https://www.youtube.com/watch?v=NgRy14rYhV8 https://forum.netgate.com/topic/138167/sg-3100-lagg

I got this figured out finally. I'm working on this from about 700 miles away so I was lacking some crucial documentation which I got when I asked for some pictures of the network rack. There's a managed Cisco SG300 switch that connects the pfSense firewalls which has never been configured. I thought I was going crazy when sh cdp neighbor was only showing a single MAC and not two firewalls. I had assumed both firewalls were plugged directly into the Catalyst 2960 which had a left over port description that wasn't updated. Thanks all - we are good!

https://www.netgate.com/resources/videos/configuring-netgate-appliance-integrated-switches-on-pfsense-244.html Enjoy -Rico

UPnP has no idea whether it is on a VLAN or not.

@johnpoz My drawing above is the existing config. The Netgear switch is completely unused. I would be fine using that if need be for the VLAN or port 5 or 6, although from Example 1 here, which I was going to loosely follow for the VLAN tagging, it appears to me, I should be able to remove a port from VLAN 1. https://www.tp-link.com/us/faq-788.html Tim

Ok I finally was able to get the management interface to work, but in a backwards way. I added an ipv4 interface with VLAN 10 and rather than setting the IP I let it get it from DHCP. It did, and it worked fine! I then put a static IP mapping in pfSense for the MAC and forced a refresh of the management interface and now it has the IP I wanted all along. I then changed the IP over to "static" on the switch. My question is why did it work via DHCP, but not via just setting it up as a static mapping? The only thing I can think of is that when I add the interface manually with a static IP it is doing something weird with the default route or not updating the default route and it's trying to access the management VLAN over a different interface. Anyone seen this before?

@johnpoz said in Browsing nfs share in other VLAN not working.: @herman said in Browsing nfs share in other VLAN not working.: When the family is watching a movie and I start to copy large files the movie stutters or even stops. And the kids do not appreciate that :-) If your loading up the server, might not matter if your on another interface or not if your sucking up the I/O to a shared disk or CPU of the machine. If your on a switch you doing something between A and B doesn't effect traffic between C and D.. Adding another interface on B, will only solve the problem of stuttering a streaming movie if the only problem was saturation of the interface.. But if your working with the same disk that the movie is streaming from... Your issue might not be network bandwidth it could be your hitting the I/O of the disk limits, or the cpu of the server streaming, etc.. Thank you @johnpoz for the info... I wil dig in it.

You will definitely want to do a fair amount of planning and schedule an after-hours change window because there will be some downtime. You'll need to configure a transit network, configure the SVI's on your switches, if dhcp was previously coming from PFsense... you'll need to figure out where your new DHCP server is going to live, add helper addresses to each SVI, change the default gateway for all of your dhcp scopes, change the default gateway for all static devices, etc. There's quite a bit of work to do, but it will be worth it.

Everything depends on your setup. Would need more details. Post a network map. Are your VLANs terminated on PFsense or your switch? Post your server1.conf What are the IP's in the VLAN you're trying to access? What do the rules look like on your LAN and OpenVPN tab?

If you want to use the DHCP server from the Main Office, you need to set a DHCP Relay address on the Branch Office with the IP(s) of the DHCP Server(s) from the Main Office. So the branch office will sent the DHCP request to the Main Office.

So set VLAN 1 on port 1 to Untagged.

Thank you. That worked. I just created another rule above the IOTnet to any with this gateway. Then I can disable that rule as needed.

Yea, I've come to the conclusion short of getting new storage and putting it squarely in each VLAN that I need to do L3 routing at the switch for VLAN 20 and 70. I guess I was just more or less asking if there was any other architecture you can think of that may have worked better, but it really seems like it is that straight forward. So to summarize my changes: Disable Snort on VLAN 20 and 70 Create 172. something /30 subnet for transit Create new VLAN tag 172 in pfSense Create new interface tied to this VLAN At both switches I will add a new VLAN for the transit network, and set that as the default route to 172.something.1 Add VLAN 20 and VLAN 30 at the core switch (sg300-10). I'll put in ACLs to block everything between the VLANs except the IP\Port combos I currently have in my firewall relating to those two subnets. Disable VLAN 20 and VLAN 70 interfaces in pfSense Create new gateway with 172.something.1 as gateway Create new static routes for 10.37.70.0/24 and 10.37.70.0/24 via the gateway created above Enable Snort rules on new Transit interface. Verify any needed VLAN 172 firewall rules that are needed (shouldn't be any as this will only be used for outbound requests, correct?) Sound about right?

at Johnpoz Thanks for that. I'll give it a go (the worst fate is that guests have no access for a while, but then I don't get a million guests a day and I have an unlimited-data 4G modem if my occasional guests are "unhappy"). I am "greenfield" in a sense -- I have total and exclusive control over my networks and report only to myself in the event of a disaster (yeah, I might get some $#1t from Madame, but there is always the 4G modem to calm her down). I have elected to move to "my-net 3.0" -- my decision was unanimous :) Why do I seek tagged admin? Most VLAN attacks go for VLAN1, or failing which, go for native-VLAN. I ask myself WHY should I have VLAN1 or native-VLAN connected to anything at all ... let alone to the admin heart of the network -- just seems a silly choice! Off to the mountains for skiing: you wont hear from me for a week or two, but I'll report back. Appreciate all the feedback so far. regards, Chris

RTFM: https://docs.netgate.com/pfsense/en/latest/book/interfaces/interfacetypes-lagg.html

After thinking about how MAC addresses work on a switch, I replicated the MAC across all bridge members and the bridge itself, and things began working!

I installed with success. I set mikrotik like a Wisp AP - Bridge, I deleted DHCP rules and i create 1 vlan on eth5. In PfSense I created 1 vlan, in Interfaces / Interface Assignments I associate WAN with PPPOE0(em0) created in PPPs like a Link Type - pppoe. Now I have an Pfsense router with 1 single ethernet port for WAN and LAN. Thanks!