• VLAN rules with lagg trunks

    0 Votes
    4 Posts
    558 Views
    AndyRHA
    @CatSpecial202 That looks correct to me.
  • Lan and Vlan using the same subnet on the same physical interface

    0 Votes
    7 Posts
    1k Views
    johnpozJ
    @sic0048 well articulated and great points..
  • Configuring VLAN and Device IP Address

    0 Votes
    8 Posts
    2k Views
    johnpozJ
    @FWright Your option b wouldn't work. If your untagged network on pfsense is 192.168.10/24 then why would you think you could create a vlan with that same network.. You have a few ways to go about this, either change your pfsense untagged network to something other than 192.168.10 or change your vlan 10 IP range.. I too like using a vlan ID that matches up with the 3rd octet.. its an easy way to remember what the vlan ID and network is.. Why not use say 192.168.30/24 vs 10, and use the vlan ID 30. You could change your untagged network to say 10.10.10 or 172.16.10/24 and then you could use 192.168.10 on your vlan 10. Or use one of those other networks on your vlan 10.. As mentioned its not actually the vlan 10 that is the problem, its that you have overlapping networks.
  • /30 network - This IPv4 address is the network address

    0 Votes
    15 Posts
    1k Views
    Bob.DigB
    @JKnott said in /30 network - This IPv4 address is the network address: Linux & Cisco do. I had no luck with that on Debian but maybe I did something wrong. And I did not try elsewhere so you are most probably right.
  • 0 Votes
    20 Posts
    3k Views
    G
    @NGUSER6947 Yes but things seem to pop up, at least in discussions. I had it crash a few months back and it didn't want to restart due to a lock file lingering, so changed back. But I also have it running on another instance on CE where it's been working fine...
  • 0 Votes
    2 Posts
    353 Views
    No one has replied
  • Flow control System tunables ignored on sg-1537

    0 Votes
    4 Posts
    515 Views
    E
    @keyser Put it in a new file, /boot/loader.conf.local. That way it will survive pfSense upgrades. I personally install nano to make small file edits via the SSH CLI: pkg install nano
  • Changing from managed switch to OpenWRT.

    0 Votes
    5 Posts
    836 Views
    A
    Hmm. I was under the impression that WiFi 6 was 802.11ac. Apparently, it's 802.11ax. My bad!
  • Did not work for me

    0 Votes
    1 Post
    289 Views
    No one has replied
  • Devices on different VLANs do not seem to be able to talk across firewall

    0 Votes
    17 Posts
    2k Views
    D
    I just wanted to follow up after having had some time to test and tinker. @johnpoz : Thanks for your help and patience! Your insight was invaluable.

    RECAP : Issue
    My original issue was identified by the supposed failure of pings to traverse through pfSense between two devices on different networks (ex. 192.168.11.xx and 192.168.12.xx).

    RECAP : Issue No.1 : Windows Firewall Behavior
    Important issue no.1 didn't have anything to do with pfSense or, for that matter, with the network in general. Windows firewall blocks ICMP Echo requests and this behavior seems to continue even with the firewall turned off in the Control Panel. The weird part with this issue is that both pfSense AND the managed switch could ping both computers. The issue was revealed when the computers could not ping each other (pings timed out). The simplest way to fix this behavior is to add an Allow Rule to Windows Firewall for ICMP behavior. Just... make sure to turn it off before using those test machines elsewhere.

    RECAP : Issue No.2 : pfSense DHCP
    Important issue no.2 had to do with weird behavior from the DHCP service on my pfSense machine. I cannot say if this is the result of a bug. I would have to do further testing (which I may follow up on later). This was described by johnpoz as : "if your device... doesn't have a gateway, then you would never be able to talk to it from some other network." Or even simpler : No door (gateway), no exit. This issue was revealed by the ping attempt on one of the computers throwing a "General Failure" error when trying to ping the other computer. Investigation of ipconfig results confirmed the issue (missing network gateway). The proposed solution that fixed the issue was simply to enter a value in the DHCP configuration screen : Other DHCP Options/Gateway. Adding a value here propagated to the two testing machines. The value I used was the IP address of the associated firewall interface (... the default value...).

