@johnpoz as i said man, the proxy (squid) is off while i sort the other issues out. I decided to implement the vlans and ensure everything was running tight before introducing another problem point. I set the wpad up via another ngix instance and rather than backing everything out, i just changed the proxy.pac to DIRECT for the two lan segments i had. It seems, even though the win10 wasn't configured to use a proxy, nor was DHCP one the vlan segment, nginx was still reporting an authentication error for the vlan segments. I've now added all the vlan segment to the ngix config and it with my original rules. i have also come across an issue with win10 and the vlans. It seems when win10 is connected to pfsense and goes to sleep with a vlan config, when woken up, it doesn't have a DHCP address and can't be renewed until the adapter is disabled and re-enabled. anyway, seems stable enough i can start again with the netgear and dd-wrt. update: netgear and dd-wrt now good. only strange thing is the win10 pc, doesn't get an ip after waking up on the vlan without toggling the adapter off/on. on the lan it doesn't have this problem. ** oddly enough, this doesn't happen with the PC is connected via the dd-wrt switch. Only when it is directly connected to the qotom box. strange.... but all good now

That sounds like a question better directed toward Protectli or your wireless gear vendor. Don't see a lot to do with pfSense there.

Update: I think I found the reason why I cannot do this. To unselect a selected member from a multi-selection sections you will need to CTRL+click instead of just click by mouse. Pressing down the CTRL key while clicking a selected member will unselect it. So I was doing it wrong. Regards.

Did you not have your coffee this morning?? If the ssid on the AP is set for wpa2-psk for wifi network SSID-X, how and the F could the client use wpa3 on it??? So you could have SSID-A yes on the AP (device) set wpa2-psk, and SSID-B set for wpa3, yes this assumes you have an actual AP that can do more than one wireless network, not some soho wifi router shit box.

@RPisces said in Subnets not reachable on created VLANs: I don't know if I understand all of your question properly but I believe you're asking something similar to what johnpoz has. If you were to set up any firewall/router, you would have your LAN, which all your computers etc. attach to on the native or untagged LAN. Do you have that? I don't see it mentioned anywhere in your description. Also, given you don't know the difference between L2 & L3, I suspect you're tackling something beyond your abilities. L2 refers to Ethernet and is where switches operate. L3 is IP and where routers work. I get the impression you're making things overly complex because you do not understand how things work.'

@geronimobb said in 2 identical VLAN's not working the same: Second problem is it seems impossible to route the vlan networks trough the VPN clients to the outside world Maybe you should be asking why you need to do that. If you have VLANs, you have multiple subnets. Why not just route them through the VPN and recreate the VLANs at the other end? That way, they don't even have to be the same VLAN number or could even be a completely different network.

That Drawing is useless.. It looks Kind of pretty, but your pvfsense is a VM right.. You don't how how that is connected to anything physical. vmx0 and vmx1 would be virtual interfaces.. How is that tied to your hosts physical interfaces? Lets see a screenshot of networking in esxi

@johnpoz said in Setting up pfSense for VLAN and trunk port: Doesn't matter pass or not pass.. That is NOT THE POINT!! The point I've been trying to make is that people have a lot of assumptions that are false. There has never been a reason for unmanaged switches to block VLANs. Think back to the original Ethernet, which ran over coax cable, without switches or even hubs. There was nothing to block anything. When hubs came along, they behaved exactly like the coax, in that they didn't block anything. Then came switches, which then again passed everything, though since they buffered frames, there was a limitation on how big the frames could be. Switches started to become popular back in the late 90s, around the time of 802.3ac. However, at no point was there ever any reason to block VLAN frames in an unmanaged switch. As for using VLANs on managed vs unmanaged switches, I agree managed switches should be used and have one on my home network. But that does not mean unmanaged switches can't be used, nor shouldn't be used on a small network as you might find in a home network. There are also many applications where VLANs and native LAN are used on the same wire. One common application is VoIP phones that have a computer port. With these, a computer is plugged into the phone, which then connects to the switch. Another would be WiFi access points, with multiple SSIDs. If I were to build a network today and had a say in the equipment used, then I would always go with managed switches, but I often don't have that say and have built many networks, in small businesses, without them.

Not all Ethernet interfaces have hardware support for VLAN, watch at end of this document https://docs.netgate.com/pfsense/en/latest/book/vlan/index.html

@Derelict Got it. Firewall <-> mvneta router <-> switch port 0 It's just odd knowing where the lines are between the pieces in a SoC. Thanks. For others - this was helpful https://www.marvell.com/documents/qc8hltbjybmpjhx36ckw/

@chpalmer Well i agree but as i don't really fully understand what i'm doing and seeing, i try to understand what i read in the logs of PIMD Thanks anyway for your time ;)

Are the IP addresses you are using both public IPs? What address are you testing from? Something in the same subnet? Can you connect out from the console from the new address? Ping, say, both 8.8.8.8 and google.com? Steve

There are two ways this could be handled: Change the behavior of the code. Update the documentation with a note that if you have "auto negotiation" set explicitly and you are seeing the port cycle link repeatedly, try resetting to "default".

@Derelict said in Setting up VLAN: pfSense and UniFi Gear (150w PoE switches, EdgeSwitch 16XG, UniFi Controller, 13 UniFi APs): For future reference there is no issue doing the untagged LAN interface plus tagged VLANs on the same interface. That's often the way VoIP phones are configured, with the phone on a VLAN and computer port on native. Also, access points with multiple SSIDs. As mentioned above, there is no reason why a VLAN cannot share the wire with a native LAN. The only difference between a VLAN frame and native is the contents of the Ethertype field, plus an additional 4 bytes for the tag.

Yes if the pfsense is inside your vm host, ie a vm itself and you want it to handle tags, then the vswitch its connected to that connects it to the real world needs to be set for 4095 if you want pfsense to see the tags. Is your pfsense external to your host?

@chorong761 is ISP connection configured on pfSense? please provide more details

I contacted D-Link customer support and they walked me through the configuration on the DGS-1100-24 switch, for others it is a B2 hardware revision. I now have the AP connected to the switch with the switch connected to the LAN interface of pfSense, no more bridge or additional outbound NAT settings required now. Here is how it is configured now. pfSense LAN interface to switch and from the switch to AP. the AP SSID for the guest wireless has been set to use VLAN 20 and a VLAN was created on pfSense of 20 and assigned to the LAN interface. I made an allow all rule for the VLAN network and have DHCP configured and I am able to access the internet and local resources. I will create a thread under firewall rules for the next part of this configuration. Thanks to both Derelict and Johnpoz for your help, guidance and patience as I am new to VLANs.

Thanks. I can't find the solution yet. I've just flashed it with Openwrt and will see how it goes because it has more control regarding VLAN on Openwrt.