• multiple connections from Netgate LAN ports to Netgear Smart Switch VLANs

    5
    0 Votes
    5 Posts
    444 Views
    C
    @johnpoz Thanks, John! Appreciate your example!
  • Out of 5 VLANs only one cannot reach to the other one.

    3
    0 Votes
    3 Posts
    391 Views
    O
    @johnpoz Hi, there was no problem with the subnet masks or IPs. I found the root cause: the servers in vlan35 were configured with dockers and the same vlan1 subnet was occupied by dockers inside the server, that's why we were not able to reach them. Thanks
  • Question about inter-Vlan traffic and interface Concept

    10
    0 Votes
    10 Posts
    837 Views
    johnpozJ
    @moji said in Question about inter-Vlan traffic and interface Concept: 1- I suspect this is an issue with tagged and untagged traffic or it's just that AP doesn't have a gateway.. To access a device on another network, that device has to know how to talk back to the source network. Validate your AP gateway is set to pfsense on the network it's on. If you cannot do that in this AP, then you could always source nat your traffic so it looks like pfsense IP on that network is talking to it, and not the remote IP of your client you're wanting to use to access the AP gui. SOHO wifi routers are known for this problem, where the native firmware doesn't allow you to set a gateway on the lan interface
  • Need help with pfSense + 2APs on OpenWRT

    1
    0 Votes
    1 Posts
    178 Views
    No one has replied
  • Using Managed Switch for Company and Private Networks

    Moved lag
    51
    0 Votes
    51 Posts
    6k Views
    B
    @Gblenn wow now this is why I love this forum.... You guys are amazing.... Thank you so much for all your help... I will run with the setup as is for now and look into changing things later... bookie56
  • 0 Votes
    14 Posts
    1k Views
    V
    @User6buinf43 You can use any free IP for masquerading in fact, but you have to assign it to the respective pfSense interface. Otherwise ARP will not work for it. I advised you to select VLAN 8 address before, however. There is no plausible reason to use any other.
  • 0 Votes
    1 Posts
    133 Views
    No one has replied
  • 0 Votes
    1 Posts
    276 Views
    No one has replied
  • How to easily block access between multiple VLANs ?

    5
    0 Votes
    5 Posts
    475 Views
    johnpozJ
    @4RR3N said in How to easily block access between multiple VLANs ?: ncluding grabbing IP via DHCP for my client You can not place a rule that blocks dhcp - because when you enable dhcp hidden rules are created that allow for dhcp before rules you place on the interface or even the floating tab are evaluated. Vs having rules block vlan x, y and z on your vlan a interface.. As mentioned yes just create an alias that contains all your networks, or for that matter just all of rfc1918 space so you can just use one rule. Keep in mind you would need to make sure you allow what you want before this rule - say dns, or ntp or icmp to pfsense IP on that interface, etc.
  • MLAG switch reboot freaks out LACP & CARP

    7
    0 Votes
    7 Posts
    761 Views
    keyserK
    @pfsense555 The easy way to find out is to do a packet capture on pfsense, and see what happens to LACP control frames when you remove power from one switch.
  • VLAN accessed wirelessly can not access internet

    47
    0 Votes
    47 Posts
    4k Views
    H
    @viragomann I have DHCP server enabled on IoT. I tried the Packet Capture and it captures traffic only when I select the LAN interface, and it even captures traffic when I connect to the IoT WLAN, and on the IoT interface it does not capture anything
  • Switching network to run over 2 interfaces

    7
    0 Votes
    7 Posts
    363 Views
    V
    I got it figured out. I don't recall setting up traffic shaper, but somehow they were limited to be pretty low. Maybe I set it up previously when I had a 100/10 speed. I may just turn it off entirely and see how it goes. Thank you both for your help! I'm glad I asked before diving into setting up the second interface.
  • Issue with trunk ports using individual vlans

    7
    0 Votes
    7 Posts
    562 Views
    H
    @hardingd FIXED: It turned out to be the <pvid>1</pvid> on the <swports>. Removed that and VMs started getting DHCP from the VLAN 10 interfaces.
  • Help Setting Guest WiFi VLAN traffic routing through WireGuard VPN

    2
    0 Votes
    2 Posts
    298 Views
    Bob.DigB
    Maybe this helps.
  • Can't get VLAN to work on pfsense

    4
    0 Votes
    4 Posts
    320 Views
    M
    @ff101 Thanks! It's working now which means the issue was in the switch configuration, I'll check that up next.
  • communication between vlan

    30
    0 Votes
    30 Posts
    2k Views
    stephenw10S
    Hmm, something must have changed. If nothing changed in the firewall/switch it must have been in a client somehow.
  • SPAN port on bridge only transmits received traffic.

    1
    0 Votes
    1 Posts
    152 Views
    No one has replied
  • VLAN and bridges don't mix?

    3
    0 Votes
    3 Posts
    288 Views
    G
    When I was setting up VMs on my TrueNAS Core (also FreeBSD based) I discovered a limitation of bridging where an interface could bridge untagged traffic or VLAN tagged traffic, but not both. My ongoing solution has been to move all my untagged traffic onto a tagged VLAN and just assign that VLAN to the various ports on the switch. So none of the downstream devices see the VLAN tagging, but to the pfsense and truenas everything is tagged. Without looking through your whole setup, I'd bet that's what you're running into.
  • Using home assistant with Iot on different VLAN

    6
    0 Votes
    6 Posts
    21k Views
    P
    @NasKar said in Using home assistant with Iot on different VLAN: I have home assistant on my main network 192.168.5.x and want to put all the wifi IoT devices on a separate VLan (IoT) 192.168.20.x for security purposes. I'm not sure that is the best approach. What is the logic behind not putting Home assistant on the IOT network so it can scan for and communicate with all your IOT devices? Then enable Main network access to home assistant via the defined Home assistant interface. Home assistant access to the internet & port forwarding from the internet to Home assistant as required. Block any other IOT connections to other local networks (including Main) and the internet as you desire. Doing so avoids having to reverse engineer the communication protocols used between each of your IOT devices and Home assistant.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.