What do you mean you can't add them.. .Sure you can.. Post up the screen where you trying to add them, and what errors or whatever that is keeping you from posting them..

Here.. example
rules.jpg

i ran into something slightly similar with usg (before moving to pfsense) -

the ISP had given us one of those combo units, and the TV worked through MoCA (not sure if this is what you mean by IPTV)
was entirely not compatible with USG (at that time).

got a dedicated modem, no wifi, usg was still gateway after that for a while (until i started wanting more funtionality that unifi just does not offer)

to my point, our cable tv would not work after switching to modem only. we ended up having to replace the cable boxes as they entirely relied on MoCA (edit additional - new modem did not have MoCA)

im guessing you want to add vlan tags to pfsense interfaces to get it to pass-thru in a sense?

my knowledge on VLAN specifically isn't that high up, but from what I understand, you'd likely want that vlan tagged to be allowed on wan, and also on the port supplying connecting facing your unifi?

i feel like i missing something, but hope this helps

It's not being used as tag.. Its what you set in esxi to let it know not to strip tags where you set the vlan id in the switch... It just puts it in a special trunk mode.. You don't actually use the tag anywhere else.

the logs also show dhcp discover and offer (on the correct vlan) but then loops over again and again - it never gets the request or ack.

@detox

If I'm reading your description right, you've got only VLAN 10 going to the AP. You need a trunk port that carries all VLANs. Also, I don't see how you could get staff to work on the AP, as you don't seem to have a connection for the native LAN to the AP.

BTW, some TP-Link switches have problems with VLANs and I believe the fault may allow the native LAN to get through where it's not supposed to. This may be how the staff LAN is getting through.

@mohkhalifa said in pfSense on ESXi | Best Practices:

problem SOLVED after "Disabling hardware checksum offload"

Awesome. I poked around on a few of mine and didn't find any with that enabled. Mostly Dell hardware here. Good find.

@jpyeron said in tunneling VLAN trunk help needed:

I remember the all the different gateways. Thats cool, sounds like you got in to things a bit before me.

Yep, I was working with LANs before there was such a thing as Ethernet. I worked on a Time Division Multiplexing network in a Rockwell Collins 8500C computer system, that was part of the Air Canada reservation system. This was late '70s - mid '80s. The various devices, such as tape drives and disk drives connected to the CPU over a tri-axial cable at 8 Mb/s. This system was the communications front end for the Univac computers at the heart of the system.

Update:
I have decided to use LAGG to distribute traffic from the XG to the first switch, HPE 1920S-48G.

Would it be recommended to continue using LAGG from the HPE 1920 to my second switch, HPE OfficeConnect 1820 24G? Can I simply tag a port with VLANs needed for switch two? Bandwidth needs are minimal for the VLANs dedicated on this second switch.

Thanks.

@xyzzyz said in VLAN question for noob moving from Cisco ASA:

My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port?

No.

It was just the rules that were wrong - all sorted now.

Thanks everyone for the quick responses!

Trunk your VLANs on a single pfSense interface.

The Netgear docs suck big time.

https://community.netgear.com/t5/Smart-Plus-Click-Switches/Port-trunking-on-GSS108E/td-p/1353948

@dotdash Thank you Sir,

So, the routes went in nicely, but didn't work.
The issue I ran into was in Firewall Rules, for what ever reason, I saw the LAN net and LAN address, but missed completely network, which would allow me to define a segment and allow it access to the firewall's LAN.

So then I could create a rule for 192.168.212.0 / 24 to any, one for tcp/upd and one for icmp, once I could ping, all the apps on that segment were able to function properly. Did the same for 192.168.39.0/24 and 192.168.14.0/24. All working now,

Thank you for your time and information.

Jon

@kevdog Lol yes that is my conclusion. Made things a lot easier. Trying to set it up in DD-WRT was a bit convoluted. Following the tutorial in my OP was perfect, except I changed up the way I connected the main wifi and the guest wifi to my switch.

@airlab

Yikes -- like a I said I've only had mine for 6 months. I'm hopeful that in another year and a half this doesn't happen to me -- or maybe I just won't apply firmware updates.

HIPAA only requires that you make reasonable accommodations for security. This may not be a requirement to separate traffic, but I would recommend you do so anyway as this isn't something that end users would see. This can also help or hurt future troubleshooting depending on the issue.

Personally, I'd separate the traffic.

For troubleshooting purposes, the firewall allows all traffic between vlans. Windows firewall is disabled as well as any antivirus traffic. The mdns traffic is being forwarded from the iot vlan to my home network vlan. That is why the devices are visible in Chrome and Videostream. But only those two are seeing the devices. No other players such as VLC, or WMP can see them.

@solaris81 Thank you what you have here describe i did that also see the screenhosts, Also this is well the good function. I found where it goings wrong. It was the Turnk port 0 which i must open on my HYPERV adapter... everything works now fine.