Thank you - I have reached out to them.

@Thuan said in New to pfSense:

Do you think I can’t tell the difference between across street WiFi and my own?

Dude you would be surprised at how many dumb things I have seen users do over the years! So yeah its freaking possible ;)

My overall point is you have provided ZERO info to actually help you...

This is a case where just because you can doesn't mean you should.

On an IPv4 broadcast network, the first address in the subnet is the network address and the last address is the broadcast address. Pretend they don't exist for interface numbering purposes and spend your time by the pool instead of chasing problems because some stupid new device doesn't understand the aggressive network numbering scheme you implemented 18 months ago.

@Gertjan I figured out it was a firewall issue within Windows just in time! That was my next step though :) Thank you for your offer of assistance! - Nic.

What? You don't need VLANs at all to make separate networks on each discrete router interface.

Interfaces > Assignments

https://docs.netgate.com/pfsense/en/latest/book/interfaces/index.html

i got it working. wrong firewall rules thanks

Hello,

Unfortunately no.
I use the upstream switch for the port mirroring and the target (snort/ELK) is smart enough to ignore pppoe encapsulation.

I answered my own question. I should have tagged port 2 on the uplink instead of port 1. LMAO

Have you tried to see if restoring a previous backup works? Sounds like you changed some config (probably on the external switch or pfsense box) that dropped all connections.

@Derelict

The cable was the problem. I haven't replaced it yet because I just tried flipping the cables to see if the 100baseTX would change to the other NIC but both are now running full Gigabit so it definitely must be one of the two cables. Since it is working now I will leave it and will replace it if it starts to give any issues. I appreciate the help!

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=1009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
ether 00:1f:29:5a:65:b2
hwaddr 00:1f:29:5a:65:b2
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=1009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
ether 00:1f:29:5a:65:b2
hwaddr 00:1f:29:5a:65:b3
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 00:25:b3:0e:1d:a1
hwaddr 00:25:b3:0e:1d:a1
inet6 fe80::225:b3ff:fe0e:1da1%em2 prefixlen 64 scopeid 0x3
inet 172.16.0.250 netmask 0xffff0000 broadcast 172.16.255.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

I'm so used to the cables I make being just fine I didn't think to check one of them.

What? It is an interface just like any other. It has an address, firewall rules, DHCP servers, etc.

Apologies @JKnott , got redacted during the numerous drafts before posting. Yet I can say that I'm pondering the source off all drama to be the Realtek 8153 driver.

The setup worked flawlessly for a number of months on esxi. Only with XCP-ng has it became so messy.

Yet now I'm looking into compiling the lastest RTL8153 driver. I'll be back to advise once that's completed.

Got it figured out. Was over thinking it.

Thanks for the replies.

What model tp-link ap is it? even there more expensive put the web ui as untagged (kind of silly when default state broadcasts whatever network it is on openly) so you may want to untag the port on your cisco switch for whatever vlan you intend to manage the ap with. If the ap is one that doesn't support vlan tagging just untag all traffic on vlan you want it to broadcast on give the ap an ip in 172.22.222.x range and add an allow rule on your land interface to this ip. Also ensure you have an allow rule to !172.22.0.0/16 (or however you want to do it) on your ap interface for internet traffic.

After you create the VLAN, under Interfaces -> VLANs, which it looks like you did correctly, you need to assign it to a valid physical interface. That is done under Interfaces -> Interface Assignments.

So, in your examples, you've created VLAN 160 on your LAN interface. After this gets setup, you should be able add the VLAN as an interface, under the dropdown "Available network ports". You've got a photo of it, but your picture says "ovpns1 (OpenVPN)". Is there anything else under that dropdown menu. The VLAN in question should be an option in there.

Jeff

Are both services actually on VLAN 1000? That seems unusual. You'd create multiple VLANs and assign appropriate priority to each. Typically, you'd have the Internet on the native LAN and priority stuff on a VLAN, with priority assigned.

BTW, based on this and other posts, I'm beginning to think those fibre boxes are actually two separate devices, connected with a switch. Do the 2 services have different MAC addresses?

Don't put an IP on it.. But normally the lan be it vlan or not would be where your staff or mangement vlan is because that is where it puts the antilock out rules.

In your case vlan 12.. You can rename it to staff if you want ;)

@h0w1tzr said in Need help with pfSense VPN and subnetting:

I currently have pfSense configured with the LAN interface using 10.0.0.1/16

Thats not a very good idea.. You have need to grow to a single L2 of like 65K ips?

If you have a bunch of networks that all fall into that /16 space then sure you could push that as a route, and use as firewall rule, etc. But its really large, and you could end up overlapping or stepping on other networks or routes you need to get to as your network grows.

Looks like you have 7 segments you need.. You could say almost double that to have room for growth and use a /20 that would give you

10.0.0-10.0.15 to work with for space.. Which you could then use as /24s

But pfsense would not have a /20 on one of its interfaces unless you were just going to use that as one large L2.. Pfsense would either have interfaces in each vlan, or would have a transit network connection to your downstream router that would be routing your different /24 vlans..

Its a good idea to also keep your vlans that you use in a larger space in one section of the overall space, say the lower half or the upper half of the space so you can always split that if need be - when you need/want to use the space else where so you don't have to renumber large networks..

So for example while you could use a /20 to give you 16 /24s either try to keep the vlans you use next to each other so its easier to split off at some future time unused space.

Vs doing what you have with those .50 and .100 segments... keep them tighter grouped.. You can always skip so you can say grow to a /23 on each segment if needed..

10.0.0/24
10.0.2/24
10.0.4/24
10.0.6/24

etc.. so now each of those could be moved to /23 without much issue.. But your still only using smaller amount of concurrent space in your larger space.. So if you need to split off some of the larger space you don't have to renumber your current vlans.

Or if need be you could use the /24 between for other vlans, etc..

IP space management is quite often overlooked in early spin up of networks, and comes to bite you later.. I have the whole 10/8 to work with... Lets give every site their own /16 in that for example... Or lets put this vlan at the beginning of my /20 and this other vlan at the end of that.. Now what happens when you need to drop that /20 to a /21 or /22 etc..