@netguy Ahh, good I did the followup. I noted that your original question could mean you were talking about pfsense Interfaces rather than switch interfaces. No, adding the same VLAN on more than one Interface on pfSense is a really bad idea. You can theoretically create a bridge containing several interfaces, but it causes a lot of issues and strange/unpredictable behaviour, so definitely something I would recommend you stay away from. Get yourself a managed switch - they are dirt cheap, especially used. You’ll end up doing it anyways even if you choose not to follow my advise now.

@ccgc I also notice now that on this view, you have all the ports 1-8 Tagged instead of Untagged? [image: 1728201786477-3c37ad16-951e-4fda-a3c6-77b63306ab1f-image.png] Did you follow this guide? https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch And you really don't have to do anything with VLAN 1, except remove it from the ports you want to have as access ports for VLAN 20 (VIDEO). And of course, VIDEO has to have a different subnet range than LAN. So if VIDEO has 192.168.0.1/24 you have to use something other than 192.168.0.

@Frosch1482 the rfc1918 is just that, an alias that contains all the rfc1918 networks.. Are you other vlans not rfc1918? Why would you need to create several to block rfc1918? You can have lots and lots of aliases if that is what makes sense for what your wanting to do.. Which you have not actually expressed in any sort of detail that would be helpful for someone wanting to help you. I gave you an example of simple set of rules that would allow a "guest" sort of network to access the internet - but not any of your other network (if they are rfc1918) nor any pfsense gui IPs, even if the wan is public and changes.. That is the "this firewall" alias. Those rules I gave as example could be adjusted to whatever your needs are. Maybe you want to allow any dns? Maybe you don't want to allow ntp access or ping of pfsense IP on your guest network, etc.

@Bly On a 3100 the LAN ports are a switch so all the same port from what pfSense sees. You will need to isolate the ports in order to use separate firewall rules. But once you do that, then yes, they are just like separate ports.

@ccgc said in Netgate to Netgear config - VLANs cannot get DHCP or connect to the internet: When the ports added to the VLAN are removed from the default VLAN (vlan 1) can you post your pfsense switch config - it can be a bit tricky for users. Where exactly are you removing vlan 1? Your netgear sounds corrected with the port on it connected to the pfsense having your tagged vlans, and the ports your going to connect your devices to on the netgear in that vlan untagged.

@keyser - I totally forgot about port5 as Lan Uplink, saw it as another port. Thank you!

Another check: I can ping the interface (OPT7 on ix3) if given an IP, so it's working? What else can I do to try using it in the LACP instead of ix0? Thank you very much

@randydeb as @Tzvia mentions switch or switches how you do this. And using switches does not make your other ports on you router useless.. You could use them as other network interfaces.. But trying to make a switch out of discrete interfaces waste good interfaces and makes for a horrible switch! Not sure I would use those vlan IDs - those are quite often reserved or special in the cisco world.. You could use lagg if you want for more bandwidth and redundancy. You could put your other vlans/networks on their own interfaces connected to your switch so your not hairpinning traffic.. I for sure would put your IP cameras on their own interface.. Normally cameras are always streaming data.. While it not normally a huge amount.. I wouldn't share this on same physical interface with other networks/vlans if I had the interfaces to use. 1002-1005 Cisco defaults for FDDI and Token Ring. You cannot delete VLANs 1002-1005. I like to use a vlan ID that matches up with the network, so for example 192.168.9.0/24 the ID is 9, my 192.168.3.0/24 the ID is 3, 192.168.7.0/24 is ID 7, etc.. If you have network/vlans that will do a lot of talking between them - its normally good to put them on their own physical interfaces vs all on the same interface where the traffic will hairpin.

@Stp well if you can ping 8.8.8.8 then internet is working.. Your problem is prob dns related.

@stampeder Not sure what your going on to be honest.. You have gone down some rabbit hole of your own making... I have told you multiple times now how to configure your ports.. you need to set 100 as native vlans on those ports. I even linked to the cisco docs that show you how to set it as native.

@johnpoz Thanks, John! Appreciate your example!

@johnpoz Hi, There was no any problem in Subnetmasks or IPs. I found the rootcasue, the servers in vlan35 were configured with dockers and the same vlan1 subnet was occupied by dockers inside the server, thats why we were not able to reach them. thanks

@moji said in Question about inter-Vlan traffic and interface Concept: 1- I suspect this is an issue with tagged and untagged traffic or its just that AP doesn't have a gateway.. To access a device on another network, that device has to know how to talk back to the source network. Validate your AP gateway set to pfsense on the network its on. If you can not do that in this AP, then you could aways source nat your traffic so it looks like pfsense IP on that network is talking to it, and not the remote IP of your client your wanting to use to access the AP gui. soho wifi router are known for this problem, where the native firmware doesn't allow you to set a gateway on the lan interface

@Gblenn wow now this is why I love this forum.... You guys are amasing.... Thank you so much for all your help... I will run with the setup as is for now and look into changing things later... bookie56

@User6buinf43 You can use any free IP for masquerading in fact, but you have to assign it to the respective pfSense interface. Otherwise ARP will not work for it. I advised you to select VLAN 8 address before, however. There is no plausible reason to use any other.