Finally I fixed this issue. It turns out I need to enable VLAN on the NIC in ESXi. After that, everything just works

After 3 days of testing and experimenting i found out that one of the cables is not 100%. After putting a new cable between PfSense and the switch everything works with the configuration like described in my question. This means the problem is solved!

Thank you for your answer

Thanks, It was driving me crazy.

If you do not need 4092 on switchport 1 (OPT) it can be removed. 4090 and 4091 are the untagged VLANs for the WAN and LAN ports. You probably want to leave them alone.

@jerricho1422 Turn it on, on both. 802.1q is the only way you're going to get VLANs working between the 2. Both have to be configured with the same VLANs.

Have a nice weekend :-)

@JKnott cool, thanks for your insight. I'll experiment when I have some time to bring my network down and set everything up.

Yeah I guess so too. They are doing a great job and I really like pfSense as a firewall solution.

@yupq6wlc79ts said in Implementing VLAN: @JKnott said in Implementing VLAN: @yupq6wlc79ts First off, if you're using that Asus router as an AP, make sure you connect to the LAN side, not WAN. However, given you have the other AP, why are you using that one? Yes, that setup is working fine. Asus router is connected to LAN (of course), as well as additional Ubiquiti AP. Using it to cover the WiFi gap areas. Also, proper access points, such as the Ubiquiti, support multiple SSIDs and VLANs. You create VLANs in pfSense and configure matching VLANs in the AP, with SSIDs assigned to the appropriate VLAN. In pfSense, you'll also have to configure the DHCP server on each VLAN, according to the desired address range. You'll also have to configure the routing and firewall rules so that you can reach what you need from the VLANs. So I think I am following you: Create VLANs entries in pfSense as desired (VLAN1, VLAN2, etc.) -> Interfaces - VLANs - Add Yes Configure matching VLANs in the AP -> I can create separate VLANs in the Ubiquiti Portal (https://demo.ui.com/manage/site/default/settings/networks/list) and match it with VLANs? Yes Configure DHCP Server on each VLAN in the pfSense -> Where in pfSense? Under Services > DHCP Server. On that page, each interface, including VLANs should be listed. Routing and Firewall rules -> Firewall - Rules? Yes

@dotdash It worked out very well and pfSense is running the network smoothly. Thank you again for your help with this.

Well, as the main question is pretty much sorted - I will have separate VLANs without tagging on separate interfaces and separate switches - could you help me out on some structuring, please? So that's how it would be: [image: 1587396388870-vlan_07.jpg] Should I just create one more VLAN on my spare LAN port and call it WIFI and move the Unifi AP from the LAN switch to there? And then I can create two or three separate WiFi VLANs on the Unifi controller? Question is if I did that should I rather create those WiFi VLANs on that spare LAN port with tagging?!? Is the Kodi box and the printer okay on crap network? I think I can create a firewall rule to access the printer from the LAN and that's fairly straightforward. But what about the kodi box? If I create a rule for the kodi box to access the file server (and only the fileserver) then is there any way to restrict it to only access the media dataset and nothing else on the FreeNAS box?

OMG. Was using 127.0.0.1 so questions like 'What is this Firewall" wouldn't pop up ...

@codybadger said in Need help setting up VLANs (pfsense router, unifi switch, AP-AC-PRO WAP): so would that be a duplicate of my fifth (from top) NAT rule, but for 192.168.55.x instead of 44? I did try that, but it didn't seem to work for me either. This is for outgoing over the WAN. If it should also work when the OpenVPN client is connected (assuming it's the default gateway then) you need an additional rule for OpenVPN like the sixth one. However, it's recommended to assign an interface to the OpenVPN client instance first and add the outbound NAT rule to this specific interface, cause OpenVPN is an interface group which covers all OpenVPN instances you're running, i.e. all clients and all servers.

@vlan2 I would do it like this: VLAN10 (192.168.10.0/24) - Main LAN with servers, laptops, workstations, and ALL printers VLAN20 (192.168.20.0/24) - VOIP network VLAN30 (192.168.30.0/24) - Guest network I typically use a 2 digit VLAN tag scheme, some switches and other network gear use some of the single digit, like "VLAN1" as management access and cant be changed. That gear really shouldn't be used, but it is what it is. If you make the 3rd octet in your addresses the same number as the tag, it's really easy to spot and identify what's coming and going, and from where, in your firewall logs or GUI screens. If you've got anybody VPN'ing into the network, throw them on a 192.168.40.0/24 network. Then you've got no overlapping of addresses, most likely. Now, with a setup like above, you can set static DHCP leases for all the printers and copiers, easily add them to an alias, then create firewall rules to pass printing traffic to them, across your VLAN's. Jeff

@Bob-Dig In that post, I was referring to other than the main LAN to the Internet. However, it would hold for other subnets. The general rule for firewalls is to block by default and then create exceptions for what you need. So, if you find something doesn't work, then firewall rules are a good place to start looking.

@CalTommo I don't know how, if you've set up DHCP. It just works. Configuring DHCP on a VLAN is no different than on an Ethernet port. Do you have a computer you can configure for VLAN 80? If so, just plug it into the LAN side of the pfSense box and see what happens.

You don't bridge VLANs. That would be defeating the purpose of them. Give them their own subnets and let pfSense do the routing and filtering as required. Well, there will be a firewall between the vlans, with block/deny by default, and in that way seperate them. But the real reason why Im talking about bridging vlans, is because it is absolutely essential to have multicast/unicast traverse the vlans. (sonos and alot of iot depends on that protocoll...) But if the community give me good reasons to strongly evade from that idea, I need to come up with something else, like seperate subnets with igmp proxy or pimd, if any of those is known to work.

@johnpoz sorry for the late reply. I did scroll thru the web and found that you are correct. With that in mind, I will not enable Inter-VLAN routing on my switch. Thank you both for your knowledge and insight.