    Fin
    That's it. Pings between the two computers work as expected, even when they are in different networks. The ping works in both directions. Thanks again!
  • Same VLANs on several SFP+ interfaces on pfSense 8300

    0 Votes
    4 Posts
    550 Views
    keyserK
    @MoonLight-0 only if your switches support stacking and can be stacked to one logical switch where you create an identical lagg of 4 ports (one from each switch). If they do not stack you cannot use LAGG as an interface aggregation method across switches.
  • 0 Votes
    9 Posts
    974 Views
    georgelzaG
    @Gblenn said in Switching from igc1 -> ic0 as physical interface starts well and then collapses: Use the topology mapping in Unifi Controller as support as well. It might give you some ideas of where things may be messed up.. issue when the wheels come off my Unifi manager is not reachable... Only switch this is internal static assigned is the ProMax... will remove that and do a static assign on the pfSense... was actually thinking the current config, by the switch is told you are 172.16.10.2, irrespective which port is used for uplink... if anything... I would have expected more problems when the Cat6/2.5 GbE and fiber was patched / active into the pfSense... as it would not have known who is the uplink... Will give all of this a try. G
  • Getting DHCP

    0 Votes
    2 Posts
    311 Views
    johnpozJ
    @mlradioguy firewall rules have nothing to do with it, once you enable the dhcp server hidden rules are created that will allow dhcp. Are you seeing dhcp discovery/requests on pfsense? What does the dhcp log say, sniff on pfsense different interfaces, are you seeing the dhcp? if you set static, can you ping pfsense IP, do you even see an arp entry in your clients for pfsense IP..
  • Layer 2 connection issue with Android to PC app

    0 Votes
    33 Posts
    4k Views
    S
    Man that does sound like a pain. It also doesn't sound possible to really do per app tunneling like a dedicated VPN app can do particularly for things like web browsers whereas with something like Sweech that uses a narrow host address range plus a specific port number, it would be a piece of cake. I suppose I'd have to keep the desktop app for the PC, but the phone should be ok with it since it's just one app that needs to be configured.
  • Bridge Setup is IMHO weird! Seems too complex!

    0 Votes
    7 Posts
    620 Views
    L
    @johnpoz Currently they both carry different vlans via their uplinks to pfsense? Yep that was the previous situation. And yep I do have a limited number of vlans in a trunk between the two switches. But for the essential management vlan, I did not like that. Note that the bridge I implemented does work as intended! I just do not understand the IMHO crazy way it is implemented!!
  • Help with VLAN configuration

    0 Votes
    8 Posts
    864 Views
    V
    @codechurn Yes, you need an outbound NAT rule for the respective subnet on the VPN interface. To limit access to outside destinations only, best practice is to create an RFC 1918 alias, which includes all private IP ranges, and use this one in the filter rule. You can use this as destination with "invert match" checked in the policy routing (pass) rule. Or just insert a block rule above it. Also you should limit access in your first rule to services which are needed, like DNS. If you also want to block access to HAproxy, which is listening on the WAN IP, you need an additional block rule for this.
  • Adding existing LAN to LAGG

    0 Votes
    1 Post
    197 Views
    No one has replied
  • Stuck while restoring VLANs to new hardware

    1 Vote
    1 Post
    224 Views
    No one has replied
  • Cannot ping across VLANs on a 2100 when we add WAN2

    0 Votes
    2 Posts
    217 Views
    S
    @desquinn Port 4/WAN2 is a unique subnet? The steps in https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html just isolate the port, it should not affect anything else. Steps 21-22 remove 4 from VLAN group 0 but your text shows it in there. If you configure WAN2 but unplug it what happens? Can you ping from pfSense into each VLAN? Check Diagnostics/Routes.
  • 3x small switch+2x Mesh Wi-Fi recommendation

    0 Votes
    3 Posts
    352 Views
    G
    @cyb3rtr0nian Buying used on ebay might be a good idea, but if you are looking for new, perhaps TPLink could be an option. As @AndyRH mentioned there is Unifi which is a good option, but TPLink have pretty much copied their UI in their Omada series. I have Omada at home and run Unifi at our vacation house and my mom's place and I actually think Omada is a bit more "clean" and simple to navigate.

    Retransmission might be cables, but it's perhaps more likely that it is due to your wifi network. What mesh system are you using today? Some of them seem to reuse the same wifi channel on all APs which is completely wrong from a radio standpoint. Phones or other devices will change to the next cell based on radio conditions and don't need to be on the same channel to be able to roam in your home. And you can control their "behaviour" via the settings for the APs: at what signal strength they should be "pushed off" an AP so they connect to the next, etc. But I'd say that is not at all necessary to mess with in a normal home with just a few APs.

    Placement and channel selection is important however, and you will be trying to minimize interference. Having all APs on the same channel creates tons of interference, from the APs themselves as well as all the devices. There are apps on Android you can use to check signal strength of wifi from your neighbours on each channel (Wifi Analyzer and Ubiquiti's WiFiman). WiFiman has a nice mapping feature that you can use to create a "heat map" showing the signal strength or expected speed in your own home as well. On 2.4 GHz, channels are much wider than the numbers suggest, already at 20 MHz channel width. So channel 6 also covers channels 4, 5, 7 and 8, meaning that the only non-overlapping channels are 1, 6, 11 and 14. And don't use more than 20 MHz... in theory it should give you higher speeds but you will likely get more interference and lower speeds.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.