Solved

It was a layer 8 issue - between the chair and the monitor. Static routing on LAN2 was incorrect. Reconfigured the static route (as per the settings in my previous reply) and connections are not dropping anymore.

Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.

If you tell pfSense to tag on VLAN 5, and the switch port connected to that has tagged VLAN 5, then your workstation needs to be connected to an untagged VLAN 5 port on the switch to have layer 2 connectivity to pfSense.

That's the whole point.

OK then the MAC address should be spoofed. The MAC address on the LAGG should also be the spoofed MAC. That is exactly what would be expected.

Please post your rule set not a summary of what you think is there. You left out a lot of key information.

@Asamat: Your 'this Bug' URL is this thread here. ☺

-Rico

@derelict Thank you for pointing us in the right direction. Eventually found in the switch a different ARP the in the pfsense. Eventually followed those issue around in the network and solved the issue.

Thank you for the advice.

Two things that I forgot to mention are that I already have OpenVPN set up successfully for my normal network and that since I'm new to the pfSense concept, I've never worked with VLANs on it before. I do, however, understand the VLAN broad concept since I've taken a Principles of Networking class as a computer systems administration student at my university.

Thank you for pointing me in the right direction, I am brand new to pfsense. I wasn't expecting the SG-3100 to have it's built in little switch.

I am finding conflicting information regarding the SG-3100 being able to support LACP on a LAGG.

This post indicates the SG-3100 seems to not support LACP
https://forum.netgate.com/topic/131207/lagg-on-switched-ports-on-sg-3100

and this Netgate article has LACP described for the SG-3100 has LACP listed as a protocol for the SG-3100.

I am still have difficulty created a 2 port LAG to a Cisco switch using LACP and trunking multiple VLANs over it.

Has anyone here been successful at this?

Thank you.

Now if only I could edit the topic, I could change it to solved!

@jknott thanks for your help,
finely i got it to work, i needed to add the VLAN to the switch and then tag the ports i want to transfer the VLAN with

@johnsed said in VLAN over openvpn:

so I have 11 vpns on each router

Certainly not how I would do it. I'd have a central site feeding all of those. I would have redundancy at the central site so no one failure took everything down. That site would route between the "spokes." Everything necessary to all of the "spokes" would be accessible via the central site.

They way you have done it is take the number of sites you have and the number of problems that might ring your phone is sites^2 instead of sites/2.

Did you put a gateway on your vlan 5 rules? This is common mistake where users set a gateway on the rule, this forces traffic out that gateway vs allowing pfsense to use it routing table.

Post up your rule(s) you put on vlan 5 interface

Blocking rfc1918 on the interface have seen as well.

Hello
Completely true, IP duplicated in the LAN segment.

Thank you so much.

Ah, well then it shouldn't be required through the edge router either. Just a matter of getting it to pass the traffic.

Steve

@sccmadmin said in Camera VLAN Configuration:

The DVR will need to have access to both VLANs to access the cameras and to be accessed from user computers to login to web interface to view the camera feed/recordings.
How can I accomplish this?

That is called routing.. And yes that is how any device in vlan X gets access to devices not on vlan X.. Be they are vlan (tagged) or just different physical networks.

That is what pfsense does out of the box.

You can set the rules to be any any on both networks/vlans or you can restrict traffic to the specific ports needed.

I would NOT recommend dual homing your DVR.. Unless your going to isolate all your camera's behind the DVR itself on different vlan that doesn't even have to touch pfsense. And then another nic on the DVR will give the DVR access to the rest of your network, etc.

What needs to be done is all the vlans that you want on the downstream switch need to be tagged and allowed on the port that connects the switches on both switches.. Cisco calls that a trunk port yes.

edit: BTW moving this to the L2 section.

Create a LAGG on pfsense and on the switch stack. Use the LAGG as the vlan parent.

If your talking about changing the vlan interface mac addresses, you can’t you need to change the mac on the parent interface.

@johnpoz said in Setting up a Vlan for security,:

You should never be suggesting to someone that they can get by with using a dumb switch if they want to start using vlans.

What about my original intention for using a VLAN. I have an access point that supports multiple SSIDs and I was planning on setting up a guest SSID & VLAN. It was the only device on my network, other than pfSense, that would use a VLAN. Was I supposed to toss a perfectly good Cisco unmanaged switch, just because I was running a VLAN to one device?

However, I definitely recommend VLANs for security cameras, VoIP phones, etc.. In some cases, it makes sense to use a managed switch to keep LAN and VLAN separate. In others, maybe not. An example would be a network where most devices are VoIP phones, with computers plugged into the phones. (I've seen networks where there's nothing else other than VoIP phones & computers and the Internet connection) In that situation, what advantage would a managed switch provide? Due to the way switches filter traffic, there would be very few VLAN frame appearing at devices not configured for a VLAN. As always, look at the requirements and be guided accordingly. That said, there's not much reason to not buy a managed switch these days.

BTW, my plan failed because our favorite manufacturer, TP-Link, didn't know how to handle VLANs properly.

Me and jknott bang heads about this all the time.

And you have horns on yours! 😉