@jpyeron said in tunneling VLAN trunk help needed: I remember the all the different gateways. Thats cool, sounds like you got in to things a bit before me. Yep, I was working with LANs before there was such a thing as Ethernet. I worked on a Time Division Multiplexing network in a Rockwell Collins 8500C computer system, that was part of the Air Canada reservation system. This was late '70s - mid '80s. The various devices, such as tape drives and disk drives connected to the CPU over a tri-axial cable at 8 Mb/s. This system was the communications front end for the Univac computers at the heart of the system.

Update: I have decided to use LAGG to distribute traffic from the XG to the first switch, HPE 1920S-48G. Would it be recommended to continue using LAGG from the HPE 1920 to my second switch, HPE OfficeConnect 1820 24G? Can I simply tag a port with VLANs needed for switch two? Bandwidth needs are minimal for the VLANs dedicated on this second switch. Thanks.

@xyzzyz said in VLAN question for noob moving from Cisco ASA: My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port? No.

It was just the rules that were wrong - all sorted now. Thanks everyone for the quick responses!

Trunk your VLANs on a single pfSense interface. The Netgear docs suck big time. https://community.netgear.com/t5/Smart-Plus-Click-Switches/Port-trunking-on-GSS108E/td-p/1353948

@dotdash Thank you Sir, So, the routes went in nicely, but didn't work. The issue I ran into was in Firewall Rules, for what ever reason, I saw the LAN net and LAN address, but missed completely network, which would allow me to define a segment and allow it access to the firewall's LAN. So then I could create a rule for 192.168.212.0 / 24 to any, one for tcp/upd and one for icmp, once I could ping, all the apps on that segment were able to function properly. Did the same for 192.168.39.0/24 and 192.168.14.0/24. All working now, Thank you for your time and information. Jon

@kevdog Lol yes that is my conclusion. Made things a lot easier. Trying to set it up in DD-WRT was a bit convoluted. Following the tutorial in my OP was perfect, except I changed up the way I connected the main wifi and the guest wifi to my switch.

@airlab Yikes -- like a I said I've only had mine for 6 months. I'm hopeful that in another year and a half this doesn't happen to me -- or maybe I just won't apply firmware updates.

HIPAA only requires that you make reasonable accommodations for security. This may not be a requirement to separate traffic, but I would recommend you do so anyway as this isn't something that end users would see. This can also help or hurt future troubleshooting depending on the issue. Personally, I'd separate the traffic.

For troubleshooting purposes, the firewall allows all traffic between vlans. Windows firewall is disabled as well as any antivirus traffic. The mdns traffic is being forwarded from the iot vlan to my home network vlan. That is why the devices are visible in Chrome and Videostream. But only those two are seeing the devices. No other players such as VLC, or WMP can see them.

@solaris81 Thank you what you have here describe i did that also see the screenhosts, Also this is well the good function. I found where it goings wrong. It was the Turnk port 0 which i must open on my HYPERV adapter... everything works now fine.

Problem solved, it was the HYPERV netwerkadapter Trunk ports..

Yeah what he is talking about is this https://en.wikipedia.org/wiki/Multicast_routing Completely different ball game to be honest ;) This is NOT what the OP was talking about.. not at all!!

[image: 1579503577468-ha-lacp.png]

@mcury said in SMB - Windows share over vlans: Yes, run in the server, or in pfsense interface connected to the server. I presume those 10 networks are /27, /28 /29 right? A /26 or less would give you routing issues due to network overlap. Just realized that the networks are different, my mistake, disregard the quoted info. Nice, good that is now working. Even better, now you have more tools to troubleshoot problems in the future.

Thanks for the feedback. I'm reading the "book" on pfSense as I go. I'm starting to get the way it works.

yeah indeed I just needed to tag the port on the switch to the corresponding vlan. I figured it must have been something super simple that I was missing thanks guys!

Great - any questions just ask, here to help. Remember get those smart switch(es) on order! ;)

Correct... If your sending it to switch sure just tag everything.. This common... But there is nothing saying 1 of those can't be untagged.. There is nothing wrong with it, you just need to understand what your doing. And it sure and the F is not less secure... Say for example was going to plug my AP into that port on the firewall.. And for its management network it has to be untagged.. How would it work if tagged everything on the port on the firewall. Switch don't care, port don't care - it just needs to know what it tags or doesn't tag... When you put more than one vlan on a port.. Only 1 can be untagged, rest tagged, or all of them tagged... Makes no difference.. You just can not expect to run more than 1 untagged network on a port..