I answered my own question. I should have tagged port 2 on the uplink instead of port 1. LMAO

Have you tried to see if restoring a previous backup works? Sounds like you changed some config (probably on the external switch or pfsense box) that dropped all connections.

@Derelict The cable was the problem. I haven't replaced it yet because I just tried flipping the cables to see if the 100baseTX would change to the other NIC but both are now running full Gigabit so it definitely must be one of the two cables. Since it is working now I will leave it and will replace it if it starts to give any issues. I appreciate the help! em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=1009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER> ether 00:1f:29:5a:65:b2 hwaddr 00:1f:29:5a:65:b2 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=1009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER> ether 00:1f:29:5a:65:b2 hwaddr 00:1f:29:5a:65:b3 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC> ether 00:25:b3:0e:1d:a1 hwaddr 00:25:b3:0e:1d:a1 inet6 fe80::225:b3ff:fe0e:1da1%em2 prefixlen 64 scopeid 0x3 inet 172.16.0.250 netmask 0xffff0000 broadcast 172.16.255.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active I'm so used to the cables I make being just fine I didn't think to check one of them.

What? It is an interface just like any other. It has an address, firewall rules, DHCP servers, etc.

Apologies @JKnott , got redacted during the numerous drafts before posting. Yet I can say that I'm pondering the source off all drama to be the Realtek 8153 driver. The setup worked flawlessly for a number of months on esxi. Only with XCP-ng has it became so messy. Yet now I'm looking into compiling the lastest RTL8153 driver. I'll be back to advise once that's completed.

Got it figured out. Was over thinking it. Thanks for the replies.

What model tp-link ap is it? even there more expensive put the web ui as untagged (kind of silly when default state broadcasts whatever network it is on openly) so you may want to untag the port on your cisco switch for whatever vlan you intend to manage the ap with. If the ap is one that doesn't support vlan tagging just untag all traffic on vlan you want it to broadcast on give the ap an ip in 172.22.222.x range and add an allow rule on your land interface to this ip. Also ensure you have an allow rule to !172.22.0.0/16 (or however you want to do it) on your ap interface for internet traffic.

After you create the VLAN, under Interfaces -> VLANs, which it looks like you did correctly, you need to assign it to a valid physical interface. That is done under Interfaces -> Interface Assignments. So, in your examples, you've created VLAN 160 on your LAN interface. After this gets setup, you should be able add the VLAN as an interface, under the dropdown "Available network ports". You've got a photo of it, but your picture says "ovpns1 (OpenVPN)". Is there anything else under that dropdown menu. The VLAN in question should be an option in there. Jeff

Are both services actually on VLAN 1000? That seems unusual. You'd create multiple VLANs and assign appropriate priority to each. Typically, you'd have the Internet on the native LAN and priority stuff on a VLAN, with priority assigned. BTW, based on this and other posts, I'm beginning to think those fibre boxes are actually two separate devices, connected with a switch. Do the 2 services have different MAC addresses?

Don't put an IP on it.. But normally the lan be it vlan or not would be where your staff or mangement vlan is because that is where it puts the antilock out rules. In your case vlan 12.. You can rename it to staff if you want ;)

@h0w1tzr said in Need help with pfSense VPN and subnetting: I currently have pfSense configured with the LAN interface using 10.0.0.1/16 Thats not a very good idea.. You have need to grow to a single L2 of like 65K ips? If you have a bunch of networks that all fall into that /16 space then sure you could push that as a route, and use as firewall rule, etc. But its really large, and you could end up overlapping or stepping on other networks or routes you need to get to as your network grows. Looks like you have 7 segments you need.. You could say almost double that to have room for growth and use a /20 that would give you 10.0.0-10.0.15 to work with for space.. Which you could then use as /24s But pfsense would not have a /20 on one of its interfaces unless you were just going to use that as one large L2.. Pfsense would either have interfaces in each vlan, or would have a transit network connection to your downstream router that would be routing your different /24 vlans.. Its a good idea to also keep your vlans that you use in a larger space in one section of the overall space, say the lower half or the upper half of the space so you can always split that if need be - when you need/want to use the space else where so you don't have to renumber large networks.. So for example while you could use a /20 to give you 16 /24s either try to keep the vlans you use next to each other so its easier to split off at some future time unused space. Vs doing what you have with those .50 and .100 segments... keep them tighter grouped.. You can always skip so you can say grow to a /23 on each segment if needed.. 10.0.0/24 10.0.2/24 10.0.4/24 10.0.6/24 etc.. so now each of those could be moved to /23 without much issue.. But your still only using smaller amount of concurrent space in your larger space.. So if you need to split off some of the larger space you don't have to renumber your current vlans. Or if need be you could use the /24 between for other vlans, etc.. IP space management is quite often overlooked in early spin up of networks, and comes to bite you later.. I have the whole 10/8 to work with... Lets give every site their own /16 in that for example... Or lets put this vlan at the beginning of my /20 and this other vlan at the end of that.. Now what happens when you need to drop that /20 to a /21 or /22 etc..

@atcm89 said in CAN NOT PING IN SAME VLAN ?: Vlan 3 (11.11.11.0/24). Unless that is a typo - or your hiding public space you actually own - that should be changed.. Its not good idea to use public space that is not actually yours. There really is not good reason to do that either - since there is plenty of rfc1918 you could use.. 10.10.10/24 would be valid rfc1918 space you could use.

No they are not bridged they are an actual switch.. https://www.youtube.com/watch?v=NgRy14rYhV8&feature=share Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4

You should be able to configure the switch as you need as long as you don't change to port VLAN mode (not sure why anyone would want to do this in practice) and don't change the port you are connected to for management. You should be able to create a new VLAN, add ports to it, and trunk it up on 9t,10t to a new pfSense VLAN interface. This is no different than having a two-port lagg VLAN trunk to a managed switch. Except that you manage the switch in pfSense and the switch/trunk connection are all in the box.

@jimp Thank you.

You would set it up just like this but instead of 2 broadcast domains (switches) you would set up eight using one port each untagged, plus 9t,10t. https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html#two-lan-switches

That would be handled by Netgate Professional Services.

thanks for the reply, as i was reading a tad bit the vxlan and transport i just dont know if pfsense has to do with anything