It shouldn't. You're simply adding a tag, on top of the other normal traffic, on the access point port or switch port.

Here's mine, VLAN 8 on a 24 port switch, to connect access points back to pfsense. I'm using VLAN 8 for a guest network, and the access points support VLANs and multiple SSIDs. The guest network is running on top of the LAN network in pfsense, and the guest network is setup with its own subnet. Everything works perfectly. In my picture, port GE27 (back to pfsense) would simulate your port 1 on the Netgear.

screenshot765998.png

I'm assuming the DD-WRT box you're got will behave the same way.

Sorry, I forgot, your port 8 on the Zyxel also has to be tagged with your new VLAN number.

So, quick summary - add a new VLAN to pfsense, parent interface is LAN, tag port 8 and 2 on Zyxel with your new VLAN number. Then finally, tag port 1 on Netgear with the same number. Tagged and untagged ports on networking gear can exist at the same time, if the gear is any good.

Jeff

first, was the vnc connection successful? pftop is sorted by bytes and you have a maximum number of states set to 100 with a lot of DNS traffic. have you tried to narrow down pftop results by adjusting your filter expression from "src net 192.168.30.38" to "src net 192.168.30.38 and dst port 5900"?

edit: oh, you should be using src host 192.x.x.x instead of src net.

src host host True if the IPv4/v6 source field of the packet is host. src net net True if the IPv4/v6 source address of the packet has a network number of net.

@CodeNinja said in [SOLVED] Cannot ping devices in other VLAN:

Is there a way i can do something back?

Pay it forward ;) If you can help someone else here - that is always good for the community.. Or help someone else in some other way if you can.

Glad you got it sorted.

@ebcdic

It is possible for someone directly connected to the LAN to configure the interface to also receive VLAN packets. That means they could appear on both the LAN and VLAN, just as pfSense does. However, someone connected to the guest WiFi wouldn't be able to do that, as they have no direct access to the LAN. The AP will remove the VLAN tag for traffic to WiFi and add it to traffic from it.

UPDATE:

Problem solved. After more searching and endless reading, I found this post:

https://forum.netgate.com/topic/139859/sg-1100-running-real-vlans

turns out I had to tag the ports. All of the tutorials left this part out.

2020-05-15.png

I'd say the typical deployment would be to use an AP that is trunked to a managed switch and supports VLANs as well as multiple SSIDs. Once that's in place, you'd configure multiple SSID's and assign those SSID's to various VLANs.

I am not aware of any solution that would allow you to setup one SSID and drop clients into various VLANs based on their MAC.

I am also not familiar with the captive portal, but after skimming over the settings it appears you can configure multiple zones and assign them to various interfaces, but I didn't see anything that suggests the functionality you're looking for exists within captive portal.

However, I did skim over a few posts that suggests Cisco has a solution that may work for you, but it would involve implementing a WLAN controller, a Cisco enterprise-grade AP and configuring an authentication server (e.g. Cisco ISE) that supports dynamic VLAN assignment.

@VioletDragon said in 1gbp networking LAGG speed problem:

MNHO-048

Thanks for the updates.. Never heard of these guys before. But interesting platform.

Without any details of your setup its impossible to help you figure out what is your issue.

What does multiwan issues have to do with L2/Switching/Vlans?

Start a new thread with the specific details of your problem.. Do all your clients have access if you don't pull out wan X?

Finally I fixed this issue. It turns out I need to enable VLAN on the NIC in ESXi. After that, everything just works

After 3 days of testing and experimenting i found out that one of the cables is not 100%. After putting a new cable between PfSense and the switch everything works with the configuration like described in my question. This means the problem is solved!

Thank you for your answer

Thanks,

It was driving me crazy.

If you do not need 4092 on switchport 1 (OPT) it can be removed. 4090 and 4091 are the untagged VLANs for the WAN and LAN ports. You probably want to leave them alone.

@jerricho1422

Turn it on, on both. 802.1q is the only way you're going to get VLANs working between the 2. Both have to be configured with the same VLANs.

Have a nice weekend :-)

@JKnott cool, thanks for your insight. I'll experiment when I have some time to bring my network down and set everything up.

Yeah I guess so too. They are doing a great job and I really like pfSense as a firewall solution.

@yupq6wlc79ts said in Implementing VLAN:

@JKnott said in Implementing VLAN:

@yupq6wlc79ts

First off, if you're using that Asus router as an AP, make sure you connect to the LAN side, not WAN. However, given you have the other AP, why are you using that one?

Yes, that setup is working fine. Asus router is connected to LAN (of course), as well as additional Ubiquiti AP. Using it to cover the WiFi gap areas.

Also, proper access points, such as the Ubiquiti, support multiple SSIDs and VLANs. You create VLANs in pfSense and configure matching VLANs in the AP, with SSIDs assigned to the appropriate VLAN. In pfSense, you'll also have to configure the DHCP server on each VLAN, according to the desired address range. You'll also have to configure the routing and firewall rules so that you can reach what you need from the VLANs.

So I think I am following you:

Create VLANs entries in pfSense as desired (VLAN1, VLAN2, etc.) -> Interfaces - VLANs - Add

Yes

Configure matching VLANs in the AP -> I can create separate VLANs in the Ubiquiti Portal (https://demo.ui.com/manage/site/default/settings/networks/list) and match it with VLANs?

Yes

Configure DHCP Server on each VLAN in the pfSense -> Where in pfSense?

Under Services > DHCP Server. On that page, each interface, including VLANs should be listed.

Routing and Firewall rules -> Firewall - Rules?

Yes