If your wanting to do vlans your going to need a vlan capable switch and a vlan capable AP... Or your going to need to run completely different hardware for each network.. Anything else is just completely BORKED!!! You can pick up a 24 port vlan capable switch off ebay for a like 30$.. Do you really need 24 ports? You an get a 5 or 8 port smart switch to handle the vlans and then use your 24 port switch for all the devices that are going to be on 1 vlan..

@markelder said in Separating VOIP Phones vs Other Network Traffic: I see an extra Nic port on the pfSense box and thought maybe I should put it to use. Yes you can do that.

@jknott Figured out the VLAN stuff, all set. Thanks for responding.

Grimson, thank you for your feedback. This just was the little piece of advice I needed. I got it working now thanks! Topic can be closed.

@telescopedepth I appreciate people's goodwill. I understand you, also networking's jobs. you can learn enough, trought forum and community, as I do... If you really want, nothing is impossible! Meanwhile I'll reading some nice book like this Some page for a day, it's easy to follow and full of good pratice, for me. Regards. (Indeed pfSense book it is) Finally I need to thank so much pfsense team for this pretty nice gift, I dicovered few days ago, pfsense book for everyone is a must to have. Cool!

If you need more switch ports get a freaking switch!! A 30$ 8 port gig smart switch will way out perform some software bridge.. Also since your here asking if you can - its going to be way more complex... Get a switch!

Thanks! The switches are HW V4 and the problems related to VLAN 1 were fixed in V3. Is there any other issue they might have?

@dranick said in Strange behavior on LAN: unmanaged was requested Why would you ever request that?? And pretty much any managed switch I have ever seen comes out of the box dumb.. With everything in vlan 1... Only thing that might be a problem is the default IP of the switch - but most of then not they will auto grab an IP off dhcp if running, etc.. You should never request a unmanaged switch...

Ah yes @johnpoz that would solve my problem. Thanks

No. If vmx.11 received untagged traffic it will not respond because it is not the correct VLAN.

It is probably just that the lagg isn't set up yet. If the errors do not increase after it's all booted and established I would not sweat it.

@derelict It was a loop in my network. All I had to do is configure LACP and spanning tree protocol between both switches and flapping stopped. well something like that [image: 1543077914657-2018-11-24_10-35-41-resized.jpg]

You don't tag VLAN 1. At best, I would consider the behavior there to vary across vendors. VLAN 1 is the default, untagged VLAN. It should be untagged on mvneta0. In Interfaces > Assignments You assign the interface you want to see that traffic to mvneta0. When you create VLAN 999 on mvneta0 that will be mvneta0.999. That indicates the traffic will be tagged to, and must be tagged from, the embedded switch. You would assign whatever pfSense interface you intend to be on VLAN 999 to VLAN 999 on mvneta0. On the switch you would have: VLAN 1, ports 1,2,5 VLAN 999, ports 3,4,5t PORT 1,2,5 PVID 1 Port 3,4 PVID 999 In that case there will be NO tagged traffic outside the switch so any connecting switch ports must be UNTAGGED. If you want to make, say, port 4 a "Trunk" port carrying both VLANs you would: VLAN 1, ports 1,2,4,5 VLAN 999, ports 3,4t,5t PORT 1,2,4,5 PVID 1 Port 3 PVID 999 The connecting switch port would need to be configured to have VLAN 1 and the untagged, native VLAN and VLAN 999 tagged.

ok, reason behind was that the next hop firewall managing the next hop was blocking traffic outbound from this pfsense downlink. So the landing page was trying to access some external source, because it was blocked it would timeout after 60 seconds I think, maybe it was the update checker or something, but I would not expect to freeze the interface for that long because of that.

@as-21 said in DD WRT router as guest network with limted bandwidth: What i basically want to do is DD WRT as separate network Well that is not what you did - you just put in dd-wrt as a downstream nat router... If you want it as a GUEST network - then use it as just an AP and connect it to another network on pfsense be it another physical interface on pfsense or via a vlan. Use one of dd-wrt lan ports to connect it this new guest network, turn off its dhcpd and put its lan IP on whatever guest network you create on pfsense.. Setup the firewall rules to allow this guest to do what you want. Does that switch you list do vlans?

Which is exactly what I was saying ;)

Correct, the patches above are copies of the changes made in the repository that will be used to build pfSense 2.4.4-p1. So not "hacks" exactly. If it's all working for you now then there shouldn't be anything to worry about. When you upgrade to 2.4.4-p1 the manually edited files will be replaced with the copies from the new release, which already contain these changes.

Thanks for letting us know.