OMG.
Was using 127.0.0.1 so questions like 'What is this Firewall" wouldn't pop up ...

@codybadger said in Need help setting up VLANs (pfsense router, unifi switch, AP-AC-PRO WAP):

so would that be a duplicate of my fifth (from top) NAT rule, but for 192.168.55.x instead of 44? I did try that, but it didn't seem to work for me either.

This is for outgoing over the WAN. If it should also work when the OpenVPN client is connected (assuming it's the default gateway then) you need an additional rule for OpenVPN like the sixth one.
However, it's recommended to assign an interface to the OpenVPN client instance first and add the outbound NAT rule to this specific interface, cause OpenVPN is an interface group which covers all OpenVPN instances you're running, i.e. all clients and all servers.

@vlan2

I would do it like this:

VLAN10 (192.168.10.0/24) - Main LAN with servers, laptops, workstations, and ALL printers
VLAN20 (192.168.20.0/24) - VOIP network
VLAN30 (192.168.30.0/24) - Guest network

I typically use a 2 digit VLAN tag scheme, some switches and other network gear use some of the single digit, like "VLAN1" as management access and cant be changed. That gear really shouldn't be used, but it is what it is. If you make the 3rd octet in your addresses the same number as the tag, it's really easy to spot and identify what's coming and going, and from where, in your firewall logs or GUI screens.

If you've got anybody VPN'ing into the network, throw them on a 192.168.40.0/24 network. Then you've got no overlapping of addresses, most likely.

Now, with a setup like above, you can set static DHCP leases for all the printers and copiers, easily add them to an alias, then create firewall rules to pass printing traffic to them, across your VLAN's.

Jeff

@Bob-Dig

In that post, I was referring to other than the main LAN to the Internet. However, it would hold for other subnets. The general rule for firewalls is to block by default and then create exceptions for what you need. So, if you find something doesn't work, then firewall rules are a good place to start looking.

@CalTommo

I don't know how, if you've set up DHCP. It just works. Configuring DHCP on a VLAN is no different than on an Ethernet port. Do you have a computer you can configure for VLAN 80? If so, just plug it into the LAN side of the pfSense box and see what happens.

You don't bridge VLANs. That would be defeating the purpose of them. Give them their own subnets and let pfSense do the routing and filtering as required.

Well, there will be a firewall between the vlans, with block/deny by default, and in that way seperate them. But the real reason why Im talking about bridging vlans, is because it is absolutely essential to have multicast/unicast traverse the vlans. (sonos and alot of iot depends on that protocoll...)
But if the community give me good reasons to strongly evade from that idea, I need to come up with something else, like seperate subnets with igmp proxy or pimd, if any of those is known to work.

@johnpoz sorry for the late reply. I did scroll thru the web and found that you are correct. With that in mind, I will not enable Inter-VLAN routing on my switch. Thank you both for your knowledge and insight.

Most cheap switches would not allow to move management IP to tagged vlan.. And you would almost never tag vlan 1, that is normally a big no no...

Glad you got it sorted.

Yeah see my edit on the elec costs alone on such a beast.. I guessing that thing is a ancient M50 IBM/Lenovo from your calling it a P4 with 800mhz fsb, etc..

If this is just a POC - you don't really have to worry about it routing at wire speed do you... Your just showing that stuff will work, etc. etc.. Not that its going to be at full speed with current hardware, etc. etc.

Yes,
I created 3 VLAN:

VLAN 1 with Port 1 tagged (connected to NAS with VM pfsense) and port 7 untagged (Access Point)
VLAN 10 with Port 1 tagged and Port 2-6 untagged
VLAN 90 with Port 1 tagged and Port 8 8 untagged (connected to DSL router)

In pfsense I have corresponding VLAN with VLAN 90 as DHCP client and VLAN 1 and 10 with DHCP server

Is it ok?

Sorry yeah it's a samsung phone.. just tried how I said I would and with just one ( upstairs wifi router ) connected, my phone will connect to the wifi and on the right subnet but without internet. Tried changing dns, that didnt work so not a dns issue.

@ieandd

DHCP will not pass through routers, unless a relay agent is used.

@johnpoz noted.. thank you so much..

it's not always possible but for realtek you need to install Realtek Ethernet Diagnostic Utility
for intel you do that inside the network card settingswtXcv.jpg vlan3.gif

@User42

Next step is to fire up Packet Capture and see what's happening.

@Derelict said in Layer 2 Isolation with same class network (Not Vlan):

@chpalmer said in Layer 2 Isolation with same class network (Not Vlan):

(caveat- as long as your router does not also house the "switch".)

And don't mistake things like inability to resolve DNS or obtain DHCP as their inability to directly communicate.

Oops.. very true.

I would assume setting native vlan (5, 10, 30) on those would be sufficient? Little divergent in the topic, but your help is much appreciated.

@erasedhammer Whatever your switch calls it, yes.