i just saw this, maybe related?:

@kiokoman said in Allowing ICMP/Ping From WAN to Machine On LAN for Ptunnel:

i tested it and it work for me, what machine is it? windows?
if it's windows maybe you need to do this
https://forum.netgate.com/post/895254

Okay so it was actually an issue with the windows PC, its now all working.

I now have 4 networks:
LAN 10.0.0.0/24
IOT 10.0.50.0/24
PRIV 10.0.60.0/24
GUEST 10.0.70.0/24

Its working as intended across ethernet & wifi, and I can configure firewall rules to allow/block traffic between the nets. I've even managed to get mDNS/Apple Airplay from PRIV to IOT network working.

However, the last remaining issue is with the VPN. I've set up an IPSec VPN a while ago, and while it still works, it lets me only access LAN (10.0.0.0/24), but none of the VLANs. I tried googling for a solution, however nothing I've tried seems to work. I tried adding a second phase 2 with the IOT network, however it does not work.

This is the VPN config overview:
alt text

And in the firewall I have:

What do I have to do in order to reach 10.0.50.0/24 from a mobile IPSec client?

What do you mean you can't add them.. .Sure you can.. Post up the screen where you trying to add them, and what errors or whatever that is keeping you from posting them..

Here.. example
rules.jpg

i ran into something slightly similar with usg (before moving to pfsense) -

the ISP had given us one of those combo units, and the TV worked through MoCA (not sure if this is what you mean by IPTV)
was entirely not compatible with USG (at that time).

got a dedicated modem, no wifi, usg was still gateway after that for a while (until i started wanting more funtionality that unifi just does not offer)

to my point, our cable tv would not work after switching to modem only. we ended up having to replace the cable boxes as they entirely relied on MoCA (edit additional - new modem did not have MoCA)

im guessing you want to add vlan tags to pfsense interfaces to get it to pass-thru in a sense?

my knowledge on VLAN specifically isn't that high up, but from what I understand, you'd likely want that vlan tagged to be allowed on wan, and also on the port supplying connecting facing your unifi?

i feel like i missing something, but hope this helps

It's not being used as tag.. Its what you set in esxi to let it know not to strip tags where you set the vlan id in the switch... It just puts it in a special trunk mode.. You don't actually use the tag anywhere else.

the logs also show dhcp discover and offer (on the correct vlan) but then loops over again and again - it never gets the request or ack.

@detox

If I'm reading your description right, you've got only VLAN 10 going to the AP. You need a trunk port that carries all VLANs. Also, I don't see how you could get staff to work on the AP, as you don't seem to have a connection for the native LAN to the AP.

BTW, some TP-Link switches have problems with VLANs and I believe the fault may allow the native LAN to get through where it's not supposed to. This may be how the staff LAN is getting through.

@mohkhalifa said in pfSense on ESXi | Best Practices:

problem SOLVED after "Disabling hardware checksum offload"

Awesome. I poked around on a few of mine and didn't find any with that enabled. Mostly Dell hardware here. Good find.

@jpyeron said in tunneling VLAN trunk help needed:

I remember the all the different gateways. Thats cool, sounds like you got in to things a bit before me.

Yep, I was working with LANs before there was such a thing as Ethernet. I worked on a Time Division Multiplexing network in a Rockwell Collins 8500C computer system, that was part of the Air Canada reservation system. This was late '70s - mid '80s. The various devices, such as tape drives and disk drives connected to the CPU over a tri-axial cable at 8 Mb/s. This system was the communications front end for the Univac computers at the heart of the system.

Update:
I have decided to use LAGG to distribute traffic from the XG to the first switch, HPE 1920S-48G.

Would it be recommended to continue using LAGG from the HPE 1920 to my second switch, HPE OfficeConnect 1820 24G? Can I simply tag a port with VLANs needed for switch two? Bandwidth needs are minimal for the VLANs dedicated on this second switch.

Thanks.

@xyzzyz said in VLAN question for noob moving from Cisco ASA:

My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port?

No.

It was just the rules that were wrong - all sorted now.

Thanks everyone for the quick responses!

Trunk your VLANs on a single pfSense interface.

The Netgear docs suck big time.

https://community.netgear.com/t5/Smart-Plus-Click-Switches/Port-trunking-on-GSS108E/td-p/1353948

@dotdash Thank you Sir,

So, the routes went in nicely, but didn't work.
The issue I ran into was in Firewall Rules, for what ever reason, I saw the LAN net and LAN address, but missed completely network, which would allow me to define a segment and allow it access to the firewall's LAN.

So then I could create a rule for 192.168.212.0 / 24 to any, one for tcp/upd and one for icmp, once I could ping, all the apps on that segment were able to function properly. Did the same for 192.168.39.0/24 and 192.168.14.0/24. All working now,

Thank you for your time and information.

Jon

@kevdog Lol yes that is my conclusion. Made things a lot easier. Trying to set it up in DD-WRT was a bit convoluted. Following the tutorial in my OP was perfect, except I changed up the way I connected the main wifi and the guest wifi to my switch.

@airlab

Yikes -- like a I said I've only had mine for 6 months. I'm hopeful that in another year and a half this doesn't happen to me -- or maybe I just won't apply firmware updates.

HIPAA only requires that you make reasonable accommodations for security. This may not be a requirement to separate traffic, but I would recommend you do so anyway as this isn't something that end users would see. This can also help or hurt future troubleshooting depending on the issue.

Personally, I'd separate the traffic.