• Question about VLAN and VPN

    2
    0 Votes
    2 Posts
    329 Views
    DaddyGoD
    @demitri said in Question about VLAN and VPN: "The problem I am having is that when I start a large data transfer from my Mac to the NAS, almost any internet access will disconnect the VPN." Hello, note, if the NAS and MAC are on the same subnet then what are we talking about - not pfSense affected bottleneck - is formed due to the following if all your traffic (LAN / WAN) passes through the same VLAN (you know the wrong eth. port) you reduce the throughput of the 1Gig interface ergo, you solved the problem with VLAN, but now everything goes through a real interface (1 pcs - VLAN) (maybe 1Gig) +++++edit: the lesson is that: VLAN is good, but you can't break down a physical interface - to hundreds of millions of VLANs without a drop in speed pls. think, only of the uplink ports of switches with many VLANs and they are usually squeezed into a LAG together with LACP (2 - 4 ports) or we choose a switch that has 2 x 10Gig uplink ports, for example
  • Pfsense 1 LAN cable with VLANS internet speed?

    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ
    Ok... Here are 2 tests.. 1 where the networks are on their own physical interfaces layout..
    iperf server 192.168.9.10
    iperf client 192.168.200.10
    [image: 1591975452290-twophysicalnics.jpg]

        $ iperf3.exe -c 192.168.9.10 -B 192.168.200.10
        warning: Ignoring nonsense TCP MSS 466688
        Connecting to host 192.168.9.10, port 5201
        [ 5] local 192.168.200.10 port 50165 connected to 192.168.9.10 port 5201
        [ ID] Interval Transfer Bitrate
        [ 5] 0.00-1.00 sec 108 MBytes 903 Mbits/sec
        [ 5] 1.00-2.00 sec 113 MBytes 949 Mbits/sec
        [ 5] 2.00-3.00 sec 114 MBytes 954 Mbits/sec
        [ 5] 3.00-4.00 sec 113 MBytes 949 Mbits/sec
        [ 5] 4.00-5.00 sec 114 MBytes 957 Mbits/sec
        [ 5] 5.00-6.00 sec 113 MBytes 950 Mbits/sec
        [ 5] 6.00-7.00 sec 113 MBytes 949 Mbits/sec
        [ 5] 7.00-8.00 sec 113 MBytes 949 Mbits/sec
        [ 5] 8.00-9.00 sec 113 MBytes 948 Mbits/sec
        [ 5] 9.00-10.00 sec 113 MBytes 950 Mbits/sec
        - - - - - - - - - - - - - - - - - - - - - - - - -
        [ ID] Interval Transfer Bitrate
        [ 5] 0.00-10.00 sec 1.10 GBytes 946 Mbits/sec sender
        [ 5] 0.00-10.01 sec 1.10 GBytes 944 Mbits/sec receiver
        iperf Done.

    So that is maxing out gig.. Couldn't ask for anything more on gig wire.. Now here pfsense is routing between the networks over the same wire.. Same client and server machines - Just changed the switch config to put the client interface on different vlan. And put this vlan on the same physical interface used for vlan 9 (lan on pfsense) igb0
    [image: 1591975879274-vlans-samephysical.jpg]

        $ iperf3.exe -c 192.168.9.10 -B 192.168.66.10
        warning: Ignoring nonsense TCP MSS 466688
        Connecting to host 192.168.9.10, port 5201
        [ 5] local 192.168.66.10 port 50367 connected to 192.168.9.10 port 5201
        [ ID] Interval Transfer Bitrate
        [ 5] 0.00-1.00 sec 107 MBytes 895 Mbits/sec
        [ 5] 1.00-2.00 sec 111 MBytes 933 Mbits/sec
        [ 5] 2.00-3.00 sec 112 MBytes 940 Mbits/sec
        [ 5] 3.00-4.00 sec 112 MBytes 939 Mbits/sec
        [ 5] 4.00-5.00 sec 112 MBytes 941 Mbits/sec
        [ 5] 5.00-6.00 sec 111 MBytes 930 Mbits/sec
        [ 5] 6.00-7.00 sec 112 MBytes 940 Mbits/sec
        [ 5] 7.00-8.00 sec 110 MBytes 925 Mbits/sec
        [ 5] 8.00-9.00 sec 111 MBytes 934 Mbits/sec
        [ 5] 9.00-10.00 sec 111 MBytes 931 Mbits/sec
        - - - - - - - - - - - - - - - - - - - - - - - - -
        [ ID] Interval Transfer Bitrate
        [ 5] 0.00-10.00 sec 1.08 GBytes 931 Mbits/sec sender
        [ 5] 0.00-10.00 sec 1.08 GBytes 930 Mbits/sec receiver

    So not much difference because it's duplex and no other traffic on the wire.. Bit of traffic maybe, the overhead of the vlan tags mentioned, etc.. But now sending traffic to the internet through pfsense through that same igb0 interface via speed test from client on that same vlan 9 network.. 500Mbps.. Now look at my iperf test..

