Hi,

production environment in our case our office is on 192.168.10.x and then I receive an email that says the subnet we have been provided by the clients network is 10.200.100.x so I have to migrate that stack over to the final destination

Why if I may ask do you do that in the first place? When I was last working in some sort of local computer retailer where we built the client and servers for a company and then integrated them on premise, we got our infos beforehand and set things up from the start. Doesn't make sense to me to configure systems in your network and set up services, IPs, etc. only to reconfigure them again when you finally get the net details from your client?

But besides that, you can do that - run a second IP range on the same LAN as your normal network. But you shouldn't as there are enough things, that are working with auto discovering etc. that would impact your normal LAN, too. I'd completely separate those networks and create a new VLAN (110? 300?) with a "build" or "test" network. There you can define any IP range you like, block access to the LAN and VoIP network but otherwise let traffic flow out normally to e.g. do your installations, setups and updates before completion. And if you have a "test" network like that, it's easy to reconfigure to your clients specifications. We do that all the time with such an extra (VLAN) interface that is only for the usage above. We configure the client's or upstream's IP and set it up as the hardware would see it at the target site.

If you want to use that network on your LAN regardless any other problems that may bring, check for "Virtual IP" and create an alias IP within the network you get from your client, then you can set up the devices accordingly but don't forget to create matching firewall rules, too (LAN net won't cover networks from Alias IPs so you have to match the source or use */any).

Greets

Hello JKnott,

What do you know- I got it working.

It took me about two more passes of this pfSense hangout configuration in this video to realize I what I didn't do.

I was not including port 5 on the VLAN interface. While I had the picture of the internal 5th port in my head, I wasn't adding it as a member to my VLAN.

For anyone else reading this thread, make sure to add port 5 (internal switch port on SG-3100) as a tagged port (5t) to your VLAN interface so it can pass traffic into pfSense. Once I did this and saved the changes, my PC2 device immediately got an IP address and was on the network.

Thanks again for your help JKnott.

To the firewall, an untagged interface and a VLAN interface are the same thing. The both need firewall rules to block or pass traffic into that interface (physical/untagged or virtual/tagged).

@awebster said in VLAN 0 and pfSense:

I doubt that you'll find any support for VLAN 0 in the SG200

The only difference I can see with VLAN 0 is sending it untagged to the default LAN. I don't imagine that would be hard to do. Beyond that, it should be handled the same as any other tagged frame. Again, I'll have to try it some time.

If you're serious about learning the ins and outs networking, get your hands on some used Cisco gear like 2960 series for L2, or 3750G for L3

I do have a Cisco 2600 router, which I used when I was working on my CCNA. Also, years ago, I worked for Adtran's Canadian distributor. I had plenty of access to networking gear then. 😉

It's not a recommendation. It's an example.

When you try to ping something on your house mate's network, does the tagged port LED flash? Since you have a managed switch, have to set up port mirroring so that you can watch the traffic through that port with Wireshark?

I find using Wireshark, with port mirroring, so useful, I bought a cheap 5 port Gb, managed switch just for that purpose.

Well, it may have been the NIC. I'm not completely sure. I don't think a NIC issue would cause the LAGG to disappear once an IP addresses is assigned. This was on a clean install on an Intel NUC with a certified FreeBSD compatible NIC.

Oh well. I had to switch back to my PF VM.

Thanks Steve,

I do indeed see the same MAC on each port, and this is the upstream mvneta1. However, what's odd is I re-attempted this but using ports 3,4 instead of 1,2. 1,2 are currently active for everything else, so I wanted to avoid any more disruption!

Anyway.. this time I didn't get any MAC address flapping errors on the switch but if I pulled out cable A everything continued working. If I swapped them and pulled out B everything would drop. I left it for a good 10-15 minutes while I went and got a brew and it never moved over to the other interface, despite the port channel being up on the switch.

I'll ask a couple of our network engineers and see if they can figure it out.

could make a difference if he is doing intervlan routing at pfsense be it his internet is 10 or 10ge, etc.

lagg not going to really help unless you have lots of devices talking to lots of other devices across the uplink.

Thanks for the reply. I figured this out. Not knowing the first thing about UCS servers, evidently, the ports I am using are "vNICs". I needed to configure both ends of the link as trunks. This still makes very little sense to me, but it worked.

Yes I understand that.. I didn't know if it would work or not.

I think esxi is beyond the specs of my simple laptop setup. But I'll look into it.

Well he should of stated that then ;)

that Is what I tried to do :(
Do you have a manual or something that I can follow 🙃🙏
Thanks

If you want to use vlan 40 on some ssid the ports 22 and 24 would be TAGGED..

If you just want any wifi client connected to this ssid to be on the native untagged network connected to that switch port then you wouldn't set vlan ID on the ssid.

The ISP may very well use VLANs to separate different types of traffic. However, that's not normally visible to a user. Again, you'll have to contact your ISP to see what they provide and then configure for it. Until we know what they require, we can't offer advice.

I confirm that it's not pfsense, but my cisco config, I need to make some research as I'm not a cisco expert but clearly pfsense is working correctly, thanks for your time guys ! :)