Thanks. I got it working now.

OMG! I took a look at the settings for the VOICE Phase 2 and for some reason had the remote subnet setup as my LAN subnet. I can now ping and access from the LAN. Well, I'm a special one! Thanks everyone for your help! Sorry to waste your time!

@Derelict Ok, found a Microtik post on the parameters around the passthrough and it will reject traffic from a device with the same MAC as the passthrough device. As a workaround, you can create another VLAN interface on Microtik (I created VLAN 11) and did likewise on the pfSense.

@alpha_de said in Converting two LAN (LAN/OPT1) into LAN/VLAN: I would like to convert the 192.168.5.x network in VLAN 99, using the VLAN capability of the two Unifi AP to run both WiFi on each of them, tagging the IoT WiFi as VLAN 99. If the traffic is tagged as 99 out of the AP it should come in on a tagged port in the GS108T. GS 108T would be connected to pfSense LAN and all devices to GS 108T. That'll take care of the LAN traffic but you need an untagged VLAN 99 port on the GS108T connected to the pfSense OPT1 as well. OR Have a tagged port in the GS108T connected to a VLAN-capable (tagged a.k.a. trunk) interface in the pfSense.

now you guys are just rambling I already solved my issue myself no thanks to your sparky comments and now you are posting the same solutions I found already so why ?

@johnpoz said in SPAN from LAN to OPT only shows multicast: Where are you that it would take few weeks? Are you in the middle of some jungle somewhere? Amazon prime is 2 days tops pretty much anywhere ;) hehe Except the Amazon jungle.

You need to leave the PVID on port 3 as 1. That determines what VLAN untagged traffic received on that port gets placed on. You want tagged 621 traffic. Create a new VLAN 621 in Interfaces > Switches, VLANs. Set port 0 and 3 tagged there. That should get you where you need to be with all the other work you have done.

It does not change the MTU thats what I am saying, I changed it in GUI and its still says 1500. There is no vlan involved here.

Your virtual pfsense doesn't actually need them tagged.. You can for sure have interfaces as untagged in pfsense 1 connected to wan and other to lan with 2 virtual interfaces in pfsense. But if your only going to give your pfsense 1 virtual nic - then yeah one of the networks would have to be tagged. If your going to run 2 interfaces into your host - just bridge 1 to 99, and the other to 10 connected to your switch untagged. And then on pfsense create 2 interfaces one connected to the 99 and the other to the 10.. Then both of those could run untagged into proxmox server.

thanks, that was going to be my next task, just didn't know how bad it would behave given that it would be random PCs plugged into these ports... but in any case I may have solved my bridging problem... which I will post in the virtualization thread... MAC spoofing

here this is how it would be setup pfsense --- vlan20T, vlan1U --- switch --- vlan20U --- pc The pvid settings on these ports would be 1 for where vlan 1 is untaged connected to pfsense, the pvid for port connected to pc would be 20.. Some switches do this without any way for you to edit it, other do not.. All a pvid does its tell the switch traffic without a tag that is entering this port from the network will be on this Vlan.. Does pfsense see the dhcp discover from your PC? If not then yeah you got something wrong and no your never going to hand it an IP.. You sure dhcpd is running on your vlan interface, etc. You sure your switch is actually in dot1q mode vs port mode for vlans?

@max33 great! have a nice day)

@saunada said in pfSense Netgate SG-1100 and Unifi UniFi Switch 24 POE-250W Not Working: Why do we make OPT and LAN the same vlan? You don't. I have not made the changes to the VLAN table. Do I need to add a VLAN group 4 for VLAN Tag 70 as show in the pic below? You obviously need to tag your new VLAN on both ports of the switch.

Thank you - I have reached out to them.

@Thuan said in New to pfSense: Do you think I can’t tell the difference between across street WiFi and my own? Dude you would be surprised at how many dumb things I have seen users do over the years! So yeah its freaking possible ;) My overall point is you have provided ZERO info to actually help you...

This is a case where just because you can doesn't mean you should. On an IPv4 broadcast network, the first address in the subnet is the network address and the last address is the broadcast address. Pretend they don't exist for interface numbering purposes and spend your time by the pool instead of chasing problems because some stupid new device doesn't understand the aggressive network numbering scheme you implemented 18 months ago.

@Gertjan I figured out it was a firewall issue within Windows just in time! That was my next step though :) Thank you for your offer of assistance! - Nic.

What? You don't need VLANs at all to make separate networks on each discrete router interface. Interfaces > Assignments https://docs.netgate.com/pfsense/en/latest/book/interfaces/index.html

i got it working. wrong firewall rules thanks

Hello, Unfortunately no. I use the upstream switch for the port mirroring and the target (snort/ELK) is smart enough to ignore pppoe encapsulation.