@johnpoz Yes, sorry for poor communication skills on this

@NogBadTheBad
Thanks for pointing this out. I have tried setting the net.link.bridge.pfil_bridge to 1 and tested the network capture, sadly still the same result. Therefore this kernel setting doesn't seem to be related. Remember I mentioned remote capturing works properly, and that was done against "bridge0" bridge interface instead of member interfaces whilst the net.link.bridge.pfil_bridge was the default value 0.

Regards.

How do you have this all physically connected? If you have a loop and preventing issues with STP does not really sound like an optimal solution..

Why would you not isolate your L2 networks via vlans on your switch? Where you wan is different L2 than your Lan..

@Rai80

Alright, I go try

WPA3 enterprise would be the new way to go ;) It is hopefully going to be viable here soon on the unifi stuff.

It sounds to me like you have all the nuts and bolts necessary to build a pretty decent segmented network.
There's no mention of your WiFi gear, but regardless of vendor, as long as it supports VLANs you'll good to go with that component too.

Personally, I have networks for servers, kids, media, IoT, guests, etc.
I have a fairly beefy server (16-core, 96GB RAM, 12TB RAID 5) running ESXi with everything virtualized (including pfSense).

Servers and printers share the same network. Parents devices have their own VLAN with DHCP (responds only to named reservations) and rules allowing access to pretty much anything. Each kids has their own VLAN with DHCP (responds only to named reservations) and rules controlling what they can access, and schedules to ensure they get some sleep! - The WiFi has one SSID to rule them all, it is integrated with AD and does per user RADIUS VLAN assignment, but that's just icing on the cake. Media devices, Roku, PS4, etc have a media VLAN again with DHCP, rules and schedules. IoT devides, fridge, thermostat, cameras, etc have their own VLAN with DHCP and rules (generally allow to Internet only) Guests have a VLAN (accessed via the WiFi) with DHCP and captive portal, and rules. (I also added a MAC filter to the WiFi to prevent the kid's devices from using the Guest WiFi and bypassing the above controls). Several LAB VLANs where I can spin up VMs to test various things

Some planning will certainly be required:

Figure out how many VLANs you will need. Keep in mind that while you can make it super complicated, managing it also becomes complicated as does troubleshooting. Each VLAN will need a separate non-overlapping subnet. pfSense will be the default gateway for each subnet. Each subnet will need rules to indicate what it is allowed to access (keep in mind that any other interfaces besides LAN have no default rules, so you'll need to create some).

You could add VLANs to the LAN interface, or natively to the other interfaces, it makes no difference unless you are passing a lot of traffic between two different VLANs, in which case it might make sense to have them on separate ports. Configure the managed switch with the VLANs and assign them to the port(s) facing pfSense.
From there move your devices into the desired VLANs (IP renumbering will be required), and create rules as needed.

Lastly, test and test some more.

Hello jimp,

Thank you for your useful answer.

My original problem was described in another topic, here:
https://forum.netgate.com/topic/146476/issue-with-failover-gateway-group-over-vti-tunnels/2

Since Gateway Groups is not working properly on VTI interface, then I decided to do the automatic failover switching on the Mikrotik router (with a script). That is why I wanted to extend the VTI tunnels from pfSense to Mikrotik router by briding them with an ether interface on pfSense.

Some sort of (GIF) tunnel over VTI tunnel could have solved the problem, but to use these solutions are very limited at "Site B".

I chose a different solution: I installed a second (virtual) instance of pfSense, in this case 2 VTI tunnels were enough instead of three. And because one pfSense had only one VTI tunnel, layer3 connection was enough between Mikrotik and the pfSense routers to do the automatic failover switching on the Mikrotik.

So I already solved this problem... but if you have any idea/hint, I'm open to receive it for the future.

Thanks,
SGábor

@johnpoz as i said man, the proxy (squid) is off while i sort the other issues out. I decided to implement the vlans and ensure everything was running tight before introducing another problem point.