        $ iperf3.exe -c 192.168.9.10 -B 192.168.66.10
        warning: Ignoring nonsense TCP MSS 466688
        Connecting to host 192.168.9.10, port 5201
        [ 5] local 192.168.66.10 port 50444 connected to 192.168.9.10 port 5201
        [ ID] Interval Transfer Bitrate
        [ 5] 0.00-1.00 sec 38.6 MBytes 324 Mbits/sec
        [ 5] 1.00-2.00 sec 37.1 MBytes 311 Mbits/sec
        [ 5] 2.00-3.00 sec 26.2 MBytes 220 Mbits/sec
        [ 5] 3.00-4.00 sec 49.0 MBytes 411 Mbits/sec
        [ 5] 4.00-5.00 sec 51.0 MBytes 428 Mbits/sec
        [ 5] 5.00-6.00 sec 52.0 MBytes 436 Mbits/sec
        [ 5] 6.00-7.00 sec 51.8 MBytes 434 Mbits/sec
        [ 5] 7.00-8.00 sec 52.4 MBytes 439 Mbits/sec
        [ 5] 8.00-9.00 sec 51.1 MBytes 429 Mbits/sec
        [ 5] 9.00-10.00 sec 51.1 MBytes 429 Mbits/sec
        - - - - - - - - - - - - - - - - - - - - - - - - -
        [ ID] Interval Transfer Bitrate
        [ 5] 0.00-10.00 sec 460 MBytes 386 Mbits/sec sender
        [ 5] 0.00-10.01 sec 460 MBytes 386 Mbits/sec receiver
        iperf Done.

    So there will be a performance hit when you share bandwidth of physical connection with vlans - because you're sharing the capabilities of the interface... But without understanding your traffic flows, and amount of traffic that will be routed intervlan or using that interface going somewhere else, it's hard to say if you will notice it or not.. Here is what I would suggest.. If you have the physical ports available on your switch and your router.. Then leverage them for your different networks so that vlans do not share physical ports.. If you do not have enough ports... Then put the vlans that do not talk to each other or use lower amounts of bandwidth on the same physical interface.. Example I put my wireless vlans on the same physical interface of pfsense... Since they would never be able to use full gig anyway, and they don't talk to each other..
  • Connect pfSense to L3 stack

    4
    0 Votes
    4 Posts
    387 Views
    N
    If you go for max fault tolerance, use Ports 1/g45-46 and 2/g45-46.
  • General (port based VLAN)

    10
    0 Votes
    10 Posts
    1k Views
    N
    @trent6gol That's fine, also has lots of bandwidth. What I described also works well. Tested in practice by many, in demanding environments.
  • Possible to set laghash on LAGGs?

    2
    0 Votes
    2 Posts
    159 Views
    jimpJ
    There isn't a way to do that in the GUI or config at this time.
  • pimd Multicast routing with Airtame

    pimd multicast
    1
    0 Votes
    1 Posts
    738 Views
    No one has replied
  • Solved!! pfsense vlan untagged interfaces with vlans on same trunk

    17
    0 Votes
    17 Posts
    5k Views
    D
    I checked that and made sure mine matched. What I did find out though is that my lan port (em0) if I change it to my 2nd interface (em2) that it works exactly how I expect it to. I wonder if it's a bug and it's already assigned that it causes that issue. It is the lowest mac address too so maybe that was my problem
  • VLAN tag on more than 1 interface

    22
    0 Votes
    22 Posts
    2k Views
    johnpozJ
    @ncm-com said in VLAN tag on more than 1 interface: "but let say if the traffic between VLANs reaching 500mbps it will create a bottleneck on one interface that would not be the case if the traffic using two ports?" And how does putting 2 interfaces in the same vlan solve that problem? "but let say if the traffic between VLANs reaching 500mbps it will create a bottleneck on one interface that would not be the case if the traffic using two ports?" Use different uplinks for your different vlans.. vmnic 2 vlan X, vmnic 3 vlan Y... Putting vlan X on both vmnic 2 and 3 does what?? Put all your vmnics into same vswitch.. Use your port groups to break out the vlans. setup lagg of these 4 nics to your switch from esxi
  • LAGG On LAN

    21
    0 Votes
    21 Posts
    2k Views
    johnpozJ
    sfp+ tech specs are up to 16gbps.. But yeah highest modules you will find prob 10ge max.. At least at any reasonable price, etc.
  • Using printer on a separate subnet/vlan

