• OPT Ports as Separate VLANs

    0 Votes
    7 Posts
    763 Views
    johnpoz

    You can have many untagged VLANs, on different interfaces. Pretty much all VLANs are untagged to devices. But no, you cannot run multiple untagged VLANs on the same physical interface.

    If you're connecting from your switch to an OPT interface with no VLAN set up, this is an untagged VLAN. You still need to set this up in your switches as some VLAN ID, even if pfSense doesn't know about it.

    But you have to have a switch that understands VLANs to run multiple networks on the same switch.

    Do you have different physical switches you're going to connect these different OPT interfaces to? If so, then sure, what you're doing is fine.

    As to reasons for different interfaces for each VLAN: the big reason to do this is bandwidth... VLANs on the same physical interface share bandwidth. If I want VLAN X and VLAN Y to each have the full bandwidth of the physical interface, then yes, I would put them on their own. And no, you don't need to tag it; the uplink just goes to a switch that knows what VLAN this traffic is, or to a dumb switch that only devices on this network/VLAN are going to be on.

  • FTP Server on Lan1 , access from Lan2 [SOLVED]

    0 Votes
    16 Posts
    1k Views

    Thanks everyone, guys.

    I have managed that. @Rico I also added an inbound rule to the Windows firewall for port 445.

    Even if I am in the 85 LAN, I can access files in the 42 LAN. This is great stuff. It is very exciting for a newbie like me.

    Please close the thread.

  • Vlans, LACP LAGGs on xg7100 connected to cisco 3560

    0 Votes
    2 Posts
    121 Views
    No one has replied
  • Airplay not working - inter VLAN

    0 Votes
    2 Posts
    939 Views
    Gertjan

    Hi,

    @jeecee said in Airplay not working - inter VLAN:

    The receiver and client are in the same VLAN

    Just to be sure: when you put that client and receiver together on a dumb switch, with this switch hooked up to pfSense directly, does it work?

    I do not use VLANs (NICs are so inexpensive these days, far less than manageable switches) but I'm pretty sure that all devices on the same VLAN network are like all devices on the same LAN (network).

    pfSense does not interact with devices on the same network: they can reach each other just fine by yelling around (broadcasting, etc.) on their network.

    Install this app: Discovery.

    It shows everything with details.
    There are zero configuration options and one rule: you have to use a Wifi connection.

  • adding link to my shop

    0 Votes
    38 Posts
    3k Views

    @johnpoz OK thanks.

  • Move Physical connection to VLAN

    0 Votes
    1 Posts
    150 Views
    No one has replied
  • VLAN design

    0 Votes
    1 Posts
    210 Views
    No one has replied
  • No traffic inside VLAN

    0 Votes
    3 Posts
    462 Views

    Problem solved. It was not in pfSense, but in the NAS security settings.
    QNAP doesn't log any rejected connections.

  • Preventing mac address spoofing

    0 Votes
    5 Posts
    2k Views
    johnpoz

    Network Access Control (NAC)... also called PNAC, Port Network Access Control. Take a look at PacketFence as a way to run this on your network.

    I want to control who is able to connect to my Ubiquiti AP via MAC.

    That is just stupid. As you already understand, MAC spoofing is so easy that anyone with access to Google could figure it out. This is why you would auth to get on your wifi, i.e. the PSK would need to be known, or you could get more advanced and use enterprise with the need to auth with username/password - or better yet EAP-TLS, where they also need a certificate assigned by you to that device, etc. etc.

    MAC filtering can be used for, say, a control method of saying the kids' tablet cannot connect between the hours of 10pm and 7am or something... But it's not actually a valid security method.

    Require your wireless devices to auth, use a strong PSK and do not share it with people you do not want to have access. If you want user A, who has your PSK, not to be able to connect device X, then use another control method other than MAC address if you're worried about the user also spoofing the MAC address when they know the PSK or other EAP method. For example, you could require EAP-TLS that is tied to the device.

    Most of this is outside the realm of pfSense, to be honest. While you could run the FreeRADIUS package on pfSense to provide better means of authing, and while you can do stuff with static ARP and captive portal to control via MAC on pfSense, it is an L3 firewall. And while captive portal and static ARP can be used as a control method for MAC address, it cannot prevent spoofing of a MAC that is allowed.

    Look into 802.1X as a way to auth a client other than by MAC address.

    I use the FreeRADIUS package and EAP-TLS to auth to my trusted wifi network. Only devices that have a cert issued by me can auth to this network. Now in theory, if they had a second device, they could export this cert and install it on a 2nd device, etc. But this is much more involved than just spoofing a MAC. And if the device is a work device, they would have to have the appropriate permissions on the device to export it to put on a personal device - which they should not have, etc.

    But no matter the method of the auth, if a user has it - be it a PSK, username/password, MAC address, cert, etc. - it can be difficult to stop them from using that on another device. You could look to 3rd party supplicant software that would auth to your 802.1X controls. So they would also need to be able to install this software on their device to be able to auth. This agent would also be controlled by you and only installed on devices you want to allow on the network, be it wireless or even wired.

  • Bridge physical interface and VLAN

    0 Votes
    7 Posts
    528 Views

    Ok, here is the scenario.

