@johnpoz Thanks

@the-other There isn't any DHCP running on the AP. Yes, I have both a default (non-VLAN) and a separate VLAN network defined on the AP, each with separate SSIDs. Clients that I'm not trying to get onto the VLAN are connecting and operating fine on the default (non-VLAN) network. If I tell that one PC to connect to that SSID it works fine and it gets an IP and is good to go.

@Hoserman You were confusing layer 2 and layer 3 traffic. Be careful not to create a routing loop. STP is your friend when working with multiple networks. STP is Spanning Tree Protocol which you want to use to protect your network. There are at least 3 versions of STP that come to mind right now. Some converge faster than others.

running the following on pfsense shell ifconfig igb0 -vlanhwtag -vlanhwcsum -vlanhwfilter in shell will allow me run run suricata in inline mode, and vlan will still work....you can use the app shellcmd to automatically run the cmd at boot..

@alirx you can bridge 1 vlan.. but you have have multiple vlans on the same bridge.. I am pretty sure it doesn't work that way. You seem to have some money to setup such a network.. bite the bullet and get a switch. Or redo your vlans or add interfaces so you can run your 2.5ge on their own connection

@febu said in LAN x = VLAN x - how to setup?: @JKnott Thank you. I want to connect WAN and WAN_VPN to certain LAN ports by using VLAN configuration of SG2100. I am confused with "tagged" and "untagged" and I tried a setup VLAN, interfaces, firewall, etc. but I could not connect to the internet. What else do you need to know? Can you explain me how to do it? You can find out a bit about VLANs here. What a VLAN does is allow separate networks to be carried over the same cable. VLANs are logically separate, but not physically. When you create a VLAN, a tag is inserted into the Ethernet frame, which includes the VLAN number. Normally, Ethernet does not have that tag. On my home network, I have a VLAN for my guest WiFi, which uses the same cable and Ethernet port as my main LAN. If you don't have more than one network on a cable, you don't need a VLAN on that cable. As for that VPN, you generally use routing to send the VPN traffic where you want it, not VLANs. In fact, you can route several networks over a VPN, with routing. I don't have any experience with that SG2100 so I can't help there.

@Bambos The proper way, when bridging an interface to an existing one, is to move over the IP settings to the bridge. So the member interfaces should remain with IP setting "none".

@copz1998 Depending on your needs, eero has a guest SSID capability when in bridge mode. That would isolate those devices completely. Otherwise does your eero have the ability to host a second SSID for that VLAN?

@johnpoz Thank you for taking a look! Your explanation makes sense to me and the image helps a lot. It also explains why I didn't see firewall (deny) logs. A question I have floating around is if I could still make it work somehow by returning the laptop to vlan10 but then also have it capable of swapping to vlan100 when I want to do management. But there's probably enough explanation for that online already. Once more, thank you very much.

@Gblenn there are multicast vlans, broadcast vlans and Switch Virtual Interfaces SVIs and Multicast VLAN registration. You may need an IGMP querier. And IGMP snooping. And to configure the NAT more completely in the VM. None of that is easy. The full duplex 10gbps part seems wild. You may have to force speed/duplex instead of auto-negotiate for each VM. Some people recommend a NIC for each different VLAN, and plugging them all into the same switch, presumeably to stabilize autonegotiation. I am just going to quote this since I have been stocking igmp in traffic shaping: IGMP Querier An IGMP querier is a multicast router (a router or a Layer 3 switch) that sends query messages to maintain a list of multicast group memberships for each attached network, and a timer for each membership. No clue where you get the time for an SFP+ module. Some people say try PTP and others say NTP can slow you down by 30ms. Most of the time it seems due to machdep on my Zen processor, which transmits data at 70gbps between each core. Some people have built GPSs for their pfSense.

@johnpoz Thanks a million, That's exactly what I was looking for!

@keyser Ok, good to know, thank you. I guess it will just be each switch connected individually to a LAN port on the firewall.

I also have sets of rules to block them on the interfaces themselves however do I need to add this tag anywhere else?

@fireix Just remember VLANs were designed to limit broadcast traffic. The next thing is switching is faster than routing. And last, layer 3 switches are faster than routers. I think of this when I design networks.

@diyfoolwall The NIC of the server can / should only press the power-on button if it receives the secret magic wake up packet : the packet should have a data payload of exactly 3 times its own MAC address. Nothing more, nothing less. To be able to receive this packet, the NIC itself should be powered on. Most ofthen, the NIC goes in low power mode, something like "10 Mbit half duplex' as this is the most economic mode. If the NIC in front of the server doesn't support this mode : wake on lan won't work. This is what probable happened : pfSense sees the NIC (link) down, so it can't use the NIC to send the WOL packet. That's why its best always to use a switch between any pfSense NIC's, and your LAN(s) devices, as switches accepts the full scale of 10 Mbits/half up to 1 Gbit/full as this is their job.

@JonathanLee Ah, yes, it surely looks more flexible with L3 switch in terms of security and how much you can do on port level. I will not be using normal VLANs in my case since I can't do subnetting-isolation (waste of IP-space and tons of config). With regards to mesh, in my case, the two Uplink switches will be physically stacked. So the two switches will communicate as one and I would think that it would reduce the chances of broadcast storms. Or maybe not.. One reason for stacking and LACP is to simplify configuration and avoid relying on STP.

@tomic why you would of ever thought 192.168.2 would be an option is concerning.. Sniff on pfsense on the vlan 10 interface when you try and access the printer... Do you see pfsense send on the traffic, if so then its not a pfsense problem. Also validate your printers mask is correct for your vlan 10 network, if its 192.168/16 and your trying to talk to it from say 192.168.2.x then the printer would think hey that is local and would never send the traffic back to pfsense to be routed back to your client trying to access the printer. Your saying ping works - that points to maybe your using the wrong port to access the printer gui? Or it doesn't like remote access.. Can you access the printer gui from something on the vlan 10 network? To validate the gui is even working or enabled.. If that works, and you show sniffing pfsense sending the traffic - you could always source nat so printer thinks pfsense IP on its own network is talking to it.

@toskium yes running a pcap over the interface configured for LAG will show LACPDUs being sent by the switch and pfsense. Should be bidirectional. Assuming you see that your issue may be elsewhere.