• 0 Votes
    2 Posts
    446 Views
    JKnottJ
    Are both services actually on VLAN 1000? That seems unusual. You'd create multiple VLANs and assign appropriate priority to each. Typically, you'd have the Internet on the native LAN and priority stuff on a VLAN, with priority assigned. BTW, based on this and other posts, I'm beginning to think those fibre boxes are actually two separate devices, connected with a switch. Do the 2 services have different MAC addresses?
  • lan should be Vlan

    0 Votes
    4 Posts
    680 Views
    johnpozJ
    Don't put an IP on it. But normally the LAN, be it a VLAN or not, would be where your staff or management VLAN is, because that is where it puts the anti-lockout rules. In your case VLAN 12. You can rename it to staff if you want ;)
  • Need help with pfSense VPN and subnetting

    0 Votes
    2 Posts
    523 Views
    johnpozJ
    @h0w1tzr said in Need help with pfSense VPN and subnetting: I currently have pfSense configured with the LAN interface using 10.0.0.1/16
    That's not a very good idea. Do you have a need to grow to a single L2 of like 65K IPs? If you have a bunch of networks that all fall into that /16 space then sure, you could push that as a route, use it in a firewall rule, etc. But it's really large, and you could end up overlapping or stepping on other networks or routes you need to get to as your network grows.
    Looks like you have 7 segments you need. You could say almost double that to have room for growth and use a /20; that would give you 10.0.0-10.0.15 to work with for space, which you could then use as /24s. But pfSense would not have a /20 on one of its interfaces unless you were just going to use that as one large L2. pfSense would either have interfaces in each VLAN, or would have a transit network connection to your downstream router that would be routing your different /24 VLANs.
    It's a good idea to also keep the VLANs that you use in a larger space in one section of the overall space, say the lower half or the upper half, so you can always split that off if need be when you need/want to use the space elsewhere, so you don't have to renumber large networks. So for example, while you could use a /20 to give you 16 /24s, try to keep the VLANs you use next to each other so it's easier to split off unused space at some future time, vs. doing what you have with those .50 and .100 segments. Keep them grouped tighter. You can always skip so you can grow to a /23 on each segment if needed: 10.0.0/24, 10.0.2/24, 10.0.4/24, 10.0.6/24, etc. Now each of those could be moved to a /23 without much issue. But you're still only using a smaller amount of concurrent space in your larger space, so if you need to split off some of the larger space you don't have to renumber your current VLANs. Or if need be you could use the /24 in between for other VLANs, etc.
    IP space management is quite often overlooked in the early spin-up of networks, and comes back to bite you later. I have the whole 10/8 to work with... Let's give every site their own /16 in that, for example... Or let's put this VLAN at the beginning of my /20 and this other VLAN at the end of that. Now what happens when you need to drop that /20 to a /21 or /22, etc.?
  • CAN NOT PING IN SAME VLAN ?

    0 Votes
    10 Posts
    2k Views
    johnpozJ
    @atcm89 said in CAN NOT PING IN SAME VLAN ?: Vlan 3 (11.11.11.0/24). Unless that is a typo, or you're hiding public space you actually own, that should be changed. It's not a good idea to use public space that is not actually yours. There really is no good reason to do that either, since there is plenty of RFC 1918 space you could use. 10.10.10/24 would be valid RFC 1918 space you could use.
  • Netgate 3100 - bridging LAN1-4

    0 Votes
    2 Posts
    232 Views
    johnpozJ
    No, they are not bridged; they are an actual switch. https://www.youtube.com/watch?v=NgRy14rYhV8&feature=share Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4
  • XG-7100 Port based VLAN

    0 Votes
    10 Posts
    2k Views
    DerelictD
    You should be able to configure the switch as you need as long as you don't change to port VLAN mode (not sure why anyone would want to do this in practice) and don't change the port you are connected to for management. You should be able to create a new VLAN, add ports to it, and trunk it up on 9t,10t to a new pfSense VLAN interface. This is no different than having a two-port lagg VLAN trunk to a managed switch, except that you manage the switch in pfSense and the switch/trunk connections are all in the box.
  • QinQ PHP Error

    0 Votes
    3 Posts
    576 Views
    B
    @jimp Thank you.
  • XG700-1U-HA Unswitch native port

    0 Votes
    4 Posts
    634 Views
    DerelictD
    You would set it up just like this but instead of 2 broadcast domains (switches) you would set up eight using one port each untagged, plus 9t,10t. https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html#two-lan-switches
  • Master/Slave setup of two PFSense Firewalls

    0 Votes
    3 Posts
    2k Views
    DerelictD
    That would be handled by Netgate Professional Services.
  • VXLAN on a site to site?

