You can if you want to use the same ID, as long as one side connected to pfsense is untagged vs tagged., since they are isolated by by L3. But you would not use the same L3 network.

Its not tricky.. Upstream and Downstream routers are used all the time everywhere. What think your misunderstanding is the difference between a vlan (layer 2 always) and a L3 network.

What you use for the ID is only going to matter with devices on those L2 networks. Unless you want to use pfsense as a layer2/bridging firewall the vlan ID have zero to do with what is on 1 side of a L3 firewall/router and the other side.

As to creating a vlan on pfsense. Its as simple as creating the vlan, assign an ID and put on your parent physical interface.

https://www.netgate.com/docs/pfsense/interfaces/vlan-trunking.html

If your devices got an IP from the dhcp server, then yeah they are going to be in the dhcp lease table.. If your not seeing them, then they didn't get an IP from pfsense.

@someone0 said in Is setting mac address setting in the bridge gui broken?:

I'm using pfsense version 2.4.3-RELEASE-p1 (amd64) and I have setup a bridge for the LAN side. But for some reason, when I have a valid fictitious mac address in the setting for the bridge GUI(interface > bridge0 > MAC Address), it won't take that. Every time I rebooted, I keep getting random mac address. Is this menu setting broken or am I doing something wrong? or is there a workaround?

There is an open bug for this: https://redmine.pfsense.org/issues/8138

That all looks good. Whatever you connect to igb2 has to be tagged VLAN 20. After that any access port on the switch that is on VLAN 20 should get DHCP.

@jknott said in Hardware switch or NIC brridge?:

There used to be some cut through switches, that would start switching as soon as it learned the destination MAC, but those have disappeared

And there still are, the cisco nexus 5000 line did/does it... The 9000 series nexus I believe default to cut through but can be put in store and forward, etc.

So disappeared is not true... But cut through was never in the soho or budget lines of any switch maker..

@jknott said in VLAN tagging with untagged parent interface:

You'll find that's typical when VoIP phones and computers share the same cable.

Do I sound as if I needed this explained?
Being able to remember the distant past but not 5 minutes ago is called Morbus Alzheimer. My mom suffers from it badly.

Same with WiF access points and multiple SSIDs.

Buy serious wireless APs with all traffic tagged, not consumer gear on steroids.

@braveben said in One L3 per VLAN across 2+ interfaces:

Speaking of those sexy XG-7100’s 10Gbit SFPs, how would they respond to being a trunk with the same VLAN’s as one of the switch ports? Could I still share a L3 interface/IP on the single VLAN?

You would, again, have to software bridge them. I would suggest using the 10G to an external switch instead.

@pvn said in VLAN setup:

my workstation will have eth0 in 10.1 (corporate network) and eth1 in 10.2 (my private network)

You better be careful with that. You might wind up bypassing the corporate network security.

@sgw As you were guessing: create the VLAN(s) on both nodes of the cluster, setup a CARP VIP for that VLAN and just treat it like another physical "LAN" interface in any regard, then you're good to go.

Greets

@tlum:

…What I'm hearing is that pfSense can't create a default interface dedicated exclusively to untagged traffic...

Where do we lose you when saying:
EM0 is your default interface and handles all untagged traffic.
EM0_VLANxyz rides on top of that, tagged.

You don't need to create it, it's there when you assign a network to a (physical) interface.