@Derelict Got it. Firewall <-> mvneta router <-> switch port 0 It's just odd knowing where the lines are between the pieces in a SoC. Thanks. For others - this was helpful https://www.marvell.com/documents/qc8hltbjybmpjhx36ckw/

@chpalmer Well i agree but as i don't really fully understand what i'm doing and seeing, i try to understand what i read in the logs of PIMD Thanks anyway for your time ;)

Are the IP addresses you are using both public IPs? What address are you testing from? Something in the same subnet? Can you connect out from the console from the new address? Ping, say, both 8.8.8.8 and google.com? Steve

There are two ways this could be handled: Change the behavior of the code. Update the documentation with a note that if you have "auto negotiation" set explicitly and you are seeing the port cycle link repeatedly, try resetting to "default".

@Derelict said in Setting up VLAN: pfSense and UniFi Gear (150w PoE switches, EdgeSwitch 16XG, UniFi Controller, 13 UniFi APs): For future reference there is no issue doing the untagged LAN interface plus tagged VLANs on the same interface. That's often the way VoIP phones are configured, with the phone on a VLAN and computer port on native. Also, access points with multiple SSIDs. As mentioned above, there is no reason why a VLAN cannot share the wire with a native LAN. The only difference between a VLAN frame and native is the contents of the Ethertype field, plus an additional 4 bytes for the tag.

Yes if the pfsense is inside your vm host, ie a vm itself and you want it to handle tags, then the vswitch its connected to that connects it to the real world needs to be set for 4095 if you want pfsense to see the tags. Is your pfsense external to your host?

@chorong761 is ISP connection configured on pfSense? please provide more details

I contacted D-Link customer support and they walked me through the configuration on the DGS-1100-24 switch, for others it is a B2 hardware revision. I now have the AP connected to the switch with the switch connected to the LAN interface of pfSense, no more bridge or additional outbound NAT settings required now. Here is how it is configured now. pfSense LAN interface to switch and from the switch to AP. the AP SSID for the guest wireless has been set to use VLAN 20 and a VLAN was created on pfSense of 20 and assigned to the LAN interface. I made an allow all rule for the VLAN network and have DHCP configured and I am able to access the internet and local resources. I will create a thread under firewall rules for the next part of this configuration. Thanks to both Derelict and Johnpoz for your help, guidance and patience as I am new to VLANs.

Thanks. I can't find the solution yet. I've just flashed it with Openwrt and will see how it goes because it has more control regarding VLAN on Openwrt.

Thanks. I got it working now.

OMG! I took a look at the settings for the VOICE Phase 2 and for some reason had the remote subnet setup as my LAN subnet. I can now ping and access from the LAN. Well, I'm a special one! Thanks everyone for your help! Sorry to waste your time!

@Derelict Ok, found a Microtik post on the parameters around the passthrough and it will reject traffic from a device with the same MAC as the passthrough device. As a workaround, you can create another VLAN interface on Microtik (I created VLAN 11) and did likewise on the pfSense.

@alpha_de said in Converting two LAN (LAN/OPT1) into LAN/VLAN: I would like to convert the 192.168.5.x network in VLAN 99, using the VLAN capability of the two Unifi AP to run both WiFi on each of them, tagging the IoT WiFi as VLAN 99. If the traffic is tagged as 99 out of the AP it should come in on a tagged port in the GS108T. GS 108T would be connected to pfSense LAN and all devices to GS 108T. That'll take care of the LAN traffic but you need an untagged VLAN 99 port on the GS108T connected to the pfSense OPT1 as well. OR Have a tagged port in the GS108T connected to a VLAN-capable (tagged a.k.a. trunk) interface in the pfSense.

now you guys are just rambling I already solved my issue myself no thanks to your sparky comments and now you are posting the same solutions I found already so why ?

@johnpoz said in SPAN from LAN to OPT only shows multicast: Where are you that it would take few weeks? Are you in the middle of some jungle somewhere? Amazon prime is 2 days tops pretty much anywhere ;) hehe Except the Amazon jungle.

You need to leave the PVID on port 3 as 1. That determines what VLAN untagged traffic received on that port gets placed on. You want tagged 621 traffic. Create a new VLAN 621 in Interfaces > Switches, VLANs. Set port 0 and 3 tagged there. That should get you where you need to be with all the other work you have done.

It does not change the MTU thats what I am saying, I changed it in GUI and its still says 1500. There is no vlan involved here.

Your virtual pfsense doesn't actually need them tagged.. You can for sure have interfaces as untagged in pfsense 1 connected to wan and other to lan with 2 virtual interfaces in pfsense. But if your only going to give your pfsense 1 virtual nic - then yeah one of the networks would have to be tagged. If your going to run 2 interfaces into your host - just bridge 1 to 99, and the other to 10 connected to your switch untagged. And then on pfsense create 2 interfaces one connected to the 99 and the other to the 10.. Then both of those could run untagged into proxmox server.

thanks, that was going to be my next task, just didn't know how bad it would behave given that it would be random PCs plugged into these ports... but in any case I may have solved my bridging problem... which I will post in the virtualization thread... MAC spoofing