    0 Votes
    3 Posts
    1k Views
    K
    Thanks for the reply. As I was reading a tad bit about VXLAN and the transport, I just don't know if pfSense has anything to do with it.
  • WAN on VLAN or internal switch port

    0 Votes
    18 Posts
    2k Views
    T
    For the record and for people facing the same question: I have solved this issue. I use the Netgate SG-3100 and the switch which is by default configured as the LAN added another layer of complexity which made things difficult. So, I changed the OPT1 and LAN assignments so now I have my LAN on a single port out of the device. On this LAN I created a VLAN and bridged this with the WAN. That way (filtered) bridging works out of the box, so now I have my filtered WAN on a VLAN distributed in my infrastructure. (PS. Yes, I am aware of potential security risks, but as you will find in this thread, I have considered and weighed these before proceeding.) Thomas
  • LAGG with Netgear switch and pfsense not working

    0 Votes
    2 Posts
    931 Views
    A
    Issue resolved, it was a VLAN setting issue within the GS752TP plus old traffic shaper rules blocking traffic. See here: https://community.netgear.com/t5/Smart-Plus-Click-Switches/LAGG-with-GS752TP-and-pfsense/m-p/1743593#M12367
  • Lan Interface, can I disable it?

    0 Votes
    2 Posts
    917 Views
    johnpozJ
    You can assign the LAN to any interface you want in the assignment section. So it could be a VLAN, even on a different physical NIC. LAN is just where pfSense would place the anti-lockout rule if enabled ;) You can even delete it if you want.. They wouldn't allow you to delete... Just take care you don't lock yourself out based upon your rules on your other interfaces.
  • 0 Votes
    4 Posts
    2k Views
    DerelictD
    You do not need to assign it but you cannot assign it and disable it. Just don't select it in Interfaces > Assignments. The parent interface for the VLANs should be an available network port there. Countless people run VLANs that way. If you are having a problem it is something peculiar to your environment that will need to be identified and corrected.
  • vlan not getting to vlan_wan

    0 Votes
    1 Posts
    246 Views
    No one has replied
  • vlan vulnerability or inevitability?

    0 Votes
    1 Posts
    411 Views
    No one has replied
  • SOLVED: HEOS Multicast Control on different VLANs

    0 Votes
    4 Posts
    4k Views
    Q
    @dennypage Denny posted in a Sonos thread that HEOS could work without resorting to PIM or IGMP proxies, i.e. check these things:
    You have firewall interfaces in both the client subnet (where your iPhone is) and the server subnet (where the HEOS device is).
    You have Avahi (2.0.0_2) with the allowed interfaces set to include both the client subnet and the server subnet.
    You have "Enable" and "Enable reflection" checked in the Avahi configuration.
    You do not have "Disable IPv4" checked in the Avahi configuration.
    You do not have anything defined in the "Advanced settings" section of the Avahi configuration.
    You have added rules to allow ptp packets from the clients to the HEOS device you are trying to control.
    You have restarted or disconnected/reconnected both HEOS clients and servers after changing any of the above.
    I haven't had any luck so far and wanted to see if anyone else had success, preferably without resorting to third-party apps? I see my Denon Amp (HS2) but it only appears to be broadcasting Spotify as a connection point?
  • Network Discovery not working on VLAN

    0 Votes
    4 Posts
    931 Views
    JKnottJ
    @Herman said in Network Discovery not working on VLAN: Does this help? No, I'm not familiar with that software and it doesn't answer my question. How does it scan? You can fire up Wireshark or packet capture to see what's on the wire.
  • Layer 2 Stretching VMware

    0 Votes
    1 Posts
    379 Views
    No one has replied
  • pfSense PVLAN on LACP trunk from Cisco 3172T NX-OS

    0 Votes
    5 Posts
    951 Views
    M
    The PVLANs are tagged, but as you said, the issue is multiple devices and trunking in play here. Using the HA pair, two switches and the 10Gbps trunk means I either need pfSense to understand PVLANs or the Cisco switch to do the work for it. I am opening a ticket with Cisco to see if this model can do what is needed. Thanks for the response.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.