I set the wpad up via another ngix instance and rather than backing everything out, i just changed the proxy.pac to DIRECT for the two lan segments i had. It seems, even though the win10 wasn't configured to use a proxy, nor was DHCP one the vlan segment, nginx was still reporting an authentication error for the vlan segments. I've now added all the vlan segment to the ngix config and it with my original rules.

i have also come across an issue with win10 and the vlans. It seems when win10 is connected to pfsense and goes to sleep with a vlan config, when woken up, it doesn't have a DHCP address and can't be renewed until the adapter is disabled and re-enabled.

anyway, seems stable enough i can start again with the netgear and dd-wrt.

update: netgear and dd-wrt now good.

only strange thing is the win10 pc, doesn't get an ip after waking up on the vlan without toggling the adapter off/on. on the lan it doesn't have this problem. ** oddly enough, this doesn't happen with the PC is connected via the dd-wrt switch. Only when it is directly connected to the qotom box. strange.... but all good now

That sounds like a question better directed toward Protectli or your wireless gear vendor.

Don't see a lot to do with pfSense there.

Update:

I think I found the reason why I cannot do this.

To unselect a selected member from a multi-selection sections you will need to CTRL+click instead of just click by mouse. Pressing down the CTRL key while clicking a selected member will unselect it.

So I was doing it wrong.

Regards.

Did you not have your coffee this morning??

If the ssid on the AP is set for wpa2-psk for wifi network SSID-X, how and the F could the client use wpa3 on it???

So you could have SSID-A yes on the AP (device) set wpa2-psk, and SSID-B set for wpa3, yes this assumes you have an actual AP that can do more than one wireless network, not some soho wifi router shit box.

@RPisces said in Subnets not reachable on created VLANs:

I don't know if I understand all of your question properly but I believe you're asking something similar to what johnpoz has.

If you were to set up any firewall/router, you would have your LAN, which all your computers etc. attach to on the native or untagged LAN. Do you have that? I don't see it mentioned anywhere in your description. Also, given you don't know the difference between L2 & L3, I suspect you're tackling something beyond your abilities. L2 refers to Ethernet and is where switches operate. L3 is IP and where routers work. I get the impression you're making things overly complex because you do not understand how things work.'

@geronimobb said in 2 identical VLAN's not working the same:

Second problem is it seems impossible to route the vlan networks trough the VPN clients to the outside world

Maybe you should be asking why you need to do that. If you have VLANs, you have multiple subnets. Why not just route them through the VPN and recreate the VLANs at the other end? That way, they don't even have to be the same VLAN number or could even be a completely different network.

That Drawing is useless.. It looks Kind of pretty, but your pvfsense is a VM right.. You don't how how that is connected to anything physical.

vmx0 and vmx1 would be virtual interfaces.. How is that tied to your hosts physical interfaces? Lets see a screenshot of networking in esxi

@johnpoz said in Setting up pfSense for VLAN and trunk port:

Doesn't matter pass or not pass.. That is NOT THE POINT!!

The point I've been trying to make is that people have a lot of assumptions that are false. There has never been a reason for unmanaged switches to block VLANs. Think back to the original Ethernet, which ran over coax cable, without switches or even hubs. There was nothing to block anything. When hubs came along, they behaved exactly like the coax, in that they didn't block anything. Then came switches, which then again passed everything, though since they buffered frames, there was a limitation on how big the frames could be. Switches started to become popular back in the late 90s, around the time of 802.3ac. However, at no point was there ever any reason to block VLAN frames in an unmanaged switch. As for using VLANs on managed vs unmanaged switches, I agree managed switches should be used and have one on my home network. But that does not mean unmanaged switches can't be used, nor shouldn't be used on a small network as you might find in a home network. There are also many applications where VLANs and native LAN are used on the same wire. One common application is VoIP phones that have a computer port. With these, a computer is plugged into the phone, which then connects to the switch. Another would be WiFi access points, with multiple SSIDs.

If I were to build a network today and had a say in the equipment used, then I would always go with managed switches, but I often don't have that say and have built many networks, in small businesses, without them.

Not all Ethernet interfaces have hardware support for VLAN, watch at end of this document
https://docs.netgate.com/pfsense/en/latest/book/vlan/index.html

@Derelict

Got it. Firewall <-> mvneta router <-> switch port 0

It's just odd knowing where the lines are between the pieces in a SoC. Thanks.

For others - this was helpful https://www.marvell.com/documents/qc8hltbjybmpjhx36ckw/