Yeah what he is talking about is this

https://en.wikipedia.org/wiki/Multicast_routing

Completely different ball game to be honest ;) This is NOT what the OP was talking about.. not at all!!

HA+LACP.png

@mcury said in SMB - Windows share over vlans:

Yes, run in the server, or in pfsense interface connected to the server.
I presume those 10 networks are /27, /28 /29 right?

A /26 or less would give you routing issues due to network overlap.

Just realized that the networks are different, my mistake, disregard the quoted info.

Nice, good that is now working.
Even better, now you have more tools to troubleshoot problems in the future.

Thanks for the feedback. I'm reading the "book" on pfSense as I go. I'm starting to get the way it works.

yeah indeed I just needed to tag the port on the switch to the corresponding vlan. I figured it must have been something super simple that I was missing 🤦

thanks guys!

Great - any questions just ask, here to help.

Remember get those smart switch(es) on order! ;)

Correct... If your sending it to switch sure just tag everything.. This common... But there is nothing saying 1 of those can't be untagged.. There is nothing wrong with it, you just need to understand what your doing.

And it sure and the F is not less secure...

Say for example was going to plug my AP into that port on the firewall.. And for its management network it has to be untagged.. How would it work if tagged everything on the port on the firewall.

Switch don't care, port don't care - it just needs to know what it tags or doesn't tag... When you put more than one vlan on a port.. Only 1 can be untagged, rest tagged, or all of them tagged... Makes no difference.. You just can not expect to run more than 1 untagged network on a port..

Got it. Once again thank you. I know what i need to do now.

I don't know why you're getting 2 MAC addresses.

Because of some weird issue in the firmware?

Given they're sequential, they are likely from the same device.

That has to be the case.

What does Packet Capture show.

I have not captured any packets so far, but I will.

One thought, do you have a static mapping configured for that address, but with the wrong MAC?

I do have a static mapping for MAC address: 50:c7:bf:3d:4b:48 .

Also, that capture of the AP status shows modes b,g & n listed, which means you have all of those enabled. Mine shows n only. I have configured it that way, as all my devices are capable of using n. You can change the mode on the Wireless Settings page.

Mea maxima culpa! Setting corrected now.

Yeah that was there reasoning behind not being able to remove vlan 1 ;) Now that you can remove vlan 1 from ports - you should be able to limit from what network you can access the switch gui from.

UPDATE *
I did more test today and I don't understand why pfblocker NG causes the issue on my VLAN but not my LAN since both networks are assigned to the same interface and screened by the same rules under pfblockerNG... The IP was white listed therefore it should not be an issue in my opinion...

@BBcan177 Maybe you can shed some light on my issue if you have time, I would appreciate that. :)

Thanks in advance!

Okay I'll write what's causing this behaviour. It has nothing todo what the different masks, using pfsense as a wireless-bridge, using bridged interfaces, routing or whatever. Basically it because Linux hosts have default kernel-setting "reverse path filtering" enabled. This can be temporary disabled (untill next reboot) by sudo sysctl -w 'net.ipv4.conf.all.rp_filter=0. Now I understand why it happened. So you have to take that into account.

@boniface50 At a high level, typically, you'd have the LAN interface enabled but unconfigured, create tagged VLANs off the LAN interface, tag the VLANs you want to traverse the "trunk" between PFsense and your switch(s), then configure your access ports with the correct VLAN(s).

The switch configuration will vary across the different vendors, but the above is an overview of what needs to happen. What make/model switch are you using? If you have a Cisco switch, I can offer some guidance. Otherwise, someone else may need to chime in.

You only need 1 uplink (trunk) per switch unless you want to configure a port-channel for extra aggregate bandwidth. Also, that bridge is going to take a performance hit. I'd recommend removing the bridge, starting from scratch and get tagged VLANs working.

gracias por su atención, solucione mi problema ;)

Im not really sure exactly what was wrong...

I've started from scratch, and came to the same or new issues. Doing troubleshooting, i found that the broadcast address was way off, which I did not really understood. I then found that the VLAN interface was created as /32 CIDR, which it defaults to, so its highly important to remember to change this. 😆

Changed it to /24 CIDR, and then it started working.

@marvosa Now on to the next problem (which will be it's own post if I decide to continue) - HomeKit and WeMo don't talk to one another from the LAN to the VLAN. I found a few guides and attempted to open some ports but it's still not working.

At this point, I don't know if it's still worth it. I'd love to be able to have the IoT devices on their own network to avoid them compromising my LAN but it seems like a PITA to get them to talk across networks.