When I was setting up VMs on my TrueNAS Core (also FreeBSD based) I discovered a limitation of bridging where an interface could bridge untagged trafffic or VLAN tagged traffic, but not both. My ongoing solution has been to move all my untagged traffic onto a tagged VLAN and just assign that VLAN to the various ports on the switch. So none of the downstream devices see the the VLAN tagging, but to the pfsense and truenas everything is tagged. Without looking through your whole setup, I'd bet that's what you're running into.

@NasKar said in Using home assistant with Iot on different VLAN:

I have home assistant on my main network 192.168.5.x and want to put all the wifi IoT devices on a separate VLan (IoT) 192.168.20.x for security purposes.

I'm not sure that is the best approach.

What is the logic behind not putting Home assistant on the IOT network so it can scan for and communicate with all your IOT devices. Then

Enable Main network access to home assistant via the defined Home assistant interface. Home assistant access to the internet & port forwarding from the internet to Home assistant as required. Block any other IOT connections to other local networks (including Main) and the internet as you desire.

Doing so avoids having to reverse engineer the communication protocols used between each of your IOT devices and Home assistant.

@johnpoz Thanks

@the-other There isn't any DHCP running on the AP. Yes, I have both a default (non-VLAN) and a separate VLAN network defined on the AP, each with separate SSIDs. Clients that I'm not trying to get onto the VLAN are connecting and operating fine on the default (non-VLAN) network. If I tell that one PC to connect to that SSID it works fine and it gets an IP and is good to go.

@Hoserman
You were confusing layer 2 and layer 3 traffic. Be careful not to create a routing loop. STP is your friend when working with multiple networks. STP is Spanning Tree Protocol which you want to use to protect your network. There are at least 3 versions of STP that come to mind right now. Some converge faster than others.

running the following on pfsense shell ifconfig igb0 -vlanhwtag -vlanhwcsum -vlanhwfilter in shell will allow me run run suricata in inline mode, and vlan will still work....you can use the app shellcmd to automatically run the cmd at boot..

@alirx you can bridge 1 vlan.. but you have have multiple vlans on the same bridge.. I am pretty sure it doesn't work that way.

You seem to have some money to setup such a network.. bite the bullet and get a switch. Or redo your vlans or add interfaces so you can run your 2.5ge on their own connection

@febu said in LAN x = VLAN x - how to setup?:

@JKnott Thank you. I want to connect WAN and WAN_VPN to certain LAN ports by using VLAN configuration of SG2100. I am confused with "tagged" and "untagged" and I tried a setup VLAN, interfaces, firewall, etc. but I could not connect to the internet. What else do you need to know? Can you explain me how to do it?

You can find out a bit about VLANs here.

What a VLAN does is allow separate networks to be carried over the same cable. VLANs are logically separate, but not physically. When you create a VLAN, a tag is inserted into the Ethernet frame, which includes the VLAN number. Normally, Ethernet does not have that tag. On my home network, I have a VLAN for my guest WiFi, which uses the same cable and Ethernet port as my main LAN. If you don't have more than one network on a cable, you don't need a VLAN on that cable. As for that VPN, you generally use routing to send the VPN traffic where you want it, not VLANs. In fact, you can route several networks over a VPN, with routing. I don't have any experience with that SG2100 so I can't help there.

@Bambos
The proper way, when bridging an interface to an existing one, is to move over the IP settings to the bridge.
So the member interfaces should remain with IP setting "none".

@copz1998 Depending on your needs, eero has a guest SSID capability when in bridge mode. That would isolate those devices completely.

Otherwise does your eero have the ability to host a second SSID for that VLAN?

@johnpoz
Thank you for taking a look!
Your explanation makes sense to me and the image helps a lot. It also explains why I didn't see firewall (deny) logs.

A question I have floating around is if I could still make it work somehow by returning the laptop to vlan10 but then also have it capable of swapping to vlan100 when I want to do management. But there's probably enough explanation for that online already.

Once more, thank you very much.

@Gblenn there are multicast vlans, broadcast vlans and Switch Virtual Interfaces SVIs and Multicast VLAN registration. You may need an IGMP querier. And IGMP snooping. And to configure the NAT more completely in the VM. None of that is easy. The full duplex 10gbps part seems wild. You may have to force speed/duplex instead of auto-negotiate for each VM.

Some people recommend a NIC for each different VLAN, and plugging them all into the same switch, presumeably to stabilize autonegotiation.

I am just going to quote this since I have been stocking igmp in traffic shaping: IGMP Querier
An IGMP querier is a multicast router (a router or a Layer 3 switch) that sends query messages to maintain a list of multicast group memberships for each attached network, and a timer for each membership.

No clue where you get the time for an SFP+ module. Some people say try PTP and others say NTP can slow you down by 30ms. Most of the time it seems due to machdep on my Zen processor, which transmits data at 70gbps between each core. Some people have built GPSs for their pfSense.

@johnpoz

Thanks a million, That's exactly what I was looking for!

@keyser Ok, good to know, thank you. I guess it will just be each switch connected individually to a LAN port on the firewall.

I also have sets of rules to block them on the interfaces themselves however do I need to add this tag anywhere else?

@fireix Just remember VLANs were designed to limit broadcast traffic. The next thing is switching is faster than routing. And last, layer 3 switches are faster than routers. I think of this when I design networks.

@diyfoolwall

The NIC of the server can / should only press the power-on button if it receives the secret magic wake up packet : the packet should have a data payload of exactly 3 times its own MAC address. Nothing more, nothing less.

To be able to receive this packet, the NIC itself should be powered on. Most ofthen, the NIC goes in low power mode, something like "10 Mbit half duplex' as this is the most economic mode.

If the NIC in front of the server doesn't support this mode : wake on lan won't work. This is what probable happened : pfSense sees the NIC (link) down, so it can't use the NIC to send the WOL packet.
That's why its best always to use a switch between any pfSense NIC's, and your LAN(s) devices, as switches accepts the full scale of 10 Mbits/half up to 1 Gbit/full as this is their job.

@JonathanLee Ah, yes, it surely looks more flexible with L3 switch in terms of security and how much you can do on port level. I will not be using normal VLANs in my case since I can't do subnetting-isolation (waste of IP-space and tons of config).

With regards to mesh, in my case, the two Uplink switches will be physically stacked. So the two switches will communicate as one and I would think that it would reduce the chances of broadcast storms. Or maybe not.. One reason for stacking and LACP is to simplify configuration and avoid relying on STP.