MBytes 220 Mbits/sec [ 5] 3.00-4.00 sec 49.0 MBytes 411 Mbits/sec [ 5] 4.00-5.00 sec 51.0 MBytes 428 Mbits/sec [ 5] 5.00-6.00 sec 52.0 MBytes 436 Mbits/sec [ 5] 6.00-7.00 sec 51.8 MBytes 434 Mbits/sec [ 5] 7.00-8.00 sec 52.4 MBytes 439 Mbits/sec [ 5] 8.00-9.00 sec 51.1 MBytes 429 Mbits/sec [ 5] 9.00-10.00 sec 51.1 MBytes 429 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate [ 5] 0.00-10.00 sec 460 MBytes 386 Mbits/sec sender [ 5] 0.00-10.01 sec 460 MBytes 386 Mbits/sec receiver iperf Done.

So there will be a performance hit when you share bandwidth of physical connection with vlans - because your sharing the capabilities of the interface... But without understanding your traffic flows, and amount of traffic that will be routed intervlan or using that interface going somewhere else, it hard to say if you will notice it or not..

Here is what I would suggest.. If you have the physical ports available on your switch and your router.. Then leverage them for your different networks so that vlans do not share physical ports..

If you do not have enough ports... Then put the vlans that do not talk to each other or use lower amounts of bandwidth on the same physical interface.. Example I put my wireless vlans on the same physical interface of pfsense... Since they would never be able to use full gig anyway, and they don't talk to each other..

If you go for max fault tolerance, use Ports 1/g45-46 and 2/g45-46.

@trent6gol Thats fine, also has lots of bandwidth.
What I described also works well. Tested in practice by many, in demanding environments.

There isn't a way to do that in the GUI or config at this time.

i checked that and made sure mine matched. what I did find out though is that my lan port (em0) if I change it to my 2nd interface (em2) that it works exactly how I expect it to. I wonder if its a bug and its already assigned that it causes that issue. it is the lowest mac address too so maybe that was my problem

@ncm-com said in VLAN tag on more than 1 interface:

but let say if the traffic between VLANs reaching 500mbps it will create a bottleneck on one interface that would not be the case if the traffic using two ports?

And how does putting 2 interfaces in the same vlan solve that problem?

but let say if the traffic between VLANs reaching 500mbps it will create a bottleneck on one interface that would not be the case if the traffic using two ports?

Use different uplinks for your difrerent vlans.. vmnic 2 vlan X, vmnic 3 vlan Y... Putting vlan X on both vmnic 2 and 3 does what?? Put all your vmnics into same vswitch.. Use your port groups to break out the vlans. setup lagg of these 4 nics to your switch from esxi

spf+ tech specs are up to 16gbps.. But yeah highest modules you will find prob 10ge max.. Atleast at any reasonable price, etc.

Man, I understand you because I tried to set up my printer for a very long time and as a result I realized that the problem can be not only in the wrong connection, but in the router itself. Tell me the model number and brand and I will try to make a guide for you. If you can’t solve your problem, you will need to find another printer. I would purchase a high-quality printer from Brother (mrdepot.ca) and this printer is very easy to use and connect.

It shouldn't. You're simply adding a tag, on top of the other normal traffic, on the access point port or switch port.

Here's mine, VLAN 8 on a 24 port switch, to connect access points back to pfsense. I'm using VLAN 8 for a guest network, and the access points support VLANs and multiple SSIDs. The guest network is running on top of the LAN network in pfsense, and the guest network is setup with its own subnet. Everything works perfectly. In my picture, port GE27 (back to pfsense) would simulate your port 1 on the Netgear.

screenshot765998.png

I'm assuming the DD-WRT box you're got will behave the same way.

Sorry, I forgot, your port 8 on the Zyxel also has to be tagged with your new VLAN number.

So, quick summary - add a new VLAN to pfsense, parent interface is LAN, tag port 8 and 2 on Zyxel with your new VLAN number. Then finally, tag port 1 on Netgear with the same number. Tagged and untagged ports on networking gear can exist at the same time, if the gear is any good.

Jeff

first, was the vnc connection successful? pftop is sorted by bytes and you have a maximum number of states set to 100 with a lot of DNS traffic. have you tried to narrow down pftop results by adjusting your filter expression from "src net 192.168.30.38" to "src net 192.168.30.38 and dst port 5900"?

edit: oh, you should be using src host 192.x.x.x instead of src net.

src host host True if the IPv4/v6 source field of the packet is host. src net net True if the IPv4/v6 source address of the packet has a network number of net.