    I have one main subnet called LAN0 (192.168.1.1/24).
    This network has its own server (192.168.1.3) and ISP (192.168.1.1).

    I want to segment this network in two, creating a VLAN2 where I want to create a transparent bridge that will be used to reduce the communication VLAN2 --> LAN0 but leave full communication in the opposite direction (LAN0 --> VLAN2).

    Moreover, on this network, I want to add two independent networks: MUSUX (VLAN62) and OUTSIDE (VLAN42). In this case the DHCP server is supplied by pfSense.
    The first one, MUSUX, will have access to all internal networks (LAN0 and OUTSIDE) and to the internet, whereas the OUTSIDE network will only have access to the internet.

    For this reason I designed three independent networks, and pfSense will route the connections between networks through its firewall according to the rules explained above.

    Here is a simplified network chart:
    alt text

    I hope this gives you a clearer scenario.

    Thanks for your help

  • Interesting issue regarding VGT & VST VMware vmxnet3 configs with VLANS

    0 Votes
    2 Posts
    474 Views
    kiokoman

    System / Advanced / Networking:
    have you disabled hardware checksum offloading?
    Is the Open-VM-Tools package installed on your pfSense?

    Right now we only know that it's not working, so let's start from the basic steps.

    I'm on ESXi 6.7u3 and I have more or less the same configuration, but I don't have this problem.
    I'm using vmxnet3, all my vSwitches are tagged with 4095 and they physically go to a Cisco switch,
    if it's not something specific to 6.5..

  • Inter-VLAN traffic Client Isolation

    0 Votes
    14 Posts
    1k Views

    Thanks everyone, I've got it sorted out.
    Did as I explained in my previous post and added allow rules under every VLAN, then it started working.
    Still doesn't explain the firewall logs showing green for passed while it wasn't the case.

  • Public IP behind pfsense via bridge

    0 Votes
    3 Posts
    192 Views

    If you already have NAT configured for the others, did you look into 1:1 NAT (https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html) which forwards all traffic for the public IP to that private IP? Or does the VPN device actually require a public IP address in it?

  • Ring Doorbell Pro, VLANs, and DNS

    0 Votes
    9 Posts
    2k Views

    @viragomann I made the recommended changes to my VLAN3 firewall rules and once completed, I re-ran setup for my Ring Doorbell Pro... Seems to be working correctly now!!! I suspect in my many iterations of changes, I had not re-run setup on my Ring Doorbell Pro and it may have worked straight away had I just restarted it...

    Thank you so much for your help!

  • Netgear/Vlans/Pfsense

    0 Votes
    58 Posts
    11k Views

    @johnpoz said in Netgear/Vlans/Pfsense:

    Who makes this card exactly??? 6c:b3:11 does not show up as a vendor.. ipolex?

    Not sure how accurate this information is, but a Google search shows that his NIC is made by the following company in China. Never heard of them. Maybe this NIC is not compatible with FreeBSD 11.x?

    Company: Shenzhen Lianrui Electronics Co., Ltd
    Address: Block C4 XinTang Industrial Park, Baishixia FuYong Town, BaoAn District, Shenzhen Guangdong 518000, CHINA
    Range: 6C:B3:11:00:00:00 - 6C:B3:11:FF:FF:FF
    Type: IEEE MA-L

  • WAN ports isolation

    0 Votes
    1 Posts
    142 Views
    No one has replied
  • Upload poor - suspect Duplex but no option to change on WAN

    0 Votes
    6 Posts
    622 Views
    JKnott

    @tpit

    100 half? That sounds like a cable problem. If you can SSH to it, see what ifconfig shows. Here's my WAN interface:
    media: Ethernet autoselect (1000baseT <full-duplex,master>)

    That's what it should look like.

  • Strange VLAN icmp thing on hyper-v (only pfsense not replying)

    0 Votes
    17 Posts
    2k Views

    I just saw this, maybe related?

    @kiokoman said in Allowing ICMP/Ping From WAN to Machine On LAN for Ptunnel:

    I tested it and it works for me. What machine is it? Windows?
    If it's Windows, maybe you need to do this:
    https://forum.netgate.com/post/895254

  • Questions regarding VLANs

    0 Votes
    24 Posts
    1k Views

    Okay, so it was actually an issue with the Windows PC; it's now all working.

    I now have 4 networks:
    LAN 10.0.0.0/24
    IOT 10.0.50.0/24
    PRIV 10.0.60.0/24
    GUEST 10.0.70.0/24

    It's working as intended across ethernet & wifi, and I can configure firewall rules to allow/block traffic between the nets. I've even managed to get mDNS/Apple AirPlay from the PRIV to the IOT network working.

    However, the last remaining issue is with the VPN. I set up an IPsec VPN a while ago, and while it still works, it only lets me access LAN (10.0.0.0/24), but none of the VLANs. I tried googling for a solution, but nothing I've tried seems to work. I tried adding a second phase 2 with the IOT network, but it does not work.

    This is the VPN config overview:
    alt text

    And in the firewall I have:

    What do I have to do in order to reach 10.0.50.0/24 from a mobile IPsec client?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.