    10
    0 Votes
    10 Posts
    5k Views
    U
    Man, I understand you because I tried to set up my printer for a very long time and as a result I realized that the problem can be not only in the wrong connection, but in the router itself. Tell me the model number and brand and I will try to make a guide for you. If you can’t solve your problem, you will need to find another printer. I would purchase a high-quality printer from Brother (mrdepot.ca) and this printer is very easy to use and connect.
  • Best setup for SG-1100 guest WiFi with VLAN

    10
    0 Votes
    10 Posts
    2k Views
    A
    It shouldn't. You're simply adding a tag, on top of the other normal traffic, on the access point port or switch port. Here's mine, VLAN 8 on a 24 port switch, to connect access points back to pfsense. I'm using VLAN 8 for a guest network, and the access points support VLANs and multiple SSIDs. The guest network is running on top of the LAN network in pfsense, and the guest network is set up with its own subnet. Everything works perfectly. In my picture, port GE27 (back to pfsense) would simulate your port 1 on the Netgear. [image: 1590178283632-screenshot765998.png] I'm assuming the DD-WRT box you've got will behave the same way. Sorry, I forgot, your port 8 on the Zyxel also has to be tagged with your new VLAN number. So, quick summary - add a new VLAN to pfsense, parent interface is LAN, tag port 8 and 2 on Zyxel with your new VLAN number. Then finally, tag port 1 on Netgear with the same number. Tagged and untagged ports on networking gear can exist at the same time, if the gear is any good. Jeff
  • pfTop not showing the ports in use...?

    3
    0 Votes
    3 Posts
    471 Views
    ipeetablesI
    first, was the vnc connection successful? pftop is sorted by bytes and you have a maximum number of states set to 100 with a lot of DNS traffic. have you tried to narrow down pftop results by adjusting your filter expression from "src net 192.168.30.38" to "src net 192.168.30.38 and dst port 5900"? edit: oh, you should be using src host 192.x.x.x instead of src net. src host host True if the IPv4/v6 source field of the packet is host. src net net True if the IPv4/v6 source address of the packet has a network number of net.
  • [SOLVED] Cannot ping devices in other VLAN

    14
    0 Votes
    14 Posts
    11k Views
    johnpozJ
    @CodeNinja said in [SOLVED] Cannot ping devices in other VLAN: Is there a way i can do something back? Pay it forward ;) If you can help someone else here - that is always good for the community.. Or help someone else in some other way if you can. Glad you got it sorted.
  • VLANs and a RADIUS Server

    1
    0 Votes
    1 Posts
    151 Views
    No one has replied
  • Guest wireless VLAN without managed switches

    4
    0 Votes
    4 Posts
    2k Views
    JKnottJ
    @ebcdic It is possible for someone directly connected to the LAN to configure the interface to also receive VLAN packets. That means they could appear on both the LAN and VLAN, just as pfSense does. However, someone connected to the guest WiFi wouldn't be able to do that, as they have no direct access to the LAN. The AP will remove the VLAN tag for traffic to WiFi and add it to traffic from it.
  • Help with DCHP and VLANS

    9
    0 Votes
    9 Posts
    855 Views
    S
    UPDATE: Problem solved. After more searching and endless reading, I found this post: https://forum.netgate.com/topic/139859/sg-1100-running-real-vlans turns out I had to tag the ports. All of the tutorials left this part out. [image: 1589544691784-2020-05-15.png]
  • Assigning clients to VLAN via FreeRadius

    3
    0 Votes
    3 Posts
    426 Views
    M
    I'd say the typical deployment would be to use an AP that is trunked to a managed switch and supports VLANs as well as multiple SSIDs. Once that's in place, you'd configure multiple SSIDs and assign those SSIDs to various VLANs. I am not aware of any solution that would allow you to set up one SSID and drop clients into various VLANs based on their MAC. I am also not familiar with the captive portal, but after skimming over the settings it appears you can configure multiple zones and assign them to various interfaces, but I didn't see anything that suggests the functionality you're looking for exists within captive portal. However, I did skim over a few posts that suggest Cisco has a solution that may work for you, but it would involve implementing a WLAN controller, a Cisco enterprise-grade AP and configuring an authentication server (e.g. Cisco ISE) that supports dynamic VLAN assignment.
  • Additional Interface

    1
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • 1gbp networking LAGG speed problem

    5
    0 Votes
    5 Posts
    906 Views
    chpalmerC
    @VioletDragon said in 1gbp networking LAGG speed problem: MNHO-048 Thanks for the updates.. Never heard of these guys before. But interesting platform.
  • Help with physical interfaces and VLANs

    Moved
    70
    0 Votes
    70 Posts
    15k Views
    johnpozJ
    Without any details of your setup it's impossible to help you figure out what is your issue. What do multiwan issues have to do with L2/Switching/Vlans? Start a new thread with the specific details of your problem.. Do all your clients have access if you don't pull out wan X?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.